Zero Trust Overview and Playbook Introduction: Guidance for business, security, and technology leaders and practitioners
Ebook, 538 pages, 4 hours

About this ebook

Zero Trust is cybersecurity for the digital era and cloud computing, protecting business assets anywhere on any network. By going beyond traditional network perimeter approaches to security, Zero Trust helps you keep up with ever-evolving threats.
The playbook series provides simple, clear, and actionable guidance that fully answers your questions on Zero Trust using current threats, real-world implementation experiences, and open global standards.
The Zero Trust playbook series guides you with specific role-by-role actionable information for planning, executing, and operating Zero Trust from the boardroom to technical reality.
This first book in the series helps you understand what Zero Trust is, why it’s important for you, and what success looks like. You’ll learn about the driving forces behind Zero Trust – security threats, digital and cloud transformations, business disruptions, business resilience, agility, and adaptability. The six-stage playbook process and real-world examples will guide you through cultural, technical, and other critical elements for success.
By the end of this book, you’ll have understood how to start and run your Zero Trust journey with clarity and confidence using this one-of-a-kind series that answers the why, what, and how of Zero Trust!

Language: English
Release date: Oct 30, 2023
ISBN: 9781800561465

    Book preview

    Zero Trust Overview and Playbook Introduction - Mark Simos

    Zero Trust Overview and Playbook Introduction

    Copyright © 2023 Packt Publishing

    All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

    Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

    Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

    No part of this book may be used for artificial intelligence (AI) or similar technology without the prior written permission of the publisher and authors. This prohibition includes but is not limited to training a large language model (LLM) or other AI algorithm using the book contents, using the book contents as a grounding or validating mechanism, and using the book content as a data source for an AI enabled application.

    Group Product Manager: Pavan Ramchandani

    Publishing Product Manager: Rahul Nair

    Senior Editor: Isha Singh

    Technical Editor: Nithik Cheruvakodan

    Copy Editor: Safis Editing

    Book Project Manager: Neil D’Mello

    Proofreader: Safis Editing

    Indexer: Rekha Nair

    Production Designer: Gokul Raj S.T

    Marketing Coordinators: MaryLou De Mello and Shruthi Shetty

    First published: October 2023

    Production reference: 1231023

    www.zerotrustplaybook.com

    Published by

    Packt Publishing Ltd.

    Grosvenor House

    11 St. Paul’s Square

    Birmingham

    B3 1RB, UK.

    ISBN 978-1-80056-866-2

    www.packtpub.com

    I dedicate this book to my wonderful and beautiful wife and children. Thank you for your patience, support, and love – I couldn’t have done it without you. Thank you!

    – Mark Simos

    To my wife, Peelu, and children, Nitin and Laya, whose immeasurable love, patience, and support helped me through the long journey of getting this book done.

    – Nikhil Kumar

    Foreword

    As global threats continue to compound, accelerate, and grow exponentially, there has never been a greater need for a change in thinking about cybersecurity. As a security practitioner since 2000, I have witnessed the ever-changing threat landscape and the evolution of industry solutions – as great innovation has attempted to keep pace with well-funded, well-orchestrated, and sophisticated attacks. Global organizations of all sizes and sectors have been impacted by the rampant pace of cyber-attacks – ransomware, DDoS, phishing, business email compromise, intellectual property theft, data theft, and cyber espionage, just to name a few of the types of attacks that exist today. Business has also become more digital, elevating security to an all-encompassing concern across business and technology. As we have witnessed this landscape changing, the industry also recognized it needed to evolve and change. With this recognition for change well understood, adopting a Zero Trust philosophy, architecture, and strategy became the rallying cry for cyber professionals.

    What is lost in the race for a better solution to the growing cyber threats is a unified definition and set of capabilities for the successful implementation of Zero Trust in an organization’s environment. Through their series of books, the authors of The Zero Trust Playbook Series, Nikhil Kumar and Mark Simos, attempt to answer questions surrounding Zero Trust – including the core defining capabilities and characteristics and how to successfully implement a Zero Trust architecture.

    Nikhil and Mark both have extensive professional experience on the front lines of cyber defense, advising global organizations on architecture and best practices. As they delve into the topic of Zero Trust, they not only define the topic but also provide answers to the why, as well as detailed guidance on the how.

    There has never been a greater need for a change in the cybersecurity defense methodology, and Zero Trust will bring the industry a long way toward maturity. Grounding this topic in pragmatic guidance while also clarifying why the purpose is a worthy task, I commend Nikhil and Mark for embarking on this journey.

