The Definitive Guide to Zero Trust Security
As well as talking through the concept, we will offer context around the importance of this topic and the processes and technology we can put in place to achieve Zero Trust.
If you’ve worked in the IT industry long enough, you’ll no doubt have seen various models and methodologies covering a wide range of technology sets.
Zero Trust is, at its core, an IT security framework that covers the following key concepts:
Of course, there are many moving parts here. But the key concept to take away from this diagram is that each part of the Zero Trust model works in unison to provide the protection companies require in the Information Age.
The term Zero Trust was coined in 2010 by Forrester Research Inc. Soon afterwards, Google suffered a breach which resulted in the loss of intellectual property (IP). Google understood that the traditional enterprise security model was problematic and developed its own Zero Trust model – BeyondCorp.
Google’s focus on Zero Trust provided the impetus required to bring this approach to the modern enterprise. In 2019, Gartner understood that the future is in the ‘cloud’ and coined the term secure access service edge (SASE).
Secure access service edge is the unification of Zero Trust security and wide area network (WAN) capabilities to support dynamic, secure access.
New threats are continually emerging and existing threats are evolving. These threats can come from a variety of sources, both internally and externally.
The approach of protecting your business at the boundary no longer provides sufficient protection in today’s threat landscape. If you head off on holiday and leave your car in long-term parking you feel content in the knowledge that it’s safe. You’ve closed the windows, locked the doors and put all valuables out of sight.
Would you feel quite as content if you’d locked the doors but left the windows open and the keys in the ignition?
Achieving Zero Trust is a multi-stage process involving several teams. In this section, we’ll discuss the key steps your business needs to take.
The first step in the path to Zero Trust is crucial. Without the support of key stakeholders, promoting the shift to a Zero Trust environment will be extremely difficult. It is important to outline the business benefits and the critical goals of the Zero Trust Security Model.
Zero Trust is not only focused on the security teams. There’s going to be a lot of input from several departments within the business. So, you must have full visibility into all the moving parts that will be required. After all, you cannot protect what you cannot see or have no knowledge of. Understanding the devices, applications, flows and permissions in your existing estate will go a long way towards improving your network security.
With stakeholder buy-in and a full inventory of your existing estate, you can now begin to create the overall design that will lead you to implement Zero Trust. Be prepared, it’s going to be a large piece of work with input from several teams. Each section of the design requires careful consideration, giving specific attention to the potential impact that each component will have on one another.
Within the design, it will be essential to understand and call out the new components required for the shift to Zero Trust. Examples are identity management, multi-factor authentication (MFA), segmentation, encryption, SSO, certificates and so on.
If you don't have the technologies required, consider engaging with vendors who offer the solutions and can help you understand them fully. Within the design keep a focus on integration and avoid the use of standalone, disparate solutions that increase the workload of relevant support staff and decrease the efficacy of the data produced.
Where possible, all solutions should be thoroughly tested in a lab environment before any production roll-out. The key to lab testing is to have a representative environment that mimics your production environment as closely as possible. Build out the components required for Zero Trust and have a detailed plan in place to test all possible scenarios. It is important to understand what the business impact would be if one part of the Zero Trust architecture fails – will this mean users cannot access the resources they require and what mitigations are in place for this?
Use the lab testing to make informed design decisions and revise the overall design if needed. If the design is modified, test some more.
Only once full lab testing has been completed and design decisions have been taken can you move on to the phased deployment of the Zero Trust Security Model. New hardware and applications can be stood up during this phase, and key test users should be selected. These test users will need to undertake training on the use and impact of the new solution and have a clear reporting structure for recording any issues.
The test users must use their machines and applications as they would on a typical business day. Use the feedback from this initial phased deployment to fine-tune the solution and iron out any issues. Once you’ve completed this, you can move on to phase two of the testing and bring in more users.
Once the phased deployment stages are complete, you need to take time to review all the results, understand any design decisions that were taken as part of the testing process and create a plan for the production roll-out based on these results.
Manage business expectations by ensuring that key stakeholders are aware of the progress at every stage. Before the production roll-out, we recommend having a detailed, structured plan in place, as well as back-out strategies and company-approved timescales. As with the phased testing deployment, user training is vital. Users need to be fully aware of what will change, what the new requirements are, how to report issues and how to receive the required level of support.
