Going from Concept to Deployment
It is often said that Zero Trust is a journey. As with any journey, there are twists and turns. And each organization can, and probably will, approach implementing a Zero Trust Architecture a little differently. But by following a proven methodology, you can get there.
Create Story-led Use Cases
Before you can build a Zero Trust Architecture, you first need to create (or revise) your use cases. Use cases are the “stories” of your organization. They lay out how work is done and by whom, and specify the resources needed to accomplish tasks. And they form the basis of authorization to systems, data, and actions.
The Cybersecurity and Infrastructure Security Agency (CISA) offers a framework for Zero Trust maturity [3]. The framework is built on five key pillars: identity, device, network/environment, application workload, and data—which just happen to be the fundamental elements of any use case.
Figure 2. Zero Trust Story Board
When creating your use cases, you are in effect telling a story about how work is done in your organization and the business outcome. The use case template will include the following elements:
- User: the function, role, and permissions
- Context: device and location
- Target: workload and data set
- Session type: repeatable versus one-time use
- Audit and management: attributes for continuous assessment of access posture
These stories should also be built against your risk profile and backdrop. For example, the NIST 800-53 guidance provides insight into determining risk level according to Low, Moderate, and High impact. Keeping this alignment in mind will assist in prioritizing the development, rollout, and monitoring of your use-case stories.
As shown in Figure 2, the more detail you put into your use cases the better: it ensures you understand the workflow and the security requirements, and it makes the next step in the process much easier to accomplish.
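The use-case template above can be written as a record that access requests are checked against. The following is an added example, not part of the original paper; the field names, the sample roles, workloads and data sets, and the default-deny matching logic are assumptions made for illustration.

```python
from dataclasses import dataclass, field

IMPACT_ORDER = {"High": 0, "Moderate": 1, "Low": 2}  # NIST impact levels, highest first

@dataclass
class UseCase:
    name: str
    role: str          # User: function / role
    permissions: set   # User: permitted actions
    devices: set       # Context: allowed device classes
    locations: set     # Context: allowed locations
    workload: str      # Target: workload
    data_set: str      # Target: data set
    one_time: bool     # Session type: one-time versus repeatable
    impact: str        # Risk level: Low / Moderate / High
    audit_attrs: tuple = ("role", "device", "location")  # Audit and management
    used: bool = field(default=False, compare=False)     # tracks one-time sessions

def authorize(request: dict, use_cases: list) -> dict:
    """Default deny: grant only when one story matches every element of the request."""
    for uc in use_cases:
        if (request["role"] == uc.role
                and request["action"] in uc.permissions
                and request["device"] in uc.devices
                and request["location"] in uc.locations
                and request["workload"] == uc.workload
                and request["data_set"] == uc.data_set):
            if uc.one_time and uc.used:
                return {"allow": False, "reason": f"one-time session already used: {uc.name}"}
            uc.used = True
            # Record only the attributes the story names for continuous assessment.
            audit = {k: request[k] for k in uc.audit_attrs}
            return {"allow": True, "use_case": uc.name, "audit": audit}
    return {"allow": False, "reason": "no matching use case"}

def rollout_order(use_cases: list) -> list:
    """Prioritize stories for rollout and monitoring by impact level, High first."""
    return [uc.name for uc in sorted(use_cases, key=lambda uc: IMPACT_ORDER[uc.impact])]

# Constructed sample stories (hypothetical roles, workloads and data sets).
STORIES = [
    UseCase("hr-payroll-review", "hr-analyst", {"read"}, {"managed-laptop"},
            {"office", "vpn"}, "payroll-app", "salary-records", False, "Moderate"),
    UseCase("dba-break-glass", "dba", {"read", "write"}, {"managed-laptop"},
            {"office"}, "customer-db", "customer-pii", True, "High"),
]
```

A request that matches no story is denied, which is also how gaps in the use-case set show up during a storyboard walk-through.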
Assumptions of Zero Trust
1. The entire enterprise private network is not considered an implicit trust zone.
2. Devices on the network may not be owned or configurable by the enterprise.
3. No resource is inherently trusted.
4. Not all enterprise resources are on enterprise-owned infrastructure.
5. Remote enterprise subjects and assets cannot fully trust their local network connection.
6. Assets and workflows moving between enterprise and non-enterprise infrastructure should have a consistent security policy and posture.
Align Use Cases with Your Technology Roadmap
As stated earlier, Zero Trust is not a single platform; it is a set of capabilities and functions that, when configured properly and designed to operate together according to established principles, deliver Zero Trust Network Access within your organization.
This is where storyboarding comes in again. Assemble your team, take your use cases, and walk through each of them, following your existing procedures for identity and access management. Map dependencies and interoperability across domains. Note what happens and what needs to change within your workflow to comply with the principles of Zero Trust. This will show you where your gaps are and give you the information you need to move forward.
Gather Support and Take Action
Once you understand your environment and what is required for Zero Trust, you can now form a plan and gather support from your stakeholders. Executive sponsorship is important for any significant project, and this is certainly true for Zero Trust. To be successful, you will need support from influential figures in your organization to secure funding and execute your plan.