“Never trust, always verify” is the core idea of zero trust and the modern approach to combating cyberattacks. In part one of our zero trust series, we covered the what and why of zero trust. Now it is time to dive into the how and walk through the four steps to planning a zero trust strategy.
Since zero trust is all-encompassing and is executed through policies and workflows across tools and the whole environment, each organization’s zero trust journey will look different, shaped by what is being protected and how it is accessed.
Luckily, there is a baseline to build on. NIST (National Institute of Standards and Technology) Special Publication 800-207, Zero Trust Architecture, outlines how enterprises can design and deploy zero trust, including its core tenets and deployment models. The step-by-step planning sequence below (define the protect surface, map traffic flows, architect the network, write policy) and the Kipling Method are a widely used distillation that originated with John Kindervag’s work rather than wording taken from the NIST document itself, but they line up with its tenets. Here are the highlights.
Four steps to a zero trust strategy
Step 1: Define the attack (and protect) surface
This step is all about the big picture. Examine and define not only your attack surface (every avenue in: exposed services, user accounts, devices, third-party connections) but also the protect surface: the small set of data, applications, assets and services that would cause real harm if compromised. It boils down to “You can’t protect what you can’t see” and knowing intimately which users and data your organization must protect. The protect surface is deliberately much smaller than the attack surface, which is what makes it tractable to defend.
The mindset of zero trust is the assumption that there is always an active breach. Ask yourself: What are the avenues in? What information are attackers after? How do we protect it?
Step 2: Implement controls around network traffic
With the attack and protect surfaces defined, it’s time to get granular. Monitoring and controlling network traffic lets security teams see how users, applications and services actually communicate with the protect surface, and then constrain that traffic. Record which sources talk to which assets, over which protocols and ports, and how much; that map of transaction flows is the input to the next step, and anything that does not appear in it becomes a candidate for deny-by-default.
Step 3: Plan your zero trust network
After completing the first two steps, security teams can use the insights gathered to plan a zero trust network. A key factor of zero trust is granular access control, so knowing the traffic flows is essential: the flow map from step 2 determines where segmentation boundaries and enforcement points go, and each boundary should be as narrow as the observed, legitimate traffic allows.
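As an added worked example for steps 2 and 3 (this is illustrative code written for this article, not a tool or script from the original page), the following Python turns a handful of constructed NetFlow-style records into a per-asset map of who talks to the protect surface, and from that map proposes an explicit allowlist plus a review list. The asset names, IP ranges, flow lines and the 1,000-byte threshold are all assumptions chosen for the example.

```python
"""Map observed traffic flows onto a protect surface and propose a default-deny allowlist.

Added example for the zero trust planning steps; not code from the original article.
All assets, networks, flow records and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed protect surface (step 1): the assets that matter and the subnets holding them.
PROTECT_SURFACE = {
    "crm-db": ip_network("10.10.20.0/24"),
    "payroll-app": ip_network("10.10.30.0/24"),
}

# Constructed flow records in a minimal NetFlow-like text form:
# src_ip dst_ip proto dst_port bytes
FLOW_LOG = """\
10.10.5.12 10.10.20.7 tcp 5432 48211
10.10.5.12 10.10.20.7 tcp 5432 51000
10.10.40.3 10.10.20.7 tcp 5432 120
10.10.5.12 10.10.30.9 tcp 443 9800
203.0.113.8 10.10.30.9 tcp 22 340
10.10.5.12 8.8.8.8 udp 53 90
"""


def parse_flows(text):
    """Parse one flow per line into (src, dst, proto, port, bytes); skip blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        src, dst, proto, port, nbytes = parts
        flows.append((ip_address(src), ip_address(dst), proto.lower(), int(port), int(nbytes)))
    return flows


def asset_for(addr):
    """Return the protect-surface asset an address belongs to, or None if it is outside it."""
    for name, net in PROTECT_SURFACE.items():
        if addr in net:
            return name
    return None


def map_transaction_flows(flows):
    """Step 2: group flows that reach the protect surface as asset -> (src, proto, port) -> bytes.

    Flows whose destination is outside the protect surface are ignored on purpose:
    the map is built around what must be protected, not around the whole network.
    """
    matrix = defaultdict(lambda: defaultdict(int))
    for src, dst, proto, port, nbytes in flows:
        asset = asset_for(dst)
        if asset is None:
            continue
        matrix[asset][(str(src), proto, port)] += nbytes
    return {asset: dict(sources) for asset, sources in matrix.items()}


def candidate_allowlist(matrix, min_bytes=1000):
    """Step 3 input: split observed flows into an explicit allowlist and a review list.

    A flow with sustained volume looks like a real transaction and becomes a candidate
    allow rule (src, asset, proto, port). Low-volume flows (single probes, scans, the
    SSH attempt from the internet) go to review and stay denied until someone justifies them.
    """
    allow, review = [], []
    for asset, sources in matrix.items():
        for (src, proto, port), total in sources.items():
            entry = (src, asset, proto, port)
            (allow if total >= min_bytes else review).append(entry)
    return sorted(allow), sorted(review)


if __name__ == "__main__":
    matrix = map_transaction_flows(parse_flows(FLOW_LOG))
    allow, review = candidate_allowlist(matrix)
    print("allow:", *allow, sep="\n  ")
    print("review:", *review, sep="\n  ")
```

On the constructed log this yields two allow candidates (the app server reaching the CRM database on 5432 and the payroll application on 443) and two entries for review: a 120-byte touch of the database from an unexpected subnet and an SSH attempt from a public address. Real flow sources (NetFlow, VPC flow logs, firewall logs) carry more fields, but the shape of the map is the same.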
Step 4: Design your zero trust strategy
Since zero trust is a set of policies and workflows, the final step is to write and design the strategy. The theme of each policy is to allow only authorized users access to specific resources, through designated applications, at the right time and place, and to deny everything else. It is suggested to use the Kipling Method to create policies. The Kipling Method answers the 5 W’s and 1 H: Who, What, When, Where, Why and How.
Who should access a resource?
What application is used to access the resource?
When do users access the resource?
Where is the resource located?
Why is the data accessed – what is the data’s value if lost?
How should you allow access to the resource?
Working through all six questions for every resource keeps each policy explicit about who may do what, under which conditions, and why the resource is worth protecting; anything a policy does not explicitly allow stays denied, which is what makes the zero trust journey successful.
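To show what a Kipling-style policy looks like once it is written down and evaluated, here is an added Python example (illustrative code written for this article, not from the original page or any particular product): a single policy answering Who, What, When, Where, Why and How, plus a deny-by-default policy decision function that checks every clause on every request and reports which question failed. The group names, application name, network range, working hours and the device-posture and MFA attributes are assumptions made up for the example.

```python
"""Evaluate access requests against Kipling Method zero trust policies.

Added example; not code from the original article. Policy contents, group names,
networks and posture attributes are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Request:
    """One access attempt with the attributes the policy must verify every time."""
    user: str                # Who
    groups: frozenset        # Who: role membership, e.g. from the identity provider
    application: str         # What application is being used
    source_ip: str           # Where the request originates
    resource: str            # Where: the resource being asked for
    when: datetime           # When (timezone-aware)
    mfa: bool                # How: strong authentication completed
    device_compliant: bool   # How: endpoint posture (assumed to come from a device agent)


@dataclass(frozen=True)
class Policy:
    """A Kipling Method policy. 'why' is recorded for audit; the other answers are enforced."""
    name: str
    who_groups: frozenset
    what_apps: frozenset
    where_resources: frozenset
    where_sources: tuple         # networks allowed to originate the request
    when_hours: tuple            # (start_hour, end_hour) in UTC, end exclusive
    why: str
    require_mfa: bool = True
    require_compliant_device: bool = True

    def evaluate(self, r):
        """Return (allowed, reason). Every clause must hold; the first failure names the question."""
        if not (r.groups & self.who_groups):
            return False, f"{self.name}: who - {r.user} is not in {sorted(self.who_groups)}"
        if r.application not in self.what_apps:
            return False, f"{self.name}: what - {r.application} is not an approved application"
        if r.resource not in self.where_resources:
            return False, f"{self.name}: where - policy does not cover {r.resource}"
        if not any(ip_address(r.source_ip) in net for net in self.where_sources):
            return False, f"{self.name}: where - {r.source_ip} is outside the allowed source networks"
        start, end = self.when_hours
        hour = r.when.astimezone(timezone.utc).hour
        if not start <= hour < end:
            return False, f"{self.name}: when - {r.when.isoformat()} is outside {start:02d}:00-{end:02d}:00 UTC"
        if self.require_mfa and not r.mfa:
            return False, f"{self.name}: how - MFA not completed"
        if self.require_compliant_device and not r.device_compliant:
            return False, f"{self.name}: how - device failed posture check"
        return True, f"{self.name}: allowed ({self.why})"


# Constructed policy: finance staff may reach the payroll application through the approved
# web front end, from the corporate user subnet, during working hours, with MFA and a healthy device.
POLICIES = (
    Policy(
        name="finance-to-payroll",
        who_groups=frozenset({"finance"}),
        what_apps=frozenset({"payroll-web"}),
        where_resources=frozenset({"payroll-app"}),
        where_sources=(ip_network("10.10.5.0/24"),),
        when_hours=(7, 19),
        why="Payroll data is regulated; loss means fines and harm to employees.",
    ),
)


def decide(request, policies=POLICIES):
    """Policy decision point: default deny, allow only on an explicit match.

    Returns (decision, reasons); the reasons are what belongs in the audit log.
    """
    reasons = []
    for policy in policies:
        ok, reason = policy.evaluate(request)
        if ok:
            return "ALLOW", [reason]
        reasons.append(reason)
    return "DENY", reasons or ["no policy covers this request"]


def make_request(user, groups, app, src, resource, hour, mfa=True, compliant=True):
    """Build a Request for a fixed (constructed) date so examples and checks are deterministic."""
    when = datetime(2024, 3, 4, hour, 0, tzinfo=timezone.utc)
    return Request(user, frozenset(groups), app, src, resource, when, mfa, compliant)


if __name__ == "__main__":
    for req in (
        make_request("alice", {"finance"}, "payroll-web", "10.10.5.12", "payroll-app", 10),
        make_request("alice", {"finance"}, "payroll-web", "10.10.5.12", "payroll-app", 23),
        make_request("bob", {"engineering"}, "payroll-web", "10.10.5.12", "payroll-app", 10),
        make_request("alice", {"finance"}, "payroll-web", "203.0.113.8", "payroll-app", 10, mfa=False),
    ):
        print(req.user, *decide(req))
```

Two design points matter more than the specifics: the decision is made per request rather than once at login, and the default outcome with no matching policy is a deny with a reason attached. A request that fails only one clause (MFA missing, off-hours, wrong source network) is refused even though the user is the right person asking for the right resource; that is the "always verify" half of the slogan in practice.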
Following these four steps will put your team on the path towards building a zero trust architecture, whose six tenets we share in part three.