"Trust but verify" is a security concept of the past. Today, organizations increasingly adopt zero-trust architecture to better manage risk. True to its name, a zero-trust security model requires organizations to never trust and always verify.
The Forrester Zero Trust eXtended framework includes seven different foundational pillars. One of these pillars covers how security administrators create policy and deploy tools for the various workloads a business uses to operate. In the context of a zero-trust security model, workloads refer to any application or service that operates in private data centers or public clouds. This diverges from typical security methodologies because it moves away from a perimeter-based security architecture to one that protects each individual workload or resource.
Below, examine the process of determining which workloads should be protected and what level of risk can and should be tolerated in a zero-trust architecture context.
Identify and categorize workloads
The first step in the process is to identify each workload. The workload should be categorized based on its purpose, who needs access to it and how critical it is to the business overall. This step requires input from business stakeholders in departments that use IT workloads. The more critical and sensitive the workload, the more security controls should be put in place to protect it.
Next, create a digital identity for each workload. This not only identifies the application or service, but also creates an isolation point where access controls, data storage and data encryption policies can be applied.
Implement access control policies
Finally, based on this vetting process, purpose-driven security policies and tools must be put in place to permit or deny access. Keep in mind that access requests may come from autonomous IoT devices, users or other workloads. As a result, multiple layers of security tools may be required within the zero-trust security model.
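The three steps above (categorize each workload, give it a digital identity, then permit or deny each request) can be sketched as a default-deny decision function. This is an added example, not code from the original article; the tier names, check names, identities and rules are all constructed assumptions.

```python
from dataclasses import dataclass

# Checks a requester must pass per criticality tier (constructed for this example).
REQUIRED_CHECKS = {
    "low": {"authenticated"},
    "medium": {"authenticated", "posture_ok"},
    "high": {"authenticated", "posture_ok", "strong_auth"},
}

@dataclass(frozen=True)
class Workload:
    identity: str       # digital identity assigned to the workload
    criticality: str    # tier agreed with business stakeholders

@dataclass(frozen=True)
class Rule:
    kind: str           # "user", "device" or "workload"
    principal: str
    target: str         # identity of the workload being protected
    actions: frozenset

def decide(kind, principal, target, action, passed, inventory, rules):
    """Default deny: return (allowed, reason) for a single access request."""
    workload = inventory.get(target)
    if workload is None:
        return False, "unknown workload identity"
    required = REQUIRED_CHECKS.get(workload.criticality)
    if required is None:
        return False, "workload has no valid criticality tier"
    if not any(r.kind == kind and r.principal == principal and r.target == target
               and action in r.actions for r in rules):
        return False, "no rule permits this principal and action"
    missing = required - set(passed)
    if missing:
        return False, "missing checks: " + ", ".join(sorted(missing))
    return True, "permitted by explicit rule"

# Constructed inventory and rules: one user, one IoT device, one calling workload.
INVENTORY = {w.identity: w for w in (
    Workload("wl://payroll-api", "high"),
    Workload("wl://telemetry-ingest", "medium"),
)}
RULES = [
    Rule("user", "alice", "wl://payroll-api", frozenset({"read"})),
    Rule("device", "sensor-17", "wl://telemetry-ingest", frozenset({"write"})),
    Rule("workload", "wl://reporting", "wl://telemetry-ingest", frozenset({"read"})),
]
```

The same rule grants nothing when the requester has not passed the checks its target's tier demands, so raising a workload's criticality tightens access without rewriting any rule.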
A zero-trust architecture can be adapted to fit any business vertical and any technology workload. That said, it is only useful if the proper time and effort are dedicated to identifying critical workflows and wrapping the necessary security around them. Additionally, regular workload audits are necessary to ensure current and new technologies meet the necessary levels of security based on the overall importance to the business.