Looking back on 2023, it would be hard for organizations to say that standing still in the technology industry is a recipe for cybersecurity success. Beginning in the first half of the year, threat actors heavily leveraged Generative AI solutions like ChatGPT to build clever social engineering campaigns, achieve near real-time exploitation of zero-day vulnerabilities like MOVEit file transfer and continue pilfering stolen credentials to ravage organizations with ransomware across the globe.
Throughout history and well into recent times, humans have been hesitant toward change. Clinging to normalcy bias or avoidance of the unknown, when standard routines become threatened, innate psychological defense mechanisms kick in, compelling people to pause or simply resist the inevitable change. In a security context, traditional approaches to securing the organization remain valid in some cases but require some rebalancing and shifting of resources, including the addition of next-generation technology like artificial intelligence to effectively mitigate key technology risks heading into 2024.
Adoption of a Zero Trust Architecture (ZTA) provides a novel approach to handling today’s pressing cybersecurity and audit concerns by first instilling the core principles of “Never Trust, Always Verify” and “Assume Breach,” ushering in a new cybersecurity standard aimed to heavily reduce the chances of a successful cyber incident. Zero trust should be perceived as an upgrade or architecture complement, using most of what already exists in the security technology stack and making gradual improvements through solution additions, service provider expansions, integrations or strategic capability consolidations over time.
This blog post will inform practitioners and organizations looking to start the zero trust journey with necessary planning and prerequisite considerations that should be addressed prior to commencing zero trust technology or process initiatives, while also providing additional resources to internal audit departments to fulfill their role as trusted advisor to the business as zero trust efforts unfold. The below infographic provides summary details of the core pillars of zero trust, its maturity levels, and some of the primary control areas needed to achieve the standard, including widespread adoption of automation, orchestration, monitoring visibility and data analytics.
Figure 1 – The core pillars of zero trust include Data, Devices, Identities, and Networks, including the underlying Infrastructure, Applications, and their associated workloads. Automation, Orchestration, Visibility, and Analytics capabilities are required across each pillar to help drive protections across the zero trust architecture.
What solutions does zero trust provide?
With recent expansions of remote work opportunities, Bring Your Own Device (BYOD), and shifts to cloud resource providers, the traditional “castle and moat” approach to network defense is both incredibly blurry and, at worst, highly ineffective heading into 2024. This traditional approach would include an attempt to secure all critical corporate assets behind few network perimeters where the emphasis of security was placed. Then, via username and password authentication or remote VPN access, expansive access is granted to resources. These conditions stretch security and IT teams thin as more administrative overhead is required to manage devices, additional device profiles, rogue applications and unknown external networks.
Zero trust architectures and the prescriptive methods of controlling Data, Identities, Devices, Networks, Infrastructure and Applications are far more fluid and focused. Departing from the “authenticate once at the perimeter, then grant broad resource access inside” zero trust requires ongoing and adaptive authentication for users or devices attempting to access organizational resources. If user or device behavior changes, zero trust dynamic monitoring, policy orchestration and security automation tools can be positioned to shift security as needed to keep resources secure. The below table helps illustrate a progressive adoption of zero trust controls departing from the traditional network architecture to an optimized zero trust architecture.
Figure 2 – A subset of focused control activities that allow an organization to transition from the traditional network security architecture to a zero trust architecture.
Initial questions management may begin to consider that typically arise when a paradigm shift of this nature arises may include “What’s the first step?” or “Where should we start exactly?” Included below are five key areas that senior management should consider when implementing a zero trust architecture, along with some high-level discussion points for each area that should be undertaken internally and with external business partners where appropriate.
- Strategy Alignment and Executive Buy-in
- Understanding Business Goals: Align the zero trust framework or its implementation with overall business objectives and long-term strategy.
- Executive Support: Engage top management to understand the importance of zero trust and get their commitment early in the process.
- Communication Plan: Develop a comprehensive communication strategy to ensure that all levels of the organization understand the upcoming changes and their roles to help ensure continual success.
- Technology and Architecture Planning
- Assessment of Current Infrastructure: Review the organization’s existing systems, technologies and security protocols to determine what needs to be upgraded, replaced or expanded upon.
- Integration Requirements: Identify tools and technologies that will integrate seamlessly within the Zero Trust model and if any gaps exist that may undermine the transition.
- Scalability Considerations: Ensure that the chosen technology stack or leading solution providers can scale with the organization’s growth.
- Policy Development and Governance
- Creating Clear Policies: Develop well-defined policies around access control, user authentication, data protection and other aspects of zero trust outlined above.
- Compliance Alignment: Align policies with regulatory requirements such as GDPR, HIPAA or other industry-specific regulations the organization must adhere to.
- Training and Change Management
- User Training: Develop curriculums to train employees about the new security protocols and their operational responsibilities within the zero trust framework.
- Change Management Strategies: Use change management techniques to guide the organizational transition to zero trust smoothly and with purpose.
- Feedback Mechanism: Establish avenues for employees to provide feedback and ask questions during the transition.
- Monitoring, Analysis, and Continuous Improvement
- Real-time Monitoring and Analytics: Implement tools to monitor user device and network activity continuously.
- Incident Response Plan: Integrate with or develop zero trust-focused incident response plans to address any breaches or issues promptly.
- Ongoing Improvement: Regularly review the zero trust implementation to identify opportunities for refinement and enhancement. Utilize metrics and KPIs to measure success and guide ongoing improvement.
By considering the key areas outlined throughout this blog post, senior management can work toward the successful implementation of a highly functional zero trust architecture that aligns with core business objectives and leverages the appropriate technology, all while ensuring compliance and governance remain intact. Internal audit departments exist to consult senior management and ensure the organization remains aware of the core risks facing the business and impacting the achievement of core objectives.
ISACA has developed a zero trust audit program spanning nearly 60 core zero trust control activities that can help ease the transition from a traditional network security architecture that is poised to produce ongoing security challenges to one that is primed to repel security threats while fully assisting necessary assurance efforts. Download the audit program here.