Dark Reading is part of the Informa Tech Division of Informa PLC

Risk

10/23/2019
02:00 PM
James Carder
Commentary
Planning a Zero-Trust Initiative? Here's How to Prioritize

If you start by focusing on users, data, access, and managed devices, you will make major strides toward achieving better security.

My team and I have been on a journey toward implementing an identity-centric zero-trust approach over the last three years, leveraging existing technologies and fitting within existing budget and resources.

I was recently asked, for an organization planning a zero-trust initiative in 2020, where would I recommend prioritizing efforts when neither budget nor resources are unlimited? That is the key question for most companies considering a zero-trust initiative. Our journey will end up spanning four to five years, but by sharing our story and contributing to the Identity Defined Security Alliance (IDSA), we hope that others can move faster and achieve a stronger security posture with fewer resources.

My experience leads me to offer three key pieces of advice:

First, focus on the data: understand where sensitive data lives and how it flows, transaction by transaction, between users, systems, and applications.

Next, direct your attention to user governance and device trust. These two items will deliver the most value, fastest.

Last, create a business plan outlining all the areas of return on investment. Include the reduction in IT spending on technologies that are no longer needed once your zero-trust implementation is complete, such as firewalls, VPNs, and Active Directory. Then detail the IT process optimizations and automations that not only reduce the need to manage the legacy environment but also automate the areas where IT spends the most time and resources. This is a wonderful way to show how your initial zero-trust spending is recouped.

The chart below maps out our progress and recommendation for how to prioritize the phases of your journey. The time frame for moving through each phase and the associated costs will depend on things such as size and complexity of the organization, available resources, and existing cybersecurity technologies. The graphic below depicts what it will cost LogRhythm — a 600-employee, software-as-a-service–driven, security product development company.

[Chart: phased zero-trust roadmap and the estimated cost per phase for LogRhythm]

Source: LogRhythm

Phase 1/Year 1: In the first phase, focus on security basics and shoring up your compliance program, if needed. In addition, the initial phase should identify potentially sensitive data and business-critical applications that store or have access to sensitive data. Then, map out the data flows and update application inventories. This will be the basis for the governance of your users, systems, applications, roles, and so forth as you move forward.

Phase 2/Year 2: Select a single source of truth, such as a human resource management system (HRMS), from which you can provision roles, applications, entitlements, and access. In addition, implement a single sign-on (SSO) solution and multifactor authentication (MFA) for critical applications, if you have not already deployed them in your organization. Selecting a single source of truth provides opportunities to recoup the costs of running multiple directory technologies, and implementing SSO and its self-service capabilities (password reset, for example) can reduce help desk costs and improve the efficiency of provisioning and deprovisioning (including move, add, and change requests).

Phase 3/Year 3: Implement and integrate mobile device management (or unified endpoint management) and privileged access management to only allow sensitive data to be accessed by trusted devices. The Identity Defined Security framework provides guidance on use cases and integrations needed to bring your existing identity and security technologies together.

Phases 4 and 5: These bring in more advanced use cases, such as a cloud access security broker (CASB) to protect sensitive data in the cloud and advanced user and entity behavior analytics (UEBA) capabilities to detect and respond to anomalous user behavior. However, our perspective is that after implementing the first three phases you are already more than 50% of the way along the path to maturity.

In developing the business case for the first three phases, there are several opportunities to recoup costs. In our situation, 60% of our IT help desk tickets were dealing with moves, additions, and changes associated with people. By building an integration between our identity access management system and ADP (our single source of truth), we reduced our help desk volume by 60%. With zero trust, architectural components such as backup directories, on-premises firewalls, and VPN solutions — and even Active Directory — are no longer needed, providing an opportunity to shift money in the budget to support spending on technologies that may not already be deployed, such as UEM, CASB, and UEBA.
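To make the first three phases concrete, here is an added illustration (not code from the article or from LogRhythm) of the access decision an identity-centric zero-trust control point makes: the HRMS is the single source of truth for who is active and in which role (Phase 2), entitlements derive from that role, sensitive applications identified in the Phase 1 data mapping require MFA and a device the UEM reports as trusted (Phase 3), and privileged targets must be brokered through PAM. The HRMS records, role map, application classification and device-trust records are constructed sample data, and all field and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Tuple

# Constructed sample: the HRMS is the single source of truth for identities and roles.
# A terminated person loses access automatically, without a separate deprovisioning ticket.
HRMS = {
    "alice": {"status": "active", "role": "finance-analyst"},
    "bob":   {"status": "terminated", "role": "finance-analyst"},
    "carol": {"status": "active", "role": "sre"},
}

# Role -> applications the role is entitled to (provisioned from the HRMS role).
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"payroll-app", "wiki"},
    "sre": {"payroll-db", "wiki"},
}

# Application -> data classification from the Phase 1 data-flow mapping (constructed).
APP_SENSITIVITY = {"payroll-app": "sensitive", "payroll-db": "sensitive", "wiki": "internal"}

# Applications that grant privileged access and must be reached through the PAM broker.
PAM_BROKERED = {"payroll-db"}

# Constructed UEM/MDM compliance records: device id -> currently trusted?
DEVICE_TRUST = {"lt-alice-01": True, "lt-carol-01": True, "byod-phone": False}


@dataclass
class Request:
    user: str
    app: str
    device_id: str
    mfa_passed: bool
    via_pam: bool = False


def decide(req: Request) -> Tuple[bool, str]:
    """Evaluate one access request; every request is checked, nothing is trusted by location."""
    person = HRMS.get(req.user)
    if person is None or person["status"] != "active":
        return False, "identity not active in source of truth"
    if req.app not in ROLE_ENTITLEMENTS.get(person["role"], set()):
        return False, "role not entitled to application"
    if APP_SENSITIVITY.get(req.app) == "sensitive":
        if not req.mfa_passed:
            return False, "MFA required for sensitive application"
        if not DEVICE_TRUST.get(req.device_id, False):
            return False, "sensitive data only from trusted device"
    if req.app in PAM_BROKERED and not req.via_pam:
        return False, "privileged access must be brokered by PAM"
    return True, "allowed"
```

Each deny reason maps back to a phase of the roadmap, which is also a useful way to show where the control actually comes from when building the business case.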

While a zero-trust approach is not a security silver bullet, it is the best thing we have today. I jokingly compare it to the Titanic (obviously not from an execution perspective!). The Titanic was built around the concept that if a breach took place, it would flood one compartment and not the entire boat. Treating each identity domain separately, with its own authentication and authorization, is the same concept. You may have a user that gets compromised, you may have a system that gets compromised, but it shouldn't affect the rest of the organization — or it should buy you enough time to contain it before it does.

Bottom line: Zero trust is a phased approach, but if you start by focusing on users, data, access, and managed devices, you will make major steps in achieving better security. The business case can be a slam dunk when including all elements, including process optimization, efficiency gains, and recouped technology and infrastructure costs.


James Carder is the CISO and VP of Labs for LogRhythm and an IDSA Customer Advisory Board Member. He brings more than 22 years of experience working in corporate security and consulting for the Fortune 500 and US government. At LogRhythm, he oversees the company's governance, ...