Zero Trust: how do I make it concrete?

Rick Hofstede

13 May 2024

Every year, numerous research and consultancy firms publish overviews of strategic trends in IT and cybersecurity. Gartner, which was referred to last month on this platform, is no exception. Zero trust invariably appears on these lists, with definitions along the lines of “don’t trust anything by default, but verify”. But how exactly should you go about this as a CIO, CISO, or IT manager? Should you review all your firewall rules? Equip every endpoint with EDR technology? Or purchase a CASB?

An integral part of your strategy

Zero Trust is not a “feature” or a checkmark, but an end-to-end strategy. By definition, the answer cannot be a single product or a single story. It is about the coherence of your architecture, which is why we call it a strategy, and it therefore belongs in your IT and security strategy. Look at it another way: the complexity of our IT will only increase in the coming years. Think of the explosive rise of increasingly sophisticated cybercrime, growing liability, and new IT and cybersecurity technology. All these aspects are interrelated, so it is very important to map out the whole in an integrated way, so that the right changes can be implemented.

So what is it?

In the past, security investment went mainly into the network, e.g. firewalls. Today we see that the notion of a corporate network is becoming more and more blurred:

  • Employees work remotely, e.g. from home.
  • More and more applications and data are in the cloud.
  • Employees are allowed to work on their own equipment (BYOD).

In short, a secure corporate network is no longer sufficient. So we need to integrate security into other parts of the infrastructure as well. In the case of zero trust, the following sub-areas (often called pillars) are commonly used:

  • Identity
  • Device
  • Application Workload
  • Network
  • Data

So you see that security is becoming intertwined with your infrastructure. An example: a user proves his/her identity on his/her device, which accesses data via the network. Each of those pillars is a point at which the request can be verified.

A question of abstraction

Isn’t security at so many layers of the infrastructure complicated? If you are not careful, you will indeed lose the overview and it will become a complicated story, especially in large and complex organizations. Fortunately, there are ways to curb that complexity. Two examples:

  • When you embed zero trust in your architecture and strategy, you look for the connection between security and your business processes. Traditionally, this was much less the case, because security used to be an “IT party.” Because you now define security in much finer terms based on your business, you automatically notice that security becomes more ‘logical’ and ‘closer’ to the rest of the organization, because you start speaking more of the same language.
  • In addition to zero trust, software-defined infrastructure is a theme that has taken off in recent years. It involves configuring infrastructure at a higher level of abstraction, after which software translates that configuration into the details and the individual devices. So while zero trust by its very nature requires more configuration, a software-defined approach is a counter-movement that keeps that configuration manageable.

In short, it’s all a matter of abstraction. Ultimately, this offers your organization the following benefits:

  • More flexibility: by raising the level of abstraction at which we apply security, access can be defined with more granularity and flexibility.
  • Reduced complexity: when software-defined infrastructure is the norm, we can create, automate, and centralize advanced configurations at scale, leading to lower costs.
  • More insight: moving the level of abstraction from the perimeter to identities, workloads, data, etc., gives us more insight for detection and response, because every access decision is made explicitly and can be logged.
  • Less impact in the event of incidents: by thinking in terms of micro-segmentation, cyber threats are much less able to move laterally through the infrastructure.
  • More business alignment: a higher level of abstraction is closer to the business, creating more support for security within the organization.

Other benefits of a broad-based strategy

By working from a plan or strategy, you guarantee the coherence of your approach. Especially in complex matters such as security architecture, it is important to have a guiding principle that you can always fall back on to validate whether you are taking the right steps. When you embrace concepts such as zero trust, for which all kinds of “maturity” models have been drawn up, you can even test and quantify your status quo or your progress, with or without an independent party. Moreover, by adopting widely accepted strategies such as zero trust, you automatically align yourself, to a greater or lesser extent, with laws and regulations.

Where to start?

One organization starts by purchasing a product, another sets up an extensive assessment as a baseline measurement. Every organization does this in its own way, although finding the balance between strategy and operations is a challenge in practice. The main reason for this: not speaking each other’s language. For that reason, we start with the business instead of IT, because that is how we secure both the organization-wide anchoring and a common starting point. As a result, business primitives become first-class citizens within the security architecture, instead of derivatives of IT primitives. For example, instead of thinking of IP addresses in a firewall configuration, you can think of a role in a project, or a device in combination with a specific user, as what grants access.
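To make the contrast between IT primitives and business primitives concrete, here is an added example that is not part of the original article and not the author’s or any vendor’s implementation. It shows the “question of abstraction” and the “where to start” points above side by side: a legacy perimeter check that grants access on the requester’s IP address, next to a small zero-trust policy evaluator in which the policy is written in terms of a project role, device posture and the data being accessed. The policy format, the `Request` and `Policy` types, the corporate IP range and the sample requests are all constructed assumptions for this illustration.

```python
"""Added example: business-level zero-trust policy versus an IP-based perimeter rule.

All types, policies and sample requests below are constructed for
illustration; they are not a vendor product or the article author's code.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset            # business roles, e.g. {"project:apollo:engineer"}
    device_managed: bool        # device is enrolled in device management
    device_compliant: bool      # disk encryption, patch level, EDR present, ...
    resource: str               # the data being accessed, e.g. "data:apollo:design-docs"
    action: str                 # "read" or "write"
    source_ip: str              # only the perimeter model looks at this


# --- Perimeter model: trust is derived from network location (assumed range). ---
CORPORATE_NETS = [ip_network("10.0.0.0/8")]


def perimeter_decision(req: Request) -> bool:
    """Legacy rule: anything coming from the corporate range is allowed."""
    ip = ip_address(req.source_ip)
    return any(ip in net for net in CORPORATE_NETS)


# --- Zero-trust model: business primitives are first-class citizens. ---
@dataclass(frozen=True)
class Policy:
    resource_prefix: str        # which data this policy governs
    required_role: str          # business role that grants access
    actions: frozenset          # actions the role may perform
    require_managed_device: bool = True
    require_compliant_device: bool = True


# Constructed policies: engineers of project "apollo" may read and write its
# data, auditors may only read it; both need a managed, compliant device.
POLICIES = [
    Policy("data:apollo:", "project:apollo:engineer", frozenset({"read", "write"})),
    Policy("data:apollo:", "project:apollo:auditor", frozenset({"read"})),
]


def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Evaluate every request explicitly on identity, device posture and data.

    Returns (allowed, reason); the reason is what you would log for
    detection and response. The source IP is deliberately not consulted,
    and a request that matches no policy is denied by default.
    """
    for pol in POLICIES:
        if not req.resource.startswith(pol.resource_prefix):
            continue
        if pol.required_role not in req.roles or req.action not in pol.actions:
            continue
        if pol.require_managed_device and not req.device_managed:
            return False, "device not managed"
        if pol.require_compliant_device and not req.device_compliant:
            return False, "device not compliant"
        return True, f"role {pol.required_role} on {pol.resource_prefix}*"
    return False, "no matching policy (default deny)"


# Constructed sample requests.
INSIDE_NO_ROLE = Request("contractor", frozenset(), False, False,
                         "data:apollo:design-docs", "read", "10.1.2.3")
HOME_ENGINEER = Request("alice", frozenset({"project:apollo:engineer"}), True, True,
                        "data:apollo:design-docs", "write", "203.0.113.7")
HOME_ENGINEER_UNPATCHED = Request("alice", frozenset({"project:apollo:engineer"}), True, False,
                                  "data:apollo:design-docs", "write", "203.0.113.7")
AUDITOR_WRITE = Request("bob", frozenset({"project:apollo:auditor"}), True, True,
                        "data:apollo:design-docs", "write", "10.1.2.4")


if __name__ == "__main__":
    for name, req in [("inside, no role", INSIDE_NO_ROLE),
                      ("home, engineer", HOME_ENGINEER),
                      ("home, engineer, non-compliant", HOME_ENGINEER_UNPATCHED),
                      ("inside, auditor writing", AUDITOR_WRITE)]:
        print(f"{name:32} perimeter={perimeter_decision(req)!s:5} "
              f"zero-trust={zero_trust_decision(req)}")
```

The two models disagree on exactly the cases the article is about: an unmanaged device with no project role that happens to sit inside the corporate range is allowed by the perimeter rule and denied by the policy, while a project engineer working from home on a compliant managed device is denied by the perimeter rule and allowed by the policy. Because the policy is written in business terms (project, role, posture, data), it reads the same whether the software behind it later translates it into firewall rules, identity-provider conditions or workload-level segmentation.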

All beginnings are difficult, and the trick is to start simple without making concessions to the bigger picture. A heartfelt piece of advice in these kinds of situations: let yourself be helped and don’t reinvent the wheel.