This is excerpted from a Zero Trust article John Kindervag published back in 2017, yet the fundamental principles haven’t wavered and the need for a movement toward Zero Trust has never been more acute.
“Zero Trust,” a widely accepted term originally coined by John Kindervag and adopted by Forrester, is a data-centric network design that puts microperimeters around specific data or assets so that more granular rules can be enforced.
Zero Trust networks solve the “flat network” problem that helps attackers move undetected inside corporate networks so they can find and exfiltrate sensitive data. The shift to Zero Trust is applicable across all industries — from government to retail, healthcare, and everything in between. Here are five steps to get companies started on the path to Zero Trust.
Identify Your Sensitive Data
This may seem simple, but it’s more challenging than you might think. It’s impossible to protect data that you can’t see. If you don’t know where your enterprise stores data, who specifically uses it, how sensitive it is, or how employees, partners, and customers use it, then you’re putting your organization at risk. Before investing in security controls, companies must identify the data to protect. Once data is identified, it’s necessary to make the data classification useful, and simplification is key.
Map the Data Flows of Your Sensitive Data
It’s crucial to understand how data flows across the network and between users and resources. Engaging multiple stakeholders such as application and network architects to create a transaction flow map is important because they bring different information to the conversation. Additionally, security teams should streamline their flow diagrams by leveraging existing models. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires organizations to create data flow diagrams to help them fully understand all cardholder data flows and ensure that they’re effective in securing the cardholder data environment.
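To make the first two steps concrete, here is an added example (not from the original article or from Kindervag's work) that encodes a small data inventory with a simple three-tier classification, builds a transaction flow map from it, derives the allow-list and default-deny rules a microperimeter around the restricted data would need, and then checks a handful of observed connections against the documented map to flag traffic into the protected segment that nobody mapped. Every system name, port, asset and log line below is constructed for illustration.

```python
"""Data inventory, transaction flow map and microperimeter rules (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass

# Step 1: constructed inventory of data assets and a deliberately simple classification.
ASSETS = {
    "cardholder-db": "restricted",
    "hr-records": "restricted",
    "product-catalog": "internal",
    "marketing-site": "public",
}
SENSITIVE_TIERS = {"restricted"}


@dataclass(frozen=True)
class Flow:
    src: str    # source system or user group
    dst: str    # destination system
    port: int   # service port of the transaction
    asset: str  # data asset carried by this transaction


# Step 2: constructed transaction flow map agreed with application/network architects.
FLOWS = [
    Flow("web-tier", "payment-api", 443, "cardholder-db"),
    Flow("payment-api", "cardholder-db", 5432, "cardholder-db"),
    Flow("hr-app", "hr-records", 5432, "hr-records"),
    Flow("storefront", "product-catalog", 443, "product-catalog"),
    Flow("internet", "marketing-site", 443, "marketing-site"),
]

# Constructed observed connections (src dst port), e.g. from flow logs.
OBSERVED = """\
web-tier payment-api 443
payment-api cardholder-db 5432
jump-host cardholder-db 5432
storefront product-catalog 443
"""


def sensitive_assets(assets=ASSETS):
    """Assets whose classification tier requires a microperimeter."""
    return {name for name, tier in assets.items() if tier in SENSITIVE_TIERS}


def flow_map(flows=FLOWS):
    """Group documented flows by the data asset they carry."""
    by_asset = defaultdict(list)
    for f in flows:
        by_asset[f.asset].append(f)
    return dict(by_asset)


def protected_destinations(flows=FLOWS, assets=ASSETS):
    """Systems that receive sensitive data: the inside of the microperimeter."""
    sens = sensitive_assets(assets)
    return {f.dst for f in flows if f.asset in sens}


def microperimeter_rules(flows=FLOWS, assets=ASSETS):
    """Allow only the documented flows into the protected segment, deny everything else.

    Rules are ordered: explicit allows first, then one default deny per protected system.
    """
    sens = sensitive_assets(assets)
    rules = [("allow", f.src, f.dst, f.port) for f in flows if f.asset in sens]
    for dst in sorted(protected_destinations(flows, assets)):
        rules.append(("deny", "any", dst, "any"))
    return rules


def undocumented_flows(observed=OBSERVED, flows=FLOWS, assets=ASSETS):
    """Observed connections into the protected segment that the flow map does not document."""
    documented = {(f.src, f.dst, f.port) for f in flows}
    protected = protected_destinations(flows, assets)
    findings = []
    for line in observed.splitlines():
        src, dst, port = line.split()
        key = (src, dst, int(port))
        if dst in protected and key not in documented:
            findings.append(key)
    return findings


if __name__ == "__main__":
    for asset, fl in flow_map().items():
        print(asset, "->", [(f.src, f.dst, f.port) for f in fl])
    for rule in microperimeter_rules():
        print(rule)
    print("undocumented:", undocumented_flows())
```

The gap the last function surfaces (an unmapped connection to a restricted data store) is exactly the kind of thing a flow map drawn with the right stakeholders is meant to catch before the rules are enforced; run against real flow logs it doubles as a check that the map is complete.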
Architect Your Network
The actual design of a Zero Trust network should be based on how transactions flow across a network and how users and applications access toxic data. With an optimized flow in mind, it’s time to identify