5 Best Practices from Industry for Implementing a Zero Trust Architecture
Zero trust (ZT) architecture (ZTA) has the potential to improve an enterprise’s security posture. There is still considerable uncertainty about the ZT transformation process, however, as well as how ZTA will ultimately appear in practice. Recent executive orders M-22-009 and M-21-31 have accelerated the timeline for zero trust adoption in the federal sector, and many private sector organizations are following suit. In response to these executive orders, researchers at the SEI’s CERT Division hosted Zero Trust Industry Days in August 2022 to enable industry stakeholders to share information about implementing ZT.
In this blog post, which we adapted from a white paper, we detail five ZT best practices identified during the two-day event, discuss why they are significant, and provide SEI commentary and analysis on ways to empower your organization’s ZT transformation.
Best Practice 1: Inventories
Develop and maintain comprehensive inventories that include data, applications, assets (emphasizing high-value assets [HVAs]), services, and workflows.
When considering a ZT transformation effort, it is important to develop and maintain a comprehensive inventory of data, applications, assets, and services (DAAS) per the National Security Telecommunications Advisory Committee (NSTAC) and Department of Defense (DoD) Zero Trust Reference Architecture. This inventory helps organizations understand their baseline enterprise architecture, as well as the steps necessary for ZT transformation. This practice aligns with NIST’s position described in SP 800-207, which states that “all data sources and computing services are considered resources.”
As discussed in the June 2022 SEI Blog post The Zero Trust Journey: 4 Phases of Implementation, organizations must conduct a wide variety of inventories prior to engaging in ZT transformation efforts. These include inventories of enterprise assets, subjects within the network, data (and subsequent flows), and the workflows for typical user activities. These inventories strengthen the organization’s understanding of its current network architecture, which serves as the foundation for the organization’s future architecture (developed in alignment with ZT tenets). Organizations must strive to update these inventories continually to ensure their continued accuracy and effectiveness.
During the Appgate presentation at the SEI’s Zero Trust Industry Day, Jason Garbis suggested that inventories should be conducted within the first 90 days of a ZT transformation effort. The first 90 days should be focused on “establishing a baseline of assets and device inventory,” developing a “baseline of identity provider services,” and inventorying/validating practices such as multi-factor authentication (MFA) and patching. These inventories provide organizations with a better understanding of their enterprise devices, networks, and related interdependencies.
At the event, Ericom, another major vendor in the ZT space, reaffirmed the importance of inventories to identify “assets, access, and control points” to define the organization’s device inventory and “asset interception.”
Jose Padin, Jeremy James, and Bob Smith from ZScaler also asserted the importance of developing reliable asset inventories by ensuring that the organization participates in CISA’s Continuous Diagnostics and Mitigation (CDM) program.
Best Practice 2: Auditing/Logging
Auditing and logging are critical, considering the dynamic nature of ZT.
Logging and auditing of inventories are key components of implementing dynamic ZT policies. At the event, Zscaler’s Jose Padin, Jeremy James, and Bob Smith discussed how inventories are used to “understand which assets and events need to be monitored, and why,” leading us to consider logging and auditing capabilities during ZT transformation. Cimcor’s Mark Allers discussed how maintaining a full audit trail is essential for ensuring proper functionality and governance over a ZT network, ultimately bolstering “integrity, security, and operational availability.”
Zscaler speakers also discussed how traditional logging mechanisms often collect an exceptional amount of data, making it difficult to “separate signal from noise.” In response, organizations must focus on logging data in a way that emphasizes key indicators of compromise, such as user activity and firewall allow-block policies. These logs should be properly structured, fine-tuned in scope, and continually leveraged for real-time monitoring/alerts. These considerations are exponentially more important when considering the dynamic nature of ZTA, where the policy decision points (PDPs) and policy enforcement points (PEPs) rely on actionable intelligence gathered from inside and outside the network to help inform ZT decision making.
1Kosmos’s Mike Engle and Blair Cohen discussed how audit immutability is an especially important consideration since a proper audit trail “mitigates the risk of bad actors changing their log files to cover their tracks.” The threat to logging and auditing must be a key consideration when deciding on ZT strategy and implementation. This threat has led vendors such as 1Kosmos to adopt distributed ledgers to protect enterprise log files in meeting ZTA requirements. Log retention policies are also important to keep in mind; Zscaler recommends that organizations keep 12 months of active logs on hand and 18 months of logs in cold storage.
Best Practice 3: Governance and Risk
ZT is a complex paradigm with a relatively long journey from introduction to maturity. Organizations should leverage governance and risk management to help plan, implement, and support the ZT journey.
During a ZT transformation effort, organizations encounter barriers to progress during different stages of the journey. Many of these barriers arise when the organization lacks a solid and comprehensive understanding of ZT. The organization must have a realistic sense of what the transformation effort will accomplish and understand which parts of the organization will be affected. These and other elements factor into the organization’s ZT strategy, which provides the foundation for its approach throughout the entire process.
Organizations must have proper funding/budgeting, a roadmap, and the necessary personnel to carry out major ZT initiatives. A roadmap identifies when specific capabilities are envisioned to be implemented within a specific timeframe. Creating such a roadmap requires appropriate funding and budgeting, as well as ensuing appropriately trained personnel are available to support the implementation.
At the event, Appgate’s Jason Garbis discussed how ZT initiatives are often best performed in segments, which can be divided into 90-day and yearly increments. The first 90 days are crucial for developing a solid foundation for the initiative, while the subsequent years focus on implementation, modification, and operation/optimization.
Organizations can also conduct small-scale pilot inventories during the ZT initiative, allowing them to reduce their risk as they figure out their practices and processes. This will enable the organization to be more effective as it rolls out the ZT implementation on a large scale.
