Our Zero trust architecture design principles have been launched to help you securely build this cutting edge network architecture.
How to build this cutting edge network architecture
Network architecture is changing. More services are moving to the cloud and there is continued growth in the use of Software as a Service (SaaS).
Meanwhile, many organisations are embracing flexible working, meaning your systems may see numerous types of devices connecting from a variety of locations. It’s also increasingly common for organisations to share data with their ‘partners’ and guest users, necessitating granular access control policies.
Zero trust architecture is designed to cope with these changing conditions by enabling an improved user experience for remote access and data sharing. With this in mind, our new zero trust guidance is intended to help organisations design and build a zero trust architecture.
Our 8 zero trust principles
The eight principles outlined in our guidance will help you to implement your own zero trust network architecture in an enterprise environment.
The principles are:
- Know your architecture, including users, devices, services and data.
- Know your User, Service and Device identities.
- Assess your user behaviour, device and service health.
- Use policies to authorise requests.
- Authenticate & Authorise everywhere.
- Focus your monitoring on users, devices and services.
- Don’t trust any network, including your own.
- Choose services designed for zero trust.
Our guidance has been written as a set of principles because this provides a more flexible way to offer and consume advice. The eight we have finalised here represent the main building blocks and architectural considerations involved in moving towards a zero trust architecture.
Everyone’s way of achieving Zero trust will be somewhat different. This is driven by the technology you are using and the threats you are facing. However, we feel most zero trust approaches should still link back to theses eight core principles.
It’s a phased approach
While transitioning to a zero trust architecture, don’t start immediately decommissioning the traditional security controls that your zero trust components are replacing. Ensure that you have fully implemented and tested your zero trust components before doing any decommissioning.
Due to the nature of a zero trust architecture, you may leave your systems exposed and at considerable risk if your new controls haven’t been properly configured and tested. For example, don’t remove your VPN connection until you are satisfied that the new zero trust architecture is mitigating all the threats the VPN was covering.
It’s also worth remembering that as you make your changes to your architecture, some fundamentals may change, such as your monitoring strategy and the way your enforce internet usage polices.
Use zero trust products and services that have been designed with zero trust in mind. We firmly believe everyone’s zero trust journey can be a bit different, producing different solutions to fulfil each principle.
Every step counts
You can start to gain security benefits by working though the principles, taking the first steps on your zero trust journey. Naturally, a more complex environment will have a longer and more challenging journey to make.
It could be the case that not all principles can be achieved in one go. In fact, depending on your use case, it may be possible that the current commercial offerings are unable to satisfy all the principles.
It might be that the maturity of the technology needed to support your use case just isn’t there yet. If this is so, zero trust can still be your strategic goal, allowing you to start working on the principles you can achieve right now. A future blog on zero trust migration will look to address some of the challenges in this area.
The next stage in our zero trust guidance series will be a set of blog posts covering some key topics for migration to a zero trust architecture, as defined by our principles. We are hoping to releases these blogs over the next few months, so please do keeping looking out for our future publications.