This document is the fourth in the six-part Technical Manager’s Guide to Zero Trust series, which articulates critical links between zero trust (ZT) and security strategy within each of the six ZT pillars: identity, devices, network, infrastructure, applications, and data.
Zero trust (ZT) often focuses on the “bookend” pillars of identity and data, expanding to include the adjacent pillars of devices and applications. But the central pillars of network and infrastructure (including both corporate compute/storage/virtualization and cloud-based platforms) are also critical to a complete ZT strategy.
Contemporary infrastructure often centers on outside-the-perimeter cloud resources, challenging security leaders tasked with establishing a resilient environment that provides confidentiality, integrity, and availability. To respond to the challenge of hybrid IT delivery, ZT infrastructure needs to support the identification of sensitive data. It must also establish the location of and protection for critical intellectual property assets potentially compromised by external vulnerabilities or by internal or external attacks that move laterally through the corporate IT environment.
Technical managers responsible for ZT infrastructure need to implement effective segmentation, standardized configuration management, consistent application of policies, and means of achieving needed visibility both across infrastructure and into links that connect with other ZT pillars. The combination of these measures enables ZT infrastructure managers to achieve key objectives:
By following a path that includes identifying the most urgent vulnerabilities before a breach – mitigating corporate risk by tying ZT infrastructure investments to business priorities, deploying technologies that enable ubiquitous auditing and alerting, and forging seamless connections to other ZT pillars – ZT infrastructure managers can address pillar-specific requirements and contribute meaningfully to the overall success of the organization’s ZT strategy.
One of the key drivers of zero trust as a necessary successor to the traditional “moat and castle” approach to security was cloud computing: Cloud’s omnipresence made protection predicated on a hardened perimeter obsolete. As one Stratascale SME noted, we no longer have just one “castle” to protect – a company could have hundreds of assets and environments to protect, all over the world.
Cloud is also the key link between infrastructure security and zero trust. Businesses are looking to establish what one contributing SME referred to as the “triad of confidentiality, integrity, and availability.” They are hampered in this by:
“The idea of ‘cloud first’ oftentimes is not backed up by having a documented strategy about how to move to the cloud,” one Stratascale SME observed. This can create “a huge blind spot” with respect to data locations, dependencies, and potential vulnerabilities, as top-down mandates collide with the day-to-day responsibilities of the infrastructure security team. To bridge this gap, the entire organization needs to agree on an adoption plan that spells out ways that the infrastructure security group can meet the combined objectives of cloud and zero trust strategies.
Businesses understand the need to align their security posture with the realities of hybrid infrastructure – to “transition from a perimeter-based model into one that's fully matured, and which considers the whole attack surface,” as one SME explained. From a zero trust perspective, infrastructure complexity extends well beyond cloud and on-premises. It extends to an edge that includes a dizzying array of single-purpose IoT devices vulnerable to compromise, and to APIs, containers, microservices, and other logical infrastructure components that communicate both internally and externally. This increases the infrastructure attack surface, reduces the value of deploying security at a defined perimeter, and underscores the need for a zero trust approach that establishes the validity of each connection as it occurs.
Faced with these complex challenges, an infrastructure security team needs to connect deeply into the infrastructure management process. IT and security groups need to work in concert to ensure that internal teams are using hardened images, to keep configurations consistent with enterprise architectural designs, and to maintain workload identity management and access controls.
This process of connecting security principles, objectives, and activities to the workflows used in design and build of critical digital business components is replicated across each of the ZT pillars, as IT, security, and related business units look to isolate complicating factors, align processes to requirements, and develop task and target clarity, with each pillar’s actions and controls both achieving discrete outcomes and supporting overall ZT objectives. Infrastructure security (along with the security teams in the other ZT pillars) is wrestling with complex issues. Clarity, team collaboration, and alignment enable each group to address its particular issues while contributing to the overall ZT strategy, as illustrated in the following image.
At the same time, there is at least potential for another blind spot to arise in pursuit of resiliency. Resiliency dominates many security-related conversations, since it attaches to highest-priority business objectives: the ability to maintain business operations in the event of a cyberattack, the capacity to protect corporate data, and the need to defend against ransomware.
These are all essential corporate goals, but they don’t fully define how security approaches need to shift in response to changes in underlying technology. At a fundamental level, the security function needs to deliver confidentiality, integrity, and availability. This is a challenge in a hybrid environment where data is stored across cloud and on-premise facilities – a challenge that zero trust, which aligns data security with identities, across devices, applications, networks, and infrastructure, is uniquely able to address.
Takeaway: Cloud and the reality of hybrid IT delivery that places data in multiple locations – and corporate need for resiliency – create a critical link between infrastructure and a need to embrace ZT. In the words of a contributing SME, “We need to move beyond ‘cloud first – and security third.’”
“Investment in ZT pillars is all about zero trust for a business objective. It is not a security process.”
Zero trust success requires security leaders to connect their focus areas to business priorities.[1] And from a ZT perspective, interest in infrastructure security starts with data. “The data is the key piece to this,” one contributor stated. “You know you have to protect your data whether it's at rest or in flight. Who has or had access to it, when did they have access to it, and what's being done with it?”
These questions extend throughout the technology stack; it would be fair for an IT or business executive to ask an infrastructure security manager questions like, “we have a zero trust approach to storage – but is our backup zero trust, too?”
Contributors to this document stressed the need to position ZT infrastructure in business terms. “You have to get all the way down to the product owners and the portfolio managers,” one Stratascale SME insisted. “Those are the real business influencers – the people who take business strategy and try to operationalize it. And that's where ZT-responsible infrastructure security managers need to be fitting in. Because if the product owner for an application or a service is shouting, ‘hey, we need to comply with GDPR,’ that really sets the tone, prompting business staff to reach out to a security champion in search of expertise, or to just ask the question, ‘how do we secure this entire process?’”
Despite the guidance above, with very rare exceptions, business product owners will not understand the connection between taking a ZT approach to infrastructure and achieving better compliance and security for their application or process: They are most apt to focus on data and applications and, secondarily, on devices and identity.
The “infrastructure is essential to our overall ZT approach” message may resonate with more technical stakeholders, but security leaders will need to connect the dots – with top-down support for the overall strategy from the executive team or board – to obtain buy-in for strategies focused on ZT’s “middle pillars,” particularly infrastructure and potentially network as well.
In discussion with the Stratascale research team, a client CISO stated that “most companies with at least 10 to 15 years of history, if they’re honest with you, will tell you that they have three problems:
The CISO went on to explain that in their organization, “ZT is mostly a means of limiting the blast radius when something bad happens.” In particular, attention needs to be paid to dependencies between applications and how the infrastructure can securely support these connections. “You have to start looking at, what are the integrations, what are the touch points. And again, for a company that's been around for a number of years, you've got touch points nobody knows about, you're moving data around that nobody had thought about for 10 years – is it still moving or not?” Zero trust gives security managers a way “to segregate those pieces and get to something that is tolerable for the average user.”
Stratascale SMEs reviewing this section noted that it highlights an underlying problem that is common across many different environments: “the infrastructure group has been tasked with supporting too much. There is a proliferation of components as line of business, product, application, and business owners continue to pile on more new technology without sloughing off the old.” This leads to ever-increasing complexity – and, as one SME stated, “all sorts of hidden risk. Infrastructure doesn't get more headcount; they are just continually asked to do more with less. As a result, infrastructure teams drop problem management and vulnerability management because they don't have the time” to both support critical systems and systematically address a backlog of potential flaws. But, the SME continued, “the business doesn't care because that risk is all invisible. It doesn't see the effect.”
There is no silver bullet approach to redressing these issues, but ZT infrastructure teams can look to advance one or more of the following practices:
Takeaway: From the perspective of effectively extending ZT to infrastructure, security managers need to establish standardized configuration management, consistent application of policies, and a means of achieving needed visibility. The technical manager needs to be able to answer questions like, “Have we consistently provisioned devices?” “Are security policies consistently applied when these devices are being deployed?” “Have we mandated that we unplug devices that are no longer needed but which represent a potential attack vector, or which create vulnerabilities that are disproportionate to their continued utility?”
One contributor observed that this is “a great plug for infrastructure as code, which provides you with visibility and standardization. If you let the process handle acquiring and configuring the infrastructure, you don’t have the human error problems that we see a lot in configurations,” and you can readily identify opportunities for rationalizing infrastructure.
It can be difficult to separate ZT infrastructure security priorities from the approach used to secure the business as a whole: Infrastructure is so intrinsic to a digital business that vulnerabilities here are vulnerabilities for the entire organization, and ZT infrastructure priorities map directly on top of overall ZT strategy. Drilling into issues that are within the control of a technical manager charged with infrastructure security, though, contributors to this document offered concrete advice on three core issues:
Takeaways: ZT infrastructure priorities underscore a need for continuous improvement. In the words of a Stratascale SME, “Nobody will ever be purely secure. But if every day I take on a problem and solve one aspect of it and move the needle…you don't have to make huge jumps to move that needle – to have a large cumulative impact. I think a lot of people forget that. Start with the fundamentals, keep building on them. It goes back to a culture with everyone continuously asking how do we get better?”
However, continuous improvement requires access to resources – time, staff, technologies – that support ongoing progress. Infrastructure is often not a key priority for security upskilling/upleveling, but the requirement to secure applications and data, and the components needed to support and deliver them, is clear. ZT infrastructure managers need to work with CISOs and IT leaders to ensure that skills and investment plans extend to areas needed to maintain currency and build capability in ZT infrastructure.
Each document in the Technical Manager’s Guide to Zero Trust series incorporates a roadmap providing practical guidance to readers looking to implement ZT within their areas. The advice offered by contributors to this document addresses four key steps:
ZT infrastructure security offers compelling benefits, and the graphic above defines a workable path for technical managers responsible for its execution. However, no strategy is immune to real-world challenges. Where are these most likely to arise on the path to establishing ZT infrastructure? Stratascale SMEs contributing to this document identified five impediments that infrastructure security managers may encounter during their ZT journey.
As part of its Executive Guide to Zero Trust research series, Stratascale published the report, Key Zero Trust Technologies and Management Imperatives. The ZT Infrastructure section of this report highlights the following as technologies that managers should understand as they plot their ZT infrastructure strategies:
CMDB is seen as a non-negotiable starting point for ZT infrastructure. As one contributor said, “You’d better have a list of all of your servers, all of your domain name system (DNS) services, your domain controllers, directory services, your services in Azure and AWS…you can’t function without it.”
Stratascale’s SMEs emphasized that configuration management, separate from the CMDB, is also a crucial capability to operate within a ZT framework. Configuration management enables security teams and their IT counterparts to establish system hygiene: for example, to ensure that systems have an approved operating system, that they have approved EDR (endpoint detection and response) protection, and that the systems are connected to the correct subnet. Configuration management provides an important ZT infrastructure control.
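As an added example (not code from the Stratascale report or any named vendor), here is a minimal version of the hygiene check described above, which also answers the takeaway question “Have we consistently provisioned devices?”: it audits a constructed inventory export against a baseline of approved operating systems, a required EDR agent, and the subnet expected for each server role. The baseline values, role names, agent name and host records are all placeholders.

```python
import ipaddress

# Baseline the hygiene checks are evaluated against (constructed placeholders).
APPROVED_OS = {"ubuntu-22.04", "windows-server-2022", "rhel-9"}
APPROVED_EDR = {"vendor-edr-agent"}  # placeholder agent name, not a real product
EXPECTED_SUBNET = {
    "web": ipaddress.ip_network("10.10.1.0/24"),
    "db": ipaddress.ip_network("10.10.2.0/24"),
}

# Constructed inventory records, in the shape a CMDB or config-management export might give.
INVENTORY = [
    {"host": "web-01", "role": "web", "os": "ubuntu-22.04", "agents": ["vendor-edr-agent"], "ip": "10.10.1.15"},
    {"host": "web-02", "role": "web", "os": "ubuntu-18.04", "agents": ["vendor-edr-agent"], "ip": "10.10.1.16"},
    {"host": "db-01", "role": "db", "os": "rhel-9", "agents": [], "ip": "10.10.2.7"},
    {"host": "db-02", "role": "db", "os": "rhel-9", "agents": ["vendor-edr-agent"], "ip": "10.10.1.40"},
]


def check_host(rec):
    """Return the list of hygiene findings for one inventory record (empty = compliant)."""
    findings = []
    # 1. Approved operating system
    if rec["os"] not in APPROVED_OS:
        findings.append(f"unapproved OS: {rec['os']}")
    # 2. Approved EDR agent present
    if not APPROVED_EDR.intersection(rec["agents"]):
        findings.append("EDR agent missing")
    # 3. Host sits on the subnet its role is supposed to use
    expected = EXPECTED_SUBNET.get(rec["role"])
    if expected is None:
        findings.append(f"unknown role: {rec['role']}")
    else:
        try:
            if ipaddress.ip_address(rec["ip"]) not in expected:
                findings.append(f"ip {rec['ip']} not in {expected} expected for role {rec['role']}")
        except ValueError:
            findings.append(f"invalid ip: {rec['ip']}")
    return findings


def audit(inventory):
    """Map host name -> findings, listing only non-compliant hosts."""
    report = {}
    for rec in inventory:
        findings = check_host(rec)
        if findings:
            report[rec["host"]] = findings
    return report


if __name__ == "__main__":
    for host, findings in audit(INVENTORY).items():
        print(host, "->", "; ".join(findings))
```

The same three checks can be run on every provisioning event (for example, as a gate in an infrastructure-as-code pipeline) rather than as a periodic audit.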
Cloud workload protection touches on both infrastructure and application security, stretching across two ZT pillars. Infrastructure and applications are tightly coupled, and application monitoring is important to each area. CWPP, which protects workloads as they move from one cloud environment to another, is positioned within infrastructure because it provides a critical monitoring capability to organizations that need to ensure cloud-based functions or applications can support complex processes – those involving extensive interactions between separate applications or software functions and associated data – without introducing vulnerabilities.
Cloud infrastructure entitlements management – “the other CIEM (SIEM)” – is an important tool in the ZT infrastructure management toolkit. One of the complicating factors with hybrid delivery platforms is that different suppliers may define access rights inconsistently and these rights may not align with internal controls. CIEM gives ZT infrastructure management insight into areas that might not be visible in tools that tie to specific environments.
Physical factors are easy to overlook in an industry swamped by digital vulnerabilities. But security leaders need to restrict access to systems to avoid both malfeasance and accident while also ensuring that their own staff can perform hands-on fixes if required.
No senior executive would be pleased to learn that their organization suffered a loss or outage because of an unplugged power line or data cable, or because a technician was able to attach a device to a server that provided access to unencrypted internal data. It can be difficult to establish physical access and security across on-premises, managed, colocation, and cloud environments, but this is a meaningful consideration in infrastructure planning and in support of a ZT infrastructure strategy.
As part of its zero trust research program, the Stratascale team has developed the Stratascale Zero Trust Metrics in Context and Action (Stratascale ZT-MICA) tool. This tool embeds a robust set of metrics that combine to provide strategic insights to executives, operational perspectives to IT and security management, and tactical data to managers responsible for ZT within each of the six pillars.
Metrics contained within Stratascale ZT-MICA for ZT infrastructure security management include:
Collectively, these measurements help infrastructure security managers assess readiness and progress over time and identify and respond to areas of need before they are exploited.
At the end of the research discussion, contributing SMEs were asked to propose recommendations that will help Stratascale client managers to succeed in establishing zero trust infrastructure security. These recommendations included:
In its “Zero Trust Vendors to Watch, Know, Understand: ZT Infrastructure” series, Stratascale experts reviewed 128 vendors to identify those that could be important to ZT infrastructure strategies in the four product-defined areas: CMDB, Configuration Management, CWPP, and CIEM. These areas are covered in the “important ZT infrastructure technologies and management imperatives” section of this document.
Caveats to consider in reviewing the lists below:
Results of these analyses are available in individual reports (linked via the section headers below). Vendors discussed in these reports include:
This is the fourth of six documents included in Stratascale’s “Technical Manager’s Guide to Zero Trust” research series. We have also published an eight-part companion series (“The Executive Guide to Zero Trust”) which is available on the Stratascale website.
Readers interested in specific manager-level perspectives on zero trust may wish to explore the other deliverables in this series:
[1] This topic is explored at length in the Zero Trust Sponsorship and Commitment section of Stratascale’s Executive Guide to Zero Trust: Drivers, Objectives, and Strategic Considerations series.