Zero trust architecture addresses some of the security challenges that complex IT environments in today’s businesses create. Most teams access applications and data in multiple clouds – from multiple worksites or their homes at any time of day, using various devices. In addition to providing businesses with greater flexibility, however, it also makes securing the network, systems, applications and data more difficult.
Businesses are waking up to the fact that perimeter-based security strategies, such as a firewall, aren’t enough to protect data used in home networks or accessed by personal mobile devices. Moreover, cybercriminals are finding their ways past perimeter-based security, either by finding vulnerabilities or using social engineering to get login credentials to come in through the front door.
In addition to the need for Zero Trust at your user’s businesses, however, you also need to take a hard look at whether adopting Zero Trust architecture is the right move to strengthen security at your software company. Steve Winterfeld, Advisory CISO at Akamai, answers questions that you may have as you evaluate your current security posture and plan next steps.
How do you define Zero Trust architecture in a development environment?
Winterfeld: First, to define Zero Trust, I like to use NIST SP 800-207 “Zero Trust Architecture” from August 11, 2020: “Zero Trust refers to an evolving set of security paradigms that narrows defenses from wide network perimeters to individual or small groups of resources. Its focus on protecting resources rather than network segments is a response to enterprise tends that include remote users and cloud-based assets that are not located within an enterprise-owned network boundary.”
That said, there are two approaches: micro-segmentation (MSNA) and application access (ZTNA). Think of it as moving from layer 3/4 (VPN) to layer 7. ZTNA is the more modern approach.
If you are using ZTNA, the developer team could provision applications and users on their own. If the company uses MSNA, you would have to deal with VPN provisioning, so you have a blocker to clear. ZTNA also provides role-based access by default.
Why is Zero Trust necessary in 2021?
Winterfeld: Companies are leveraging their developer teams to rapidly deploy competitive capabilities, which has made them a critical part of the business. In that case, protecting access to what they are doing and ensuring they have smooth access is vital.
Additionally, privacy laws and other regulations include the need for secure access, and Zero Trust is one of the more effective ways to be a complaint.
Are there benefits of Zero Trust beyond security?
Winterfeld: Depending on deployment, Zero Trust can provide a better user experience. It also streamlines provisioning and adds more flexibility due to power being put in developers’ hands. Finally, the architecture can provide better situational awareness across a multi-cloud environment
What advice do you have for developers implementing Zero Trust?
Winterfeld: The first step is to define the set of tools (software development, collaboration, project tracking, and administration) you need access to, then develop a phased approach to moving them to Zero Trust architecture.
Finally, developers should ensure they are compliant with processes like deprovisioning employees when they leave the company.
Resources to Learn More About Zero Trust Architecture
There are several resources available that can help you learn more about Zero Trust architecture and implement this model, including: