ZT Implementation -- (Private Sector)
Cato Networks.
URL: https://www.catonetworks.com/zero-trust-network-access/how-to-implement-zero-trust/
5 Steps (Tool-Based).
Deploy SASE. (3) -- BLUF: SASE (Secure Access Service Edge) helps unify SD-WAN and network security point solutions into a centralized cloud-native service. You can deploy SASE as part of your zero-trust strategy. SASE makes it much easier to implement the technologies below because it packages all of them in one managed service. Here are some aspects to weigh when selecting a SASE solution: (1) Integration—ideally, the SASE solution you choose should seamlessly integrate with your existing network architecture. For example, organizations that operate critical infrastructure on-premises should opt for a SASE solution offering zero-trust components that can securely connect to both cloud resources and legacy infrastructure. (2) Features—your SASE solution should provide capabilities that enable you to stop potential threats and limit the damage caused by a breach. For example, the solution should enable you to implement micro-segmentation, patching, sandboxing, and identity and access management (IAM). (3) Containment—nothing can truly guarantee that a breach will not occur. Ideally, your SASE solution of choice should help you ensure that any threat that breaches the network is contained to reduce the overall impact.
Utilize microsegmentation. -- BLUF: Microsegmentation involves splitting security perimeters into smaller zones. It helps define separate access to certain parts of your network. This separation enables you to allow access to some users, applications, or services to certain relevant zones while restricting access to others.
Use Multi-Factor Authentication (MFA). (3) -- BLUF: MFA requires users to input two or more authentication factors, including (1) A knowledge factor—information only the user should know, such as a pattern, password, or PIN. (2) A possession factor—information or objects only the user has, such as a smart card, a mobile phone, or an ATM card. (3) An inherence factor—this factor relies on the biometric characteristics of a user, such as a retina scan, a face scan, or a fingerprint. ~ Note: The system authenticates only if all factors are validated.
Implement the Principle of Least Privilege (PoLP). -- BLUF: PoLP involves limiting user access and permissions to the minimum that enables users to perform their work. For example, you can grant users only the execute, read, or write permissions they need, and only on the specific resources and files their work requires. You can also apply the principle of least privilege to restrict access rights for non-human resources, such as systems, applications, devices, and processes. You do this by granting these resources only the permissions needed to perform the activities they are authorized to do.
Validate All Endpoint Devices. -- BLUF: Do not trust devices that have not been verified. Zero trust security can help you validate your endpoints and extend identity-centric controls to the endpoint level. It usually involves ensuring that devices are enrolled before gaining access to your resources. Enrolling devices makes it easier to identify and verify each device. By implementing device verification, you can determine whether the endpoint attempting to access your resources meets your security requirements.
ZT Deployment Checklist (Q&A):
Fortinet.
URL: https://www.fortinet.com/resources/cyberglossary/how-to-implement-zero-trust
5 Steps (Goals and Objectives).
Define the Attack Surface. (4) -- BLUF: Defining your attack surface should be the first item on your zero trust checklist. To do this, you want to home in on the areas you need to protect. This way, you will not be overwhelmed with implementing policies and deploying tools across your entire network. Focus on your most valuable digital assets. (1) Sensitive Data: This includes the data of customers and employees, as well as proprietary information you do not want to fall into the hands of a thief. (2) Critical Applications: These are the applications that play a central role in your most crucial business processes. (3) Physical Assets: Physical assets can range from point-of-sale (PoS) terminals to Internet-of-Things (IoT) devices to medical equipment. (4) Corporate Services: These include the elements of your infrastructure used to support the day-to-day work of employees and executives, as well as those that facilitate customer sales and interactions.
Implement Controls Around Network Traffic. -- BLUF: The way traffic flows through your network will often pivot on the dependencies each system uses. For example, many systems need to access a database holding customer, product, or service information. Requests, therefore, do not simply “go into the system.” Rather, they are routed through a database containing sensitive information, and that dependency is part of the architecture you must protect. Understanding these kinds of details will help you decide which network controls to implement and where to position them.
Architect a Zero Trust Network. -- BLUF: A zero trust network is designed around your specific protect surface—there is never a one-size-fits-all solution. In most situations, your architecture may begin with a next-generation firewall (NGFW), which can act as a tool for segmenting an area of your network. At some point, you will also want to implement multi-factor authentication (MFA) to ensure users are thoroughly vetted before being granted access.
Create a Zero Trust Policy. -- BLUF: After you have architected the network, you will want to design your zero trust policies. This is most effectively done using what is known as the Kipling Method. This involves asking who, what, when, where, why, and how for every user, device, and network that wants to gain access.
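The following is an added worked example, not code from Cato Networks or Fortinet, showing how the Kipling Method policy above combines with the earlier items (microsegmentation zones, MFA factor kinds, least-privilege grants, and endpoint enrollment) into a single access decision. All zone names, roles, device identifiers, and the two-factor requirement are constructed assumptions for the example; a real policy engine would load them from its identity provider, device inventory, and segmentation rules.

```python
from dataclasses import dataclass, field

# Constructed sample data (assumptions for this example, not from the pages above):
# which roles may enter which zone (microsegmentation), the minimal verbs each
# role holds per zone (least privilege), and the enrolled-device inventory.
SEGMENT_ACCESS = {
    "finance-db": {"finance-analyst", "dba"},
    "hr-app": {"hr-staff"},
    "public-web": {"finance-analyst", "dba", "hr-staff", "contractor"},
}
ROLE_PERMISSIONS = {
    ("finance-analyst", "finance-db"): {"read"},
    ("dba", "finance-db"): {"read", "write", "execute"},
    ("hr-staff", "hr-app"): {"read", "write"},
    ("contractor", "public-web"): {"read"},
    ("finance-analyst", "public-web"): {"read"},
    ("dba", "public-web"): {"read"},
    ("hr-staff", "public-web"): {"read"},
}
ENROLLED_DEVICES = {"LAPTOP-0042", "LAPTOP-0077"}  # validated endpoints
BUSINESS_HOURS = range(7, 20)                      # "when": 07:00 to 19:59
FACTOR_KINDS = {"knowledge", "possession", "inherence"}
REQUIRED_FACTORS = 2                               # distinct factor kinds needed


@dataclass
class AccessRequest:
    # One field per Kipling question: who, what, when, where, why, how.
    who: str                  # user identity
    role: str                 # role the identity provider asserts for the user
    what: str                 # zone / resource requested
    action: str               # execute | read | write
    when_hour: int            # hour of day of the request
    where_device: str         # endpoint identifier presenting the request
    why: str                  # stated justification (recorded, never trusted)
    how_factors: frozenset    # MFA factor kinds that were validated


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)   # every failed check, not just the first


def evaluate(req: AccessRequest) -> Decision:
    """Deny unless every check passes; collect all failures so the log is useful."""
    reasons = []
    # "how": MFA succeeds only if enough distinct factor kinds were validated.
    if len(req.how_factors & FACTOR_KINDS) < REQUIRED_FACTORS:
        reasons.append("mfa: fewer than %d factor kinds" % REQUIRED_FACTORS)
    # "where": an unenrolled endpoint is untrusted regardless of the user.
    if req.where_device not in ENROLLED_DEVICES:
        reasons.append("device not enrolled")
    # "when": time-of-day restriction.
    if req.when_hour not in BUSINESS_HOURS:
        reasons.append("outside allowed hours")
    # "who"/"what": microsegmentation first, then least privilege on the verb.
    if req.role not in SEGMENT_ACCESS.get(req.what, set()):
        reasons.append("role not permitted in segment")
    elif req.action not in ROLE_PERMISSIONS.get((req.role, req.what), set()):
        reasons.append("action exceeds least-privilege grant")
    # "why": require a justification so the audit trail is complete.
    if not req.why:
        reasons.append("missing justification")
    return Decision(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    ok = AccessRequest("alice", "finance-analyst", "finance-db", "read", 10,
                       "LAPTOP-0042", "month-end close",
                       frozenset({"knowledge", "possession"}))
    bad = AccessRequest("bob", "contractor", "finance-db", "read", 22,
                        "BYOD-1", "curious", frozenset({"knowledge"}))
    for r in (ok, bad):
        d = evaluate(r)
        print(r.who, "ALLOW" if d.allowed else "DENY", d.reasons)
```

The design choice worth noting is that every check runs and every failure is recorded, rather than short-circuiting on the first one; that is what turns the decision log into the kind of evidence the monitoring step below depends on.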
Monitor Your Network. (3) -- BLUF: Monitoring activity on your network can alert you to potential issues sooner and provide valuable insights for optimizing network performance—without compromising security. (1) Reports: Reports produced on a regular or ongoing basis can be used to flag abnormal behavior. You can also analyze them to assess how your zero-trust system impacts employee or system performance and ways you may be able to improve it. (2) Analytics: Analytics takes data generated by your system and provides insights regarding how well it functions. Insights are valuable when you need to monitor network traffic, the performance of components of the network, and patterns of user behavior. (3) Logs: The logs produced by your system provide you with a permanent, time-stamped record of activity. These can be analyzed manually or using analytical tools, such as machine-learning algorithms that can recognize patterns and anomalies.
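As an added example of the log analysis this step describes (not Fortinet's code), the block below parses constructed JSON decision records from a hypothetical policy-enforcement point and flags two patterns: a burst of denials by one user within an hour, and a user appearing from a device absent from a baseline inventory. The log field names, the threshold, and the baseline are assumptions for the example.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: one JSON record per access decision. The field names are
# assumed for this example; a real enforcement point will use its own schema.
SAMPLE_LOG = """\
{"ts":"2024-03-01T08:02:11Z","user":"alice","device":"LAPTOP-0042","zone":"finance-db","action":"read","result":"allow"}
{"ts":"2024-03-01T08:05:40Z","user":"alice","device":"LAPTOP-0042","zone":"finance-db","action":"read","result":"allow"}
{"ts":"2024-03-01T09:10:02Z","user":"bob","device":"LAPTOP-0077","zone":"public-web","action":"read","result":"allow"}
{"ts":"2024-03-01T23:41:15Z","user":"bob","device":"BYOD-9","zone":"finance-db","action":"read","result":"deny"}
{"ts":"2024-03-01T23:41:20Z","user":"bob","device":"BYOD-9","zone":"finance-db","action":"write","result":"deny"}
{"ts":"2024-03-01T23:41:27Z","user":"bob","device":"BYOD-9","zone":"hr-app","action":"read","result":"deny"}
{"ts":"2024-03-01T23:42:01Z","user":"bob","device":"BYOD-9","zone":"hr-app","action":"write","result":"deny"}
{"ts":"2024-03-02T08:00:09Z","user":"alice","device":"LAPTOP-0042","zone":"finance-db","action":"read","result":"allow"}
"""

DENY_THRESHOLD = 3   # denials per user per hour before a burst is reported (assumed)
KNOWN_DEVICES = {    # baseline of devices each user has been enrolled on (assumed)
    "alice": {"LAPTOP-0042"},
    "bob": {"LAPTOP-0077"},
}


def parse_log(text):
    """Turn JSON lines into dicts with a real datetime in 'ts'; skip blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def find_anomalies(records):
    """Return findings as tuples: ('new_device', user, device) or
    ('deny_burst', user, hour_bucket, count, [zones])."""
    new_devices = []                     # ordered, de-duplicated (user, device) pairs
    denies = Counter()                   # (user, "YYYY-MM-DDTHH") -> denial count
    zones_denied = defaultdict(set)      # same key -> zones that refused the user
    for r in records:
        key = (r["user"], r["device"])
        if r["device"] not in KNOWN_DEVICES.get(r["user"], set()) and key not in new_devices:
            new_devices.append(key)
        if r["result"] == "deny":
            bucket = (r["user"], r["ts"].strftime("%Y-%m-%dT%H"))
            denies[bucket] += 1
            zones_denied[bucket].add(r["zone"])
    findings = [("new_device", u, d) for u, d in new_devices]
    for (user, hour), n in sorted(denies.items()):
        if n >= DENY_THRESHOLD:
            findings.append(("deny_burst", user, hour, n, sorted(zones_denied[(user, hour)])))
    return findings


if __name__ == "__main__":
    for f in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f)
```

Both detections are deliberately simple so they can be read against the records by hand; the point is that a denial burst across several zones from a device outside the baseline is exactly the lateral-movement signal a zero trust log exists to surface.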
Non-CISA -- Using 8 Pillars
Pixelplex.
About the Company: They offer a comprehensive range of services, including IT consulting, custom software development, and specialized expertise in blockchain, machine learning, and data science.
StrongDM.
ZTNA. -- BLUF: (1) ZTNA is the most common implementation of the Zero Trust Model. Based on micro-segmentation and network isolation, ZTNA replaces the need for a VPN and grants access to the network after verification and authentication. (2) As Gartner defines it, under a ZTNA model, “access is restricted via a trust broker to a set of named entities. The broker verifies the identity, context, and policy adherence of the specified participants before allowing access and prohibits lateral movement elsewhere in the network.” This minimizes the attack surface, significantly reducing the security risk.