This blog series builds on ideas introduced in my recent post, “Zero Trust is not hard … If you’re pragmatic”.
In my previous post, I outlined six steps to achieve Zero Trust. In this series, I will explore each of the six steps previously outlined to provide a solid framework that can be used by micro-segmentation practitioners in organisations large and small to make their projects more successful. Before I begin, here’s a visual representation of each step:
Step 1: Identify what to protect
In the infancy of workplace technology, before it became ubiquitous, organisations took a very “horses for courses” approach. In corporate terms, this meant a tactical approach to adopting new capabilities – be it new hardware, operating systems or software, it was always about what was most suited to the specific job at hand, rather than trying to solve for a generic use case.
As technology was deployed on a small scale, ad hoc solutions were manageable, and more productive than trying to pursue economies of scale or seek to engineer strategic solutions that could be relevant across the board.
But we now know that as organisations grow, there is a tipping point where the cost and limited effectiveness of running ad hoc solutions are outweighed by the ability to leverage generic components that can be used to build effective solutions everywhere.
The adoption and deployment of security technologies is no different, which is why introducing a net new security capability is such a complex, long, and drawn-out endeavour, especially if that capability is meant to be preventive.
So why am I stating all the above? This context illustrates how you can make quick, early progress with a strategic (i.e., all-encompassing, long-term, and complex) initiative like adopting a Zero Trust mindset by starting with tactical (i.e., highly specific, short-term, and relatively simple) steps.
Ultimately, our objective should be to put a Zero Trust framework in place across our organisation. Having this long-term goal is essential for validating progress, as each step should take us closer to that objective. But achieving complete Zero Trust requires many such steps over a lengthy timescale, and showing ROI can be difficult with an “all or nothing” approach. If you can’t show measurable progress in the short term (quarter over quarter, if not as aggressively as month over month), then support and interest in the initiative may fade as other priorities take centre stage.
Instead, look to achieve your long-term goal – enterprise-wide adoption of Zero Trust – by targeting an application or collection of applications that:
- Have a strong driver to adopt Zero Trust security principles. Ideally this would be a compliance or regulatory mandate, or an audit finding that must be remediated. The other strong driver for adopting Zero Trust comes from an “incident” – everyone has one, and as the old saying goes, “never waste a crisis”. This ensures that there is a willingness (and need) to accept change.
- Are marked as critical applications. Focusing on crown jewel applications early in the process provides the best opportunities for learning and, if successful, provides confidence in the technology’s benefit to other, less critical parts of the enterprise. These are also the applications that key decision makers are often most aware of, so progress will give them direct line of sight to ROI from the Zero Trust initiative.
- Have a willingness to be guinea pigs. This is an experiment, and there is no doubt that it comes with the associated risks. By adopting Zero Trust, you are flipping the usual access models on their head, which could result in growing pains. Working with application teams who are comfortable with the adoption risks is hugely valuable. They will be your future champions as you look to widen adoption.
I find that SWIFT or PCI-DSS systems, development workloads on a production network, critical security services, and applications running unpatched and/or end-of-life components are all great candidates to be initial adopters of Zero Trust segmentation, as they each tick at least two of the requirements above. What applications do you have that fit into those categories?
Once you’ve identified what you want to protect, you can move forward to determining which Zero Trust pillar to focus on and, more specifically, exactly what control you will be enforcing – which will both be covered in the next post in this series.
Can’t wait for my next post to learn more? Visit our page on how to operationalize your Zero Trust strategy with micro-segmentation to get the inside scoop.