"Trust but verify" is a security concept of the past. Today, organizations increasingly adopt zero-trust architecture to better manage risk. True to its name, a zero-trust security model requires organizations to never trust and always verify.
The Forrester Zero Trust eXtended framework includes seven different foundational pillars. One of these pillars covers how security administrators create policy and deploy tools for the various workloads a business uses to operate. In the context of a zero-trust security model, workloads refer to any application or service that operates in private data centers or public clouds. This diverges from typical security methodologies because it moves away from a perimeter-based security architecture to one that protects each individual workload or resource.
Below, examine the process of determining which workloads should be protected and what level of risk can and should be tolerated in a zero-trust architecture context.
Identify and categorize workloads
The first step in the process is to identify each workload. The workload should be categorized based on its purpose, who needs access to it and how critical it is to the business overall. This step requires input from business stakeholders in departments that use IT workloads. The more critical and sensitive the workload, the more security controls should be put in place to protect it.
Next, create a digital identity for each workload. This not only identifies the application or service, but also creates an isolation point where access controls, data storage and data encryption policies can be applied.
Implement access control policies
Finally, based on this vetting process, purpose-driven security policies and tools must be put in place to permit or deny access. Keep in mind that access requests may come from autonomous IoT devices, users or other workloads. As a result, multiple layers of security tools may be required within the zero-trust security model.
A zero-trust architecture can be adapted to fit any business vertical and any technology workload. That said, it is only useful if the proper time and effort are dedicated to identifying critical workflows and wrapping the necessary security around them. Additionally, regular workload audits are necessary to ensure current and new technologies meet the necessary levels of security based on the overall importance to the business.
Dig Deeper on Risk assessments, metrics and frameworks
Related Q&A from Andrew Froehlich
An IAM system introduces risks to the enterprise, but the consensus is the benefits of IAM outweigh the drawbacks. What are some of the issues that ... Continue Reading
The network edge is where an enterprise network connects to third-party network services. Edge computing is a distributed architecture that processes... Continue Reading
PAP uses a two-way handshake to authenticate client sessions, while CHAP uses a three-way handshake. Both authentication processes are common, but ... Continue Reading