Build a Zero Trust Roadmap

Leverage an iterative and repeatable process to apply zero trust to your organization.

EXECUTIVE BRIEF

Analyst Perspective

Internet is the new corporate network.

For the longest time we have focused on reducing the attack surface to deter malicious actors from attacking organizations, but I dare say that has made these actors scream “challenge accepted.” With sophisticated tools, time, and money in their hands, they have embarrassed even the finest of organizations. A popular hybrid workforce and rapid cloud adoption have introduced more challenges for organizations, as the security and network perimeter have shifted and the internet is now the corporate network. Suffice it to say that a new mindset needs to be adopted to stay on top of the game.

The success of most attacks is tied to denial of service, data exfiltration, and ransom. A shift from focusing on the attack surface to the protect surface will help organizations implement an inside-out architecture that protects critical infrastructure, prevents the success of any attack, makes it difficult to gain access, and links directly to business goals.

Zero trust principles aid that shift across several pillars (Identity, Device, Application, Network, and Data) that make up a typical infrastructure; hence, the need for a zero trust roadmap to accomplish that which we desire for our organization.

Victor Okorie
Senior Research Analyst, Security and Privacy
Info-Tech Research Group

Executive Summary

Your Challenge

• Many IT and security leaders struggle to understand zero trust and how best to deploy it with their existing IT resources.
• The need to move from a perimeter-based approach to security toward an “Always Verify” approach is clear. The path to getting there is complex and expensive.

Common Obstacles

• Zero trust as a principle is a moving target due to competing definitions and standards. A strategy that adapts evolving best practices must be supported by business stakeholders.
• Full zero trust includes many components. Performing an accurate assessment of readiness and benefits to adopt zero trust can be extremely difficult when you don’t know where to start.

Info-Tech’s Approach

• Every organization should have a zero trust strategy and the roadmap to deploy it must always be tested and refined.
• Our unique approach:
• Assess resources and determine zero trust readiness.
• Address barriers and identify enablers.
• Prioritize initiatives and build out roadmap.
• Identify most appropriate vendors via vendor selection framework.
• Deploy zero trust and monitor with zero trust progress metrics.

Info-Tech Insight

A successful zero trust strategy should evolve through an iterative and repeatable process by assessing the full spectrum of available technologies to apply zero trust principles to the most relevant protect surfaces.

Your challenge

This research is designed to help organizations:

• Understand what zero trust is and decide how best to deploy it with their existing IT resources. Zero trust is a set of principles that defaults to the highest level of security; a failed implementation can easily disrupt the business. A pragmatic zero trust implementation must be flexible and adaptable yet maintain a consistent level of protection.
• Move from a perimeter-based approach to security toward an “Always Verify” approach. The path to getting there is complex without a clear understanding of desired outcomes. Focusing efforts on key protection gaps and leveraging capable controls in existing architecture allows for a repeatable process that carries IT, security, and the business along on the journey.

On this zero trust journey, identify your valuable assets and zero trust controls to protect them.

Top three reasons for building a zero trust strategy

44%

Reduce attacker’s ability to move laterally

44%

Enforce least privilege access to critical resources

41%

Reduce enterprise attack surface

Common obstacles

These barriers make this challenge difficult to address for many organizations:

• Due to zero trust’s many components, performing an accurate assessment of readiness and benefits to adopt zero trust can be extremely difficult when you don’t know where to start.
• To feel ready to implement and to understand the benefits of zero trust, IT must first understand what zero trust means to the organization.
• Zero trust as a set of principles is a moving target, with many developing standards and competing technology definitions. A strategy built around evolving best practices must be supported by related business stakeholders.
• To ensure support, IT must be able to “sell” zero trust to business stakeholders by illustrating the value zero trust can bring to business objectives.

43%

Organizations with a full implementation of zero trust saved 43% on the costs of data breaches.
(Source: Teramind, 2021)

96%

Zero trust is considered key to the success of 96% of organizations in a survey conducted by Microsoft.
(Source: Microsoft, 2021)

What is zero trust?

It depends on who you ask…

• Vendors use zero trust as a marketing buzzword.
• Organizations try to comprehend zero trust in their own limited views.
• Zero trust regulations/standards are still developing.

“A cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated.”

Source: NIST, SP 800-207: Zero Trust Architecture, 2020

“An evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”

Source: DOD, Zero Trust Reference Architecture, 2021

“A security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries.”