    Ann Johnson

    Corporate Vice President – Microsoft

    Contributors

    About the authors

    Mark Simos helps individuals and organizations meet cybersecurity, cloud, and digital transformation goals. Mark is the lead cybersecurity architect for Microsoft, where he leads the development of cybersecurity reference architectures, strategies, prescriptive planning roadmaps, best practices, and other guidance. Mark is active in The Open Group where he contributes to Zero Trust standards and other publications.

    Mark is constantly gathering, analyzing, and refining insights, lessons, and best practices to help rapidly secure organizations in the digital age.

    Mark has presented at numerous conferences, including Black Hat, RSA Conference, Gartner Security & Risk Management, Microsoft Ignite and BlueHat, and Financial Executives International.

    You can find Mark on LinkedIn (https://www.linkedin.com/in/marksimos).

    Nikhil Kumar is the founder of ApTSi with prior leadership roles at PricewaterhouseCoopers and other firms. He has led the strategy and implementation of digital transformation, enterprise architecture, Zero Trust, security, and security architecture initiatives from start-ups through to Fortune 5 companies, translating vision to execution.

    An engineer and computer scientist with a passion for biology, Nikhil is known for communicating with boards and implementing with engineers and architects.

    Nikhil is an MIT mentor, board member, innovator, and pioneer who has authored numerous books, standards, and articles and presented at conferences globally. He co-chairs The Open Group’s Zero Trust Working Group, a global standards initiative.

    You can find Nikhil on LinkedIn (https://www.linkedin.com/in/nikhilkumar/).

    Thank you to our many mentors and teachers over the years.

    Special thanks to Jon Shectman, Elizabeth Stephens, John Flores, Tom Quinn, Carmichael Patton, Steve White, Wes Malaby, Brent Holliman, Michele Simos, Neb Brankovic, Dinakar Sosale, and Paul Weisman for excellent and thoughtful feedback on early drafts. You made this so much better!

    We also want to thank the security and IT professionals on the front lines sacrificing to keep our organizations, society, and economy safe. Your work is deeply appreciated, and we hope this book helps you on your journey!

    About the reviewer

    Thomas Plunkett wrote his first computer program in 1981. He has industry experience with Oracle and IBM. He is the author of several books and a frequent public speaker. Thomas has a Master of Science degree in blockchain and digital currency from the University of Nicosia. He also has a Master of Science degree in computer science and applications from Virginia Polytechnic Institute and State University. He has taken graduate courses from Stanford University on blockchain and cryptocurrency, computer security, cryptography, and other topics. He has a Bachelor of Arts degree in government and politics from George Mason University. He has a Juris Doctor degree from George Mason University Antonin Scalia Law School.

    Table of Contents

    Preface

    1

    Zero Trust – This Is the Way

    Introducing Zero Trust

    Introducing the Zero Trust Playbook Series

    Common Zero Trust questions

    Summary

    2

    Reading the Zero Trust Playbook Series

    Reading strategies

    How we structured the playbooks

    Zero Trust Overview and Playbook Introduction

    Business and Technical Leadership Playbook

    Technical Topic Playbooks

    Futures

    Summary

    3

    Zero Trust Is Security for Today’s World

    Continuous change and why we need Zero Trust

    Changes come faster in the digital age

    Defining success in the digital age

    Technology accelerates change and complexity

    A darker trend – the growth of cybercrime

    Staying balanced – assume failure and assume success

    Cybersecurity or information security?

    Implications and imperatives of Zero Trust

    It’s a team sport

    Security must be agile

    Failure is not an option

    Dispelling confusion – frequently asked questions on Zero Trust

    Aren’t attackers just kids in their basements playing on computers?

    Shouldn’t security have solved this simple technical problem by now?

    Who are the attackers?

    Can’t we just arrest these criminals and put them in jail?

    Is this just a matter of spending more money?

    If I have a Zero Trust strategy and funding, can I make this go away quickly?

    Can we ever be completely safe? What should I do about it?

    Is this cyberwar?

    What are the most damaging attacks?

    What does success look like for security and Zero Trust?

    Why is Zero Trust so confusing?

    How do I know if something is Zero Trust?

    Summary

    4

    Standard Zero Trust Capabilities

    Consistency via a simple model and durable capabilities

    The Open Group Zero Trust Reference Model

    Security disciplines

    Digital ecosystems and business assets

    Key Zero Trust capabilities

    Capabilities as a common language of security

    Zero Trust capabilities reference

    Does Zero Trust include network security?

