Back when I was a contract firewall installer for Trusted Information Systems, we had a phrase for the way a lot of companies looked at connected networks: Mallomars. If you’re not familiar, Mallomars are a cookie with a hard, crunchy outer layer of graham cracker and chocolate and soft gooey marshmallow inside. And “Mallomar” companies thought that if they installed a strong enough firewall -- that hard, crunchy outer layer -- they didn’t need to worry about security on the inside. What happened? Internal networks were not secured—like the gooey marshmallow in the center of a Mallomar.
Even back then, most network security experts recognized that, no matter how good a firewall may be, there’s more to network security than a single gateway. That’s why most security pros recommended a “defense-in-depth” approach. Rather than looking at the internal network as a wide-open trusted space, I worked with companies to determine where additional layers of segmentation and authentication made sense, turning networks from Mallomars into Jawbreakers that are hard all the way through.
Fast-forward to the early 2000s, when the Jericho Forum and de-perimeterization started to break down traditional Mallomar (perimeter-based) thinking. The most recent evolutionary adaptation is Zero Trust, a term coined by John Kindervag while he was an analyst at Forrester. Zero Trust pushes protection out to every resource and is particularly well-suited to a distributed workforce and cloud-first architectures. There is no soft, trusted inside: every request for access is untrusted until it has been verified.
The great news is that if you’ve been practicing security for a while and have a healthy appreciation for defense-in-depth (DiD), adopting a Zero Trust Architecture (ZTA) mindset should come easily. Companies with segmentation, robust hardware and software asset management, privileged account and identity management, and a resource-aware protection strategy already have many of the foundational components for ZTA. And technical advances like software-defined networking (SDN) and secrets management make DiD and ZTA much easier to implement and manage.
Late to the DiD and ZTA party? No worries. On the plus side, you have a green field to design your ZTA from scratch: you can build out a resource-centric ZTA program without legacy constraints to hold you back.
Whether you’re starting from scratch or updating a traditional perimeter (Mallomar) type company to ZTA, make sure you do these three things first:
1. Inventory - The old saying “you can’t manage what you don’t know” is more resonant than ever in ZTA, because protecting your resources means you need to know what those resources are. As a baseline, ensure you’ve got a way to keep a live, updated asset inventory for all of your:
- Cloud servers
- Cloud workloads
- People (we humans are resources too!)
2. Write - OK, a lot of people hate writing policy, but policies are the foundation for what is and isn’t allowed in an organization’s environment. And if you need to go through a formal security assessment, policies are the first thing most assessors will request. Another benefit of writing policies for your ZTA deployment is that they force you to think through what is and isn’t possible on paper and whiteboard before the most expensive phase: buying new technology or upgrading and reconfiguring what you already have.
3. Win Small - Now that your inventory is up to date and your policies are written, pick one or two candidates for ZTA before doing a full roll-out. There are multiple deployment options for ZTA, so pick the one that best fits your candidate. For example, some ZTA solutions require an agent on every endpoint. In some BYOD environments that isn’t an option, but a cloud gateway policy enforcement point could be the perfect fit. Whatever you decide, the big win comes from a carefully deployed small candidate. Once your pilot candidates are up and running smoothly, take the lessons learned and the organizational goodwill and expand your ZTA rollout.
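As an added example (not code from the original post or from any ZTA product), here is what the three preparation steps look like when tied together in a small Python policy enforcement point (PEP): the inventory of resources and people is plain data, the written policy is expressed as rules against that data, and every request is decided per resource with deny as the default, including requests for identities or resources the inventory has never seen. The resource and people entries, group names, rule contents and request samples are all constructed for illustration; the "monitor mode" that records decisions without blocking is an assumption about how a pilot might be run, not something the post prescribes.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Step 1: inventory. Constructed sample entries for this example; in a real
# deployment these come from a live source (cloud API, CMDB, HR/IdP feed).
RESOURCES = {
    "payroll-db": {"kind": "cloud-workload", "owner": "finance", "sensitivity": "high"},
    "wiki": {"kind": "cloud-server", "owner": "it", "sensitivity": "low"},
}
PEOPLE = {
    "alice": {"groups": {"finance", "staff"}},
    "bob": {"groups": {"staff"}},
}


# Step 2: policy as data. A rule names the resource it protects, who may
# reach it, which actions are permitted, and what the session and device
# must look like before access is granted.
@dataclass(frozen=True)
class Rule:
    resource: str
    allowed_groups: frozenset
    allowed_actions: frozenset = frozenset({"read"})
    require_mfa: bool = False
    require_managed_device: bool = False


POLICY = [
    Rule("payroll-db", frozenset({"finance"}), frozenset({"read", "write"}),
         require_mfa=True, require_managed_device=True),
    Rule("wiki", frozenset({"staff"})),
]


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    action: str
    mfa: bool = False
    managed_device: bool = False


def decide(req: Request) -> tuple[bool, str]:
    """Policy decision for one request. Default deny: a request is allowed
    only if subject and resource are in the inventory, a rule covers the
    resource, and every condition of that rule holds."""
    if req.user not in PEOPLE:
        return False, "unknown identity"
    if req.resource not in RESOURCES:
        return False, "resource not in inventory"
    rules = [r for r in POLICY if r.resource == req.resource]
    if not rules:
        return False, "no policy for resource"

    groups = PEOPLE[req.user]["groups"]
    reason = "no matching group"
    for rule in rules:
        if not groups & rule.allowed_groups:
            continue
        if rule.require_mfa and not req.mfa:
            reason = "mfa required"
            continue
        if rule.require_managed_device and not req.managed_device:
            reason = "managed device required"
            continue
        if req.action not in rule.allowed_actions:
            reason = "action not permitted"
            continue
        return True, "allowed"
    return False, reason


def enforce(requests: list[Request], enforce_mode: bool = True) -> list[dict]:
    """Step 3, the pilot PEP. In enforce mode denied requests are blocked;
    in monitor mode (an assumption for a pilot) every request passes but
    the would-be decision is recorded so the policy can be tuned first."""
    log = []
    for req in requests:
        allowed, reason = decide(req)
        log.append({
            "user": req.user, "resource": req.resource, "action": req.action,
            "decision": "allow" if allowed else "deny", "reason": reason,
            "blocked": (not allowed) and enforce_mode,
        })
    return log


def denial_summary(log: list[dict]) -> Counter:
    """Count denials by reason: the pilot's lessons learned in one line."""
    return Counter(e["reason"] for e in log if e["decision"] == "deny")


if __name__ == "__main__":
    sample = [  # constructed requests
        Request("alice", "payroll-db", "write", mfa=True, managed_device=True),
        Request("alice", "payroll-db", "write", mfa=True, managed_device=False),
        Request("bob", "payroll-db", "read", mfa=True, managed_device=True),
        Request("bob", "wiki", "read"),
        Request("bob", "wiki", "write"),
        Request("carol", "wiki", "read"),
        Request("alice", "legacy-bucket", "read", mfa=True, managed_device=True),
    ]
    for entry in enforce(sample, enforce_mode=False):
        print(entry)
    print(denial_summary(enforce(sample, enforce_mode=False)))
```

Two design points worth noticing: an identity or resource missing from the inventory is refused outright rather than falling through to some default rule, which is what makes step 1 a prerequisite for step 3; and running the pilot in monitor mode first turns the denial summary into the evidence you bring back when it is time to expand the rollout.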
For a deeper exploration of how to make ZTA work for your organization, tune into my on-demand webinar: Zero Buzz - Zero Trust.
Diana Kelley, CTO, Executive Mentor, Research Analyst, Security Keynote Speaker
Diana Kelley’s security career spans over 30 years. She is Co-Founder and CTO of SecurityCurve and donates much of her time to volunteer work in the cybersecurity community, including serving on the ACM Ethics & Plagiarism Committee, as CTO and Board member at Sightline Security, as Board member and Inclusion Working Group champion at WiCyS, as Cybersecurity Committee Advisor at CompTIA, and on the RSAC US Program Committee.
Diana produces the #MyCyberWhy series, hosts BrightTALK’s The Security Balancing Act, and is a Principal Consulting Analyst with TechVision Research and a member of The Analyst Syndicate.
She was the Cybersecurity Field CTO for Microsoft, Global Executive Security Advisor at IBM Security, GM at Symantec, VP at Burton Group (now Gartner), and a Manager at KPMG.
She is a sought-after keynote speaker, co-author of the book Cryptographic Libraries for Developers, a lecturer in Boston College's Master's program in cybersecurity, the EWF 2020 Executive of the Year, and one of Cybersecurity Ventures' 100 Fascinating Females Fighting Cybercrime.