Though Zero Trust is here to stay, that doesn’t mean implementation is easy. Rob Maas is one of the leading Zero Trust consultants and the Field CTO at ON2IT. In this blog series, he’ll provide background and tips based on his years of practical experience implementing Zero Trust.
In this first blog of the series: Zero Trust can only succeed if business people and IT specialists work together from the start.
Over a decade of evolution of Zero Trust has resulted in a number of practical tools and practices to operationalize this strategic approach. The so-called Five Step Model to implement Zero Trust is generally considered to be the best general approach for organizations to start their Zero Trust journey.
The steps in the model looks deceptively simple, starting with defining the protect surfaces and consequently building and monitoring a Zero Trust environment.
But when we take a closer look at all activities involved in the five steps, a diverse range of stakeholders come into play. In the first step, where we are documenting the most valuable digital assets of most importance to the company, we encounter the business leaders and business units.
As we progress from step one to step five, IT operations take the spotlight.
Architects are the natural intermediaries between these distinct domains. They bridge the gap by translating intricate business (security) requisites into a high-level blueprint. IT and security specialists can then operationalize and maintain these demands.
For the next steps, ensuring business alignment is crucial for a successful implementation of Zero Trust.
The so-called Five Step Model to implement Zero Trust is generally considered to be the best general approach for organizations to start their Zero Trust journey.
In the business realm, C-level executives and key staff members have the most acute insights of what digital crown jewels demand safeguarding. For instance, consider “Customer Relationship Management” (CRM) as a prime exemplar of a protected surface, something warranting often extensive security measures.
In most organizations the sales team (like a sales director) is the owner and most intensive user of the data in the CRM system.
In the Zero Trust model, these custodians have the responsibility of describing the value and details of the domain to be safeguarded, and at the same time charting the course for security measures to be enabled. Such an undertaking necessitates alignment with overarching business prerequisites, such as compliance mandates.
In this phase and the following steps, unequivocal and easy to understand guidance becomes imperative.
This is where the security team and/or Chief Information Security Officer (CISO) come into play, lending their expertise to offer guidelines on pivotal high-level controls pertinent to diverse scenarios.
They consider factors like the presence of Personally Identifiable Information (PII) or the necessity for aligning the protective layer with standards like ISO 27001.
The architects act as the glue between the business requirements and IT operations. To operationalize Zero Trust, the controls defined earlier by the business stakeholders should be implemented. However these controls are described on a high level, making sure they are understandable by non-technical people.
As an example, they state “Segmentation” and “Multi Factor Authentication”. They will not say anything on how this is accomplished. This is the daunting task for the architect: translate these control requirements into an architecture that fits in the organization. Often, large parts of the current IT landscape can be (re)used to accomplish this.
The architects function as the pivotal linkage between the business needs and the intricacies of IT operations. To bring into practice the principles of Zero Trust, the previously delineated controls must be effectuated.
IT and Security Operations
Once the architecture, whether newly defined or modified, is available, the focus shifts to the operations team. Their mandate encompasses not only implementation but also the ongoing guardianship and monitoring of outcomes.
Evidently, the pursuit of actualizing Zero Trust requires an assembly of diverse stakeholders. Yet, when these stakeholders work in harmony, Zero Trust seamlessly becomes interwoven into the organizational processes.
Only then will the strategic choices yield their maximum preventive power.