There’s been a lot of talk in the past few months about zero-trust networking and security. Zero-trust is a loaded term that screams marketing hype and makes networking and security professionals bristle at the idea of something so simplistic being the solution to all their problems regarding access and trust. How can you look at what zero trust offers and make it work for you?
Making Zero Trust Work
The critical step in operationalizing zero-trust is making it work for you. Yes, it does sound like some Zen philosophy on the surface. However, the key message is that you need to bend zero-trust to what you need to accomplish rather than just hoping that the magic box you bought from the vendor does everything it’s supposed to do.
You need to have a concrete use case for zero-trust in your network. You can’t just wave your hand in the air and hope that whatever it does is what you need. This is one of the biggest fallacies in vendor-driven product installations. You would never show up at a car lot and say, ‘Give me one of those things over there. I’m sure whatever it’s best at is exactly what I need.’
When you go car shopping, you have specific features in mind and goals to accomplish. Do you need passenger capacity? Cargo hauling capabilities? Do you want something that goes super fast and lets you feel the wind in your hair?
One of the companies that does a great job of defining the zero trust model use cases well is Illumio. During Tech Field Day 22, they showed off several very specific use cases. The theme was around Masterpiece Theater-style vignettes, which was hilarious and memorable for sure. This video might have been my favorite of the bunch:
This example use case is how you would make the case to your engineering teams. Here’s the cool stuff we can do specifically with this new tool. Here are the problems we can solve. That’s the easy part. The hard part is taking it to management. Why? Because you’re going to deal with two problems right away: money and potential for disruption. Management doesn’t like spending money unless they have to. Resource investment only makes sense to them with a payoff, either in increased productivity or more customers. The other problem feeds directly into increased productivity. If you disrupt what’s going on right now for something new, they’re going to be hesitant to implement it.
It’s almost better to sell your zero-trust deployment on the idea that you’re not just solving problems that are occurring today but also to set up that you can better anticipate issues that might come up tomorrow or in the near future. Investment is all about playing a long game. If you can convince your management team that they’re looking into the future to solve problems, you’re going to hook them and hopefully get the sign off you need to make this project work.
Easing Into Zero-Trust
Now that you have your sign off, you need to make a plan for getting this fancy new zero-trust deployment implemented. What’s your gameplay? If you said that you’re going to roll it out in a massive deployment to the entire company and get everyone on board with the new security paradigm all at once, you should start updating your resume right now. You might want to leave that last part out when you do. Huge massive cutover-style rollouts aren’t going to work here.
You need a phased approach to get zero-trust working the way you want. You need to identify your problem areas and make sure that you address them in a way that fixes their issues without breaking other things. If you aim small for your deployment, you’ll miss small, with hiccups in the rollout. It’s better to triage one or two applications or departments slowly than it would be to roll everything back at the eleventh hour during your big cutover because you hit a showstopper of a bug that you don’t have time to fix adequately. You need to do the small work first and figure out the best workflow to make it happen quickly with the right info.
One of the big things you can do to help with this is picking a solution that offers you the chance to map out your applications and security needs before you flip the switch to make it all live. Thankfully, Illumio has you covered there as well. They can build a real-time dependency map to show you what your applications are doing and their requirements. That way, when you develop your zero-trust policies and implement them, you can be assured that everything will work correctly from the software side. Reducing the number of bugs you need to troubleshoot during a phased rollout helps you focus on the user experience and ensure that it is seamless. Fewer user complaints mean fewer management meetings to justify your decision to implement this new tool.
Catching Exceptions Down the Road
Once you’ve got this new system in place and you’re phasing it in for more and more users, you need to start paying close attention to the data that you’re getting back in the system. Projects like this are a great way to surface issues that you didn’t know were present before or even cause situations to occur that you hadn’t anticipated.
Let me give you a very concrete example that has come up in recent weeks: monitoring programs. Before December 2020 we had just assumed that most monitoring programs had the run of the network. They could collect data from any device they wanted to talk to and then send that data along to wherever it needed to go. However, if those programs get compromised and used for nefarious purposes, the access that they have been given could spell disaster for your organization.
With a solution like Illumio, you can easily profile the behavior of the monitoring solution. Does it need to talk on a different port than standard SNMP? Should the connection be authenticated with a special user account that has no other privileges? Why is the monitoring server talking to so many other DNS locations that aren’t the company that made it?
These are all things that could come about because your new security solution has found things you weren’t supposed to be seeing. Zero-trust means you don’t trust anyone or anything until you can prove who or what it is and who or what it needs to talk to. Finding out that you have other issues going on under the surface is another great way to sell the solution to your management team.
Bringing It All Together
Zero-trust isn’t marketing hype. It’s a tool that you should be considering to make your network more secure and easier to manage. You need to sell it properly as the investment that it is, deploy it in stages to ensure that the rollout is smooth, and then be ready to keep an eye on things and expect the unexpected.
Thankfully, the team at Illumio has done a great job of planning out several specific use cases to help you with the selling part. They have the expertise and resources to help you ease through your implementation. Like all good security companies, they expect that they will face some interesting challenges in the future and plan accordingly. These keys lead to the best plan you can have to operationalize zero-trust in your environment.
For more information about Illumio and their zero-trust security solution, please visit their website at http://Illumio.com
