The Transformation of Network and Security Architectures is here now
Zero Trust is near universally regarded as the solution to replace inherently insecure WAN architectures. As discussed here and here, the hard reality is that Zero Trust is not something that can be purchased off-the-shelf. In addition to the technology design, every organization will need to architect and engineer Zero Trust to apply its principles, tenets, and capabilities to the organization’s processes, culture and operations.
The strategic importance of Zero Trust is illustrated by the May 2021 “Executive Order on Improving the Nation’s Cybersecurity” from the United States President, which highlights Zero Trust as a critical cybersecurity solution throughout. The Executive Order states “The Federal Government must adopt security best practices; advance toward Zero Trust Architecture…and within 60 days of the date of this order, the head of each agency shall develop a plan to implement Zero Trust Architecture.”
Problems solved? No! Zero Trust gives us our north star – our vision of a world in which application-centric security replaces network-centric security. However, Zero Trust is a long journey. It will take most businesses months to years to get a full Zero Trust architecture implemented.
During the Zero Trust journey, how do businesses protect themselves from cybersecurity threats like the recent devastating wave of ransomware attacks? How does the Information and Communications Technology (ICT) supply chain as a whole ensure they are not conduits to cybersecurity attacks (like the Kaseya and SolarWinds attacks)? Can ISVs, SaaS and MSPs embed Zero Trust Networking so that they don’t risk conveying attacks such as ransomware across the supply chain, even before the downstream businesses and supply chain customers have finished their long zero trust journeys?
We will drill down on Zero Trust journey topics in future posts. For now, here is an outline of the six sets of recommendations for your Zero Trust journey:
Zero Trust Journey: Prioritize full, proven business continuity
Built-in Zero Trust networking is certainly more secure than bolted-on secure networking (firewalls, VPNs, password-based access, SD-WANs, dedicated circuits, etc.). But nothing is impervious. By “full” business continuity, we mean the ability to operate if your primary data, apps and servers are suddenly unavailable as the result of a successful ransomware attack. This means building the infrastructure and processes for data backups, system backups and app environment backups, and positioning those backups on different servers (clouds) so they are ready to be put into use at the drop of a hat, like at the onset of a ransomware attack. That is where the “proven” part comes into play. As a rule of thumb, if you are being extremely diligent about all your backups, but not periodically running your business from those backups (and alternative environments) during non-stress situations to validate your processes and systems, then your backups are useless! Ok, maybe not useless, but that is the best assumption you can make for planning purposes.
Prove that your business continuity strategy and tactics are in place and fully functional by regularly exercising them. Taking ransomware attacks as an example, if the attack encrypts your primary data, but you can easily cut over to a working replica environment, then you cannot be held hostage and essentially forced to pay millions of dollars to decrypt your primary data (as long as you can close the hole which the ransomware used to begin with – see below for that).
Zero Trust Journey: Implement Zero Trust in an iterative manner
Identify a set of your most vulnerable use cases, and a set of your use cases for which Zero Trust would be simplest to implement. The intersection of these two sets is likely the first step of your Zero Trust journey. For many businesses, this will mean securing vendors, supply chain partners, SaaS providers, ISVs and MSPs. The only thing between these third parties and your critical business data is usually vulnerable infrastructure like firewalls, VPNs and SD-WANs. This is not a single vendor problem – nearly every VPN, SD-WAN and firewall vendor has been breached – a recent list includes Cisco, Zyxel, Fortinet, Palo Alto, SonicWall, Citrix, F5, Sophos and Pulse.
Fortunately, businesses can use Zero Trust as a Service (ZTaaS), essentially the SaaS version of Zero Trust, to quickly replace that bolted-on WAN infrastructure with built-in, no-infrastructure, programmable, as-code Zero Trust.
Additionally, businesses can require ICT partners to embed Zero Trust, in the same way that businesses require SaaS web app providers to use TLS. ICT partners like ISVs, SaaS providers, MSPs and solution providers can embed Zero Trust inside their apps and solutions such that neither the business nor the provider needs to deploy vulnerable infrastructure.
Zero Trust Journey: DevSecOps, DevOps and NetOps
There is significant overlap between DevOps, NetOps and DevSecOps. In today’s forward-looking organizations, Cloud Architects, Site Reliability Engineers (SREs), App Developers, Engineers and Operations folks work together as a unified team to prioritize upfront security, automation and agility.
Similarly, the journey to replace bolted-on WAN-centric networking architectures with built-in, app-centric Zero Trust networking architectures is best executed with a unified team approach. This is a critical foundation for creating architectures that are proactive and secure-by-design. Mature your DevOps, NetOps and DevSecOps teams, processes, and tools now, and they will make the Zero Trust migration that much faster, simpler and more effective.
Zero Trust Journey: Open source and open standards
Leverage open source and open standards whenever possible. The innovation advantages of open source are well known. The security advantages are substantial as well. Just as importantly, you need agility, extensibility, and flexibility. You don’t know what you will be dealing with tomorrow – nobody does. Do not back yourself into a corner with proprietary or closed solutions. The days of implementing “black box” solutions and blindly trusting a 3rd party to manage everything inside the black box are over.
Zero Trust Journey: Platform approach
The last thing we need is more bespoke solutions. Bespoke solutions lead to complexity and a bolted-on architecture (bespoke solutions bolted together). Complexity equals insecurity. Complexity increases the breadth and depth of your cybersecurity risk profile. It is not an accident that bolted-on WAN infrastructure is routinely victimized by ransomware and other attacks. Complex environments are happy hunting grounds for bad actors. Take a platform approach to Zero Trust.
This applies not just to the technical solution but also to internal processes, systems, and tooling. For example, the overall third-party risk management function is often broken into segments like vendor risk management and supply chain risk management. Likewise, app architects, network architects, centralized security groups, threat management, procurement and operations functions can be scattered. Unifying decision making will help prevent islands of bespoke solutions, as well as amplify the benefits of a platform approach to Zero Trust.
Zero Trust Journey: Steady progress towards your North Star
Starting the Zero Trust journey is critical. But the next step is always the most critical step, and it can be easy to lose sight of your north star along the way. Here is a quick set of questions to serve as litmus tests to make sure you are moving towards a full Zero Trust architecture:
+ Are you moving towards embedding Zero Trust in your apps – building Zero Trust into code – rather than trying to bolt it on?
+ Are you adding to your WAN architecture or subtracting from it?
+ Are you steadily adding the key Zero Trust tenets: secure identification, authenticate before connect, least privileged access and app level microsegmentation?
+ Are you adding infrastructure, appliances, and proprietary interfaces, or are you adding software, APIs and cloud orchestrated microservices?
+ Is your architecture getting simpler or more complex?
Transforming technology architectures is a journey. Our industry has done this before and is doing it now with Cloud. The next transformation is crystal clear. Zero Trust architectures are replacing legacy WAN environments and no amount of bolting on will stop the Zero Trust transformation.