Source: NSA, Embracing a Zero Trust Security Model, 2021

“Zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”

Source: CISA, Zero Trust Maturity Model, 2021

“The foundational tenet of the zero trust model is that no actor, system, network, or service operating outside or within the security perimeter is trusted.”

Source: OMB, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles, 2022

What is zero trust?

From Theoretical to Practical

Zero trust is an ideal in the literal sense of the word, because it is a standard defined by its perfection. Just as nothing in life is perfect, there is no measure that determines an organization is absolutely zero trust. The best organizations can do is improve their security iteratively and get as close to ideal as possible.

In the most current application of zero trust in the enterprise, a zero trust strategy applies a set of principles, including least-privilege access and per-request access enforcement, to minimize compromise to critical assets. A zero trust roadmap is a plan that leverages zero trust concepts, considers relationships between technical elements as well as security solutions, and applies consistent access policies to minimize areas of exposure.

Info-Tech Insight

Solutions offering zero trust often align with one of five pillars. A successful zero trust implementation may involve a combination of solutions, each protecting the various data, application, assets, and/or services elements in the protect surface.

Zero trust business benefits

Reduce business and organizational risk

Reduced business risks as continuous verification of identity, devices, network, applications, and data is embedded in the organizations practice.

36% of data breaches involved internal actors.
Source: Verizon, 2021

Reduce CapEx and OpEx

Reduced CapEx and OpEx due to the scalability, low staffing requirement, and improved time-to-respond to threats.
Source: SecurityBrief - Australia, 2020.

Reduce scope and cost of compliance

Helps achieve compliance with several privacy standards and regulations, improves maturity for cyber insurance premium, and fewer gaps during audits.

Scope of compliance reduced due to segmentation.

Reduce risk of data breach

Reduced risk of data breach in any instance of a malicious attack as there’s no lateral movement, secure segment, and improved visibility.

10% Increase in data breach costs; costs went from $3.86 million to $4.24 million.
Source: IBM, 2021

Info-Tech’s methodology for Building a Zero Trust Roadmap

Protect what is relevant

Apply zero trust to key protect surfaces

A successful zero trust strategy should evolve through an iterative and repeatable process by assessing the full spectrum of available technologies to apply zero trust principles to the most relevant protect surfaces.

Align protect surfaces to business objectives

Developing a zero trust roadmap collaboratively with business stakeholders enables alignment with upcoming business priorities and industry trends.

Identify zero trust capabilities

Deriving protect surface elements from business goals reframes how security controls are applied. Assess control effectiveness in this context and identify zero trust capabilities to close any gaps.

Roadmap first, not solution first

Don’t let your solution dictate your roadmap. Define your zero trust solution criteria before engaging in vendor selection.

Create enforceable policies

The success of a zero trust implementation relies on consistent enforcement. Applying the Kipling methodology to each protect surface is the best way to design zero trust policies.

Success should benefit the organization

To measure the efficacy of a zero trust implementation, ensure you know what a successful zero trust implementation means for your organization, and define metrics that demonstrate whether that success is being realized.

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Key deliverable:

Zero Trust Communication Deck

Present your zero trust strategy in a prepopulated document that summarizes the work you have completed as a part of this blueprint.

Zero Trust Protect Surface Mapping Tool

Identify critical and vulnerable DAAS elements to protect and align them to business goals.

Zero Trust Program Gap Analysis Tool

Perform a gap analysis between current and target states to build a zero trust roadmap.

Zero Trust Candidate Solutions Selection Tool

Determine and evaluate candidate solutions based on defined criteria.

Zero Trust Progress Monitoring Tool

Develop metrics to track the progress and efficiency of the organization’s zero trust implementation.

Blueprint benefits

IT Benefits

• A mapped transaction flow of critical and vulnerable assets and visibility of where to implement security controls that aligns with the principle of zero trust.
• Improved security posture across the digital attack surface while focusing on the protect surface.
• An inside-out architecture that leverages current existing architecture to tighten security controls, is automated, and gives granular visibility.

Business Benefits

• Reduced business risks as continuous verification of identity, devices, network, applications, and data is embedded in the organization’s practice.
• Reduced CapEx and OpEx due to the scalability, low staffing requirement, and improved time-to-respond to threats.
• Helps achieve compliance with several privacy standards and regulations, improves maturity for cyber insurance premium, and fewer gaps during audits.
• Reduced risk of data breach in any instance of a malicious attack.

Measure the value of this blueprint

Save an average of $1.76 million dollars in the event of a data breach

• This research set seeks to help organizations develop a mature zero trust implementation which, according to IBM’s “Cost of a Data Breach 2021 Report,” saves organizations an average of $1.76 million in the event of a data breach.
• Leverage phase 5 of this research to develop metrics to track the implementation progress and efficacy of zero trust tasks.

