Examining Zero Trust From a Policy Perspective: Four Themes for CXOs

Originally published by CXO REvolutionaries.

Written by Brett James, Director, Transformation Strategy, Zscaler.

In many ways, an enterprise zero trust transformation is more about policy change than technology, an idea that may seem foreign to insiders contemplating change in the IT industry.

It’s easy to focus on the technology and to speak about zero trust in terms of networks or architecture, but for non-technology specialists, it’s often easier to grasp by thinking in terms of policy.

Having policies and procedures that prevent implicit trust in anything or anyone, and the capabilities to enforce those policies is what we really mean when we say “zero trust.” Once enterprises implement zero trust policies, they realize the flexibility, agility, and competitive advantages in their marketplace.

Let's explore four themes common to successful enterprise zero trust programs, focusing more on policy than technology:

Assume failure

More than “breach,” “failure” helps include a user’s actions in the zero trust framework. Because, more often than not, breaches occur due to the actions of an employee or third-party user. This may be a failure to follow a procedure, failure to recognize a fraudulent website, email, or message, or failure to use a tool properly.

Whichever is the case, it’s helpful to consider zero trust as also applying to users and their actions when mitigating enterprise risk. One solution is to implement distinct processes and technologies designed to detect user failures, especially where they may impact the business (see the next section). Users should not be able to deviate from critical processes without tripping alerts or being granted specific authorizations.

From a technology perspective, assuming failure means using defense-in-depth tactics to prevent failures that cause business harm, whether purposeful, accidental or the result of fraudulent behavior.

Automation and workflows

Unexpected employee actions and undefined processes for jobs can be readily abused. As an extreme (but not uncommon) example, if a money-wiring process is automated and protected via verification (to the extent that finance department employees don’t have access to account numbers), they cannot fall for a fraudulent text message from the CEO asking them to wire money.

Similar protections are widely available in the form of additional authorizations, verifications, or escalation options for impactful actions across all business functions, not simply IT ones. Enterprise workflow automation services can be used not only to reduce risk but also to improve efficiencies over the course of digital transformations.

Focusing more on technology teams, “shift left” is the current buzz phrase, taking zero trust towards manual infrastructure deployments and configurations, ensuring predictability and repeatability. Implementing infrastructure as code (IAC) and DevSecOps-style approaches significantly reduces the risk of exposing the enterprise through vulnerabilities and misconfiguration.

Least-privilege access

This topic is likely familiar to most readers, and I mention it here to build on the previous sections. It centers on giving the consumer the least amount of access to their applications and resources to do their job.

Reduce exposure of applications and resources to those authorized to use them. This means there should be zero visibility from the internet or corporate-controlled networks for all others. Applications and infrastructure have vulnerabilities that can be exploited even within corporate network boundaries. Reduce their exposure to attack to only those that use them.

Once an app is exposed to a consumer, they should only have the privileges within to perform their tasks, no more. Their machine may be compromised (giving attackers free rein), they might make a critical mistake, or they may have nefarious intentions. The goal is to reduce the blast radius when an incident happens. Least-privilege should not be limited to IT personnel, either. This principle applies to everyone, across the enterprise, including customers, contractors, and the supply chain.

The technology and resources required to achieve these goals are key to an enterprise's zero trust dreams and almost always extend past an IT organization's capabilities. The business must be involved in determining “who gets access to what,” preferably in the form of a modernized, role-based access strategy with automated entitlement attestations.

Governance

My final zero trust policy theme is governance. It is woven throughout each of the previous sections and should be considered the lynchpin of a zero trust program. Governance ensures that policies and procedures are created and followed. It is how actions and environments within the enterprise are monitored and measured for compliance and integrity. In other words, without governance, you have no idea if your zero trust program is effective.

While assigning appropriate resources and ensuring support from the top executives and the board is a requirement for success, technology is key to ensuring governance efficiently.

In sum, governance-related activities in a zero trust program include creating policies and assigning the resources to implement the following:

• Automation workflows that ensure the safety of impactful employee actions like wire transfers. These processes are continually improved through formal measures.
• Defense-in-depth security tools for defending working environments.
• Monitoring tools to ensure secure applications and infrastructures, especially for public cloud environments, including developer code scanning and vulnerability detection.
• Data loss protection strategies for all electronic employee and third-party communications to ensure actions are encrypted, monitored, and safe for the enterprise. These should also be capable of preventing data exfiltration from compromised devices.

As you’ve read, zero trust is much more than slotting a new appliance into your data center. It extends further than core IT functions and specific technologies. Zero Trust is a mindset that must be internalized and promoted across the enterprise to be effective.

What it is not is an IT project. Siloing zero trust initiatives in any single department is to condemn them to failure.