IT Explainers

Asked and answered: What’s the first step in zero trust?

Like ‘Lord of the Rings,’ ‘John Wick 4,’ and the mall, zero trust is about Journeys.

Paper Boat Creative/Getty Images


Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Learning to trust—to feel safe with friends, dentists, a neighbor’s dog, that big coffee machine with all the buttons—can be difficult. Learning to not trust takes time, too, especially for IT teams who want to implement none of it.

An IT Brew reader asked: What’s the most important first step for a company on a journey to deploy a zero trust architecture?

Organizations building zero trust architectures need to do so one step at a time, and prepare to keep stepping. After all, it’s not the destination:

“It’s a journey for different organizations who will start with different types of maturity, start at different levels, but the journey will never end,” said Ismael Valenzuela, VP of threat research and intelligence at BlackBerry and a SANS Institute instructor.

The Cybersecurity and Infrastructure Security Agency (CISA) released updated guidance saying just that: “The path to zero trust is an incremental process that may take years to implement.”

But some IT pros haven’t yet set out from The Shire.

What is zero trust? The consultancy Forrester defines zero trust as an “information security model that denies access to applications and data by default.” The philosophy calls for continuous, contextual, and risk-based verification.

A February 2023 Forrester survey found that 88% of CIOs and CTOs said their leadership was committed to a zero trust security strategy.

CISA later, alligator. CISA’s updated Zero Trust Maturity Model divides implementation into a range of practices, from “traditional” starting points, to “advanced” practices, to “optimal” end-goals.

The agency added “initial” strides to the framework.

“The journey of 1,000 miles starts with one step. And now we’ve made the first step a little bit easier, because we’ve gone from traditional to initial, instead of traditional to advanced,” said CISA director Jen Easterly during April’s CrowdStrike government summit.

Some initial steps in the model:

  • Authenticating identity using multi-factor authentication (MFA)
  • Logging user and entity activity
  • Isolating critical workloads on the network

Finding zero. Before deploying tools like identity federation, managed detection and response, and firewalls to support initial efforts, however, there’s another important objective at the top of the to-do list: Find critical assets and data.

“What is that data? What are the applications processing that data? How does that data flow? Who has access to that data? And then you will be in a position to start looking at the technology to implement a lot of the zero trust principles,” said Valenzuela.

Once high-priority objects are defined, a kind of mini-implementation can guard a crown jewel or two.

“If I can protect that, then I can expand and show that value…you can take that architecture and expand across the enterprise,” said Prakash Venkata, partner in PwC’s advisory cyber practice.

“As the attack surfaces change, and the threats are changing, immediately you have to continuously monitor this and continuously upgrade, so there is no end to it,” Venkata told IT Brew.

As technologies emerge, policies must adjust accordingly. The ongoing effort takes a lot of time.—BH
