Trust Nothing and Verify Everything.

Mastering a Zero Trust Security Strategy

The concept of zero trust security is simple. Trust no one, every time. Regardless
of previous actions and permissions, zero trust demands revalidation for every
transaction, person, device, data access, network location or connection – every time.

WANING TRUST
Around the world trust is waning. With billions of transactions online daily, we ask customers to trust
our organizations with an ever-wider array of sensitive information. But with more sophisticated
breaches and scams, that trust is being tested. Adding to the complexity is consumer expectation to
access services, securely, across multiple devices.
Technology is advancing at such accelerated speed that even some of the largest tech companies
in the world are revisiting development that may put customer security and privacy at risk. Both
Facebook and IBM announced they will no longer develop facial recognition capabilities. Smaller tech
organizations may find themselves launched into the mainstream before they have robust protections
in place.

MANAGING RISK

Security professionals play an important role in managing risk to protect customers, vendors and the executive board.

Organizations that fail to address advanced persistent threats (APTs) and vulnerabilities open themselves up to mass exploitation from threat actors that can be escalated and weaponized at speed.

Today, the volume of data and reliance on business processes, both on premises and in the cloud, coupled with the complexity and interconnectedness of data across multiple organisations, requires a zero trust strategy and relevant control frameworks to protect against security incidents.

Pitfalls of existing security models can include:

• It is impossible to identify “trusted” interfaces

• The mantra “trust but verify” is not taken seriously

• Insider threats

“A zero trust security architecture approach is based on the premise that organizations should not inherently trust any systems that connect to or interact with their technical infrastructure and/or networks without verification and validation of their need to connect and an inspection of their security posture and capabilities.”
— John P. Pironti, CISA, CRISC, CISM, CGEIT, CISSP, ISSAP, ISSMP, President of IP Architects LLC

BUILD A DATA CENTRIC PROTECTION STRATEGY


Financial gain is the motivation for most threat actors and data is the currency. So, the key to a
successful zero trust strategy is a robust data centric strategy.
According to Bruce R. Wilkins, chief executive officer of TWM Associates Inc., a data centric strategy should include:

• A formal data architecture that defines data communities, associated users’ and users’ data paths

• Infrastructure that can separate data communities

• Use of servers, virtual machines and cloud services capable of separating data communities

• Protection strategies implemented properly in the data infrastructure

• Necessary cybersecurity and IT budgets required to protect data communities at risk

• A data recovery strategy for each data community

IMPLEMENTING A ZERO TRUST ARCHITECTURE: TRUST BUT VERIFY

“We have to prove to our customers that we are secure. One of the ways we do that is by implementing zero trust architecture.”
– Brian Marshall, President of Vanguard Integrity Professionals.

Zero trust architecture includes three core components:

1. The policy engine is responsible for deciding to grant access to a resource for a given subject.

2. The policy administrator is responsible for establishing and shutting down the communication path between a subject and a resource.

3. The policy enforcement point is responsible for enabling, monitoring, and eventually terminating connections between a subject and an enterprise resource.
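The three components above as a small working model, added here as an illustration (it is not ISACA's or any vendor's code): the policy engine decides per request, the policy administrator opens and closes the subject-to-resource path, and the enforcement point re-evaluates every transaction rather than trusting an already open path. The policy table, subject names, resource names and device posture scores are all constructed.

```python
from collections import namedtuple

# Constructed policy table: roles allowed to reach a resource and the minimum
# device posture required. A resource with no entry is denied by default.
POLICY = {"payroll-db": {"roles": {"finance"}, "min_posture": 2}}

# device_posture is a constructed score: 0 unknown, 1 unmanaged, 2 managed and patched
Request = namedtuple("Request", "subject role device_posture resource")

class PolicyEngine:
    """Decides, per request, whether the subject may access the resource."""
    def decide(self, req: Request) -> bool:
        rule = POLICY.get(req.resource)
        if rule is None:
            return False   # default deny for any resource without a rule
        return req.role in rule["roles"] and req.device_posture >= rule["min_posture"]

class PolicyAdministrator:
    """Establishes and shuts down the path between a subject and a resource."""
    def __init__(self) -> None:
        self.paths = set()
    def open_path(self, req: Request) -> None:
        self.paths.add((req.subject, req.resource))
    def close_path(self, req: Request) -> None:
        self.paths.discard((req.subject, req.resource))
    def is_open(self, req: Request) -> bool:
        return (req.subject, req.resource) in self.paths

class PolicyEnforcementPoint:
    """Gates every transaction; an open path is never taken as proof of trust."""
    def __init__(self, engine: PolicyEngine, admin: PolicyAdministrator) -> None:
        self.engine, self.admin, self.log = engine, admin, []
    def handle(self, req: Request) -> str:
        allowed = self.engine.decide(req)   # revalidated on every request
        if allowed and not self.admin.is_open(req):
            self.admin.open_path(req)
        elif not allowed and self.admin.is_open(req):
            self.admin.close_path(req)      # terminate when posture or role changes
        outcome = "allow" if allowed else "deny"
        self.log.append((req.subject, req.resource, outcome))
        return outcome

def demo() -> list:
    # Three constructed transactions: allow, deny after posture drops, deny unknown resource
    pep = PolicyEnforcementPoint(PolicyEngine(), PolicyAdministrator())
    pep.handle(Request("alice", "finance", 2, "payroll-db"))  # path opened
    pep.handle(Request("alice", "finance", 1, "payroll-db"))  # same subject, path closed
    pep.handle(Request("bob", "finance", 2, "hr-files"))      # no rule: default deny
    return pep.log
```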

FOUR ZERO TRUST ARCHITECTURE DEPLOYMENT MODELS

DEVICE AGENT/GATEWAY-BASED DEPLOYMENT
The policy enforcement point is divided into two components that reside on the resource or as a component directly in front of a resource. This model is most suitable for organizations with a robust device management program that can be used to implement agent/gateway in issued devices.

ENCLAVE-BASED DEPLOYMENT
In this variation of device agent/gateway-based deployment, the gateway components may not reside on assets or in front of individual resources, but at the boundary of a resource enclave. This model is useful in legacy applications or on-premises data centers when individually deploying an agent is considered a challenge.

RESOURCE PORTAL-BASED DEPLOYMENT
The policy enforcement point is a single component that acts as a gateway for subject requests. The gateway portal can be for an individual resource or a secure enclave for a collection of resources used for a single business function. The limitation of this model is the visibility of the resource activities, as it depends on whether the assets connect to the portal.

DEVICE APPLICATION SANDBOXING
This variation of the agent/gateway deployment model depends on only running trusted applications as a sandbox. It provides compartmentalization of assets in the form of virtualization and containerization to protect the host.

SYSTEM ACCREDITATION

There will always be threats that diminish trust, but mutual understanding and assurance still can be accomplished using standards, frameworks and prioritizing improvements using objective evaluations.

“While the cyberthreat landscape remains daunting, the rise in awareness and adoption of zero trust serves as an important source of optimism in the security community.”
— Gregory J. Touhill, CISM, CISSP, Brigadier General (ret.), ISACA Board Chair
Source: Five Key Considerations When Adopting a Zero Trust Security Architecture

Read more:
Does trust still matter in the era of zero trust?
Five key considerations when adopting a zero trust security architecture
Zero trust
Listen to “The rise of zero trust explained”