Key Takeaways
To be successful at anything, and especially in cybersecurity, you need a strategy to achieve your goals. In cybersecurity, the goal is to avoid being breached. Zero Trust is that strategy for success. But what makes a strategy successful? A strategy is a plan to achieve your goals, but you also need to know when you’re making progress toward those goals, which is why the best strategies are measurable. There are a number of concepts in cybersecurity that sound like strategies but actually aren’t:
· Defense in depth—Often, defense in depth is compared to an onion; it has multiple layers. But how many layers do you need before you’re secure? In this way, defense in depth fails as a strategy because it’s not measurable.
· Compliance—Many businesses are required to comply with several different regulatory frameworks. Although being compliant may be measurable, the goal isn’t to be secure. Compliance is often a minimum starting place that regulators can agree on, but the unique needs of each business require a more tailored approach.
· Best of breed—Best of breed versus platform is more of a philosophical debate about the effectiveness of tools. The goal of this approach isn’t to prevent a breach; it’s to find the best vendors.
The Four Zero Trust Design Principles
The first and most important principle of your Zero Trust strategy is to ensure that you understand how the business makes money and what the organization hopes to achieve. Zero Trust should align with business outcomes, not prevent the business from operating effectively. There are a huge number of tools or products available to help you along in your Zero Trust journey, but it’s important to always keep these four principles in mind to stay focused on the big picture:
1. Focus on business outcomes.
2. Design from the inside out.
3. Determine who/what needs access.
4. Inspect and log all traffic.
The Five-Step Zero Trust Design Methodology
To make your Zero Trust journey achievable, you need a repeatable process to follow. The first step is to break down your environment into smaller pieces that you need to protect. Many organizations focus on reducing the scope of their attack surface. An attack surface is all the possible points of attack a threat actor could leverage to access a system and steal or exfiltrate data. In practice, the attack surface for a global organization with users working remotely could encompass the whole world. Rather than focusing on your “attack surface,” which is huge and hard for you to control, the Zero Trust design methodology focuses on what you can control: protect surfaces. Each protect surface helps you limit the blast radius of any attack to just that portion of your environment by following these five steps:
· Define the protect surface.
· Map the transaction flows.
· Architect a Zero Trust environment.
· Create Zero Trust policies.
· Monitor and maintain.
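As an added illustration (not code from the original text), the following Python models steps 1, 2, 4 and 5 of the methodology for a single constructed protect surface: the surface holds a small set of assets and the transaction flows mapped to it, the policy allows only those mapped flows and denies everything else by default, and every decision, allowed or denied, is logged for the monitor-and-maintain step. All names (a payroll database, a payroll application, ports) are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Flow:  # step 2: one mapped transaction flow (who talks to what, how, and why)
    source: str
    destination: str
    port: int
    purpose: str

@dataclass
class ProtectSurface:  # step 1: the small set of assets being defended, plus its flows
    name: str
    assets: Set[str]
    allowed_flows: List[Flow] = field(default_factory=list)

class PolicyEnforcementPoint:
    """Steps 4 and 5: default-deny policy for one protect surface; every decision is logged."""

    def __init__(self, surface: ProtectSurface) -> None:
        self.surface = surface
        self.log: List[Dict[str, str]] = []

    def evaluate(self, source: str, destination: str, port: int) -> str:
        if destination not in self.surface.assets:
            verdict, reason = "deny", "destination outside protect surface"
        else:
            match = next((f for f in self.surface.allowed_flows
                          if (f.source, f.destination, f.port) == (source, destination, port)), None)
            verdict, reason = ("allow", match.purpose) if match else ("deny", "no mapped transaction flow")
        # principle 4: log all traffic, allowed or denied, so step 5 has something to review
        self.log.append({"surface": self.surface.name, "source": source, "destination": destination,
                         "port": str(port), "verdict": verdict, "reason": reason})
        return verdict

# constructed example: a payroll database treated as a business-critical ("crown jewel") protect surface
PAYROLL = ProtectSurface("payroll-db", {"payroll-db-01"},
                         [Flow("payroll-app", "payroll-db-01", 5432, "monthly payroll run")])

def run_demo() -> Tuple[List[str], List[Dict[str, str]]]:
    pep = PolicyEnforcementPoint(PAYROLL)
    verdicts = [
        pep.evaluate("payroll-app", "payroll-db-01", 5432),  # mapped flow -> allow
        pep.evaluate("hr-laptop", "payroll-db-01", 5432),    # unmapped source -> deny
        pep.evaluate("payroll-app", "payroll-db-01", 22),    # unmapped port -> deny
        pep.evaluate("payroll-app", "crm-db-01", 5432),      # asset outside this surface -> deny
    ]
    return verdicts, pep.log
```

The denied entries in the log are exactly what the monitor-and-maintain step reviews: either a legitimate flow that was missed during mapping and should be added, or unexpected traffic that deserves investigation.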
The Zero Trust Implementation Curve
When beginning your Zero Trust journey, you’ll need to start by going through the five-step methodology on non-business-critical systems. You want to create an environment for learning where making a mistake won’t impact your organization. If you already have a Business Continuity Plan (BCP) or a Business Impact Assessment (BIA), these documents should have already categorized the applications that are most important to your business. Once you are ready to begin working on critical protect surfaces, you should focus on the most important systems first to protect your crown jewels as quickly as possible:
· Learning protect surfaces
· Practice protect surfaces
· The “crown jewels” (aka business-critical protect surfaces)
· Secondary protect surfaces
· Tertiary protect surfaces