Zero Trust architecture is the wave of the future. Eventually, most organizations will have something like this in place, and it is definitely the new buzzword in the cybersecurity industry.
In all the excitement, the reality of how to shift to a zero-trust architecture tends to get lost in the discussion. But you can’t enjoy the benefits of zero trust until you get there, so mapping your transition plan is potentially the most important (and least exciting) step in the process.
Why do we need Zero Trust?
Let’s begin by diving into why we really need Zero Trust architecture in the first place.
The technology landscape for most enterprises has shifted substantially over the last couple of years. If you are like most, you probably have applications in all of the following three categories.
Cloud SaaS Applications
These applications live 100% in the cloud and may include things like:
- Office 365
- Gmail
- OneDrive
- Salesforce
- Slack
- Microsoft Teams
On-Premise Applications
These applications live 100% in your physical network and may include things like:
- SharePoint
- Internal file servers
- Internal business logic servers
Cloud Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and serverless
These applications live in the cloud and are meant to control your technology infrastructure. They may include things like:
- Amazon AWS
- Microsoft Azure
- Google GCP
The position the majority of enterprises find themselves in today is that of a hybrid environment. The applications they use are spread across multiple different places, with different access methods and requirements.
The traditional model is a network-centric structure in which everything comes back to a centralized, protected network. In this model, securing the network was enough to keep the applications running on that network secure. Backhauling all traffic through that central network uses more bandwidth than necessary and adds latency for your team when they use applications, without any real reduction in risk.
This is no longer the case.
In today’s connected world, filled with cloud-based applications and a hybrid approach to data storage, the centralized network architecture goes out the window.
Instead, today’s world requires a user-centric architecture where policy-based access controls who can access each of the different applications and storage methodologies employed by an organization.
How it will work in the future
Your employees will connect to all applications through a single sign-on (SSO) tool. They will have one account for everything. This account will also need multi-factor authentication turned on for security purposes.
From a system perspective, your zero trust architecture will be smart enough to discern the difference between a cloud-based application and an on-premise application, and it will route the user to that application the correct way all on its own.
For instance, if a user chooses to access an on-premise application, it will fire up a VPN or secure connection and connect that way. If they choose a cloud-based application, they will be routed straight to the cloud without going through your on-prem network.
The user sees none of this. Their experience will be: click on the application and go. Occasionally they will be prompted for their 2-factor authentication code.
Over time your architecture will mature to do even more, as you level up your technology and architecture stack. Your zero trust tools may even be able to start checking that the user accessing the application has no malware on their device, that they are geographically located in the US, or that they are running the latest operating system. These checks run every time they access an application, all without changing the user experience.
Who wouldn’t want that?
Making the transition
Ok, now that we’ve got you excited, it is time for the reality check. While many of the pieces needed to build a zero-trust architecture are available today, getting there isn’t as simple as flipping a switch.
In reality, it may not be feasible for your organization to wholesale throw out old equipment and buy cool new stuff. Or it may. It depends on your goals, your users, your ability to manage change, and where your current tech is in its lifecycle.
Slow and steady
This is more commonly the approach that enterprises have to take for a change like this. Keeping the business running on a day-to-day basis is just as important as the switch in technology. The larger your organization, the more likely you are to fit into this category.
To achieve the dream you see above, you’ll likely need what NIST refers to as a policy engine and a policy enforcement point. In this example, we can use modern identity management services as the policy engine and a VPN capable of next-gen functionality as the policy enforcement point.
It is easiest to get started by finding an identity management engine or service like Azure Active Directory, Okta, Auth0 or Duo. Getting this service up and running is going to be the most painful part of the switch, and the piece users will feel the most.
For the most part, tools like this will still work with existing VPN hardware, so everything can still work together to support your current operations before making the switch in VPN technology to support zero trust.
Once this piece is in place, you can begin to replace your VPN technology with next-gen VPN technology as your appliances reach end of life (making it much more cost-effective as well). In this process, you’ll typically start by replacing the gateways that sit in front of your networks, or those that sit closest to your applications, with ones that allow for greater control (e.g. session-based application access, real-time policy enforcement, etc.).
Once you have the base technology in place, you can go through the process of stepping up each level in your zero trust architecture described in this article.
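To make the policy engine / policy enforcement point split and the per-access checks above concrete, here is an added example (not from the original article or from any of the vendors named): a toy policy engine that re-evaluates MFA, device posture, geolocation and OS version on every request, and a toy enforcement point that routes an allowed session either straight to the cloud or through a VPN tunnel for on-premise applications. The application catalogue, posture fields, allowed region and version thresholds are all constructed assumptions.

```python
"""Added example (not from the original article): a toy NIST-style policy
engine (PE) and the routing decision a policy enforcement point (PEP) makes
for the hybrid SaaS / on-prem estate the article describes. App names, posture
fields, regions and version thresholds are all constructed assumptions."""
from dataclasses import dataclass

# Constructed catalogue: where an app lives decides how the PEP routes an
# allowed session (straight to the cloud, or through a VPN tunnel).
APPS = {"salesforce": "cloud", "slack": "cloud",
        "sharepoint": "on-prem", "fileserver": "on-prem"}
MIN_OS = {"windows": (10, 0), "macos": (13, 0)}  # assumed minimum versions
ALLOWED_COUNTRIES = {"US"}                       # article's "located in the US"

@dataclass
class Request:
    user: str
    app: str
    mfa_passed: bool
    device_clean: bool     # endpoint agent reports no malware (assumed signal)
    country: str           # geolocation of the connecting device
    os_name: str
    os_version: tuple

def policy_engine(req: Request) -> dict:
    """PE: re-evaluated on every access, not once at login."""
    if req.app not in APPS:
        return {"decision": "deny", "reasons": ["unknown application"]}
    if not req.mfa_passed:          # the occasional second-factor prompt
        return {"decision": "step-up", "reasons": ["MFA required"]}
    reasons = []
    if not req.device_clean:
        reasons.append("device posture: malware reported")
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append(f"geo: {req.country} outside allowed region")
    if req.os_version < MIN_OS.get(req.os_name, (0, 0)):
        reasons.append(f"{req.os_name} {req.os_version} below minimum")
    return {"decision": "deny" if reasons else "allow", "reasons": reasons}

def enforcement_point(req: Request) -> dict:
    """PEP: apply the PE verdict and choose the path with no user action."""
    verdict = policy_engine(req)
    if verdict["decision"] != "allow":
        return {**verdict, "route": None}
    route = "vpn-tunnel" if APPS[req.app] == "on-prem" else "direct-to-cloud"
    return {**verdict, "route": route}

if __name__ == "__main__":
    r = Request("alice", "sharepoint", True, True, "US", "windows", (11, 0))
    print(enforcement_point(r))  # allow, routed through the VPN tunnel
```

A real deployment would take the posture signals from an endpoint agent and the identity signals from the identity provider; the point here is that the decision and the routing happen on every access without the user choosing a path.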
Rip and replace
It may be entirely possible for you to do a rip and replace of your current technology with all new tech. Usually, this is a more likely fit for smaller organizations that have much of their current technology close enough to end of life to make it worthwhile.
If you find yourself here, the most important thing to consider is how hard the switch will be. The biggest challenge will be getting all the pieces of your architecture working together seamlessly. It is much easier to do this if you source all of the different components from the same vendor to ensure they are built to work together.
An example might be combining Windows laptops with Azure Active Directory, Azure cloud infrastructure and an Office 365 instance.
You’ll find a much larger hill to climb if you're trying to integrate solutions from multiple different vendors. It isn’t impossible; it will just take a lot more troubleshooting and effort in setup.
Final Thoughts
The future of VPN technology is no doubt exciting, but getting there should be a measured process. It is easy to look at the theory, but much harder to gaze through the lens of reality at how that theory can be applied to your organization.
Considering the change to Zero Trust in steps or stages makes it a much more manageable process, and ultimately gets you to the same place.