- Many IT and security leaders struggle to understand zero trust and how best to deploy it with their existing IT resources.
- The need to move from a perimeter-based approach to security toward an “Always Verify” approach is clear. The path to getting there is complex and expensive.
- Zero trust as a principle is a moving target due to competing definitions and standards. A strategy that adapts evolving best practices must be supported by business stakeholders.
- Full zero trust includes many components. Performing an accurate assessment of readiness and benefits to adopt zero trust can be extremely difficult when you don’t know where to start.
Our Advice
Critical Insight
Apply zero trust to key protect surfaces. A successful zero trust strategy should evolve through an iterative and repeatable process by assessing the full spectrum of available technologies to apply zero trust principles to the most relevant protect surfaces.
Impact and Result
Every organization should have a zero trust strategy and the roadmap to deploy it must always be tested and refined. Our unique approach:
- Assess resources and determine zero trust readiness.
- Prioritize initiatives and build out roadmap.
- Deploy zero trust and monitor with zero trust progress metrics.
Member Testimonials
After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.
9.3/10
Overall Impact
$66,949
Average $ Saved
40
Average Days Saved
Client
Experience
Impact
$ Saved
Days Saved
Flight Centre Australia
Workshop
9/10
$116K
35
Worst: discovering how fragmented and siloed our knowledge of Zero Trust and our environment was Best: seeing how the facilitated session drove co... Read More
Fujitsu Caribbean Jamaica
Guided Implementation
10/10
$12,999
10
I greatly appreciated how clear all the engagements were in terms of what should be expected at the end and being able to get clarifications along ... Read More
NASA
Workshop
10/10
$129K
110
Each workshop participant with whom I spoke relayed how valuable an experience it was to work through the exercises. The best part of the experienc... Read More
FirstRand Bank Ltd.
Guided Implementation
8/10
$7,799
5
The material was very practical and easy to operationalise. Thank you Victor!
Workshop: Build a Zero Trust Roadmap
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Define Business Goals and Protect Surfaces
The Purpose
Align business goals to protect surfaces.
Key Benefits Achieved
A better understanding of how business goals can map to key protect surfaces and their associated DAAS elements.
Activities
Outputs
Understand business and IT strategy and plans.
Define business goals.
Identify five critical protect surfaces and their associated DAAS elements.
Map business goals and protect surfaces.
- Mapping of business goals to key protect surfaces and their associated DAAS elements.
Module 2: Begin Gap Analysis
The Purpose
Identify and define zero trust initiatives.
Key Benefits Achieved
A list of zero trust initiatives to be prioritized and set into a roadmap.
Activities
Outputs
Assess current security capabilities and define the zero trust target state for a set of controls.
- Security capabilities current state assessment
- Zero trust target state
Identify tasks to close maturity gaps.
- Tasks to address maturity gaps
Assign tasks to zero trust initiatives.
Module 3: Complete Gap Analysis
The Purpose
Complete the zero trust gap analysis and prioritize zero trust initiatives.
Key Benefits Achieved
A prioritized list of zero trust initiatives aligned to business goals and key protect surfaces.
Activities
Outputs
Align initiatives to business goals and key protect surfaces.
- Zero trust initiative list mapped to business goals and key protect surfaces
Conduct cost/benefit analysis on zero trust initiatives.
Prioritize initiatives.
- Prioritization of zero trust initiatives
Module 4: Finalize Roadmap and Formulate Policies
The Purpose
Finalize the zero trust roadmap and begin to formulate zero trust policies for roadmap initiatives.
Key Benefits Achieved
A zero trust roadmap of prioritized initiatives.
Activities
Outputs
Define solution criteria.
Identify candidate solutions.
Evaluate candidate solutions.
Finalize roadmap.
- Zero trust roadmap
Formulate policies for critical DAAS elements.
- Zero trust policies for critical protect surfaces
- Method for defining zero trust policies for candidate solutions
Establish metrics for high-priority initiatives.
