Automating for Zero Trust

By Andy Ruth, Notable Architect

Increasing automation and using change management techniques can help you integrate a Zero Trust strategy into a function SecOps environment.andy 1

 Some keys to modeling this workstream:

·       Start by creating security zones for high-value assets.

·       Determine what automation is already in use from a cybersecurity perspective. Everything that can be automated should. Start with orchestration (SAO – security automation and orchestration), governance enforcement (AAC – adaptive access control), and security monitoring, detection, and response (SIEM – security information and event management). Collaborate with the people that modeled the pillars to determine the maturity level of automation for each.   

·       Design a tokenization solution that reduces the threat surface area.

·       Identify the policy enforcement points (PEPs), and associated policy administration, decision, information, and retrieval points (PAPs, PDPs, PIPs, PRPs).

·       You can’t do it all at once and certainly won’t be able to get funding for everything, so put together and prioritize your automation wish list, and determine the alignment with business objectives and ROI compared to the other roadmap efforts.  

Modeling Security Zones

Security zones provide the framework or scaffolding to organize like-valued and like-requirements assets. They enable you to enforce fine-grained access controls, mitigate risks, and protect critical assets by compartmentalizing and isolating different parts of your IT environment based on trust levels and security requirements. A starting point might look like this:

andy 2

Don’t let having a perfect or complete catalog of data and assets get in the way of getting started or of a good enough improvement to have an incremental impact. Consider using an approach or process like the following:

1.     Create one or more zones for critical data and assets such as sensitive data and high-value assets. To do that, use the data you collected from the data modeling exercise to identify data and assets focused on customer information, intellectual property, financial records, and any other sensitive data. Create one or more security zones based on the criticality and potential impact if compromised.

2.     Create one or more zones for sensitive data. Sensitive data requires higher levels of protection due to legal obligations, industry regulations, and internal policies. For instance, personally identifiable information (PII) and trade secrets may demand stronger safeguards. Create one or more zones based on the risk posed by each data category.

3.     Map asset dependencies to determine if security zones or another approach is best suited to mitigate the risk. Identify the systems, applications, and infrastructure that rely on each other to function properly. By mapping these dependencies, you can identify potential weak points and ensure adequate protection is in place to maintain the integrity and availability of critical assets.

4.     Use the principle of least privilege (PoLP) to restrict resource access to only what is necessary for users and systems to perform their specific functions. By minimizing privileges and implementing granular access controls, you can reduce the attack surface and limit the potential impact of compromised credentials.

5.     Use network segmentation and micro-segmentation to divide your network into segments or zones based on trust levels and resource types. This segmentation helps contain potential breaches and limits lateral movement within your environment. Consider factors such as data sensitivity, user roles, and application dependencies when defining network boundaries and establishing connectivity rules.

6.     Use existing risk assessment data or perform risk assessments to understand the potential threats and vulnerabilities that might compromise your data and assets. Identify internal and external risks, such as unauthorized access, insider threats, malware, or physical theft. Prioritize risks based on their likelihood and potential impact, allowing you to allocate resources efficiently and implement targeted security controls.

7.     Use the results of your security zone exercise to update the initiative roadmaps. Based on the insights gained during this exercise, you can update the roadmap to include projects to update access controls, encryption, monitoring systems, intrusion detection, and incident response protocols based on the sensitivity and criticality of each data type and asset.

Modeling Automation Tools

The primary focus of this exercise is on modeling the tools for:

·       Governance enforcement

·       Monitoring assets and operations for compliance with the governance

·       Detection and response to anomalies such as breaches and attacks.

That said, it is also a good time to review the automation for identities, devices, networks, and infrastructure/services. Changes might be required to maintain alignment with changes to governance that enables your Zero Trust strategy. Additionally, performing evaluations between your current solution and other top-rated solutions to ensure you maintain the best cost performance and can plan for updates to platforms is critical. Automated environments that might need review include:

·       Infrastructure as code (IAC) and software-defined networking (SDN) automation

·       Identity and Access Management (IAM) tools

·       Role-based, attribute-based, and policy-based (RBAC, ABAC, PBAC) access control

·       Container, serverless, and no-code solutions

·       Endpoint security automation with an eye out for any opportunity to minimize the diversity and complexity of the landscape while maintaining a balance between useability and security.

