My team and I have been on a journey toward implementing an identity-centric zero-trust approach over the last three years, leveraging existing technologies and fitting within existing budget and resources.
I was recently asked, for an organization planning a zero-trust initiative in 2020, where would I recommend prioritizing efforts when neither budget nor resources are unlimited? That is the key question for most companies considering a zero-trust initiative. Our journey will end up spanning four to five years, but by sharing our story and contributing to the Identity Defined Security Alliance (IDSA), we hope that others can move faster and achieve a stronger security posture with fewer resources.
My experience leads me to offer three key pieces of advice
First, focus on the data. Understanding where sensitive data lives and the transactional flow of that data between users, systems, and applications.
Next, direct your attention to user governance and device trust. These two items will provide you the most value, quickly.
Last, create a business plan outlining all the areas of return on investment. Include a reduction of IT spending associated with technologies that are no longer needed once your zero-trust implementation is complete, such as firewalls, VPNs, and Active Directory. Then detail the process optimizations and automations with IT that not only reduce the need to manage the legacy environment but also automate areas where IT spends the most time and resources. This is a wonderful way to show a recoup of your initial spending on zero trust.
The chart below maps out our progress and recommendation for how to prioritize the phases of your journey. The time frame for moving through each phase and the associated costs will depend on things such as size and complexity of the organization, available resources, and existing cybersecurity technologies. The graphic below depicts what it will cost LogRhythm — a 600-employee, software-as-a-service–driven, security product development company.
Phase 1/Year 1: In the first phase, focus on security basics and shoring up your compliance program, if needed. In addition, the initial phase should identify potentially sensitive data and business-critical applications that store or have access to sensitive data. Then, map out the data flows and update application inventories. This will be the basis for the governance of your users, systems, applications, roles, and so forth as you move forward.
Phase 2/Year 2: Select a single source of truth, such as a human resource management system (HRMS), where you can provision roles, applications, entitlements, and access. In addition, implement single sign-on solution (SSO) and multifactor authentication (MFA) to critical applications, if you have not already deployed them in your organization. Selecting a single source of truth provides opportunities to recoup costs associated with multiple directory technologies, and implementing SSO and its self-service capabilities (password reset, for example) can reduce help desk costs, as well as improve efficiencies in provisioning and deprovisioning (to include move, add, change requests).
Phase 3/Year 3: Implement and integrate mobile device management (or unified endpoint management) and privileged access management to only allow sensitive data to be accessed by trusted devices. The Identity Defined Security framework provides guidance on use cases and integrations needed to bring your existing identity and security technologies together.
Phases 4 and 5: These start to bring in more advanced use cases, such as a cloud access security broker (CASB) to protect sensitive data in the cloud and advanced user and entity behavior analytics (UEBA) capabilities to detect and respond to anomalous user behaviors. However, as you can see after implementing the first three phases, our perspective is that you are more than 50% of the way on the path to maturity.
In developing the business case for the first three phases, there are several opportunities to recoup costs. In our situation, 60% of our IT help desk tickets were dealing with moves, additions, and changes associated with people. By building an integration between our identity access management system and ADP (our single source of truth), we reduced our help desk volume by 60%. With zero trust, architectural components such as backup directories, on-premises firewalls, and VPN solutions — and even Active Directory — are no longer needed, providing an opportunity to shift money in the budget to support spending on technologies that may not already be deployed, such as UEM, CASB, and UEBA.
While a zero-trust approach is not a security silver bullet, it is the best thing we have today. I jokingly compare it to the Titanic (obviously not from an execution perspective!). The Titanic was built around the concept that if a breach took place, it would flood one compartment and not the entire boat. When you look at a separate identity domain and how you authenticate, and authorize it separately, it's the same concept. You may have a user that gets compromised, you may have a system that gets compromised, but it shouldn't affect the rest of the organization — or it should buy you enough time to contain it before it does.
Bottom line: Zero trust is a phased approach, but if you start by focusing on users, data, access, and managed devices, you will make major steps in achieving better security. The business case can be a slam dunk when including all elements, including process optimization, efficiency gains, and recouped technology and infrastructure costs.
- What You Need to Know About Zero-Trust Security
- Federal CIOs Zero In on Zero Trust
- Debunking 5 Myths About Zero Trust Security
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Turning Vision to Reality: A New Road Map for Security Leadership."