10/23/2019
02:00 PM
James Carder
Commentary
Planning a Zero-Trust Initiative? Here's How to Prioritize

If you start by focusing on users, data, access, and managed devices, you will make major strides toward achieving better security.

My team and I have been on a journey toward implementing an identity-centric zero-trust approach over the last three years, leveraging existing technologies and fitting within existing budget and resources.

I was recently asked, for an organization planning a zero-trust initiative in 2020, where would I recommend prioritizing efforts when neither budget nor resources are unlimited? That is the key question for most companies considering a zero-trust initiative. Our journey will end up spanning four to five years, but by sharing our story and contributing to the Identity Defined Security Alliance (IDSA), we hope that others can move faster and achieve a stronger security posture with fewer resources.

My experience leads me to offer three key pieces of advice:

First, focus on the data: understand where sensitive data lives and the transactional flow of that data between users, systems, and applications.

Next, direct your attention to user governance and device trust. These two items will provide you the most value, quickly.

Last, create a business plan outlining all the areas of return on investment. Include a reduction of IT spending associated with technologies that are no longer needed once your zero-trust implementation is complete, such as firewalls, VPNs, and Active Directory. Then detail the process optimizations and automations with IT that not only reduce the need to manage the legacy environment but also automate areas where IT spends the most time and resources. This is a wonderful way to show a recoup of your initial spending on zero trust.

The chart below maps out our progress and recommendation for how to prioritize the phases of your journey. The time frame for moving through each phase and the associated costs will depend on things such as size and complexity of the organization, available resources, and existing cybersecurity technologies. The graphic below depicts what it will cost LogRhythm — a 600-employee, software-as-a-service–driven, security product development company.

Source: LogRhythm

Phase 1/Year 1: In the first phase, focus on security basics and shoring up your compliance program, if needed. In addition, the initial phase should identify potentially sensitive data and business-critical applications that store or have access to sensitive data. Then, map out the data flows and update application inventories. This will be the basis for the governance of your users, systems, applications, roles, and so forth as you move forward.

Phase 2/Year 2: Select a single source of truth, such as a human resource management system (HRMS), from which you can provision roles, applications, entitlements, and access. In addition, implement a single sign-on (SSO) solution and multifactor authentication (MFA) for critical applications, if you have not already deployed them in your organization. Selecting a single source of truth provides opportunities to recoup costs associated with multiple directory technologies, and implementing SSO and its self-service capabilities (password reset, for example) can reduce help desk costs, as well as improve efficiency in provisioning and deprovisioning (including move, add, and change requests).

Phase 3/Year 3: Implement and integrate mobile device management (or unified endpoint management) and privileged access management to only allow sensitive data to be accessed by trusted devices. The Identity Defined Security framework provides guidance on use cases and integrations needed to bring your existing identity and security technologies together.

Phases 4 and 5: These start to bring in more advanced use cases, such as a cloud access security broker (CASB) to protect sensitive data in the cloud and advanced user and entity behavior analytics (UEBA) capabilities to detect and respond to anomalous user behaviors. However, our perspective is that after implementing the first three phases you are already more than 50% of the way along the path to maturity.

In developing the business case for the first three phases, there are several opportunities to recoup costs. In our situation, 60% of our IT help desk tickets were dealing with moves, additions, and changes associated with people. By building an integration between our identity access management system and ADP (our single source of truth), we reduced our help desk volume by 60%. With zero trust, architectural components such as backup directories, on-premises firewalls, and VPN solutions — and even Active Directory — are no longer needed, providing an opportunity to shift money in the budget to support spending on technologies that may not already be deployed, such as UEM, CASB, and UEBA.
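The HRMS-to-IAM integration described in Phase 2 and above (ADP as the single source of truth driving moves, adds, and changes) boils down to a reconciliation loop. The following is an added illustration, not LogRhythm's code; the roles, entitlement names, and user records are constructed sample data, and the HRMS and IAM are stood in for by plain Python structures.

```python
from dataclasses import dataclass

# Role -> entitlements as the HRMS (single source of truth) defines them. Constructed sample.
ROLE_ENTITLEMENTS = {
    "engineer": {"sso:github", "sso:jira"},
    "finance": {"sso:erp", "sso:expense"},
}

@dataclass(frozen=True)
class HrRecord:
    user_id: str
    role: str
    active: bool  # False for leavers

def reconcile(hr_records, iam_accounts):
    """Diff the HRMS roster against IAM (user_id -> granted entitlements); return actions."""
    actions = []
    hr_by_id = {r.user_id: r for r in hr_records}
    # Leavers and orphans: any IAM account not backed by an active HR record is removed.
    for uid in sorted(iam_accounts):
        rec = hr_by_id.get(uid)
        if rec is None or not rec.active:
            actions.append(("deprovision", uid, frozenset(iam_accounts[uid])))
    for rec in sorted(hr_records, key=lambda r: r.user_id):
        if not rec.active:
            continue
        desired = ROLE_ENTITLEMENTS.get(rec.role)
        if desired is None:  # unknown role: never guess entitlements, route to a human
            actions.append(("review", rec.user_id, rec.role))
            continue
        current = iam_accounts.get(rec.user_id)
        if current is None:  # joiner
            actions.append(("provision", rec.user_id, frozenset(desired)))
            continue
        if desired - current:  # mover gaining access
            actions.append(("grant", rec.user_id, frozenset(desired - current)))
        if current - desired:  # mover losing stale access
            actions.append(("revoke", rec.user_id, frozenset(current - desired)))
    return actions

def sample_actions():
    """Run reconcile() over a constructed roster: joiner, mover, leaver, orphan, unknown role."""
    hr = [HrRecord("alice", "engineer", True), HrRecord("bob", "engineer", True),
          HrRecord("carol", "finance", False), HrRecord("dave", "engineer", True),
          HrRecord("erin", "contractor", True)]
    iam = {"alice": {"sso:github", "sso:jira"}, "bob": {"sso:erp", "sso:expense"},
           "carol": {"sso:erp", "sso:expense"}, "frank": {"sso:github"}}
    return reconcile(hr, iam)
```

Every action is derived from the HR record rather than from a ticket, which is where the help desk savings come from; the orphan account with no HR record behind it is the case a ticket-driven process tends to miss.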

While a zero-trust approach is not a security silver bullet, it is the best thing we have today. I jokingly compare it to the Titanic (obviously not from an execution perspective!). The Titanic was built around the concept that if a breach took place, it would flood one compartment and not the entire boat. When you look at a separate identity domain and how you authenticate, and authorize it separately, it's the same concept. You may have a user that gets compromised, you may have a system that gets compromised, but it shouldn't affect the rest of the organization — or it should buy you enough time to contain it before it does.

Bottom line: Zero trust is a phased approach, but if you start by focusing on users, data, access, and managed devices, you will make major steps in achieving better security. The business case can be a slam dunk when including all elements, including process optimization, efficiency gains, and recouped technology and infrastructure costs.


James Carder is the CISO and VP of Labs for LogRhythm and an IDSA Customer Advisory Board Member. He brings more than 22 years of experience working in corporate security and consulting for the Fortune 500 and US government. At LogRhythm, he oversees the company's governance, ...