43%

Organizations with a mature implementation of zero trust saved 43%, or $1.76 million, on the costs of data breaches.
Source: IBM, 2021

In phase 2 of this blueprint, we will help you establish zero trust implementation tasks for your organization.

In phase 3, we will help you develop a game plan and a roadmap for implementing those tasks.

Executive Brief Case Study

National Aeronautics and Space Administration (NASA)

INDUSTRY: Government

SOURCE: Zero Trust Architecture Technical Exchange Meeting

NASA recognized the potential benefits of both adopting a zero trust architecture (including aligning with OMB FISMA and DHS CDM DEFEND) and improving NASA systems, especially those related to user experience with dynamic access, application security with sole access from proxy, and risk-based asset management with trust score. The trust score is continually evaluated from a combination of static factors, such as credential and biometrics, and dynamic factors, such as location and behavior analytics, to determine the level of access. The enhanced access mechanism is projected on use-case flows of users and external partners to analyze the required initiatives.

The lessons learned in adapting zero trust were:

• Focus on access to data, assets, applications, and services; and don’t select solutions or vendors too early.
• Provide support for mobile and external partners.
• Complete zero trust infrastructure and services design with holistic risk-based management, including network access control with software-defined networking and an identity management program.
• Develop a zero trust strategy that aligns with mission objectives.

Results

NASA implemented zero trust architecture by leveraging the agency existing components on a roadmap with phases related to maturity. The initial development includes privileged access management, security user behavior analytics, and a proof-of-concept lab for evaluating the technologies.
Case Study Source: NASA, “Planning for a Zero Trust Architecture Target State,” 2019

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is between 8 to 12 calls over the course of 2 to 4 months.

Phase 1

Define Business Objectives and Protect Surfaces

Build a Zero Trust Roadmap

This phase will walk you through the following activities:

• Identify and define the business goals.
• Identify the critical DAAS elements and protect surface.
• Align the business goals to the protect surface and critical DAAS elements.

This phase involves the following participants:

• Security Team
• Business Executives
• Subject Matter Experts From IT, Finance, HR, Legal, Facilities, Compliance, Audit, Risk Management

Analyze your business goals

Identifying business goals is the first step in aligning your zero trust roadmap with your business’ vision.

• Security leaders need to understand the direction the business is headed in.
• Wise security investments depend on aligning your security initiatives to business objectives.
• Zero trust, and information security at large, should contribute to your organization’s business objectives by supporting operational performance, ensuring brand protection and shareholder value.
• For example, if the organization is working on a new business initiative that requires the handling of credit card payments, the security organization needs to know as soon as possible to ensure the zero trust architecture will be extended to protect the PCI data and enable the organization to be PCI compliant.

Info-Tech Insight

Security and the business need to be in alignment when implementing zero trust. Defining the business goal helps rationalize the need for a zero trust implementation.

1.1 Define your organization’s business goals

Estimated time 1-3 hours

1. As a group, brainstorm the business goals of the organization.
2. Review relevant business and IT strategies.
3. Review the business goal definitions in tab “2. Business Objectives” of the Zero Trust Protect Surface Mapping Tool, including the key goal indicator metrics.
4. Record the most important business goals in the Business Goal column on tab “3. Protect Surfaces” of the Zero Trust Protect Surface Mapping Tool. Try to limit the number of business goals to no more than five primary goals. This limitation will be critical to help map the protect surface and the zero trust roadmap later.

Input

• Business and IT strategies

Output

• Prioritized list of business objectives

Materials

• Whiteboard/Flip Charts
• Zero Trust Protect Surface Mapping Tool

Participants

• Security Team
• IT Leadership
• Business Stakeholders
• Risk Management
• Compliance
• Legal

Download the Zero Trust Protect Surface Mapping Tool

Info-Tech Insight

Developing a zero trust roadmap collaboratively with business stakeholders enables alignment with upcoming business priorities and industry trends.

What does zero trust mean for you?

For a successful implementation, focus on your zero trust outcome.

Regardless of whether the user is accessing resources internally or externally, zero trust is posed to authenticate, authorize, and continuously verify the security policies and posture before access is granted or denied. Many network architecture can be local, cloud based, or hybrid and with users working from any location, there is no network perimeter as we knew it and the internet is now the corporate network.

Zero trust framework seeks to extend the perimeter-less security to the present digital transformation.