
What should I protect with a zero-trust architecture?

Never trust, always verify. Learn how to implement a zero-trust architecture to help manage risk and protect IT workloads at your organization.

"Trust but verify" is a security concept of the past. Today, organizations increasingly adopt zero-trust architecture to better manage risk. True to its name, zero trust requires security programs to never trust and always verify.

The Forrester Zero Trust eXtended framework includes seven different foundational pillars. One of these pillars covers how security administrators create policy and deploy tools for the various workloads that a business uses to operate. In the context of zero-trust architectures, workloads refer to any application or service that operates in private data centers or public clouds. This is a divergence from typical security methodologies, as it moves away from a perimeter-based security architecture to one that protects each individual workload or resource.

Here, examine the process of determining which workloads should be protected and what level of risk can and should be tolerated in a zero-trust architecture context.

Identify and categorize workloads

The first step in the workload process is to identify each workload. The workload should be categorized based on its purpose, who needs access to it and the overall criticality to the business. This step requires input from business stakeholders in the various departments that use IT workloads. The more critical and sensitive the workload is, the more security controls should be put in place to protect it.

Next, a digital identity is created for each workload. This not only identifies the application or service, but also creates an isolation point where access controls, data storage and data encryption policies can be applied.

Implement access control policies

Lastly, based on this vetting process, purpose-driven security policies and tools must be put in place to permit or deny access. Keep in mind that access requests may come from autonomous IoT devices, users or other workloads. Thus, multiple layers of security tools may be required within the zero-trust architecture.
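The three steps above (categorize the workload, give it an identity, then permit or deny each request) can be sketched as a default-deny policy check. This is an added example, not code from the article or from Forrester; the tier names, control names, identities and the `decide` function are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed tiers: controls that must be verified on a request, by workload
# criticality. More critical workloads demand more controls.
REQUIRED_CONTROLS = {
    "low": {"authenticated"},
    "medium": {"authenticated", "encrypted_channel"},
    "high": {"authenticated", "encrypted_channel", "strong_auth", "healthy_device"},
}

@dataclass(frozen=True)
class Workload:
    identity: str        # digital identity created for the workload
    criticality: str     # tier agreed with business stakeholders
    allowed: frozenset   # requester identities with a recorded business need

@dataclass(frozen=True)
class Request:
    requester: str       # identity of a user, an IoT device or another workload
    controls: frozenset  # controls verified for this specific request

def decide(inventory, target, req):
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    wl = inventory.get(target)
    if wl is None:
        return False, "unknown workload"  # uncatalogued resources get no access
    required = REQUIRED_CONTROLS.get(wl.criticality)
    if required is None:
        return False, "uncategorized workload"  # audit gap: fail closed
    if req.requester not in wl.allowed:
        return False, "no business need on record"
    missing = required - req.controls
    if missing:
        return False, "missing controls: " + ", ".join(sorted(missing))
    return True, "permit"

# Constructed inventory: the output of the identification and categorization step.
INVENTORY = {
    "payroll-db": Workload("payroll-db", "high", frozenset({"alice", "hr-portal"})),
    "wiki": Workload("wiki", "low", frozenset({"alice", "sensor-17"})),
    "legacy-ftp": Workload("legacy-ftp", "unrated", frozenset({"alice"})),
}

if __name__ == "__main__":
    weak = Request("alice", frozenset({"authenticated", "encrypted_channel"}))
    for target in INVENTORY:
        print(target, decide(INVENTORY, target, weak))
```

The `legacy-ftp` entry shows why the regular audits matter: a workload that was never assigned a recognized tier is denied rather than silently treated as low risk.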

A zero-trust architecture can be adapted to fit any business vertical and any technology workload. That said, it is only useful if the proper time and effort are dedicated to identifying critical workflows and wrapping the necessary security around them. Additionally, regular workload audits are necessary to ensure current and new technologies meet the necessary levels of security based on the overall importance to the business.

This was last published in February 2020
