"Trust but verify" is a security concept of the past. Today, organizations increasingly adopt zero-trust architecture to better manage risk. True to its name, zero trust requires security programs to never trust and always verify.
The Forrester Zero Trust eXtended framework includes seven different foundational pillars. One of these pillars covers how security administrators create policy and deploy tools for the various workloads that a business uses to operate. In the context of zero-trust architectures, workloads refer to any application or service that operates in private data centers or public clouds. This is a divergence from typical security methodologies, as it moves away from a perimeter-based security architecture to one that protects each individual workload or resource.
Here, examine the process of determining which workloads should be protected and what level of risk can and should be tolerated in a zero-trust architecture context.
Identify and categorize workloads
The first step in the workload process is to identify each workload. The workload should be categorized based on its purpose, who needs access to it and the overall criticality to the business. This step requires input from business stakeholders in the various departments that use IT workloads. The more critical and sensitive the workload is, the more security controls should be put in place to protect it.
Next, a digital identity is created for each workload. This not only identifies the application or service, but also creates an isolation point where access controls, data storage and data encryption policies can be applied.
Implement access control policies
Lastly, based on this vetting process, purpose-driven security policies and tools must be put in place to permit or deny access. Keep in mind that access requests may come from autonomous IoT devices, users or other workloads. Thus, multiple layers of security tools may be required within the zero-trust architecture.
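The three steps above (categorize each workload, give it an identity, then permit or deny requests against it) can be sketched as a default-deny policy check. This is an added Python example, not part of the original article; the workload identities, criticality tiers and control names are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed tiers: the more critical the workload, the more controls a request must satisfy.
REQUIRED_CONTROLS = {
    "low": {"authenticated"},
    "medium": {"authenticated", "mtls"},
    "high": {"authenticated", "mtls", "device_attested"},
}

@dataclass(frozen=True)
class Workload:
    identity: str                  # digital identity; policy attaches here
    purpose: str
    criticality: str               # agreed with business stakeholders
    allowed_principals: frozenset  # (kind, name) pairs that need access

@dataclass(frozen=True)
class Request:
    kind: str            # "user", "iot" or "workload"
    name: str
    target: str          # identity of the workload being requested
    controls: frozenset  # controls the requester actually satisfied

def decide(inventory, req):
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    wl = inventory.get(req.target)
    if wl is None:
        return False, "unknown workload"
    if wl.criticality not in REQUIRED_CONTROLS:
        return False, "uncategorized workload"
    if (req.kind, req.name) not in wl.allowed_principals:
        return False, "principal not authorized"
    missing = REQUIRED_CONTROLS[wl.criticality] - req.controls
    if missing:
        return False, "missing controls: " + ", ".join(sorted(missing))
    return True, "allowed"

# Constructed inventory covering the three requester kinds the article names.
INVENTORY = {w.identity: w for w in [
    Workload("wl://payroll-db", "payroll records", "high",
             frozenset({("workload", "wl://payroll-api")})),
    Workload("wl://payroll-api", "payroll API", "medium",
             frozenset({("user", "hr-analyst")})),
    Workload("wl://hvac-telemetry", "building sensor ingest", "low",
             frozenset({("iot", "sensor-17")})),
]}
```

A request for a workload that is missing from the inventory or carries no recognized category is denied, which is what makes the periodic workload audit matter: anything new stays unreachable until it has been categorized.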
A zero-trust architecture can be adapted to fit any business vertical and any technology workload. That said, it is only useful if the proper time and effort are dedicated to identifying critical workflows and wrapping the necessary security around them. Additionally, regular workload audits are necessary to ensure current and new technologies meet the necessary levels of security based on the overall importance to the business.