- Metrics for high-priority initiatives
Build a Zero Trust Roadmap
Leverage an iterative and repeatable process to apply zero trust to your organization.
EXECUTIVE BRIEF
Analyst Perspective
Internet is the new corporate network.
For the longest time we have focused on reducing the attack surface to deter malicious actors from attacking organizations, but I dare say that has made these actors scream “challenge accepted.” With sophisticated tools, time, and money in their hands, they have embarrassed even the finest of organizations. A popular hybrid workforce and rapid cloud adoption have introduced more challenges for organizations, as the security and network perimeter have shifted and the internet is now the corporate network. Suffice it to say that a new mindset needs to be adopted to stay on top of the game.
The success of most attacks is tied to denial of service, data exfiltration, and ransom. A shift from focusing on the attack surface to the protect surface will help organizations implement an inside-out architecture that protects critical infrastructure, prevents the success of any attack, makes it difficult to gain access, and links directly to business goals.
Zero trust principles aid that shift across several pillars (Identity, Device, Application, Network, and Data) that make up a typical infrastructure; hence, the need for a zero trust roadmap to accomplish that which we desire for our organization.
Victor Okorie
Senior Research Analyst, Security and Privacy
Info-Tech Research Group
Executive Summary
Your Challenge
- Many IT and security leaders struggle to understand zero trust and how best to deploy it with their existing IT resources.
- The need to move from a perimeter-based approach to security toward an “Always Verify” approach is clear. The path to getting there is complex and expensive.
Common Obstacles
- Zero trust as a principle is a moving target due to competing definitions and standards. A strategy that adapts evolving best practices must be supported by business stakeholders.
- Full zero trust includes many components. Performing an accurate assessment of readiness and benefits to adopt zero trust can be extremely difficult when you don’t know where to start.
Info-Tech’s Approach
- Every organization should have a zero trust strategy and the roadmap to deploy it must always be tested and refined.
- Our unique approach:
- Assess resources and determine zero trust readiness.
- Address barriers and identify enablers.
- Prioritize initiatives and build out roadmap.
- Identify most appropriate vendors via vendor selection framework.
- Deploy zero trust and monitor with zero trust progress metrics.
Info-Tech Insight
A successful zero trust strategy should evolve through an iterative and repeatable process by assessing the full spectrum of available technologies to apply zero trust principles to the most relevant protect surfaces.
Your challenge
This research is designed to help organizations:
- Understand what zero trust is and decide how best to deploy it with their existing IT resources. Zero trust is a set of principles that defaults to the highest level of security; a failed implementation can easily disrupt the business. A pragmatic zero trust implementation must be flexible and adaptable yet maintain a consistent level of protection.
- Move from a perimeter-based approach to security toward an “Always Verify” approach. The path to getting there is complex without a clear understanding of desired outcomes. Focusing efforts on key protection gaps and leveraging capable controls in existing architecture allows for a repeatable process that carries IT, security, and the business along on the journey.
On this zero trust journey, identify your valuable assets and zero trust controls to protect them.
Top three reasons for building a zero trust strategy
44%
Reduce attacker’s ability to move laterally
44%
Enforce least privilege access to critical resources
41%
Reduce enterprise attack surface
Common obstacles
These barriers make this challenge difficult to address for many organizations:
- Due to zero trust’s many components, performing an accurate assessment of readiness and benefits to adopt zero trust can be extremely difficult when you don’t know where to start.
- To feel ready to implement and to understand the benefits of zero trust, IT must first understand what zero trust means to the organization.
- Zero trust as a set of principles is a moving target, with many developing standards and competing technology definitions. A strategy built around evolving best practices must be supported by related business stakeholders.
- To ensure support, IT must be able to “sell” zero trust to business stakeholders by illustrating the value zero trust can bring to business objectives.
43%
Organizations with a full implementation of zero trust saved 43% on the costs of data breaches.
(Source: Teramind, 2021)
96%
Zero trust is considered key to the success of 96% of organizations in a survey conducted by Microsoft.
