Zero Trust Principles
Zero trust principles
Zero trust is the security buzzword of the moment, and it is almost certainly on your organization's cyber roadmap. This is usually driven by audit findings, a desire to reduce risk, the adoption of an "assume breach" posture, the migration of workloads to the cloud and the increase in remote working.
Zero trust principles are designed to restrict users' and systems' access to only the data and applications they need to perform their jobs (the principle of least privilege) and limit the impact of breaches through network segmentation.
This isn't entirely new; it is a positive security model (blocking everything except that which is explicitly allowed), supporting the principle of least privilege, but continuously monitored and enforced.
While implementing zero trust is an architectural notion that relies on the full gamut of your security ecosystem, it is based upon these core architectural concepts:
- Never trust, always verify
- Assume breach: the shift from perimeter-centric to inside-out security
- Least privilege, moving toward a risk-based approach to granting access
- Segmented and secure user application access, providing secure remote access to applications in legacy data centers and the cloud
- Environment network segmentation provides a way of restricting users' and entities' network-level access and thereby reducing the 'blast radius' of an incident.
- Identity and access management, which is the process of assuring that users are who they purport to be, grants and verifies the right to access resources and manages the lifecycle of these identities and access privileges.
Our clients gain several benefits from adopting a zero trust stance, including visibility of the applications that their users are interacting with, blast radius reduction of an incident, and reduced risk through enhanced security controls, particularly for trusted third-party access, a key threat vector these days.
Protect surfaces
The concept of a "protect surface" refers to the specific, critical assets within an organization that need to be secured. The protect surface typically includes the most valuable data, applications, assets and services (DAAS) that are essential to the organization's operations and success.
In their zero trust architectural approaches, both the Cloud Security Alliance and the National Security Telecommunications Advisory Committee (NSTAC) propose that organizations build their zero trust controls around protect surfaces rather than monolithic programs across the whole of the organization's environment.
Unlike the traditional approach of securing the entire attack surface, which can be vast and complex, focusing on the protect surface allows for a more manageable and effective security strategy.
The protect surface is a fundamental concept of WWT's approach to zero trust. Our team emphasizes the importance of identifying and securing these critical assets to create a robust security framework. An organization may want to start with the minimum viable business (MVB) applications and systems identified in cyber resilience and recovery planning. This approach aims to ensure that security measures are applied consistently and comprehensively across the organization, regardless of where assets are located or how they are accessed.
Five-step process for zero trust implementation
The five stages to secure a protect surface, as outlined by CSA and advocated by World Wide Technology (WWT), are as follows:
- Define your protect surface: Determine the critical assets, data, applications and services (DAAS) that make up the protect surface. Understanding what needs to be protected and why it is critical to the organization is essential.
- Map the transaction flows: Once the protect surface is identified, map the transaction flows. This involves understanding how data moves across the network, who accesses it and how it is used. This mapping helps in identifying potential vulnerabilities and points of exposure.
- Build a zero trust architecture: Design a security architecture based on the information gathered in the identification and mapping stages. This architecture should be tailored to protect the specific assets within the protect surface, ensuring that security measures are both effective and efficient.
- Create zero trust policy: Implement the security architecture by deploying the necessary security controls, technologies and processes to protect the identified assets. This may involve configuring firewalls, setting up access controls and implementing monitoring systems.
- Monitor and maintain the network: Continuously monitor and maintain the security measures in place. This involves regular assessments, updates and adjustments to the security architecture to address new threats and vulnerabilities as they arise. Continuous improvement and validation are key to ensuring the ongoing security of the protect surface.
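To make the five steps and the positive security model described earlier concrete, here is an added example (not code from the original post or from WWT) of a minimal default-deny policy engine: the protect surface, the mapped transaction flows and the principal, destination and service names are all constructed sample values, and the posture checks are simplified to two booleans.

```python
from dataclasses import dataclass

# Step 1: the protect surface (DAAS). Constructed sample values.
PROTECT_SURFACE = {"payroll-app", "payroll-db"}

# Step 2: mapped transaction flows as (principal, destination, service).
# Constructed sample; in practice these come from observed traffic.
MAPPED_FLOWS = [
    ("hr-analyst", "payroll-app", "tcp/443"),
    ("payroll-app", "payroll-db", "tcp/5432"),
]


@dataclass(frozen=True)
class Request:
    principal: str
    destination: str
    service: str
    identity_verified: bool   # strong authentication succeeded
    device_compliant: bool    # endpoint posture check passed


def build_policy(flows):
    """Steps 3-4: the policy is exactly the set of mapped flows; nothing else."""
    return frozenset(flows)


def evaluate(policy, req):
    """Default deny: allow only an explicitly mapped flow from a verified
    identity on a compliant device. Returns (decision, reason)."""
    if req.destination not in PROTECT_SURFACE:
        return "deny", "destination outside this protect surface"
    if not req.identity_verified:
        return "deny", "identity not verified"
    if not req.device_compliant:
        return "deny", "device not compliant"
    if (req.principal, req.destination, req.service) not in policy:
        return "deny", "no mapped transaction flow"
    return "allow", "mapped flow, verified identity, compliant device"


def review_denials(policy, requests):
    """Step 5: a denial with valid identity and device but no mapped flow is
    either a flow missed in step 2 or an attempted lateral move; surface it
    for analyst review instead of silently dropping it."""
    findings = []
    for req in requests:
        decision, reason = evaluate(policy, req)
        if decision == "deny" and reason == "no mapped transaction flow":
            findings.append((req.principal, req.destination, req.service))
    return findings
```

Every allow decision traces back to a mapped flow, which is what lets the monitoring step compare what the policy permits against what is actually attempted.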
A final note
Do not attempt to deliver a complete architecture in one go. Zero trust is a multi-year journey, not a sprint. Consider securing your critical assets first (this is why system categorization is key) with some core zero trust functionality and maturing your zero trust architecture from there.