Five Considerations for a Zero Trust Architecture

PB 25 Rockwell newlogo 400

June 20, 2022

By Tony Baker, Chief Product Security Officer, Rockwell Automation

Zero Trust is everywhere. It’s covered in industry trade publications and events, it’s a topic of conversation at board meetings, and it’s on the minds of CISOs, CIOs, and even the President.

What is Zero Trust, and why is it important?

Zero Trust isn’t a cybersecurity solution in and of itself, but implementing a Zero Trust architecture will help mitigate and ultimately lower the number of successful cybersecurity attacks your organization might otherwise endure, greatly reducing operational and financial risk.

What is Zero Trust?

A Zero Trust security model, simply put, is the idea that anything inside or outside an organization’s networks should never implicitly be trusted. It dictates that users, their devices, the network’s components, and in fact any and every packet that holds a stated identity, should continuously be monitored and verified before anyone or anything is allowed to access the organization’s environment – especially its most critical assets.

This concept is the exact opposite of the old “trust everything if it’s in my zone” model that many IT models operated under in years past. Today, Zero Trust takes a “trust nothing unless it can be verified in multiple ways” approach to security.

How do you build a Zero Trust architecture?

If you’re considering implementing a Zero Trust model in your organization and want to better understand how to get started, John Kindervag, the creator of Zero Trust, outlines these five practical steps.

Step 1: Define your protect surfaces

Most organizations understand the concept of the attack surface, which includes every potential point of entry a malicious actor might try to access in an attempt to compromise an organization.

Protect surfaces are different. They encompass the data, physical equipment, networks, applications and other crucial assets your organization wants to deliberately protect, given how important they are to the business.

Why take the protect surface approach instead of looking at the entire attack surface? Kindervag puts it simply: “Protect surface becomes a problem that’s solvable, versus a problem, like the attack surface, that’s actually unsolvable. How could you ever solve a problem as big as the internet itself?”

It’s essential to first identify the assets within your environment that require protection. Where does the most sensitive data reside? What operational technology is most critical to your plant and production processes? Make a list of those assets that you absolutely must prioritize from a security and access management standpoint and prioritize them.

Step 2: Map the transaction flows

Once you’ve identified your protect surfaces, you can start to map their transaction flows.

This includes examining all the ways in which various users have access to those assets and how each protect surface interacts with all other systems in your environment. For example, a user might be able to access terminal services only if multi-factor authentication (MFA) is implemented and verified, the user is logging on at an expected time and from the expected place, and doing an expected task.

With your protect surfaces identified, prioritized and transaction flows mapped, you’re now ready to begin architecting a Zero Trust environment. Start with the highest priority protect surface and when completed, move to the next. Each protect surface with a Zero Trust architecture implemented is a high quality step toward stronger cyber resiliency and lowered risk.

Step 3: Architect a Zero Trust environment

Keep in mind: no single product delivers a complete Zero Trust architecture. Zero Trust environments take advantage of multiple cybersecurity tools, ranging from access controls like MFA and identity and access management (IAM), to technology that protects sensitive data through processes like encryption or tokenization.

Beyond a toolbox of security technologies, every Zero Trust architecture essentially starts with creating smart, detailed segmentation and firewall policies. It takes those policies and then creates multiple variations based on attributes like the individual requesting access, the device they’re using, the type of network connection, the time of day they’re making the request and more – step by step, building a secure perimeter around each protect surface.

Step 4: Create a Zero Trust policy

This step focuses on creating the policies that govern activities and expectations related to things like access controls and firewall rules. 

Think beyond posting those new policies to your organization’s intranet, too. Consider educational programs you may need to implement throughout the organization to promote strong security practices among your employees, vendors, and consultants. Frequent cyber awareness training has moved into the mainstream, becoming a necessity that will help reduce risk.

Step 5: Monitor and maintain the network

The final step in Kindervag’s process focuses on verifying that your Zero Trust environment and the policies governing it are working the way you intended, identifying gaps or areas for improvement and course-correcting as necessary. This can be done by selecting a trusted MSSP partner with deep experience and knowledge in OT cybersecurity and deploying security measures at scale, globally.

Start your Zero Trust security journey today

Zero Trust security represents a mindset shift and a new approach – one that will ultimately strengthen your organization’s security posture and reduce the potential for your most sensitive data and production systems falling into the wrong hands.