(Source: Microsoft, 2021)
What is zero trust?
It depends on who you ask…
- Vendors use zero trust as a marketing buzzword.
- Organizations try to comprehend zero trust in their own limited views.
- Zero trust regulations/standards are still developing.
“A cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated.”
Source: NIST, SP 800-207: Zero Trust Architecture, 2020
“An evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”
Source: DOD, Zero Trust Reference Architecture, 2021
“A security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries.”
Source: NSA, Embracing a Zero Trust Security Model, 2021
“Zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”
Source: CISA, Zero Trust Maturity Model, 2021
“The foundational tenet of the zero trust model is that no actor, system, network, or service operating outside or within the security perimeter is trusted.”
Source: OMB, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles, 2022
What is zero trust?
From Theoretical to Practical
Zero trust is an ideal in the literal sense of the word, because it is a standard defined by its perfection. Just as nothing in life is perfect, there is no measure that determines an organization is absolutely zero trust. The best organizations can do is improve their security iteratively and get as close to ideal as possible.
In the most current application of zero trust in the enterprise, a zero trust strategy applies a set of principles, including least-privilege access and per-request access enforcement, to minimize compromise to critical assets. A zero trust roadmap is a plan that leverages zero trust concepts, considers relationships between technical elements as well as security solutions, and applies consistent access policies to minimize areas of exposure.
Info-Tech Insight
Solutions offering zero trust often align with one of five pillars. A successful zero trust implementation may involve a combination of solutions, each protecting the various data, application, assets, and/or services elements in the protect surface.
Zero trust business benefits
Reduce business and organizational risk
Reduced business risks as continuous verification of identity, devices, network, applications, and data is embedded in the organizations practice.
36% of data breaches involved internal actors.
Source: Verizon, 2021
Reduce CapEx and OpEx
Reduced CapEx and OpEx due to the scalability, low staffing requirement, and improved time-to-respond to threats.
Source: SecurityBrief - Australia, 2020.
Reduce scope and cost of compliance
Helps achieve compliance with several privacy standards and regulations, improves maturity for cyber insurance premium, and fewer gaps during audits.
Scope of compliance reduced due to segmentation.
Reduce risk of data breach
Reduced risk of data breach in any instance of a malicious attack as there’s no lateral movement, secure segment, and improved visibility.
10% Increase in data breach costs; costs went from $3.86 million to $4.24 million.
Source: IBM, 2021
Info-Tech’s methodology for Building a Zero Trust Roadmap
1. Define Business Goals and Protect Surfaces |
2. Assess Key Capabilities and Identify Zero Trust Initiatives |
3. Evaluate Candidate Solutions and Finalize Roadmap |
4. Formulate Policies for Roadmap Initiatives |
5. Monitor the Zero Trust Roadmap Deployment |
|
---|---|---|---|---|---|
Phase Steps |
Define business goals Identify critical DAAS elements Map business goals to critical DAAS elements |
|
|
|
|
Phase Outcomes |
Mapping of business goals to protect surfaces |
Gap analysis of security capabilities |
Evaluation of candidate solutions and a roadmap to close gaps |
Method for defining zero trust policies for candidate solutions |
Metrics for measuring the progress and efficiency of the zero trust implementation |
Protect what is relevant
Apply zero trust to key protect surfaces
A successful zero trust strategy should evolve through an iterative and repeatable process by assessing the full spectrum of available technologies to apply zero trust principles to the most relevant protect surfaces.
Align protect surfaces to business objectives
Developing a zero trust roadmap collaboratively with business stakeholders enables alignment with upcoming business priorities and industry trends.
Identify zero trust capabilities
Deriving protect surface elements from business goals reframes how security controls are applied. Assess control effectiveness in this context and identify zero trust capabilities to close any gaps.
Roadmap first, not solution first
Don’t let your solution dictate your roadmap. Define your zero trust solution criteria before engaging in vendor selection.
Create enforceable policies
The success of a zero trust implementation relies on consistent enforcement. Applying the Kipling methodology to each protect surface is the best way to design zero trust policies.
