Getting down to brass tacks: what's real zero trust?

Many security vendors have slapped zero trust onto solutions that truly don’t protect the network or work across any operating environment and every device... or have a robust, bidirectional and near real-time REST API. This leaves their customers no better off than they were before, with point-in-time solutions that can’t integrate. Additionally, many can’t meet the requirement to be used on- and off-premises as a unified solution/policy model. (Not everything is in the cloud or ever will be for many government agencies and commercial companies.) And even more fail to follow the principles laid out in NIST SP 800-207 or the Cloud Security Alliance 2.0 guidance for a software-defined perimeter. 

The need for integrated cyber security solutions that are part of an organisation’s or agency’s zero trust architecture is now. Issues and new exploits continue, yet could be prevented with a proper zero trust architecture.

To truly begin this journey and gain the advantages of a zero trust architecture, we need to divide the zero trust security roadmap into sensible buckets and stages within those buckets. The areas we recommend you focus on are:

• Identities: identity is the obvious and most important place to start;
• Devices: without attaching the user to a device, organisations will lack the ability to truly limit their exposure and tie them to dynamic access controls;
• Networks and environments: you must define what you are trying to protect and where. Zero trust access solutions should be able to seamlessly operate in cloud environments and across on-premises resources without impacting the user, security posture and solution needed. By having a clear understanding of the networks and environments, you can begin to place users into the right buckets of access;
• Application/workloads: knowing what you have and marrying that to where, who and what can access are key pillars in this ongoing journey;
• Data: ensuring you place proper access controls and integrating those throughout the stack is key to a zero trust process; and
• Overlay pillars: Appgate views these as analytics, automation, reporting, etc – with the drive to treat everything as code and create more automation to serve out the integrations, solutions that cannot automatically be deployed as code, read-meta data to provide near real-time actions, manage a policy model as code and provide deal analytics are not helpful in the current cyber world.

Once you’ve done this first level of work, the next step is to leverage guidance from Appgate, CISA, NIST, etc and set your stages. It is expected and normal not to be at “optimal”, or what we call stage three, right out of the gate. Decide what makes up those goals for your organisation, ruthlessly select the solutions that help enable those goals and create your plans.

The zero trust journey will not be short or simple, but with solutions like Appgate SDP, an industry-leading zero trust network access solution, you can bring current and future cyber investments together to help protect users, data and systems from attacks and breaches.

See a full podcast explaining this in more detail: Podcast: Zero Trust Security: Buzzword or Breakthrough?

Additional zero trust resources:

Solution brief: Zero Trust Access for Corporate Networks

Blog series: The CISA Zero Trust Maturity Model

Blog: Zero Trust for Critical Infrastructure

To learn more about the Appgate SDP, visit: https://www.appgate.com/software-defined-perimeter