    Summary

    5

    Artificial Intelligence (AI) and Zero Trust

    What is AI?

    What will the impact of AI look like?

    What are the limitations of AI?

    AI models do not understand anything

    AI models reflect any biases in their data

    How can Zero Trust help manage AI security risk?

    Zero Trust – the top four priorities for managing AI risk

    How will AI impact Zero Trust?

    Summary

    6

    How to Scope, Size, and Start Zero Trust

    Agile security – think big, start small, move fast

    What is agile security?

    Applying agility in practice

    Focus on progress instead of perfection

    Always ruthlessly prioritize

    Myths and misconceptions that block security agility

    Pursuing perfect security is a delusion

    Pursuing perfect solutions is a perfect waste

    Perfect plans are perfectly fragile

    Scoping, sizing, and starting Zero Trust

    Will Zero Trust work in my organization?

    Is it better to go big or plan smaller projects?

    Large Zero Trust transformations are the most effective

    Good communication can catalyze executive sponsorship

    Starting small is sometimes required

    How do I ensure Zero Trust stays on track and continuously delivers value?

    What is the best place to start Zero Trust?

    Key terminology changes and clarification

    Newer terminology – technical estate

    Disambiguation – operations, operational, operating model, and so on

    Summary

    7

    What Zero Trust Success Looks Like

    Zero Trust success factors

    Factor one – clear strategy and plan

    Factor two – security mindset and culture shifts

    Security risk is business risk

    Security is a business enabler

    Security is everyone’s responsibility

    Security risk accountability starts at the top

    Assume compromise (assume breach)

    Explicit validation of trust

    Asset-centric and data-centric security

    Cybersecurity is a team sport

    Factor three – human empathy

    Zero Trust provides a competitive advantage

    Key cultural themes

    Summary

    8

    Adoption with the Three-Pillar Model

    Introduction to the three pillars

    Playbook structure

    Playbook layout

    The strategic pillar

    The operational pillar

    The operating model pillar

    Stitching it all together with the Zero Trust Playbook

    Zero Trust integration drives changes

    Summary

    9

    The Zero Trust Six-Stage Plan

    Overview of the six-stage plan

    Using the playbook stages effectively

    The playbook stages in detail

    Stage 1 – Establish a strategy

    Stage 2 – Set up an operating model

    Stage 3 – Create the architecture and model

    Stage 4 – Tailor to the business

    Stage 5 – Implement and improve

    Stage 6 – Continuously monitor and evolve

    Summary

    10

    Zero Trust Playbook Roles

    Role-based approach

    Integration of roles with the six-stage plan

    Zero Trust affects everyone

    Role definition and naming

    Illustrative list of roles

    Per-role guidance

    Role mission and purpose

    Role creation and evolution

    Key role relationships

    Required skills and knowledge

    Tooling and capabilities for each role

    Zero Trust impact and imperatives for each role

    Playbook-stage involvement for each role

    A day in the life of Zero Trust for each role

    Defining and measuring success

    Summary of per-role guidance

    Making it real

    Summary

    Book 1 summary

    What’s next in The Zero Trust Playbook Series

    Index

    Other Books You May Enjoy

    Preface

    This is the first book in a series that makes the complex topic of cybersecurity as simple, clear, and actionable as possible (and hopefully a little more fun, too ☺).

    In today’s continuously changing world, people face overwhelming complexity while trying to protect business assets from cybersecurity attacks.

    Zero Trust enables business, technical, and security teams to work together to reduce risk in the face of continuously evolving attackers and threats, business models, cloud technology platforms, Artificial Intelligence (AI) innovations, and more.

    The Zero Trust Playbook Series helps demystify cybersecurity and Zero Trust by breaking them down into discrete, actionable components to guide you through the strategy, planning, and execution of a Zero Trust transformation.

    These books provide clear and actionable role-specific guidance for everyone from board members and CEOs to technical and security practitioners. They will help you understand Zero Trust, why it is important, what it means to each role, and how to execute it successfully. The series integrates best practices and guidance to avoid common mistakes (antipatterns) that slow you down and drive up risk.

    These books enable individuals and organizations to do the following:

    Modernize security programs to increase effectiveness and reduce daily toil, suffering, and wasted effort resulting from classic security approaches

    Securely enable digital business models to increase agility and reduce friction and business risk

    Successfully execute individual role tasks to grow your skills, knowledge, and career

    These books are designed to help you thrive in the security aspects of your role (and career) while helping your organization prosper and stay safe in today’s world.