Success should benefit the organization
To measure the efficacy of a zero trust implementation, ensure you know what a successful zero trust implementation means for your organization, and define metrics that demonstrate whether that success is being realized.
Blueprint deliverables
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
Key deliverable:
Zero Trust Communication Deck
Present your zero trust strategy in a prepopulated document that summarizes the work you have completed as a part of this blueprint.
Zero Trust Protect Surface Mapping Tool
Identify critical and vulnerable DAAS elements to protect and align them to business goals.
Zero Trust Program Gap Analysis Tool
Perform a gap analysis between current and target states to build a zero trust roadmap.
Zero Trust Candidate Solutions Selection Tool
Determine and evaluate candidate solutions based on defined criteria.
Zero Trust Progress Monitoring Tool
Develop metrics to track the progress and efficiency of the organization’s zero trust implementation.
Blueprint benefits
IT Benefits
- A mapped transaction flow of critical and vulnerable assets and visibility of where to implement security controls that aligns with the principle of zero trust.
- Improved security posture across the digital attack surface while focusing on the protect surface.
- An inside-out architecture that leverages current existing architecture to tighten security controls, is automated, and gives granular visibility.
Business Benefits
- Reduced business risks as continuous verification of identity, devices, network, applications, and data is embedded in the organization’s practice.
- Reduced CapEx and OpEx due to the scalability, low staffing requirement, and improved time-to-respond to threats.
- Helps achieve compliance with several privacy standards and regulations, improves maturity for cyber insurance premium, and fewer gaps during audits.
- Reduced risk of data breach in any instance of a malicious attack.
Measure the value of this blueprint
Save an average of $1.76 million dollars in the event of a data breach
- This research set seeks to help organizations develop a mature zero trust implementation which, according to IBM’s “Cost of a Data Breach 2021 Report,” saves organizations an average of $1.76 million in the event of a data breach.
- Leverage phase 5 of this research to develop metrics to track the implementation progress and efficacy of zero trust tasks.
43%
Organizations with a mature implementation of zero trust saved 43%, or $1.76 million, on the costs of data breaches.
Source: IBM, 2021
In phase 2 of this blueprint, we will help you establish zero trust implementation tasks for your organization.
In phase 3, we will help you develop a game plan and a roadmap for implementing those tasks.
Executive Brief Case Study
National Aeronautics and Space Administration (NASA)
INDUSTRY: Government
SOURCE: Zero Trust Architecture Technical Exchange Meeting
NASA recognized the potential benefits of both adopting a zero trust architecture (including aligning with OMB FISMA and DHS CDM DEFEND) and improving NASA systems, especially those related to user experience with dynamic access, application security with sole access from proxy, and risk-based asset management with trust score. The trust score is continually evaluated from a combination of static factors, such as credential and biometrics, and dynamic factors, such as location and behavior analytics, to determine the level of access. The enhanced access mechanism is projected on use-case flows of users and external partners to analyze the required initiatives.
The lessons learned in adapting zero trust were:
- Focus on access to data, assets, applications, and services; and don’t select solutions or vendors too early.
- Provide support for mobile and external partners.
- Complete zero trust infrastructure and services design with holistic risk-based management, including network access control with software-defined networking and an identity management program.
- Develop a zero trust strategy that aligns with mission objectives.
Results
NASA implemented zero trust architecture by leveraging the agency existing components on a roadmap with phases related to maturity. The initial development includes privileged access management, security user behavior analytics, and a proof-of-concept lab for evaluating the technologies.
Case Study Source: NASA, “Planning for a Zero Trust Architecture Target State,” 2019
Info-Tech offers various levels of support to best suit your needs
DIY Toolkit
“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”
Guided Implementation
“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”
Workshop
“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”
Consulting
“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”
Diagnostics and consistent frameworks used throughout all four options
Guided Implementation
What does a typical GI on this topic look like?
