5 Steps for European Orgs to Adopt a Zero Trust Security Framework
“To improve is to change; to be perfect is to change often.”
— Winston Churchill
The security function in any organisation is under constant pressure to change. It is in the unenviable position of being caught between forces that are uncontrollable. The major force of change occurring is in the way and the extent in which technology is delivered to organisations. Fear of business failure caused by competitors moving faster haunts CEOs.
There is a relentless pressure to meet new business demands for faster and cheaper technology.
On the other side of the rock and the hard place, is the external threat coming from the attacker. Often portrayed on television with the inevitable B-roll clip as a “Hacker in a Hoodie” the truth is more often than not the “hacker is in a highly dynamic business operation or a well-resourced nation state.
How Adopting Zero Trust Framework Simplifies Security
CISOs need to navigate through these competing business demands and are looking for help. This is where the concept of Zero Trust comes into play. It provides a framework upon which change to meet increasingly complex security demands can be crafted.
Often when discussing the topic with CISOs there is an intuitive understanding of Zero Trust and the benefits it can bring. Zero trust mitigates risk by requiring identity and user access management through a variety of factors - like multi-factor authentication (MFA) or two-factor authentication (2FA) - and extends protection for an organization outside of the confines of the corporate perimeter to any device, managed or managed on any OS.
The question, however, becomes: "Where and how do we start?" The answer can be as simple as: "Wherever it is appropriate." Which is a bit vague.
Adopting Zero Trust is not a one-off event. It is a continuum of constant change. It goes to the fundamental way an organisation designs its security; it changes the way in which users interact with the resources they need to complete their jobs; how partners and BYOD contractors will be controlled when working with the organisation; how we view the organisation’s assets whether they are owned or not. Selecting a starting point needs some consideration.
Choosing the Right Zero Trust Framework Starting Point
At Duo, we focus on the point of access by the end user as one particular starting point.
Securing the access point addresses one of the most vulnerable and attacked ways for a breach to occur – compromised credentials. Protection at the access point also helps to change the security culture of the organisation by including the end user into the security process.
Duo’s 5 Step Approach to Zero Trust Security
To ensure that change can be managed, and controlled Duo developed a five-step approach. This enables a clear set of steps that can be defined and measured. It is not a one off programme but is a series of iterative loops.
Step 1: Enable User Trust
Start with a specific application and a set of users. Implement the initial MFA solution, then identify the assets used before finally implementing adaptive policies. Often we have heard a CISO argue that they should start with the most critical asset. But perhaps it is best to start with a control group on a non-critical application, and learn the initial lessons before starting on applications critical to the business.
Step 2: Device Activity & Visibility
Duo’s two-factor authentication (2FA) dashboard gives IT complete device visibility. Duo works as a standalone frictionless solution, but is also software agnostic and can be deployed to work with legacy on-prem and cloud solutions. Coupled with Cisco SecureX end-to-end protection, the best integrated security in the world is easy to attain.
Step 3: Device Trust
Knowing what devices are accessing your network and their “device trustworthiness” (regardless of the platform like Apple’s iOS, Microsoft, Android) is another key layer to adopting a zero-trust security framework.
Duo’s Device Health application offers new product capability that helps control which laptop and desktop devices can access corporate applications based on device trust. It helps organizations adapt to a zero-trust security model providing IT security teams with the ability to:
Validate the health of a device at the time of authentication
Enable end users to proactively fix device security risks
Extend visibility and control for unmanaged / BYOD devices
Step 4: Adoptive Policies
Duo lets you reduce risks by enforcing precise policies and controls. Enable your team to define and enforce rules on who can access what applications — under what conditions. Define access policies by user group and per application to increase security without compromising end-user experience. Access policies are a central component of zero trust security because they allow an org granular control over who gets access to what application, when and where.
Step 5: Securing Users with Zero Trust
To achieve a zero trust security framework across the workforce, simply follow steps 1 through to 4 – then repeat.
Develop a set of KPIs that will not only show progress but also benefit. One of the first benefits often identified in discussions with CISOs is gaining greater visibility over users and assets. Creating a process to link the output from the programme to an inventory or asset register benefits the whole organisation especially the European IT teams.
Being able to block logins if a device is not up to a set patch level can be useful to any incident response team. Having access to logs can be valuable for forensic investigations. Understanding these benefits and creating the links to other parts of the security team, as well as IT, drives greater value but requires more change.
To successfully drive change, a structured repeatable process is required. The 5-step approach provides the basis for a zero-trust framework. We may never get perfect security and any such promise should be viewed with scepticism. But we can drive constant change in the hope we get somewhere near there.
How do you eat an elephant? One bite at a time. The trick is to get started.