For governance enforcement, key tools are your security automation and orchestration tools. If you have a solution in place, verify that it is still fit for function to enable your Zero Trust initiative. As you evaluate your current solution and other tools that are available, you’ll want to consider budget, support and maintenance, vendor reputation, and future roadmap along with the following:

·       Ease of use and user experience – If the solution is good but not easy to use, more time is spent manipulating the tool than operating the usage and output provided. Additionally, logs are great, but critical data can quickly get lost in a sea of logs if logging options and filtering capabilities are not useful. Evaluate its interface, customization options, and reporting capabilities. A user-friendly and intuitive tool allows security teams to quickly adopt and leverage its functionalities. Look for features like customizable dashboards, visual workflow builders, and comprehensive reporting to facilitate efficient and effective security operations.

·       Integration capabilities – Verify that your current solution is still a good fit for your future state and evaluate other solutions to determine if there is a better solution based on your criteria for use. Evaluate its compatibility with the range of security products and technologies you currently use, such as firewalls, endpoint protection, identity and access management (IAM) systems, and SIEM platforms. Robust integration capabilities enable seamless information sharing, automated workflows, and coordinated responses across your security ecosystem.

·       Automation and orchestration features – With all the modeling and new information uncovered, you must verify that the SAO tool that you use is still the best choice. Assess the tool’s automation and orchestration capabilities in the context of Zero Trust. Look for features such as workflow automation, playbook creation, incident response automation, and policy enforcement. The tool should support the automation of security processes, such as access control, authentication, threat detection, and incident response, while enabling customization to align with your Zero Trust architecture.

·       Scalability and performance – With digital transformation and the evolution of the workplace and products, the digital workload you must secure and support has increased exponentially. Evaluate its ability to handle the volume of security events, alerts, and workflows generated by your environment. Ensure that the tool can efficiently process and respond to events in real time without significant delays. Scalability is particularly important for larger organizations or those with complex infrastructures and high event volumes.

·       Analytics and threat intelligence – A key feature for you to consider when you evaluate your SAO tools are their ability to provide advanced analytics and threat intelligence capabilities. These features enable you to gain insights from security events, identify patterns, and detect anomalies. The tool should leverage machine learning, behavior analytics, and threat intelligence feeds to enhance threat detection and response. The ability to correlate and analyze security data across your environment can significantly strengthen your Zero Trust implementation.

Modeling a Tokenization Solution

As you model your tokenization solution, make sure and have the right team assembled to ensure the solution and implementation. The skills needed across the team members must enable them to:

·       Consider the scope and sensitivity of the data.

·       The methods and controls are aligned with initiative goals.

·       Integrate with current and planned authentication and authorization systems.

The team you assemble should include the following roles:

·       Security Architect

·       Data Architect

·       Cryptography expert

·       Identity and access management specialist

·       Compliance officer

The team should be sized and skilled to enable speed in decision-making with minimal friction based on personal biases. While the specific roles and titles may vary across organizations. Some roles may overlap or be fulfilled by individuals with multiple responsibilities. Effective collaboration and coordination among these roles, along with input from other stakeholders such as IT administrators and application developers, contribute to a well-designed tokenization solution for a Zero Trust initiative.

As you start your modeling exercise start with the following three objectives and add others and discovery uncovers any gaps that might hamper success:

·        Data sensitivity and tokenization scope – Tokenization replaces sensitive data with randomly generated tokens while maintaining referential integrity. The efficiency of tokenization has a significant impact on the cost and efficiency of the solution. Thoroughly assess the sensitivity of the data that requires protection and determine the scope of tokenization. As part of identifying the appropriate scope for tokenization, consider the most critical and sensitive information that requires tokenization while minimizing the impact on business processes. Identify the specific data elements or fields that need to be tokenized to minimize risk exposure. Scope creep is bad, but expansion might be easier than deflation of scope.

