Zero-trust implementation begins with choosing an on-ramp Zero-trust model case study: One CISO's experience

Planning a zero-trust strategy in 6 steps

Launch a zero-trust strategy in six steps. Learn how to form a dedicated team, ask questions about existing security controls and evaluate the priority of zero-trust initiatives.

Zero trust isn't a turnkey proposition. Enterprises must create a zero-trust strategy that addresses how the organization will approach the move and who will lead the effort, among other important factors.

Before planning starts, however, make sure the cybersecurity team is on the same page about the attributes of zero trust.

  • Zero trust is highly granular. Only the minimum possible access is granted to the smallest resource unit.
  • Zero trust is dynamic. Trust is constantly reassessed through the interaction between user and resource.
  • Zero trust is end to end. Security extends from the requesting entity to the resource requested.
  • Zero trust is independent of preexisting classifications. The terms inside the perimeter and outside the perimeter have no meaning in the world of zero trust.

Once everyone is set on the foundation of zero trust, cybersecurity teams can create a strategy based on six steps.

Step 1. Form a dedicated zero-trust team

Zero trust is one of the most important initiatives an enterprise can undertake. So, rather than making "move to zero trust" a task that ranks below everyone's top to-dos, dedicate a small team tasked with planning and implementing the zero-trust migration.

This team should include members from applications and data security, network and infrastructure security, and user and device identity because those areas are the three easiest on-ramps to zero trust. The team should also include members from security operations -- particularly the security operations center -- and risk management.

Once everyone is set on the foundation of zero trust, cybersecurity teams can create a strategy based on six steps.
Johna Till JohnsonCEO, Nemertes

Step 2. Assess the environment

Understanding the controls across the environment will make deploying a zero-trust strategy more straightforward. Here are some questions to ask.

Where are the security controls?

In a network environment, these controls include firewalls, web application gateways and the like. In a user/identity environment, the controls might be endpoint security -- endpoint detection and response or extended detection and response -- and identity and access management (IAM). In an applications and data environment, these include container security, data loss prevention, microservices authorization and similar controls.

To what extent do these controls provide dynamic, granular, end-to-end trust frameworks that don't depend on preexisting classifications?

Firewalls typically aren't granular, end-to-end or dynamic and rely on simplistic classifications -- outside = bad and inside = good.

What are the knowledge gaps?

It's impossible to provide granular access to data if you don't understand the security classification of that data. Unclassified data represents a knowledge gap that will need to be addressed in a zero-trust strategy.

Step 3. Review the available technology

Either at the same time or following the assessment, review emerging technologies for your zero-trust initiative's on-ramp. Next-generation networking equipment includes capabilities like deep segmentation -- or microsegmentation -- virtual routing and stateful session management that can turn these devices into key components of a zero-trust architecture. IAM capabilities are quickly becoming more granular and dynamic.

Step 4. Launch key zero-trust initiatives

Compare the results of your technology review with the technologies you need. The comparison will inform how to develop, prioritize and launch initiatives such as "upgrade existing network infrastructure to equipment capable of deep network segmentation" or "deploy microservices authentication."

Step 5. Define operational changes

Zero-trust strategy can fundamentally change security operations. For example, as tasks are automated, corresponding manual tasks might need to be modified or automated to keep pace and prevent gaps in security.

Step 6. Implement, rinse and repeat

As the organization deploys new technologies, assess their value according to security KPIs, including the mean total time to contain incidents, which should decrease dramatically the closer an organization moves to zero trust.

This was last published in October 2020

Dig Deeper on Risk management