Zero Trust Guiding Principles v1.1

Zero Trust Research Working Group
Original Release Date: 7/19/2023


ZT1 - Zero Trust as a Philosophy & Guiding Principles Workgroup

What is Discussed?

1. Zero Trust Background and Drivers (General Background Information)
2. Zero Trust Implementation Methodology (General Background Information)
3. Zero Trust Guiding Principles (Specific Topical Information)
4. Resources and References (What to Read Next)
Zero Trust Background and Drivers

● Various treatises discussed trust as a human and social phenomenon.
● OSSTMM in 2001 labeled 'trust' as a vulnerability in IT.
● Jericho Forum challenged traditional network perimeter security.
● ZTN concepts developed by DoD and evolved into ZTNA and SDP.
● John Kindervag consolidated Zero Trust concepts in 2010.
● DoD embraced Zero Trust in 2019 due to evolving cyber threats.
● In 2023, Government mandates and guidance from NIST and President Biden.

● Zero Trust principles are based on established security concepts.
● Zero Trust is not a prescriptive architecture, but a strategy based on business needs.
Zero Trust Implementation Methodology

For more detailed information on the 5-step process, reference the CSA ZT Implementation Primer: The 5 Step Process and the NSTAC Report to the President on Zero Trust and Trusted Identity Management.
Zero Trust Guiding Principles

● Begin with the End in Mind (Business / Mission Objectives)
● Do Not Overcomplicate
● Products are Not the Priority
● Access is a Deliberate Act
● Inside Out, not Outside In
● Breaches Happen
● Understand your Risk Appetite
● Ensure the tone from the top
● Instill a Zero Trust Culture
● Start Small and Focus on Quick Wins
● Continuously Monitor
Begin with the End in Mind
(Business/Mission Objectives)
Having a clear vision of your desired direction and destination fosters alignment between the business
strategy, the operational model, and the security architecture. Desired outcomes include:

Do Not Overcomplicate

Zero Trust is a collection of long-standing principles applied in a way that aligns the security architecture with the way we work and live. Zero Trust builds on core principles by making controls more granular and more sensitive:

● Continuous Authentication and Authorization
● User and Entity Behavior Analytics (UEBA)
● Dynamic Policy Enforcement Points
Products Are Not the Priority

Zero Trust recognizes the holistic relationship between people, processes, organizations, and technology.

[Diagram: People, Process, Organization, and Technology surrounding Zero Trust]

A strategy that relies heavily on products without factoring in the people, process, and organizational dimensions will not be successful.

If you address the other dimensions first, you will better understand your requirements, supporting a stronger long-term Zero Trust strategy and increasing the likelihood of choosing the right product(s), if any are required.
Access Is a Deliberate Act

Organizations today are more reliant on what exists outside the walls:
● Remote Workers
● Third Parties (e.g. Cloud)
● Complex Supply Chain

Traditional Access Model (Fortress Model): Being granted access to the network was deemed sufficient to grant access to other assets.

Zero Trust Access Model: Identity must be explicitly verified, and access is only granted after authorization has gone through that verification process. UEBA, Device, Network, and Application signals provide context for access decisions. AI can be leveraged to learn what safe access is within a context and react to it in real time.
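The access model described above, as an added illustration (not code from the CSA deck): a small policy decision point that denies by default, verifies identity before anything else, combines device, network and UEBA signals into a risk score, compares it with an assumed per-asset risk appetite, and re-evaluates when a signal changes mid-session. All signal names, weights, thresholds and asset names are assumptions made for this example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Request:
    user: str
    identity_verified: bool   # assumed signal: strong authentication completed
    device_compliant: bool    # assumed device-posture signal
    network: str              # assumed values: "corp", "home", "unknown"
    ueba_anomaly: float       # assumed UEBA score, 0.0 normal .. 1.0 highly anomalous
    asset: str

# Assumed risk appetite per asset: the maximum risk score tolerated for access.
# More sensitive assets tolerate less risk; unlisted assets are denied by default.
ASSET_APPETITE = {"wiki": 0.7, "crm": 0.4, "payroll": 0.2}

def risk_score(req: Request) -> float:
    """Combine context signals into one score; the weights are assumptions."""
    score = 0.0
    if not req.device_compliant:
        score += 0.3
    score += {"corp": 0.0, "home": 0.1}.get(req.network, 0.3)  # unknown network costs most
    score += 0.5 * req.ueba_anomaly
    return round(min(score, 1.0), 3)

def decide(req: Request) -> tuple[str, str]:
    """Return (decision, reason). Being on the network alone never grants access."""
    if not req.identity_verified:
        return "deny", "identity not explicitly verified"
    appetite = ASSET_APPETITE.get(req.asset)
    if appetite is None:
        return "deny", f"no policy for asset {req.asset!r}: default deny"
    score = risk_score(req)
    if score > appetite:
        return "deny", f"risk {score} exceeds appetite {appetite} for {req.asset}"
    return "allow", f"risk {score} within appetite {appetite} for {req.asset}"

def reevaluate(req: Request, **changed) -> tuple[str, str]:
    """Continuous authorization: rerun the decision when a signal changes mid-session."""
    return decide(replace(req, **changed))

if __name__ == "__main__":
    alice = Request("alice", True, True, "corp", 0.0, "payroll")
    print(decide(alice))                        # allowed: verified identity, low risk
    print(reevaluate(alice, ueba_anomaly=0.6))  # same session, UEBA spike: denied
```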

Inside Out, not Outside In
Move from “What are we trying to defend against?” to “What are we trying to protect?”
Once you know the assets to be protected and their relationships, you can identify both the protect and attack surfaces.

Kipling Method:
What we are trying to protect:

Breaches Happen

Once it is understood that breaches will happen, the practitioner’s mindset shifts from a focus on Being Secure to a focus on Resilience:

● Limit the blast radius when breaches occur
● Reduce a hacker’s ability to move laterally across your organization
● Reduce the impact by limiting which assets can be damaged by a single event

The ability to more effectively correlate identity, actions, and assets greatly enhances Data Loss Prevention (DLP) efforts. AI, combined with UEBA, can be used to automate the process of correlating identity, action, and asset data to detect and respond to anomalous activity and make contextual DLP decisions.
Understand Your Risk Appetite

All organizations need to determine their risk appetite. That determination goes far beyond just their Zero Trust
journey.

As part of that journey, it is well advised to understand what has been agreed upon, the role of Zero Trust, and the
tools regularly used by the organization.

At its core, Zero Trust is used to reduce risk to acceptable levels.

Risk Appetite is the level of risk an organization is willing to accept while pursuing its objectives.
Inherent Risk is the level of risk that exists before actions (e.g., treatments) are taken.
The objective is to treat the risk to reduce it to a level below the Risk Appetite.
This is called Acceptable Risk.

Ensure the Tone from the Top

Zero Trust is an organizational effort that requires cooperation throughout all levels of the organization to be successful. This can only be achieved with the proper executive sponsor and clear messaging from the top.

Sponsorship should be at the highest level possible in the organization, depending on scope:
● Board of Directors
● Senior Leadership
● Business Unit Leadership
● Geographic Leadership

A Responsible, Accountable, Consulted, Informed (RACI) diagram mapping stakeholders with their roles provides clarity regarding responsibilities for a successful Zero Trust effort.

Communication is key for a successful Zero Trust effort. A Communications Plan structured to ensure alignment between participants and stakeholders through a consistent and traceable flow of information should be used.

Leaders should set the tone by fully supporting the Zero Trust model and emphasizing its importance to the organization. This should be actively communicated and include alignment with business strategy, proper capital allocation, and corporate policies.
Instill a Zero Trust Culture

“Culture is what people do when no one is looking.” - Herb Kelleher

What is a Zero Trust culture?

● Employees should be keenly aware of what has to be protected and to what degree.
● All staff understand authorization to access is never implied.
● All employees and individuals an organization does business with should know how to identify suspicious activities and report any cyber-related concerns to the appropriate authorities (internal and external), as well as understand why certain security controls are in place.
● A Zero Trust culture is adaptable and not married to any particular technology or architecture.
● People are empowered to protect assets in the way that makes the most sense for the present and into the future.

How to start:
● Incorporate Zero Trust Guiding Principles in Security and Awareness training
● Understand what roles are considered high risk and/or high value
● Tailor Awareness training for those roles
Start Small and Focus on Quick Wins

Obtaining and maintaining buy-in from leadership is easier when a small, low-cost protect surface is selected as a pilot so its metrics can be leveraged to highlight the change to the security paradigm and demonstrate business value.

Taking on too much too quickly can mire a project and correlate Zero Trust efforts with failure.

A Zero Trust strategy can enable teams to achieve success incrementally without large upfront expenditures. To do so, identify and prioritize protect surfaces based on size and impact.
Continuously Monitor

Monitoring and maintaining a Zero Trust infrastructure involves regular auditing of access privileges, continuous monitoring of network behavior, maintaining up-to-date security patches, conducting risk assessments, and reinforcing user security awareness.

● Knowing that bad actors often compromise the accounts of valid users, and malevolent insiders often attempt to exceed privileges to suit their needs, it is important to monitor and log events.
● Monitoring is essential to detect potential bad acts early.
● Logging is essential for identifying indicators of compromise (IOC), determining impact, and collecting evidence.
● Both monitoring and logging foster continuous improvement.
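As an added example (not from the CSA deck) of the monitoring and logging described above and of the identity/action/asset correlation from the Breaches Happen slide: a few constructed access-log lines in an assumed format are parsed, then three simple correlations are applied: repeated denials for one identity (an attempt to exceed privileges), allowed access to assets outside an assumed per-identity baseline (something to review for lateral movement), and one identity active from several devices (a possible account compromise). The log format, the baseline and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Assumed log line format; real PEP or IdP logs differ, only the correlation idea carries over.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) device=(?P<device>\S+) "
    r"asset=(?P<asset>\S+) action=(?P<action>\S+) decision=(?P<decision>allow|deny)$"
)

# Constructed sample events (not real data).
SAMPLE_LOG = """\
2023-07-19T09:00:01Z user=alice device=lt-a1 asset=crm action=read decision=allow
2023-07-19T09:01:10Z user=alice device=lt-a1 asset=wiki action=read decision=allow
2023-07-19T09:02:30Z user=bob device=lt-b2 asset=wiki action=read decision=allow
2023-07-19T09:02:45Z user=bob device=lt-b2 asset=payroll action=read decision=deny
2023-07-19T09:02:52Z user=bob device=lt-b2 asset=payroll action=export decision=deny
2023-07-19T09:03:05Z user=bob device=lt-b2 asset=finance-share action=read decision=deny
2023-07-19T09:15:00Z user=bob device=kiosk-9 asset=wiki action=read decision=allow
2023-07-19T09:20:00Z user=carol device=lt-c3 asset=hr-db action=read decision=allow
"""

# Assumed baseline of assets each identity normally uses, and an assumed denial threshold.
BASELINE = {"alice": {"crm", "wiki"}, "bob": {"wiki"}, "carol": {"wiki"}}
DENY_THRESHOLD = 3

def parse(log: str) -> list[dict]:
    """One dict per well-formed line; malformed lines are skipped, not guessed at."""
    return [m.groupdict() for m in map(LOG_RE.match, log.strip().splitlines()) if m]

def findings(events: list[dict]) -> list[tuple[str, str]]:
    """Correlate identity, action and asset; return sorted (user, finding) pairs."""
    denials, assets, devices = defaultdict(int), defaultdict(set), defaultdict(set)
    for e in events:
        devices[e["user"]].add(e["device"])
        if e["decision"] == "deny":
            denials[e["user"]] += 1
        else:
            assets[e["user"]].add(e["asset"])
    out = []
    for user, n in denials.items():
        if n >= DENY_THRESHOLD:
            out.append((user, f"{n} denied requests: possible attempt to exceed privileges"))
    for user, seen in assets.items():
        extra = sorted(seen - BASELINE.get(user, set()))
        if extra:
            out.append((user, f"allowed access outside baseline {extra}: review for lateral movement"))
    for user, devs in devices.items():
        if len(devs) > 1:
            out.append((user, f"activity from {len(devs)} devices: possible account compromise"))
    return sorted(out)
```

Run `findings(parse(SAMPLE_LOG))` to get the three findings for the constructed log; a line that does not match the assumed format is ignored rather than raising.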

Conclusion

Traditional trust-based access, while initially effective, struggles to accommodate cloud services and external collaboration, making the strong perimeter model costly and hard to maintain.

The paradigm shifts from binary trust to adaptive authentication and authorization. Access is based on identity attributes and intelligence signals, evaluated continually depending on application/solution/service/device sensitivity.

The Zero Trust model doesn't inherently trust any entity. It verifies access to data/systems based on risk, considering devices, organizations, code, agents, and service-based identities.

Zero Trust potentially enhances security, offers a frictionless IT environment, and can be implemented in phased stages for ease.

Once established, Zero Trust provides valuable telemetry and insights for responsive issue management.
References and Suggested Reading

● Zero Trust Advancement Center Resource Hub hosted by the Cloud Security Alliance, https://cloudsecurityalliance.org/zt/resources/
● US Federal Zero Trust Resource Hub, https://zerotrust.cyber.gov/
● National Security Telecommunications Advisory Committee (NSTAC), Report to the President on Zero Trust and Trusted Identity Management, 2022, https://www.cisa.gov/sites/default/files/publications/NSTAC%20Report%20to%20the%20President%20on%20Zero%20Trust%20and%20Trusted%20Identity%20Management%20%2810-17-22%29.pdf
● Zero Trust Maturity Model Version 2, Cybersecurity and Infrastructure Security Agency (CISA), April 2023, https://www.cisa.gov/zero-trust-maturity-model
● Executive Order on Improving the Nation’s Cybersecurity, The White House, May 12, 2021, https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
● Press Release for NSA Guidance on Advancing Zero Trust Maturity Throughout the User Pillar, US National Security Agency (NSA), 2023, https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3328152/nsa-releases-recommendations-for-maturing-identity-credential-and-access-manage/
● Advancing Zero Trust Maturity Throughout the User Pillar, National Security Agency (NSA), March 2023, https://media.defense.gov/2023/Mar/14/2003178390/-1/-1/0/CSI_Zero_Trust_User_Pillar_v1.1.PDF
● Zero Trust Architecture, National Institute of Standards and Technology (NIST), Special Publication 800-207, 2020, https://csrc.nist.gov/publications/detail/sp/800-207/final
Acknowledgements
Reviewers
Lead Author
Sam Aiello Michael Roza
Contributors Alex Sharpe
Jason Garbis Vaibhav Malik
Brett James Meghana Parwate
Robin Basham Rajesh Murthy Yves Le Gelard Sven Olensky
Madhav Chablani Denis Nwanshi
Frank DePaola Lars Ruddigkeit
Jennifer Minella Annabelle Lee
Jonathan Flack Paul Simmonds Aaron Robel Himanshu Sharma
Sai Honig Nelson Spessard
Chandrasekaran Rajagopalan
Shamik Kacker Bernd Wegmann
Andrea Knoblauch Heverin Joy Williams
Alice Muravin Lauren Wise

CSA Analyst
Erik Johnson