The production roll-out should follow a similar methodology to the phased testing deployment. For example, if you have 50 sites, deploy one at a time and have a clear structure in place to roll out to the least critical locations first. Be sure not to deploy all components of the Zero Trust solution at once. Take the time to roll out individual pieces and gather as much feedback and data as you can. For example, you could stagger the roll-out of least-privilege access and MFA, then begin to bring in micro-segmentation and network access policy enforcement.
Data gathering is critical to a successful Zero Trust deployment. It should take place at all stages of the deployment so that any issues can be proactively identified and managed to create the best possible user experience. Verify that what you’re attempting to protect is actually being protected and that the new measures you’ve put in place have the desired effect.
Here at Forfusion, we focus primarily on the Cisco portfolio of networking and security products. Keep an eye out for our new blog posts that will go into further detail on the technologies mentioned in this section. But in the meantime, you can find a brief overview below.
Cisco Software-Defined Access delivers policy-based automation of users and devices, from the edge to the cloud. Microsegmentation is made possible by the coupling of the SD-Access fabric and Identity Services Engine. Read our white paper here.
Cisco Identity Services Engine (ISE) is a policy management and control platform for wired, wireless and VPN access. It supports BYOD, guest access and Cisco TrustSec services. Cisco TrustSec simplifies policy management by assigning a unified tag to each session, so access can be granted based on that tag irrespective of user location, rather than on constantly changing IP addresses.
Cisco Firepower Threat Defence (FTD) combines the Cisco ASA and FirePOWER feature sets into one unified image. Traditional ASA features are now complemented by NGIPS, Application Visibility & Control, Advanced Malware Protection, URL and DNS filtering - and much more. Firepower Threat Defence also provides remote access VPN features using the AnyConnect client as well as site-to-site VPN connectivity. It’s all managed through the Firepower Management Centre, a single pane of glass view into your FTD estate.
Cisco Advanced Malware Protection is an intelligence-powered, integrated enterprise-class advanced malware analysis and protection solution. You get comprehensive protection for your organization across the attack continuum: before, during and after an attack.
Cisco Duo is a user-centric access security platform that provides two-factor authentication, endpoint security, remote access solutions and more.
Cisco Stealthwatch provides enterprise-wide visibility, from the private network to the public cloud. It applies advanced security analytics to detect and respond to threats in real-time. Using a combination of behavioural modelling, machine learning and global threat intelligence, Stealthwatch can quickly and confidently detect threats such as C&C attacks, ransomware, DDoS attacks, illicit crypto mining, unknown malware and insider threats. With a single, agentless solution, you receive comprehensive threat monitoring across your data centre, branch, endpoint, cloud and even encrypted traffic.
Cisco Web Security Appliance (WSA) addresses the need for a corporate web security policy by offering a combination of web usage controls with category and reputation-based control, malware filtering and data protection. Cisco Email Security is your complete defence mechanism against phishing, business email compromise and ransomware. Get threat intelligence updates every three to five minutes through Cisco Talos for the most up-to-date protection.
Cisco Application Centric Infrastructure (ACI) is the SDN of the data centre world. Offering a holistic architecture with centralised automation and policy-driven application profiles, ACI delivers software flexibility with the scalability of hardware performance. By using segmentation, Cisco Tetration enables a zero-trust model that offers comprehensive workload protection for multi-cloud data centres.
Cisco Umbrella unifies firewall, secure web gateway, DNS-layer security, cloud access security broker (CASB) and threat intelligence solutions into a single cloud service to help businesses of all sizes secure their network. Cisco also offers Cloudlock, featuring data loss prevention (DLP) technology that continuously monitors cloud environments to detect and secure sensitive information. It provides countless out-of-the-box policies as well as highly tuneable custom policies.
Cisco SecureX is the broadest, most integrated security platform that connects the breadth of Cisco's integrated security portfolio and the customer's infrastructure for a consistent experience. It unifies visibility, enables automation and strengthens your security across network, endpoints, cloud, and applications - all without replacing your current security infrastructure or layering on new technology.