Personnel allocation and expertise can be problematic during a ZT initiative. The organization must ensure that it has qualified personnel who can support the initiative throughout the entire lifecycle. The organization must then identify what competencies it has, what gaps exist, and how it will address these gaps through training and/or external expertise with regards to zero trust.
Vendors such as 1Kosmos offer a “self-evident administrative experience,” which theoretically allows “any IT administrator that is proficient with existing software concepts to utilize [the ZT solution],” with the caveat that they will require several hours to become familiar with the solution’s capabilities and configuration. 1Kosmos includes extensive documentation and training materials that organizations can use to fill knowledge gaps.
Overall, at the Zero Trust Industry Day event, vendors suggested that compatibility and interoperability should be considered throughout the transformation process. Leveraging application programming interfaces (APIs) will facilitate integration and support the dynamic, continuous nature necessary for zero trust.
Best Practice 4: Cloud and Virtual Solutions
Leverage cloud and virtual solutions when they reasonably fit into an organization’s ZT journey to decrease overall risk.
Solutions exist to shift many core functionality services from on-premises resources to cloud and virtual resources. Cloud solutions are not universally deemed as more efficient or less expensive, but cloud service providers assert that they are ideal for handling complex operational capabilities that are part of ZT, particularly within the Identity and Device pillars of the CISA Zero Trust Maturity Model. One notable example of a properly leveraged cloud solution is the implementation of authentication and access management across the cloud (identity providers), onsite infrastructures, and external devices/capabilities. Cloud solutions can also reduce the prevalence of Shadow IT throughout the enterprise and increase the visibility of assets and inventory (Shadow IT refers to software and/or hardware that is used within an organization without the approval or knowledge of the organization’s IT department).
1Kosmos’s Mike Engle and Blair Cohen stated that remote access, operating systems, and single sign-on (SSO) gateways make up 80 percent of the MFA surface. All of the vendors participating in Zero Trust Industry Day 2022 seemed to agree on the importance of MFA and offered a variety of services leveraging MFA using cloud/virtual computing.
Some vendor solutions allow organizations to move their PDPs/PEPs into the cloud and include capabilities to increase the organization’s visibility of network traffic and other activity. These ZT edge solutions can observe traffic between subjects and cloud or on-premises resources, enabling cloud solutions to perform access-related decision making in real time. Some vendors also offer hardware solutions to tie resources into the cloud, providing IT personnel with an improved perspective over all enterprise resources. These integration solutions can increase the organization’s compliance with ZT requirements, help or improve DAAS inventories, and provide logging and auditing data.
Best Practice 5: Automation, Orchestration, and API
Use automation, orchestration, and API to optimize maturity.
Optimal ZT maturity includes features, such as the continuous validation of identities, device monitoring and validation, encrypted traffic, and dynamic data policies (e.g., leveraging machine learning for data tagging). Without automation and APIs, it is significantly harder to perform the practices described in this post effectively, such as collecting and updating an inventory, auditing and logging, implementing security guardrails as part of governance and risk management, or leveraging cloud and virtual solutions that must automatically communicate with multiple other inventory components to function properly.
For example, during their presentation, Zscaler’s speakers recommended automation of data categorization using tagging to help manage access to sensitive data. Logging is another example where organizations can use automation and orchestration to augment cybersecurity detection and response. With logging, organizations perform some amount of analysis to help triage and respond to events in a manner that requires minimal interaction with system users. It is also important to remember, however, that people cannot be removed from the loop completely in many cases. Moreover, it is possible to pursue automation beyond what is feasible and efficient. Although PDPs/PEPs can make decisions automatically without human input, automation in functions such as auditing and logging are likely used to preprocess data to give people access to information that is more useful and contextual than the original data (e.g., providing data tags, related contextual events, and other information that would normally be needed to understand the event being reviewed).
Automation can be particularly useful during the second and fourth phases of the four-phase ZT journey—Prepare, Plan, Assess, and Implement. Although there is room in every phase for automation, orchestration, and APIs to reduce manual tasks, automation can greatly help:
• in the Plan phase to improve the speed and efficiency of inventorying resources
• during the Implementation phase to operate and perform change management
The key to using automation effectively is empowering staff to make effective and accurate policy decisions without the need for manual intervention (except in extreme cases that result in organizational disruption).
Transitioning to the Federal Realm
The SEI Zero Trust Industry Day 2022 provided a scenario for industry stakeholders to react to and demonstrate how they would tackle practical problems when a federal agency is adopting ZT. As a result, the SEI identified several best practices discussed by these stakeholders that help government organizations plan their ZT journey. Presenters at the event showcased various solutions that could address the many common challenges faced by federal agencies with limited resources and complex network architectures, as described in the scenario. Their insights should also help all government organizations better understand the perspectives of various vendors and the ZT industry as a whole and how those perspectives fit into overall federal government efforts. We at the SEI are confident that the insights gained from SEI Zero Trust Industry Day 2022 will support organizations as they assess the current vendor landscape and prepare for their ZT transformation.
Read the SEI white paper on which this blog post is based, Industry Best Practices for Zero Trust Architecture, by Timothy Morrow, Matthew Nicolai, and Nathanial Jacob Richmond.
Read the SEI Blog post The Zero Trust Journey: 4 Phases of Implementation by Timothy Morrow and Matthew Nicolai.
View the SEI Podcast The 4 Phases of the Zero Trust Journey with Timothy Morrow and Matthew Nicolai.
View the webcast Zero Trust Journey by Tim Morrow and Geoffrey Todd Sanders.