05/07/2021 | Press release | Distributed by Public on 05/07/2021 08:15
Zero Trust (ZT) is a popular term seen everywhere lately, but it's not a new concept. The Zero Trust Network, or Zero Trust Architecture, model was created in 2010 by John Kindervag, who was a Forrester analyst at the time. Eleven years later, CISOs and CIOs are increasingly adopting and implementing the Zero Trust security model in their organizations.
The Zero Trust model suggests we shift security from a perimeter-based model to one based on continuous verification of trust. In fact, this model assumes that the network has already been breached. A key recommendation is to create micro-perimeters or micro-segments that control access to sensitive assets and limit the potential damage an attacker can do once inside.
Over the years, Forrester extended the original model beyond its segmentation focus to include other elements to ensure only the right people or resources have the right access to the right data and services, such as:
As a CISO, I've often been asked how I translate ZT principles into practice. So, here's my take on the Forrester ZT 5-step implementation method.
ZT Implementation: 5-Step Method
The first step is about identifying and prioritizing the most valuable assets, which also require the highest level of protection (aka, the protect surface vs. the attack surface). This is where I involve other business stakeholders to help me identify what and where these assets are. Keep in mind, this process is complete only after management team approval.
Here's how I think and how I'd also present ZT to the board:
Figure 1: Stored sensitive data within systems and their related security controls for security posture overview

Department | System | Line of Business/process | Stored sensitive data | Users | SaaS/on-premise | Security controls
HR | HR SW | | | | SaaS |
Sales | CRM | | | | SaaS |