"Trust but verify" is a security concept of the past. Today, organizations increasingly adopt zero-trust architecture to better manage risk. True to its name, a zero-trust security model requires organizations to never trust and always verify.
The Forrester Zero Trust eXtended framework includes seven different foundational pillars. One of these pillars covers how security administrators create policy and deploy tools for the various workloads a business uses to operate. In the context of a zero-trust security model, workloads refer to any application or service that operates in private data centers or public clouds. This diverges from typical security methodologies because it moves away from a perimeter-based security architecture to one that protects each individual workload or resource.
Below, examine the process of determining which workloads should be protected and what level of risk can and should be tolerated in a zero-trust architecture context.
Identify and categorize workloads
The first step in the process is to identify each workload. The workload should be categorized based on its purpose, who needs access to it and how critical it is to the business overall. This step requires input from business stakeholders in departments that use IT workloads. The more critical and sensitive the workload, the more security controls should be put in place to protect it.
Next, create a digital identity for each workload. This not only identifies the application or service, but also creates an isolation point where access controls, data storage and data encryption policies can be applied.
Implement access control policies
Finally, based on this vetting process, purpose-driven security policies and tools must be put in place to permit or deny access. Keep in mind that access requests may come from autonomous IoT devices, users or other workloads. As a result, multiple layers of security tools may be required within the zero-trust security model.
A zero-trust architecture can be adapted to fit any business vertical and any technology workload. That said, it is only useful if the proper time and effort are dedicated to identifying critical workflows and wrapping the necessary security around them. Additionally, regular workload audits are necessary to ensure current and new technologies meet the necessary levels of security based on the overall importance to the business.
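The steps above (categorize each workload, give it a digital identity, enforce purpose-driven access policy, audit regularly) can be sketched as a deny-by-default check. This Python example is added here and is not from the original article; the tier names, control names and workload names are assumptions constructed for illustration.

```python
from dataclasses import dataclass
# Constructed tiers: the more critical the workload, the more controls required.
REQUIRED_CONTROLS = {
    "low": {"authenticated"},
    "medium": {"authenticated", "encrypted_transport"},
    "high": {"authenticated", "encrypted_transport", "mfa_or_attested"},
}

@dataclass(frozen=True)
class Workload:
    identity: str         # digital identity: the isolation point for policy
    criticality: str      # tier agreed with business stakeholders
    allowed: frozenset    # (requester_kind, requester_id) pairs permitted

@dataclass(frozen=True)
class Request:
    kind: str             # "user", "iot_device" or "workload"
    requester_id: str
    target: str           # identity of the workload being accessed
    controls: frozenset   # controls already verified for this request

def decide(inventory, req):
    """Return (allowed, reason); anything not explicitly permitted is denied."""
    wl = inventory.get(req.target)
    if wl is None or wl.criticality not in REQUIRED_CONTROLS:
        return False, "unknown or uncategorized workload"
    if (req.kind, req.requester_id) not in wl.allowed:
        return False, "requester not in policy"
    missing = REQUIRED_CONTROLS[wl.criticality] - req.controls
    if missing:
        return False, "missing controls: " + ", ".join(sorted(missing))
    return True, "permitted"

def audit(inventory):
    """Periodic audit: flag workloads lacking a valid tier or any policy."""
    findings = []
    for wl in inventory.values():
        if wl.criticality not in REQUIRED_CONTROLS:
            findings.append((wl.identity, "uncategorized"))
        if not wl.allowed:
            findings.append((wl.identity, "no access policy"))
    return findings

# Constructed sample inventory; all names are hypothetical.
INVENTORY = {w.identity: w for w in [
    Workload("payroll-api", "high", frozenset({("user", "alice"), ("workload", "hr-portal")})),
    Workload("badge-telemetry", "low", frozenset({("iot_device", "door-sensor-17")})),
    Workload("legacy-report", "", frozenset()),
]}
```

A request is permitted only when the target is a known, categorized workload, the requester is named in that workload's policy, and every control required for its tier has been verified; the audit surfaces workloads that were never categorized or have no policy at all.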