·       Tokenization method and security controls – Evaluate different tokenization methods and select the one that aligns with your Zero Trust architecture and security requirements. There are various approaches to tokenization, including format-preserving tokenization (FPT), tokenization with encryption, and secure vault-based tokenization. Each method has its strengths and weaknesses in terms of security, performance, and maintainability. Consider factors such as the strength of tokenization algorithms, key management, and the ability to maintain data privacy and compliance standards.

·       Integration with existing and planned authentication and authorization systems – Consider how the tokenization solution integrates with your authentication and authorization systems. Tokenization should support the secure exchange and validation of tokens between trusted parties. It should integrate with your identity and access management (IAM) infrastructure to ensure that only authorized users or services can access tokenized data. Seamless integration with authentication protocols such as OAuth or OpenID Connect enables secure and trusted exchanges and supports the Zero Trust principles of strict access control and authentication.

Ensure that the tokenization solution integrates effectively with your data storage and retrieval systems. This enables efficient token-to-data mapping, ensuring that authorized parties can retrieve the original data when necessary while maintaining the security and privacy benefits of tokenization.

Modeling Policy Enforcement Points

With earlier efforts, most of the information you need to model a policy enforcement mechanism you have. However, you still need to process the data to determine the primary points where policy enforcement is required. You also must ensure that you can implement and operate your enforcement points given the greater detail you uncovered while modeling the pillars. After that, you must validate that what you’re proposing aligns with the Zero Trust strategy and business objectives. The three primary objectives for this modeling exercise might be the following. We recommend that you break your team for this initiative into three small groups and run the efforts concurrently.

·       Identify key entry and exit points – Identify the key entry and exit points within your infrastructure where policy enforcement is necessary. Include network gateways, firewalls, web application gateways, cloud access security brokers (CASBs), identity and access management (IAM) systems, and API gateways. Evaluate the network architecture, data flows, and user access patterns to determine the critical points where policy enforcement is required.

·       Assess existing security infrastructure – Evaluate your existing security infrastructure to identify components that can serve as policy enforcement points. Determine if any existing solutions, such as firewalls or IAM systems can be leveraged to enforce access control policies effectively. Assess their capabilities, compatibility, and scalability in the context of Zero Trust principles. This evaluation helps identify gaps that might require additional solutions or enhancements.

·       Select policy enforcement mechanisms – Identify existing mechanisms and choose additional mechanisms to enforce access control policies at the identified points. Examples include technologies like network firewalls, web application firewalls (WAFs), micro-segmentation solutions, IAM systems with fine-grained authorization capabilities, and cloud-native security services. Evaluate their capabilities, integration options, scalability, and compatibility with your infrastructure.

Gather the team and review the findings and recommendations. Once some level of agreement is reached throughout the team, ensure that alignment with the Zero Trust strategy is maintained and document the measurable achievement expected along with the constraints and assumptions used in the estimation.

Modeling the Policy Pieces

This is the point where all the other work and modeling come together to ensure your overall automation considers the information and insights collected and the operationalized solution achieve the goals of the Zero Trust initiative in a measurable and meaningful way.

The tool(s) you keep and the ones you replace must be able to enforce security policy in an automated fashion, be transparent enough to be monitored and tuned, and provide the information needed to inform incident responses and provide the hunter team to complete their mission.

Validate the alignment of the tools you select with the mechanisms modeled as part of this initiative as well as mechanisms that are already in place. Examples include:

·       Resource and security zones

·       Least privilege access mechanisms

·       Attribute-based access control (ABAC) and other access controls in use

·       Policy enforcement points (PEPs), and associated policy administration, decision, information, and retrieval points (PAPs, PDPs, PIPs, PRPs)

·       Automation and Orchestration tools (SAOs)

·       Continuous monitoring and adaptive policies enablers and mechanisms

Consider reviewing SIEM templates or Sigma rule sets to verify you have a complete and holistic view of your environment and the security controls needed to achieve your initiative’s goals. Regular policy reviews and updates are an absolute must.