How To Implement A Zero Trust Model When Working With Partners
When working with partners, implementing a zero trust model sounds like a great idea for your internal IT teams but an awkward scenario for your partners.
This post exists to introduce you (and your partners) to the concept of zero trust, and help you get buy-in and kick start your process.
In this post, we cover:
- How do you explain zero trust?
- Where do I start with zero trust?
- What are the benefits of a zero trust network?
- How do you create a zero trust network?
1 - How do you explain zero trust?
When making the business case for a zero trust model, it’s important that both your internal teams and partners know expectations and limitations.
Explaining zero trust to those who’ve worked in similar scenarios before is simple. But to those used to open environments, you must prepare them for a new way of interfacing with your network.
A simple definition of zero trust is ‘an approach to the design and implementation of IT systems that declines to implicitly trust anything inside or outside its network’.
The main concept of this information security model is that devices should not be trusted by default: a ‘guilty until proven innocent’ approach.
The technical elements behind this include the principle of least privilege, micro-segmentation, multi-factor authentication, access control, analytics and SIEM, among other technologies.
Principle of least privilege
The principle of least privilege involves limiting the access of users, accounts, and processes to only what they need to complete a task. It can help prevent data breaches by ensuring people don’t have access to information they don’t need.
MFA is key in zero trust models. Requiring more than one piece of information to authenticate a user makes it more difficult for hackers to access important data.
If an attacker obtains the password to a sensitive zone, they won’t be able to authenticate without more information such as biometrics, a code or one-time password.
2 - Where do I start with zero trust?
The very first thing you need to do when planning a zero trust network is to meet with stakeholders and agree goals in reference to the policy. This allows you to lay out a roadmap to get to those goals and the steps you need to take.
Next, you can start to think about the core assets you want to protect within the business. Zero trust isn’t about completely removing the current technologies that protect the perimeter, but rather enhancing them and ensuring there are priorities when it comes to security.
Your technology decisions are likely to come at the end, when you’ve agreed the best plan of action for your business and know the exact direction you’re going to be taking.
What is the concept of the zero trust model?
The basic concept of the zero trust model is to verify absolutely everything that tries to connect to business systems, regardless of whether they have been granted access before or not.
Your business should always authenticate and authorise access based on all available data points. These should include user identity, location, device health, service or workload, and data classification.
Least privileged access
As mentioned earlier, you should limit user access with just-in-time and just-enough-access to help secure data and productivity.
By assuming breach, you will always be prepared. Verify end-to-end encryption and use analytics to ensure visibility, drive threat detection and improve defences.
3 - What are the benefits of a zero trust network?
Implementing a zero trust network model comes with a number of benefits. Here are just some of the advantages:
By opting for a zero trust model, you naturally deploy a solution for continuous monitoring and logging of asset states, as well as user activity and behaviour. This could be in the form of cloud monitoring through your cloud provider or manual monitoring of your private cloud infrastructure.
With this increased visibility, you are therefore in a better position to detect threats and respond to them accordingly.
Increased resource access visibility
As with monitoring, seeing who accesses which resources and for what purpose leaves you better placed to determine any measures that need to be put in place to further secure your data and information.
By assuming all applications and services are malicious, you can reduce the risk to your organisation by uncovering what’s on your network and how those assets are communicating.
Many industries are regulation and compliance heavy. But, with zero trust models, you can better prove to auditors that your business is compliant thanks to clear insights into data flow and superior visibility of workloads.
With micro-segmentation implemented, you can even create perimeters around sensitive data to keep regulated data separate from non-regulated data.
4 - How do you create a zero trust network?
Once you’ve got buy-in from all stakeholders, creating a zero trust network gains momentum.
You can split building a zero trust network into three main stages:
A - Identify critical data
By splitting business critical data from regular data, you can ensure you know exactly what information you need to protect the most. You can then apply additional access controls to the data and assets that have the highest value for your business.
B - Determine source identity and device trust
It’s impossible to assign the appropriate level of authorisation for each user and device without evaluating the source identity. You can use MFA and SSO to add an additional layer of verification where needed.
When it comes to device trust, you need to distinguish between managed devices given by the company and unmanaged devices, such as an employee’s personal device, with access to the corporate network. You should be able to grant appropriate access to each group of devices.
C - Apply contextual access control
With a zero trust model, you’ll want full visibility across your entire network, including which users access what data and systems.
You can use attribute-based access controls or role-based access controls to ensure your users are given the access they need. It’s important to also consider user location, timing and device context to ensure the appropriate access policies are applied for each case.
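To make stages A to C concrete, here is an added example (not code from the original post or from any product) of a default-deny, attribute-based access decision. The resource names, roles, countries and hours are constructed assumptions; in practice these values would come from your identity provider and device management tooling.

```python
from dataclasses import dataclass
from datetime import time

# All names, attributes and policy values below are constructed for illustration.
@dataclass(frozen=True)
class Request:
    user: str
    role: str              # e.g. "employee" or "partner"
    mfa_passed: bool       # stage B: source identity
    device_managed: bool   # stage B: company-issued vs personal device
    device_healthy: bool
    country: str           # stage C: location context
    at: time               # stage C: timing context
    resource: str

# Stage A: classify data so critical assets get stricter rules.
CLASSIFICATION = {"partner-portal": "regular", "billing-db": "critical"}

# Stage C: attribute rules per classification (hypothetical values).
POLICY = {
    "regular":  {"roles": {"employee", "partner"}, "managed_only": False,
                 "countries": {"GB", "IE", "DE"}, "hours": (time(0, 0), time(23, 59))},
    "critical": {"roles": {"employee"}, "managed_only": True,
                 "countries": {"GB"}, "hours": (time(7, 0), time(19, 0))},
}

def decide(req: Request) -> tuple[str, str]:
    """Return (decision, reason). Anything not explicitly allowed is denied."""
    label = CLASSIFICATION.get(req.resource)
    if label is None:
        return "deny", "unclassified resource"
    rule = POLICY[label]
    if req.role not in rule["roles"]:
        return "deny", "role not permitted"
    if not req.device_healthy:
        return "deny", "device failed health check"
    if rule["managed_only"] and not req.device_managed:
        return "deny", "unmanaged device"
    if req.country not in rule["countries"]:
        return "deny", "location not permitted"
    start, end = rule["hours"]
    if not (start <= req.at <= end):
        return "deny", "outside permitted hours"
    if not req.mfa_passed:
        return "step_up", "MFA required"   # ask for a second factor, then re-evaluate
    return "allow", f"{label} access granted"
```

Every decision carries a reason, so the same function can feed the monitoring and audit logging described in section 3.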
If you need help planning your zero trust network, contact the Nasstar team here.