Introduction
Zero Trust is a term that gets IT folk’s blood rushing with fantasies of playing with new tools and technologies that will once and forever solve all their cybersecurity problems. Implementing it may involve some new IT purchases, but you may find that in many cases, your existing tools can be applied in service of Zero Trust. In any case, Zero Trust is not about new tools, but a different way of thinking–one that views your IT assets not as residents of your sovereign secure network, but as global citizens for whom your network is just one stop among many. Your users and the devices assigned to them use wifi at home, coffee shops, public transportation, airports, and other places that are out of your control and that may contain dangers that could affect—or infect—your information technology resources when those users eventually reconnect to your systems. This is exactly the contemporary, location-agnostic way of working that Zero Trust is designed to secure.
This post summarizes the actions required to establish a Zero Trust environment. Please see the NCCoE's Implementing a Zero Trust Architecture project page and its Implementing a Zero Trust Architecture: Full Document for more comprehensive guidance.
A Zero Trust Recap
Never trust, always verify is the core of Zero Trust and is key to setting up a Zero Trust environment. Looking at each application and system in your environment, you should ask:
- Who should have access to which resources or functionality within the system, and when?
- How do we verify the identity of a user attempting to access the system?
- What measures are in place to ensure that a system session started by an authenticated user remains in their control and that their access does not exceed their authorized level of access?
- Is the location from which the resource is being accessed authorized, and does it make sense in the context of the user in question?
Every system owner should ask these questions about all of their systems, regardless of the system’s perceived importance. Then, they should find and document the answers.
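As an added illustration (not part of the original post), the four recap questions can be encoded as a per-request policy decision: each check either denies, demands re-verification ("step-up"), or passes. The resources, roles, hour windows, device-risk thresholds and known user locations below are constructed assumptions, not anything from the post or from a real product.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Literal

Decision = Literal["allow", "step-up", "deny"]

# Constructed sample policy: which roles may reach which resource, during which UTC hours,
# and the highest device risk score (0 clean .. 100 compromised) tolerated for that resource.
POLICY = {
    "payroll-app": {"roles": {"hr", "finance"}, "hours": range(6, 20), "max_device_risk": 30},
    "wiki": {"roles": {"hr", "finance", "engineering"}, "hours": range(0, 24), "max_device_risk": 60},
}
# Constructed: countries each user normally works from; anything else triggers re-verification.
KNOWN_LOCATIONS = {"alice": {"US"}, "bob": {"US", "CA"}}


@dataclass
class Request:
    user: str
    roles: set
    resource: str
    mfa_verified: bool     # fresh MFA assertion present on this request
    device_risk: int       # posture score supplied by an endpoint security agent (assumed)
    country: str
    session_age_min: int   # minutes since the session was last verified


def decide(req: Request, now: datetime, reverify_after_min: int = 60) -> tuple[Decision, str]:
    """Evaluate one access request against the four Zero Trust questions; default deny."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return "deny", "unknown resource: default deny"
    # Q1: who may access which resource, and when?
    if not (req.roles & rule["roles"]):
        return "deny", "role not authorized for resource"
    if now.hour not in rule["hours"]:
        return "deny", "outside permitted access window"
    # Q2: how is the user's identity verified? Require MFA on the request.
    if not req.mfa_verified:
        return "step-up", "identity not verified with MFA"
    # Q3: is the session still in the user's control? Re-verify stale sessions, refuse risky devices.
    if req.session_age_min > reverify_after_min:
        return "step-up", "session older than re-verification interval"
    if req.device_risk > rule["max_device_risk"]:
        return "deny", "device risk exceeds threshold for resource"
    # Q4: does the access location make sense for this user?
    if req.country not in KNOWN_LOCATIONS.get(req.user, set()):
        return "step-up", "unfamiliar location for user"
    return "allow", "all checks passed"
```

Because every check is evaluated on each request rather than once at login, the same function also models the continuous verification that a session-level control needs.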
Starting Your Zero Trust Journey
Moving to Zero Trust is a journey that is best taken one system at a time, but where to begin? One may choose to start with the highest-value systems or with the systems most at risk of attack. Both options can be solid starting points, but if you are on your Zero Trust maiden voyage, starting small with a low-impact and less complicated target for transformation may make the most sense. Missteps here will be more forgiving and less disruptive. This allows you to move a low-stakes system to Zero Trust, document the lessons learned, and apply them to a higher-value, higher-risk system later.
Identify Your IT Assets
Securing your IT assets begins with knowing what you have. This requires an in-depth discovery process that includes hardware, software, and data. To prepare for Zero Trust, you’ll need to know what data your organization processes, what systems and software touch it, and who owns it. The latter is especially important because data owners are the ones who tell you the sensitivity and degree of protection required for the data they own.
Determine Attack Surface
Your attack surface includes all exposures and vulnerabilities for your systems and applications that threat actors could exploit. This includes unpatched system flaws, open ports, phishable application credentials, even just an application’s login screen, and anything that could provide a foothold for an attacker.
Identify Stakeholders
I mentioned earlier in this post one critical stakeholder category: system owners. It is critical to identify all stakeholders for each system before attempting to migrate it to Zero Trust. These may include:
- System users
- IT staff
- Cybersecurity staff
- Identity teams
- Executive leadership
Once you have identified your stakeholders, you can determine who is responsible or accountable for Zero Trust implementation tasks, who needs to be consulted, and who simply needs to be kept informed of work, progress, and decisions.
It is crucial to have appropriate stakeholder communication. Peppering executive leadership with play-by-play status updates from the implementation team would be inappropriate. At the same time, failing to give the IT staff information that would help them assist end users during the migration would be problematic. Similarly, there is value in not involving system users in every step of the implementation process. Their input is critical and they should certainly be kept informed, but consulting them throughout the process risks unnecessarily slowing down the implementation.
Determine Risks and Business Impact
With your stakeholder team assembled, you can begin a risk and impact analysis. At a minimum, this analysis should provide answers to the following questions:
- What business process does the system support?
- Who uses the system?
- What is the monetary impact if that process cannot be performed?
- What are the critical time periods for availability?
- What is the maximum tolerable downtime during both critical and noncritical time periods?
- How quickly could the system be restored if a problem occurred in the Zero Trust migration process?
Armed with information from this analysis, you will be better positioned to make decisions about how to map out your Zero Trust journey geared to minimize disruption to business activities.
Solution Selection
Tech folks, myself included, can get really excited about new tools and there are lots of great ones out there for Zero Trust. But there is a reason solution selection is near the end of this post: picking solutions to problems you don’t fully understand is a mistake. Further, the equipment you already use—sometimes requiring only relatively low-cost add-ons—can often be pressed into service for Zero Trust.
For example, organizations that already have Microsoft 365 licenses may only need to upgrade to a higher license level to access critical Zero Trust components such as Defender, which provides device risk scores, and Conditional Access policies, which orchestrate risk-based access decisions. Similarly, organizations with Fortinet firewalls may already have access to Secure Access Service Edge (SASE) capabilities that provide Zero Trust resource access.
In short, review your system and application inventory and scrutinize it for in-place solutions that may help you meet your Zero Trust goals. Then research options that fill the remaining gaps or provide less expensive functionality.
Conclusion
Zero Trust is more than a security trend—it’s a critical North Star guiding organizations toward a modern, resilient cybersecurity posture. As information moves beyond traditional firewalls into an interconnected world, Zero Trust ensures protection amid both the conveniences and risks of this new landscape.