Zero Trust Manifesto
In May 2021, President of the United States Joe Biden (POTUS) inked an executive order to strengthen cybersecurity defenses and raise the security posture of the federal digital footprint. According to POTUS and his advisors, Zero Trust is at the heart of cyber defense. What is Zero Trust? Planet Technologies has aligned the definition of Zero Trust with the Open Group’s Principles, NIST 800-207, and Microsoft’s guidance. In short, Planet Technologies believes Zero Trust is a mindset and philosophy to approach cybersecurity. We believe that cybersecurity is a business challenge, not a technical problem. As a result, the Planet approach to protecting the confidentiality, integrity, and availability of on-premises and cloud systems/data leverages a Zero Trust philosophy of never trusting and always verifying.
Zero Trust Theory
As organizations adopt and operate in the cloud, perimeter-only security techniques are obsolete. Simply put, the cloud offers access to resources from anywhere. As a result, the mindset on protection must shift to assume no perimeter. Because Zero Trust is complex and different from traditional security, the first step in adopting Zero Trust is understanding the mindset. Planet Technologies has developed a program to introduce the Zero Trust across six domains, including (1) identity, (2) devices, (3) infrastructure, (4) network, (5) applications, and (6) data.
Zero Trust Misnomer
Understanding the six domains of Zero Trust is one component to successfully deploying Zero Trust. Organizations often only invest in sophisticated tools or Zero Trust education for their teams. Herein lies some misnomers:
- Our organization has the best-trained security personnel with decades of experience [in obsolete perimeter security technologies].
- We are prepared because our organization has invested millions in best-of-breed security tools [and nothing in training our security team or standardizing common security scenarios].
- We have established a comprehensive compliance program with documented processes; We are compliant [yet we have no tools, and no one understands modern cybersecurity].
A healthy security program requires all three explicit components. First, the organization must have a staff that is trained and understands the concepts of Zero Trust. Second, the business must provide a comprehensive toolbox for a prepared security team. Finally, and often neglected, the company must operationalize unique processes and procedures. Operationalizing security is the concert of a well-trained and experienced team, adequately equipped toolbox, and leveraging pre-defined and skill-based proactive and reactive security processes.
Zero Trust ECR (ZT-ECR) Anatomy
Planet Technologies has developed a Zero Trust Enterprise Cloud Readiness (ZT-ECR) program to address people, tools, and security operations. Subsequently, the goals of the ZT-ECR are threefold: discovery, planning, and recommendations. The ZT-ECR is a structured engagement where architects and technology strategists present an operational approach to Zero Trust. Next, the engagement combines business goals, operational goals, and technical controls (tools) to build a complete picture of Zero Trust. Finally, Planet Technologies will score the organization’s level of Zero Trust maturity throughout the engagement and make recommendations for the future.
The ZT-ECR is structured by topics that align with the six domains of Zero Trust. For example, identity sessions will focus on the theoretical implementation of identity. The customer will understand Zero Trust, tools, and folding the ZT-Identity practices into the daily operations of the technology stack. The remaining ZT domains follow the same three-stage approach, including focusing on people, tools, and operationalization. When completed, the final sessions will address operations and secure DevOps from a strategical view.
Zero Trust ECR Conclusion and Next Steps
Underpinning all the discussions in the ECR is an evaluation of the organization’s Zero Trust Maturity. Planet Technologies will deliver a detailed executive report describing Zero Trust operational best practices, the organization’s current adoption, and recommendations for the future. Planet will leverage a unique scoring system that evaluates 44+ Zero Trust best practices to quantify the organization’s Zero Trust maturity. Planet Technologies will provide recommendations on the next steps, which typically include a Zero Trust Rapid Modernization Plan (ZT-RaMP). ZT-RaMP involves the tactical deployment of technologies and tools together. Planet promotes Zero Trust at the heart of an organization’s cyber defense. In closing, Planet would like to echo that Cybersecurity is a business challenge, not a technical problem.