Today’s cybersecurity landscape has promoted zero trust to the top of the agenda for teams and CISOs alike. Nitin Uttreja, CISSP, shares his experience and a plan for implementing zero trust in an organization.

In the cybersecurity community, there's a growing buzzword: zero trust. It’s as if everyone has suddenly woken up to the idea that perimeter-based security to protect our digital environment just isn’t cutting it anymore. As cyber threats evolve and become more sophisticated, zero trust has emerged as a not-so-new school of thought, offering a proactive and nuanced approach to keeping our digital spaces safe. So, what’s the big deal with zero trust?

Imagine your network as a large corporate headquarters: a sprawling campus with multiple buildings. In the old days, the focus was on the main gate, checking badges as employees and visitors enter. But what if an intruder manages to sneak inside? That's the wake-up call zero trust brings to the table. It's not just about guarding the perimeter; it's about having security protocols at every door, elevator and server room – constant verification that each person is where they should be and accessing only what they need and are authorized to touch, at every moment they're on the premises.

As the name suggests, zero trust takes a “trust-no-one” approach, whether someone is accessing an application from inside or outside of the network. It’s about verifying everything – every user, every device – every time someone tries to access something.

Building a Defensible Security Architecture

Establishing a zero trust framework requires a strategy. And the key to this strategy is understanding the importance of safeguarding sensitive data and implementing rigorous access controls. I’m going to explain how, in my roles, I’ve navigated this paradigm shift towards zero trust security.

Define What to Protect

The first step in aligning with zero trust principles is understanding what needs protection. Cybercriminals are primarily motivated by financial gain, targeting data that carries value on the dark web. Determine what your organization's sensitive information and systems are – these are the assets that, if compromised, could cause significant damage. Prioritizing the protection of your most valuable assets is a critical step before you define the roadmap for zero trust architecture.

Locate Sensitive Data

Sensitive information may reside in various locations within an organization, such as laptops, servers, databases, and cloud solutions. Knowing where your sensitive data resides is critical in building a zero trust strategy.

Map the Transaction Flows

Understanding how data moves within your network, from one asset to another, is another key step. Mapping transaction flows reveals the paths users and systems take to access data; knowing these paths has enabled me and my teams to develop targeted security measures.

Build and Implement a Zero Trust Policy

Develop and apply a zero trust policy that limits access to resources according to a strict need-to-know standard. You need to ensure robust authentication for all access efforts, to reinforce your network's defense against unauthorized access.

Log and Continuously Monitor

Forward all logs to a central location for anomaly detection and decrypt layer 7 traffic at gateways to inspect for malicious activity. This comprehensive approach is crucial for maintaining a zero trust framework.

Implementing Zero Trust: Key Solutions

In my experience, several technologies and strategies have been pivotal in transitioning organizations I’ve worked at towards a zero trust architecture. A few of them are as follows:

Network Access Control (NAC)
NAC solutions can play a vital role in ensuring that devices connecting to the network are compliant with security policies. A NAC solution can authenticate and authorize endpoints and conduct security posture assessments to ensure devices are equipped with necessary protections like antivirus and disk encryption. Further integration with configuration management databases (CMDB) can enhance visibility into unmanaged devices.

Micro-segmentation
Flat networks tend to fail miserably. By contrast, micro-segmentation is a strategy to break down a network into smaller, more manageable zones, and to control east-west traffic with firewalls. Such an approach establishes protected areas within the network, preventing threats from propagating from one segment to another in the event of a breach.

Identity Framework
Creating a solid identity framework is pivotal in shaping a zero trust architecture, integrating principles like least privilege, role-based access control (RBAC), and multi-factor authentication (MFA). Define your RBAC roles with the minimum level of access, and have users and systems consume these roles to access resources. MFA then adds an essential layer of security on top.
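To make the policy, NAC and identity sections above concrete, here is an added example (not code from the article or its author) of a per-request policy decision function: every request is re-evaluated for MFA, device posture (antivirus and disk encryption, as a NAC check would report) and RBAC role membership. The role table, device attributes and resource names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool          # known to the CMDB / enrolled in NAC
    antivirus_ok: bool     # posture attribute reported by the NAC agent
    disk_encrypted: bool   # posture attribute reported by the NAC agent

@dataclass(frozen=True)
class Session:
    user: str
    roles: FrozenSet[str]  # roles the user consumes; no direct grants
    mfa_verified: bool
    device: Device

# Hypothetical RBAC table: role -> permitted (resource, action) pairs.
# Each role is deliberately minimal (least privilege).
RBAC = {
    "payroll-analyst": {("payroll-db", "read")},
    "payroll-admin": {("payroll-db", "read"), ("payroll-db", "write")},
    "helpdesk": {("ticketing", "read"), ("ticketing", "write")},
}

def device_compliant(device: Device) -> bool:
    """A device is trusted only if it is managed AND passes every posture check."""
    return device.managed and device.antivirus_ok and device.disk_encrypted

def authorize(session: Session, resource: str, action: str) -> Tuple[bool, str]:
    """Evaluate ONE request; called on every access, never cached per session.
    Returns (allowed, reason) so the reason can be forwarded to central logging."""
    if not session.mfa_verified:
        return False, "mfa-required"
    if not device_compliant(session.device):
        return False, "device-noncompliant"
    permitted = set().union(*(RBAC.get(r, set()) for r in session.roles))
    if (resource, action) not in permitted:
        return False, "not-in-role"
    return True, "allowed"

if __name__ == "__main__":
    # Constructed sample: a compliant laptop and an unmanaged personal device.
    laptop = Device("lt-0001", managed=True, antivirus_ok=True, disk_encrypted=True)
    byod = Device("ph-0002", managed=False, antivirus_ok=False, disk_encrypted=True)
    alice = Session("alice", frozenset({"payroll-analyst"}), True, laptop)
    print(authorize(alice, "payroll-db", "read"))    # allowed by role
    print(authorize(alice, "payroll-db", "write"))   # denied: not in role
    print(authorize(Session("alice", alice.roles, True, byod), "payroll-db", "read"))
```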

Secure Web Gateways (SWG) / Secure Access Service Edge (SASE)
The shift to remote work has highlighted the limitations of traditional VPNs. SWGs and SASE solutions address these gaps by providing secure, direct-to-cloud connections, and – in my experience – have ensured that remote employees can access resources safely without the need for a VPN.

Privileged Access Management (PAM)
Privileged access management (PAM) plays a pivotal role in zero trust by addressing the security risks associated with privileged accounts. PAM ensures that only authorized users are able to access sensitive resources, minimizing the risk of unauthorized access.

Next-Generation Firewalls (NGFW) and Endpoint Detection and Response (EDR)
NGFWs and EDR solutions can enhance the overall resilience and efficacy of a zero trust security framework, ensuring comprehensive protection against evolving cyber threats across the network and endpoints. NGFWs differ from and go beyond traditional firewalls by incorporating capabilities like deep packet inspection, application-level filtering, and threat intelligence integration. EDR solutions, meanwhile, provide real-time monitoring and response to threats on endpoints.

The reality is that zero trust is much more than just a buzzword. In fact, I’ve found it to be an effective security strategy against modern-day attacks. To transition your organization to zero trust, use the functionality of your existing security solutions and consider additional technologies for a comprehensive architecture. By embracing zero trust principles and architecture, you can proactively secure digital assets and sensitive data, and ensure resilience against evolving cyber threats.

Nitin Uttreja, CISSP, has over 15 years of specialized experience in cybersecurity. As Director, Global Cybersecurity at Estee Lauder, he currently spearheads the Security Architecture and Engineering team, where his responsibilities encompass the evaluation, design and deployment of cybersecurity solutions.