Applying Zero-Trust Principles: Case Studies and Lessons From the Field – Source: securityboulevard.com

As cloud architectures, software-as-a-service and distributed workforces have increasingly become the dominant reality of today’s modern organization, the zero-trust security model has risen to prominence as the preferred security paradigm.

As a result, there’s an almost paralyzing number of publications and resources that describe zero-trust security principles and the components that make up a zero-trust architecture (ZTA). What the industry lacks is a diverse library of examples that showcases the adjustments and decisions practitioners make when applying zero trust to existing environments and use cases. 

In the interest of addressing this gap, the non-profit organization Advanced Cyber Security Center interviewed its membership to understand how organizations of different sizes and across industries were implementing zero-trust and what lessons they could share with others seeking to do the same. 

After talking to more than a dozen real-world practitioners representing a diverse cross section of organizations who had differing levels of zero-trust maturity, three foundational themes emerged as the most critical to the success of implementing zero-trust principles.

1. Define your zero-trust perimeter. While an optimal scenario would result in an entire organization’s infrastructure operating under zero-trust principles, the reality is that for many, such an endeavor is either prohibitively expensive (particularly for an existing operational environment) or would introduce unacceptable impediments to business velocity—or both. Clearly defining the edges of what can be tightly controlled and what cannot is critical to ensuring that those areas don’t “bleed” into each other and compromise the integrity of your zero-trust architecture. Interviewees highlighted a handful of different ways to draw the perimeter:

• Regulatory-dictated perimeter: In the case of one Fortune 100 insurance company, regulatory pressures around payment card information (PCI) drove the adoption of zero-trust principles and the resulting scope of the zero-trust environment. 
• Risk-based perimeter: One Global 500 energy company represented the approach of many of our panel members, with the head of cybersecurity innovation, technology and architecture stating, “Base your zero-trust strategy, priorities and initial perimeter on the current state of your highest-risk environments.”
• Opportunistic perimeter: A multinational technology company with a highly federated enterprise architecture had neither the interest nor corporate structure to enforce zero-trust across all or even most aspects of the organization. That said, zero-trust is a desired state, so this company has taken an opportunistic approach. As the senior manager of enterprise security architecture put it, “Zero-trust can thrive in greenfield projects. But for most situations, you need to be opportunistic and focus on ‘next-gen’ projects to adhere to zero-trust principles.”
• Technology-defined perimeter: Of the inhibitors to zero-trust adoption, technology limitations are the most straightforward. One example highlighted by an IT and cybersecurity solutions provider was an external system such as a software-as-a-service (SaaS) application that doesn’t support single sign-on (SSO) through its chosen identity provider. When faced with such a scenario, they make a risk determination based on the classification of the data that will be stored or processed within the system.

2. Use an incremental implementation strategy designed for organizational impact. What stood out in our panel was how differently organizations defined the journey. Some chose to implement individual zero-trust elements sequentially across their organization, while others implemented all zero-trust best practices at once, but to small groups at a time. 

• Sequential approach: Begin with identity. For one global insurance company, zero-trust was a corporate strategy and would be deployed across its multiple global platforms. As a result, harmonizing identity needed to be the first step to controlling access. 
• Small group approach: Incremental progress through successive implementations. A large federal agency with dozens of groups had a federal mandate to adopt zero-trust principles. They elected to implement the CISA model in its entirety, group by group. By starting with the most technologically advanced organization rather than the weakest, they were able to focus on unanticipated hiccups in the project without distraction.

In either case, an incremental approach can produce faster, more frequent “wins” that build organizational momentum. That said, regardless of how incremental implementation is broken up, our panel emphasized the importance of defining a governance model to oversee incremental implementations, especially over time, as initiatives could stretch for years. Such governance need not remain a wholly separate initiative but instead can leverage existing governance structures such as regularly scheduled architectural reviews and sign-off processes.

3. Identify and sustain an internal evangelism strategy to assure long-term success. To be successful in zero-trust, organizational buy-in needs to be obtained both for initial adoption and for long-term accountability. No matter how you approach zero-trust at the outset, your goal should not just be to implement a zero-trust architecture, but also to sustain zero-trust principles over time through active management and accountability. 

• Associate Zero-Trust with Business Objectives: For a not-for-profit member with government connections, the zero-trust initiative was tied to an immediate need: The ability to securely support remote work. For a national corporation, there was a widely accepted business imperative around cloud transformation. As an organization-wide initiative, the cloud transformation initiative provided a golden opportunity to strengthen security during the architectural redesign.
• Operationalize accountability for long-term success: For companies that don’t have full organizational buy-in, the long-term success of a zero-trust environment is entirely dependent on the accountability structure. Our panel warns zero-trust leaders to consider what kind of support system will be needed after deployment for accountability and incremental improvements—and to build that structure in during implementation rather than after.

Zero-trust transformation is best understood as a journey—one that is likely to require years of concentrated effort and, in many cases, may never achieve full adoption. Despite that, there are immense security and operational benefits to transitional implementations of zero-trust, including shrinking trust boundaries, gaining granular control over access requests and increasing visibility into an organization’s sprawling perimeter of users, devices, applications and platforms. By moving your organization away from the traditional location-based security model (however incrementally) and toward a continuous and adaptive system of explicitly and automatically validating access controls, you will naturally, and in most cases, dramatically, improve your security posture. 

Additional insight from ACSC’s member organizations can be found in the full report, “Adapting Zero-Trust Principles: Case Studies and Lessons from the Field,” which is available for free on ACSC’s website.