    Who this book is for

    This first book serves as both a standalone overview of Zero Trust for anyone and an introduction to the playbooks in the series. It is for anyone with a part to play in Zero Trust who wants to understand what Zero Trust is, why it’s important to you, and what success looks like.

    This table provides a list of roles that will benefit from this book:

    Figure Preface.1 - Illustrative list of roles that enable Zero Trust

    The book is written for people who are currently in these roles (and similar roles) as well as those who aspire to work in these roles, work with people in the roles, and provide consulting and advice to these roles.

    What this book covers

    This first book kicks off The Zero Trust Playbook Series with an overview of Zero Trust and an introduction to the playbooks in the series. This book sets up the context of all that follows and introduces the common context everyone should know.

    The chapters in this book are as follows:

    Chapter 1, Zero Trust – This Is the Way, gets us started by introducing Zero Trust and The Zero Trust Playbook Series and answering common questions about Zero Trust.

    Chapter 2, Reading the Zero Trust Playbook Series, introduces us to the structure and layout of the playbook series and suggested strategies to get what you need from these books quickly.

    Chapter 3, Zero Trust Is Security for Today’s World, shows us how Zero Trust is designed for the digital age of continuous change that we live in, and why it’s critically important to get right. This chapter also clears up some common points of confusion around security and Zero Trust.

    Chapter 4, Standard Zero Trust Capabilities, describes the standard Zero Trust capabilities in the Zero Trust Reference Model from The Open Group that are referenced throughout the playbooks. These are the key elements that will stay constant as we continuously improve on Zero Trust.

    Chapter 5, Artificial Intelligence (AI) and Zero Trust, teaches us about AI and how this technology is disrupting business, technology, security, and society at large. It describes AI’s impacts, limitations, and relationship to Zero Trust that will be managed through the guidance for each role in the playbooks.

    Chapter 6, How to Scope, Size, and Start Zero Trust, answers the top questions about planning and getting started with a Zero Trust transformation. This also describes key terminology changes and common points of confusion about terminology that is used differently by different teams in an organization.

    Chapter 7, What Zero Trust Success Looks Like, covers the three key success factors for Zero Trust that are embedded into the playbooks: having a clear strategy and plan, managing mindset and culture shifts, and integrating human empathy.

    Chapter 8, Adoption with the Three-Pillar Model, lays out the three pillars of the playbook (strategic, operational, and operating model) and shows how the elements in that model work together to integrate business, technology, and security to create Zero Trust.

    Chapter 9, The Zero Trust Six-Stage Plan, describes the six stages used by the playbook, including a detailed summary of who does what. This shows us how the playbook brings everyone together to make Zero Trust real.

    Chapter 10, Zero Trust Playbook Roles, describes the role-based approach and per-role guidance in the playbooks. This sets us up for success as we move on to the playbook for our role.

    The remaining playbooks in the series provide actionable role-by-role guidance for each affected role.

    To get the most out of this book

    You don’t need anything except a desire to learn to get a clear picture of Zero Trust and how to execute it from this book.

    You will get more out of this book if you have experience working in business, technology, or security for an organization (or an aspiration to do so). This experience is not required to understand the concepts as we explain those throughout the book to ensure clarity.

    Follow the guidance in Chapter 2, Reading the Zero Trust Playbook Series, to identify the best reading strategy for your needs.

    Conventions used

    Text conventions throughout this book include:

    Tips or important notes

    That appear like this.

    Get in touch

    Feedback from our readers is always welcome.

    General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

    Contacting the authors: If you wish to contact the authors, you may reach out via LinkedIn: https://www.linkedin.com/in/marksimos | https://www.linkedin.com/in/nikhilkumar/

    Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

    Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

    If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

    1

    Zero Trust – This Is the Way

    Zero Trust secures business assets everywhere they go.

    Zero Trust is a modern security approach that aligns security with business priorities and risks. Zero Trust enables organizations to manage increased risk from rapidly evolving security threats (including ransomware) and to manage a fundamental shift in security assumptions (the organization’s private network isn’t enough to keep business assets safe). Zero Trust also gives you the ability to manage risk and opportunities from new technologies such as the cloud, artificial intelligence (AI), and more.

    This chapter will cover the following topics:

    Introducing Zero Trust

    Introducing the Zero Trust Playbook Series

    Introducing Zero Trust

    Zero Trust affects anyone working in any organization that uses any kind of computer, device, or internet technology—which is nearly everyone in business, government, and other organizations today. Zero Trust makes security a business enabler and drives an organization-wide
