CIO: what is the zero trust approach, and how to put it in place?

Data is now a gold mine for hackers, forcing security professionals to view all traffic and data flow as potentially dangerous. This new paradigm requires many layers of authentication, both at user level and at the level of the device or application used, and a constant security dynamic.

To stem this problem, companies looking for an efficient authentication model mainly adopt the so-called “Zero Trust” approach, in order to guarantee an advanced level of security. In this model, trust is never granted implicitly but must instead be constantly reassessed. Here are the golden rules and steps to keep in mind if you are considering taking this approach …

Zero Trust is a concept, not a technology in itself

The concept of Zero Trust resides above all on a set of principles, and not on any products or services of a particular supplier. While technology is a prerequisite for its successful functioning and implementation, it is only part of a larger strategy that requires a radical change in the way users, devices and the applications connect to each other.

The “Zero Trust” approach is a concept of digital identity that creates strong mutual authentication, granting access and permissions to each user, device and process on the network individually. Using this model, organizations can then implement the authorization, assurance, analytics, and administration capabilities needed to implement a consistent, 100% secure identity architecture.

Public key infrastructure (or PKI): the founding technical principle of Zero Trust

Authenticating users and devices is the starting point. While organizations previously turned to more complex password requirements or multi-factor authentication (MFA) to provide an additional measure of security, these methods have unfortunately proven their vulnerability.

The PKI is the benchmark for authentication and identity encryption. According to the latest report from the National Institute of Standards and Technology (NIST) published in August 2020 (“Zero Trust Architecture”), the PKI is one of the founding principles of Zero Trust. With this technology, companies can guarantee the highest level of user and device authentication without affecting employee productivity or user experience.

It enables organizations to secure operations without disruption, replacing passwords with user certificates, and replacing traditional MFA with instant identification. Finally, this technique automates the life cycle of all identity certificates.

This should not be overlooked, because automation is one of the key elements in the success of a zero trust strategy. With each new request for access to a network, or to an application for example, the controls must be able to be carried out automatically to apply the policies of the company according to the user, the group, the type of device, the location… All this in order to issue access authorizations as quickly as possible. In short: seamless authentication for end users, which can be easily deployed on every device using automated tools, and out of the box.

Centralize governance and application for a successful transition

However, providing a high degree of security and authentication to your business ecosystem is no easy task. This is based not only on the new principles of governance and the new rules, but also on the modes of application of these principles. More than a change in technology, the Zero Trust approach is also a corporate culture in itself.

IT teams need to ensure that no access is granted implicitly across increasingly complex network architectures, which include private cloud, hybrid and multiple public cloud environments … In addition, each user and each terminal must be assigned an identity, which must then be authenticated on the network in which they are located. Finally, IT teams are responsible for overseeing the entire lifecycle of these identities.

Migrate to Zero Trust smoothly

But even with the help of PKI technology and digital identity processing automation, migrating an entire organization to Zero Trust can seem daunting. Fortunately, businesses don’t have to implement these certificates en masse, all at once. IT teams can choose to facilitate this transition by implementing a step-by-step process.

Below is a list to help you remember nothing when transitioning to Zero Trust Network Access, or ZNTA (Zero Trust Network Access):

  • Secure servers and applications: use SSL / TLS certificates to secure web and app servers, including those in DevOps and cloud environments.
  • Secure network access endpoints: use digital certificates to protect the network equipment you rely on, including firewalls, web filtering, email applications, virtual private networks, and Wi-Fi gateways.
  • Secure device endpoints: Use device certificates to authenticate the identity of all provisioned computers, laptops, tablets, and mobile devices, as well as BYOD devices.
  • Protect emails: use S / MIME certificates to protect and authenticate email content and email signatures across different devices and network access points
  • Replace passwords with user certificates: use digital certificates backed by PKI to provide the highest degree of authentication to each employee

To best meet this challenge and manage internal vulnerabilities in your network, it may also be relevant to surround yourself with the right experts, in particular by performing penetration tests to identify potential entry points.

Back to top button