Phase 1 | Phase 2 | Phase 3 | Phase 4 | Phase 5 |
---|---|---|---|---|
Call #1: Scope requirements, objectives, and your specific challenges. |
Call #3: |
Call #5: Identify and evaluate solution criteria. |
Call #7: |
Call #8: |
Call #2: Identify business goals and protect surfaces. |
Call #4: |
Call #6: |
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is between 8 to 12 calls over the course of 2 to 4 months.
Workshop Overview
Contact your account representative for more information.workshops@infotech.com 1-888-670-8889
Day 1 | Day 2 | Day 3 | Day 4 | Day 5 | |
---|---|---|---|---|---|
Define Business Goals and Protect Surfaces |
Begin Gap Analysis |
Complete Gap Analysis |
Finalize Roadmap and Formulate Policies |
Next Steps and |
|
Activities | 1.1 Understand business and IT strategy and plans. 1.2 Define business goals. 1.3 Identify five critical protect surfaces and their associated DAAS elements. 1.4 Map business goals and protect surfaces. |
2.1 Assess current security capabilities and define the zero Trust target state for a set of controls. 2.2 Identify tasks to close maturity gaps. 2.3 Assign tasks to zero trust initiatives. |
3.1 Align initiatives to business goals and key protect surfaces. 3.2 Conduct cost/benefit analysis on zero trust initiatives. 3.3 Prioritize initiatives. |
4.1 Define solution criteria. 4.2 Identify candidate solutions. 4.3 Evaluate candidate solutions. 4.4 Finalize roadmap. 4.5 Formulate policies for critical DAAS elements. 4.6 Establish metrics for high-priority initiatives. |
5.1 Complete in-progress deliverables from previous four days. 5.2 Set up review time for workshop deliverables and to discuss next steps. |
Deliverables |
|
|
|
|
|
Phase 1
Define Business Objectives and Protect Surfaces
Build a Zero Trust Roadmap
This phase will walk you through the following activities:
- Identify and define the business goals.
- Identify the critical DAAS elements and protect surface.
- Align the business goals to the protect surface and critical DAAS elements.
This phase involves the following participants:
- Security Team
- Business Executives
- Subject Matter Experts From IT, Finance, HR, Legal, Facilities, Compliance, Audit, Risk Management
Analyze your business goals
Identifying business goals is the first step in aligning your zero trust roadmap with your business’ vision.
- Security leaders need to understand the direction the business is headed in.
- Wise security investments depend on aligning your security initiatives to business objectives.
- Zero trust, and information security at large, should contribute to your organization’s business objectives by supporting operational performance, ensuring brand protection and shareholder value.
- For example, if the organization is working on a new business initiative that requires the handling of credit card payments, the security organization needs to know as soon as possible to ensure the zero trust architecture will be extended to protect the PCI data and enable the organization to be PCI compliant.
Info-Tech Insight
Security and the business need to be in alignment when implementing zero trust. Defining the business goal helps rationalize the need for a zero trust implementation.
1.1 Define your organization’s business goals
Estimated time 1-3 hours
- As a group, brainstorm the business goals of the organization.
- Review relevant business and IT strategies.
- Review the business goal definitions in tab “2. Business Objectives” of the Zero Trust Protect Surface Mapping Tool, including the key goal indicator metrics.
- Record the most important business goals in the Business Goal column on tab “3. Protect Surfaces” of the Zero Trust Protect Surface Mapping Tool. Try to limit the number of business goals to no more than five primary goals. This limitation will be critical to help map the protect surface and the zero trust roadmap later.
Input
- Business and IT strategies
Output
- Prioritized list of business objectives
Materials
- Whiteboard/Flip Charts
- Zero Trust Protect Surface Mapping Tool
Participants
- Security Team
- IT Leadership
- Business Stakeholders
- Risk Management
- Compliance
- Legal
Download the Zero Trust Protect Surface Mapping Tool
Info-Tech Insight
Developing a zero trust roadmap collaboratively with business stakeholders enables alignment with upcoming business priorities and industry trends.