Source

Related Articles


Changing Scene

  • Tri-Mach Announces the Purchase of an Additional 45,000 sq ft. Facility

    Tri-Mach Announces the Purchase of an Additional 45,000 sq ft. Facility

    Recently, Tri-Mach Inc. was thrilled to announce the addition of a new 45,000 sq ft. facility. Located at 285 Union St., Elmira, ON, this facility expands Tri-Mach’s capabilities, allowing them to better serve the growing needs of their customers. Positioning for growth, this additional facility will allow Tri-Mach to continue taking on large-scale projects, enhance product performance testing, and provide equipment storage for their customers. Read More…

  • HELUKABEL Group Builds New Facility for Automation Cable Solutions

    HELUKABEL Group Builds New Facility for Automation Cable Solutions

    The HELUKABEL Group recently announced it is going to build a new facility in Haan, Germany that will house its robotic dress pack and drag chain system subsidiaries under one roof. The new building will also serve as the headquarters of HELUKABEL’s Rhine-Ruhr sales branch, and is planned to be completed by 2025. Robotec Systems’ core business is robotic dress pack solutions and has been a HELUKABEL subsidiary since 2012 operating out of Duisburg, a suburb of Duesseldorf in northwest Germany. Read More…


Sponsored Content
Fire Protection for Lithium-ion Battery Energy Storage Systems

Lithium-ion storage facilities contain high-energy batteries combined with highly flammable electrolytes. In addition, they are prone to quick ignition and explosion in a worst-case scenario. Such fires can have a significant financial impact on organizations. Rapid detection of electrolyte gas particles and extinguishing are the key to a successful fire protection concept. Since December 2019, Siemens has been offering a VdS-certified fire protection concept for stationary Li-ion battery storage systems.

Click HERE to learn more.


For a Multiplied Value Unified

PB-62-Excelpro-MultipliedValue-400.jpg

During the last few years, the Excelpro Group has welcomed AIA Automation, Envitech Automation and Conrad Lavoie Electrical, all of which have become ‘Member of the Excelpro Group’.

It was with great excitement that in November of 2022, Excelpro announced that these three companies officially became Excelpro. This decision is part of a strategy to enhance the Excelpro Group’s brand in its market.

These companies already collaborate on various client projects. This merger brings together the complementary strengths of the employees and ensures a global synergy of the activities throughout the Group.

Read More


Service Wire Co. Announces New Titles for Key Executives

Bruce Kesler and Mark Gatewood have been given new titles and responsibilities for Service Wire Co.

Bruce Kesler has assumed the role of Senior Director – Business Development. Bruce will be responsible for Service Wire’s largest strategic accounts and our growing Strategic Accounts Team.

Mark Gatewood has been promoted to the role of Vice President – Sales & Marketing. In this role, Gatewood will lead the efforts of Service Wire Company’s entire sales and marketing organization in all market verticals.

Read More


Modern Niagara Partners with Global Sustainability Platform Worldfavor

Worldfavor is a global sustainability platform, digitizing and automating the collection, calculation, aggregation and visualization for analysis and reporting of ESG data. Now, Worldfavor is proud to welcome Modern Niagara as a new customer. Modern Niagara is the first Canadian construction company to partner with Worldfavor.

“Worldfavor was founded to be the best platform for sharing, accessing and gaining insights from corporate ESG information. Worldfavor’s mission is to make sustainability mainstream and with that we offer solutions to accelerate sustainability through the value chain. Modern Niagara is the first Canadian construction company to partner with Worldfavor. 

Read More


JMP Parent Company, CONVERGIX Acquires AGR Automation, Expanding Global Reach

Convergix Automation Solutions has completed the acquisition of AGR Automation (“AGR”), a UK-based provider of custom, high-performance automation design and systems integration primarily to the life sciences industry.

Following Convergix’s acquisitions of JMP Solutions in August 2021 and Classic Design in February 2022, AGR marks the third investment in Crestview’s strategy to build Convergix into a diversified automation solutions provider targeting the global $500+ billion market, with a particular focus on the $70 billion global systems integration and connectivity segments. Financial terms of the transaction were not disclosed.

Read More


Latest Articles