
Toward a Zero Trust Architecture

A Guided Approach for a Complex and Hybrid World

© 2021 Cloud Security Alliance – All Rights Reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance at

subject to the following: (a) the draft may be used solely for your personal, informational, non-commercial use; (b) the draft may not be modified or altered in any way; (c) the draft may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the draft as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance.

© Copyright 2021, Cloud Security Alliance. All rights reserved.

Abstract

Enterprise stakeholders must consider the challenges of increased real-time system complexity, the need for new cybersecurity policy, and the strong cultural support that is required to securely operate systems in a complex and hybrid world. Emerging technology solutions and approaches such as Zero Trust are critical to meeting the mandates in United States President Biden's Executive Order 14028, Improving the Nation's Cybersecurity. The implications of an emerging, rich, and diverse solutions landscape and the challenges to an organization's ability to ultimately deliver a Zero Trust architecture (ZTA) are explored in this paper. Recommendations are discussed for how industry can improve collaboration among key stakeholder groups to accelerate both enterprise leaders' and security practitioners' adoption of Zero Trust into their environments.

A Product of the Cloud Security Alliance – Washington DC Chapter (CSA-DC) Research Committee
Research Committee Chair: Mari Spina


Acknowledgments

Authors:

Juanita Koilpillai
Jyoti Wadhwa
Dr. Allen Harper
Salil Parikh
Paul Deakin
Vivian Tero
Greg Bateman
Aubrey Merchant-Dest
Jay Kelley
Phyllis Thomas
Uma Rajagopal
Rebecca Choynowski

Contributors:

Jason Keplinger
Tom Stilwell
Lauren Bogoshian
Bob Klannukarn
Joe Klein
Daniele Catteddu
Nirenj George
Jagan Kolli
Andres Ruz

Special Thanks:

Bowen Close

About the CSA DC Chapter

This document was created by the DC chapter of the Cloud Security Alliance (CSA). The DC Chapter of the CSA consists of volunteers who have been at the forefront of cloud security. Visit our website at

/

for more information.


Dedication

This paper is dedicated to Juanita Koilpillai, whose sudden and unexpected death marked a great loss for the cybersecurity community and her CSA-DC Chapter friends. Juanita was a primary author and contributor to this paper and the CSA-DC Chapter working group that produced it. Juanita's contributions to cybersecurity will continue in her stead, strengthening the cybersecurity posture of organizations around the world. Her technical leadership and development of Software-Defined Perimeter (SDP) technologies formed the early foundations of Zero Trust architectures (ZTAs). Juanita was a true light that shone brightly across the cybersecurity community. It is with great sadness we bid farewell to a truly great leader and engineer.

Anil Karmel
President, CSA-DC Chapter


Table of Contents

Abstract 3
Acknowledgments 4
Dedication 5
1 Background 7
1.1 Why Zero Trust? 7
1.2 Assessing the Current Zero Trust Maturity Level 9
1.3 Developing a Zero Trust Roadmap 10
2 Considerations for Zero Trust Adoption 14
2.1 Technology 14
2.2 Organizational Culture 15
2.3 Policy 15
2.4 Regulatory Environment 15
3 Zero Trust Solution Landscape 17
3.1 Software-Defined Perimeter 17
3.2 Network Segmentation 18
3.3 Service Mesh 19
3.4 Edge Computing 20
3.5 Policy as Code 20
3.6 Identity Aware Proxy 22
4 Implications for Industry 23
4.1 Technology 23
4.2 Organizational Culture 24
4.3 Policy 24
4.4 Regulatory Environment 25
5 Recommendations 26
6 Additional Reading 28
7 References 29


1 Background

Due to the COVID pandemic, organizations have had to quickly adapt to supporting a global remote workforce. The expansion of remote work and the adoption of cloud technologies have extended the definition of the security perimeter, necessitating adoption of a Zero Trust (ZT) strategy to secure the future of work. Combined with the ongoing shift to more agile and scalable multi-cloud, hybrid architectures, these forces have accelerated more than ever before the need to improve the security and risk management of information systems. IT organizations are now being driven to prioritize their focus on defining and adopting a Zero Trust architecture (ZTA) unique to their environment.

The adoption of a ZTA is further promoted by the recent Presidential Executive Order mandating improvements to the nation's cybersecurity[1] and the Federal Zero Trust Strategy.[2]

With perimeter-based and defense-in-depth approaches giving way to this newer security paradigm, enterprises are seeking to reduce security risks, especially as they begin to adopt modern microservice, microsegmentation, and software-defined architectures that enable remote productivity. Although there is broad support from IT vendors, the reality of ZTA is still an ambitious future target state because organizations are just beginning to formulate baselines for their ZTA approach and the industry is seeking insights to form best practices or standards through ongoing collaborations.

This paper will help inform cybersecurity practitioners, engineers, architects, business leaders, and IT stakeholders. Although broadly useful, this paper focuses on a U.S. government perspective. As a result, a general familiarity with NIST SP 800-207 is implied.

1.1 Why Zero Trust?

The ZT model of information security was introduced by the Jericho Project in 2003, recognizing the security challenges of traditional perimeter networking, followed in 2009 (publicly available in 2014) by Google's BeyondCorp project—their implementation of ZT—and then by Forrester Research in 2010. The ZT model "eliminates the idea of a trusted network" and teaches that "in Zero Trust (ZT), all network traffic is untrusted. Thus, security professionals must verify and secure all resources, limit and strictly enforce access control, and inspect and log all network traffic."[3] In 2019, NIST authored a Special Publication on Zero Trust Architecture[4] (SP 800-207) that melds ZT ideas into an abstract definition of ZTA and presents guiding tenets for development and implementation of

[1] Exec. Order No. 14028, 86 FR 26633 (May 12, 2021). /briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

[2] U.S. Office of Management and Budget. (n.d.). Federal Zero Trust Strategy. Cybersecurity & Infrastructure Security Agency. Retrieved September 29, 2021, from /federal-zero-trust-strategy/

[3] Kindervag, J. (2010, September 17). No More Chewy Centers: Introducing the Zero Trust Model of Information Security. Palo Alto Networks. /documents/Forrester-No-More-Chewy-Centers.pdf

[4] Rose, S., Borchert, O., Mitchell, S., & Connelly, S. (2020, August 11). SP 800-207, Zero Trust Architecture. NIST. /publications/detail/sp/800-207/final


ZTA, illustrated in Figure 1. Industry dynamics driving the adoption of a new ZT security landscape include exploding security cost, broad use of 5G, cloud computing, the Internet of Things (IoT), and microservice-oriented architectures. These factors contribute to redefining ownership boundaries and usage patterns by diminishing the prominence of fixed physical or software-defined network boundaries.

Zero Trust Tenets from NIST

1 All data sources and computing services are "resources"
2 Communications are secured regardless of location
3 Access to individual resources is granted on a per-session basis
4 Access to resources is determined by dynamic policy and other behavioral and environmental attributes
5 Integrity and security posture of owned and associated assets is monitored and measured
6 Dynamic resource authentication and authorization are strictly enforced before access is allowed
7 Information on current state of asset, network infrastructure, and communications is collected to improve security posture

Figure 1. Zero Trust Tenets, NIST SP 800-207

As organizations continue to migrate all or parts of their network to the cloud, stakeholders at government agencies and commercial enterprises must secure their private, public, or community cloud instances in a new way. Although the need is imminent, this change in the security landscape will take time and intention to implement. Organizations will need to advance their ability to secure their systems in the cloud with new technology stacks, skill sets, and processes. This presents a challenge of developing new security governance and policies that are based on continuous verification, microsegmentation, software-defined networks, and continuous monitoring and visibility. Implementing and enforcing these modernized policies will require industry players to design and operate a complex mix of both traditional and modern access control and network technologies, customized to their own environment over time.

Commonly deployed approaches, such as always-on VPN connections and routing all traffic through enterprise gateways, have become less efficient or no longer viable from a cost and user experience


perspective. Furthermore, much of cybersecurity is based on a signature-based concept, whereby tools look for "signatures" of known bad behavior, but by definition a zero-day threat does not have a known signature. This limitation is addressed by ZT, since ZTAs do not rely on signature- or anomaly-based technologies to help reduce risk. With ZT, security controls are pervasive and rightly trending closer to the actual data and functions, wherever and whenever they are instantiated. However, given the disparity in the rate and level of modernization among organizations, the speed and maturity of industry guidance on how to secure these modern architectures has fallen behind and is at best too uncoordinated for optimal protection of systems and their data.

Maturity for ZT solutions and roadmaps is just beginning, given architecture and marketplace complexity. For example, security practitioners are challenged with identifying users and implementing automated detection of new cyber threats in real-time, multi-cloud environments. Given today's sophisticated and hybrid landscape, this paper proposes foundational elements of a Zero Trust Architecture Capability Maturity Model (ZTA-CMM) and is associated with a ZT roadmap. Ongoing government and industry dialog and collaboration will aid in the development of ZTA-CMM best practices to assess how ZT principles are applied to current architectures and the corresponding ZT roadmap that addresses the gaps, yielding improved risk management and cyber resiliency.

1.2 Assessing the Current Zero Trust Maturity Level

An organization must understand the current maturity level of its ZTA, engaging in organization-wide reviews to conduct a thorough and efficient analysis. This analysis should account for the current people, processes, and technologies in place that contribute to the ZT pillars. Though focused on federal agencies, the CISA Federal Zero Trust Strategy[5] document can operate as a guide for understanding the processes and technologies that are vital for a successful ZTA implementation. Conceptual models and frameworks are being identified by the National Institute of Standards and Technology (NIST) and industry stakeholders[6] such as ACT-IAC[7] and Forrester,[8] and will continue to evolve; however, it should be noted that at this time there is no effort to bring these frameworks together. CISA has released a ZT CMM[9] composed of the following pillars: identity, devices, networks, application workloads, and data. Together, these five components provide a holistic perspective on the different areas where an organization can apply resources towards the development of its ZTA.

[5] U.S. Office of Management and Budget. (n.d.). Federal Zero Trust Strategy. Cybersecurity & Infrastructure Security Agency. Retrieved September 29, 2021, from /federal-zero-trust-strategy/

[6] Microsoft. (n.d.). Zero Trust Model - Modern Security Architecture. Retrieved September 29, 2021, from /en-us/security/business/zero-trust

[7] American Council for Technology-Industry Advisory Council. (2019, April 18). Zero Trust Cybersecurity Current Trends. /system/files/ACT-IAC%20Zero%20Trust%20Project%20Report%2004182019.pdf

[8] Forrester. (n.d.). The Zero Trust Security Playbook For 2021. Retrieved September 29, 2021, from /playbook/The+Zero+Trust+Security+Playbook+For+2020/-/E-PLA300

[9] Cybersecurity and Infrastructure Security Agency, Cybersecurity Division. (2021, June). Zero Trust Maturity Model - Pre-decisional Draft, Version 1.0. Cybersecurity and Infrastructure Security Agency. /sites/default/files/publications/CISA%20Zero%20Trust%20Maturity%20Model_Draft.pdf


Pillars of a Zero Trust Architecture (DHS CISA CMM)

Identity: In a complex hybrid and mobile environment, the identity store of all actors may be maintained in a federated active directory, backed with a public key infrastructure (PKI). Further, the organization may leverage a separate identity management solution which may or may not be fully integrated with the federated active directory service.

Device: An organization's endpoints may be comprised of, and not limited to, traditional servers, desktops, laptops, VDI instances, thin clients, mobile devices, and Internet of Things (IoT) devices.

Networks: Networks include traditional, wireless, mobile (5G, Zigbee, etc.), cloud, and software-defined networks, for example in Hyper Converged Infrastructure (HCI). Micro-segmentation is established at the network and application levels.

Application Workload: An organization's application workloads or platform to support those workloads may be from a third party and/or developed by the organization. This includes the application and the platforms, containers, and servers used to support the applications.

Data: Data may be the business data collected by and utilized by the organization to conduct business, but also may include data lakes required to maintain visibility.

Figure 2. Zero Trust Pillars, DHS CISA ZT-CMM

A ZTA-CMM provides insights into the maturity level of each pillar (shown in Figure 2). Gaining a deep understanding of each area helps to inform organizational stakeholders about their environment's unique strengths and gaps regarding the adoption of a ZTA. Currently, organizations are limited in leveraging a widely accepted ZT maturity model for ZTA assessments, which is a gap in industry guidance and an area that will likely stimulate industry collaboration on the rankings and levels of the ZTA-CMM. In the interim, individual organizations will likely move forward with initial assessments and the results of those first assessments will become the baseline assessment of the organization.

1.3 Developing a Zero Trust Roadmap

As organizations gain more insight into the current state of their ZTA maturity level, they can identify and incorporate into their architecture new solutions that address the gaps and advance their maturity. For example, the DHS CISA ZT CMM (DHS CISA) uses three levels: traditional, advanced, and optimal, as shown in Figure 3.


DHS CISA Zero Trust Maturity Model

Traditional
  Identity: Password or multifactor authentication (MFA); Limited risk assessment
  Device: Limited visibility into compliance; Simple inventory
  Network/Environment: Large macro-segmentation; Minimal internal or external traffic encryption
  Application Workload: Access based on local authorization; Minimal integration with workflow; Some cloud accessibility
  Data: Not well inventoried; Static control; Unencrypted
  Cross-cutting capabilities: Visibility and Analytics; Automation and Orchestration; Governance

Advanced
  Identity: MFA; Some identity federation with cloud and on-premises systems
  Device: Compliance enforcement employed; Data access depends on device posture on first access
  Network/Environment: Defined by ingress/egress micro-perimeters; Basic analytics
  Application Workload: Access based on centralized authentication; Basic integration into application workflow
  Data: Least privilege controls; Data stored in cloud or remote environments are encrypted at rest
  Cross-cutting capabilities: Visibility and Analytics; Automation and Orchestration; Governance

Optimal
  Identity: Continuous validation; Real-time machine learning analysis
  Device: Constant device security monitor and validation; Data access depends on real-time risk analytics
  Network/Environment: Fully distributed ingress/egress micro-perimeters; Machine learning-based threat protection; All traffic is encrypted
  Application Workload: Access is authorized continuously; Strong integration into application workflow
  Data: Dynamic support; All data is encrypted
  Cross-cutting capabilities: Visibility and Analytics; Automation and Orchestration; Governance

Figure 3. CISA ZT-CMM (DHS CISA)

Achieving the targeted maturity level is supported by evaluating the organization's current maturity level and prompting stakeholders to use that evaluation to identify priority areas for execution, resource requirements, and budget allocation over a defined timeline to achieve the targeted maturity level. Targeted maturity levels in advanced environments that already reflect a high degree of ZT approaches in their architecture will be much higher relative to organizations that are starting their security and IT modernization journey. To address the requirements of a ZTA roadmap, stakeholders will need to gain a better understanding of an evolving technology landscape representing modern opportunities to attain targeted maturity levels.


This begins with completing a maturity assessment of the organization's capabilities across each of the five pillars. For each pillar, several questions may be developed so that relevant stakeholders provide a holistic assessment of the level of maturity in each focus area. These questions would increase in the degree of difficulty and scope to result in a more mature aspect of ZT in that pillar. After completing the questionnaire, the organization may leverage the quantified results as a baseline assessment of the organization's current ZTA maturity. Maturity level can be measured and quantified using an organization's rubric, similar to the approach suggested by the CMMC[10] and represented in a spider diagram, as notionally illustrated in Figure 4, alongside a desired or target state of ZT maturity for the organization.

Figure 4. Zero Trust Maturity Spider Diagram (notional)

The resulting differential in the baseline and target points is the gap assessment. The gap assessment includes specific areas for each pillar that the ZT Roadmap will address to methodically and gradually improve the current state to the target state over one to three years.

[10] CMMC Information Institute. (2021, August 21). DoD/NIST SP 800-171 Basic Self Assessment Scoring Template. /cmmc-info-tools/dod-nist-sp-800-171-basic-self-assessment-scoring-template/


Year One | Year Two | Year Three
Pillars: Identity, Device, Networks, Application Workload, Data
Prioritized investment and allocation of resources across each pillar based on gap assessment findings

Figure 5. ZT Prioritized Investment Roadmap (notional)

This approach yields a ZT prioritized investment roadmap, as suggested in Figure 5. It should incorporate the use of industry best practices and frameworks, such as the NIST Special Publication (SP) 800 series, CSA Cloud Controls Matrix (CCM), or government Security Technical Implementation Guides (STIGs), as they pertain to each pillar. This will help guide organizations on the detailed process and technology requirements that are missing from their current state in order to achieve their desired maturity level over one to three years. This approach is presented as an example of what is possible and it may be customized for each organization. Future working groups and organizations may develop a standard set of prescriptive questions and graphics describing capability maturity levels for a holistic approach to adopting a ZTA.
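A worked example of the assessment-to-roadmap procedure above, added here and not part of the CSA paper: questionnaire answers are scored per pillar against a constructed rubric, mapped onto the three CISA ZT-CMM levels, compared with a target state, and the resulting gaps ranked to seed the prioritized investment roadmap. The rubric questions, the scoring rule (ordered levels, partial credit only for the first incomplete level) and the sample answers are assumptions for illustration.

```python
"""Zero Trust maturity gap assessment (added example, not from the CSA paper).

Scores questionnaire answers per pillar against a constructed rubric, maps the
scores onto the CISA ZT-CMM levels, and ranks the gap to a target state.
"""

PILLARS = ("Identity", "Device", "Networks", "Application Workload", "Data")
LEVELS = ("Traditional", "Advanced", "Optimal")

# Constructed rubric: pillar -> (Traditional, Advanced, Optimal) question lists.
# The wording tracks the capabilities named in the CISA ZT-CMM (Figure 3).
RUBRIC = {
    "Identity": (["MFA for all users"], ["Identity federation"], ["Continuous validation"]),
    "Device": (["Device inventory"], ["Compliance enforcement", "Posture check on first access"],
               ["Constant device monitoring"]),
    "Networks": (["Macro-segmentation"], ["Micro-perimeters"],
                 ["All traffic encrypted", "ML threat protection"]),
    "Application Workload": (["Local authorization"], ["Centralized authentication"],
                             ["Continuous authorization"]),
    "Data": (["Data inventoried"], ["Least-privilege controls", "Encrypted at rest"],
             ["All data encrypted"]),
}


def score_pillar(pillar, satisfied):
    """Score one pillar on a 0..3 scale: one point per fully met CISA level.

    Levels are walked in order. Full credit accrues while every question at a
    level is in `satisfied`; the first incomplete level earns partial credit and
    higher levels earn nothing, so encryption at rest cannot lift a pillar whose
    data is not even inventoried.
    """
    score = 0.0
    for questions in RUBRIC[pillar]:
        met = sum(1 for q in questions if q in satisfied)
        score += met / len(questions)
        if met < len(questions):
            break
    return round(score, 2)


def level_name(score):
    """Name the CISA level a 0..3 score has fully reached."""
    reached = int(score)
    return "Below Traditional" if reached == 0 else LEVELS[reached - 1]


def gap_assessment(satisfied, targets):
    """Return (pillar, baseline, target, gap) rows, largest gap first.

    Baselines are the spider-diagram values for the current state; `targets`
    gives the desired score per pillar. Ties keep CISA pillar order, so the
    result is a ranked list for the year-by-year investment roadmap.
    """
    rows = []
    for pillar in PILLARS:
        baseline = score_pillar(pillar, satisfied)
        rows.append((pillar, baseline, targets[pillar], round(targets[pillar] - baseline, 2)))
    return sorted(rows, key=lambda r: -r[3])


# Constructed questionnaire result for a mid-journey organization: the set of
# rubric questions answered "yes".
SAMPLE_SATISFIED = {
    "MFA for all users", "Identity federation", "Device inventory",
    "Compliance enforcement", "Macro-segmentation", "Micro-perimeters",
    "All traffic encrypted", "Local authorization", "Encrypted at rest",
}
SAMPLE_TARGETS = {p: 3.0 for p in PILLARS}  # target state: Optimal on every pillar

if __name__ == "__main__":
    for pillar, base, target, gap in gap_assessment(SAMPLE_SATISFIED, SAMPLE_TARGETS):
        print(f"{pillar:21} {level_name(base):17} baseline={base:.2f} "
              f"target={target:.2f} gap={gap:.2f}")
```

In the sample, the Data pillar scores zero despite encryption at rest because its Traditional-level inventory question is unmet, which places it at the top of the roadmap.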


2 Considerations for Zero Trust Adoption

In addition to ZT maturity assessment and roadmap considerations, the following four factors are important considerations to developing a ZTA: technology, organizational culture, policy, and regulatory requirements. These internal and external factors influence an organization's ability to understand, design, and implement a ZTA roadmap for today's complex and hybrid environments. They help stakeholders identify which variables are significant barriers or accelerators in their current maturity level of ZTA and which ones most help to advance their ZTA journey.

One essential step in ZTA adoption will be the inventory of people, process, technology, critical assets, and security controls. This is key to adopting the architecture successfully. NIST recommends that you start with a single process and continue the organization's journey in the deployment of the architecture.

Organizations should target quick wins and understand that adoption of a ZTA is a longer-term, strategic initiative. As such, it requires executive support and ongoing consideration of all these factors over three to five years. A capability maturity model can guide an organization through a journey to understand existing and legacy capabilities while suggesting appropriate questions to ask and seek answers to. For example, questions could address:

What are the legacy technologies used by the organization?

What type of data/services are they using?

What are the specific cloud services implemented?

Is there a cloud access security broker solution implemented?

How are identities managed and what tools are implemented?

In which phase of the cloud adoption journey is the organization?

However, questions should be tailored to the organization's particular business and mission. Each should address the organization's business landscape associated with the state of technology, its organizational culture, its operating policies, the regulatory environment in which it operates, and the cloud security architecture towards which the organization is headed. For federal agencies, this is spelled out in CISA's Cloud Security Technical Reference Architecture.[11]

2.1 Technology

Technological considerations are critical. Legacy technology solutions have centered around adding layers to the perimeter, but this perimeter-based approach has been unable to contain the ever-increasing diversity and number of attacks on our IT systems. Computing units for application delivery have transitioned from concentrated big-iron servers to numerous virtualized servers

[11] Cybersecurity and Infrastructure Security Agency. (n.d.). Cloud Security Technical Reference Architecture. Retrieved September 29, 2021, from /cloud-security-technical-reference-architecture/


and services to highly granular containers distributed across a landscape of cloud properties. The atomization of function creates portability challenges for the application of ZT; however, given increased cloud adoption rates as part of digital transformation initiatives, ZT represents the next evolution and a modern cyber approach to prevention of and resiliency toward cyber-attacks. An organization's skill with key capabilities such as identity and credential access management (ICAM), software-defined networks (SDN), microsegmented environments, Identity-Aware Proxies (IAPs), and the ability to continuously monitor systems will drive the transition to ZT. Understanding the technology landscape in your architecture and the options available in the market ecosystem will influence the right solution for your environment.

2.2 Organizational Culture

An organization's culture is another strong influence for all stakeholders to consider. The COVID-19 pandemic has proven to be a catalyst pushing organizations into work-from-home programs and security teams to progress towards a ZT strategy. To adopt ZT, the organization must be willing to change and foster a "trust no one" approach through enterprise re-engineering. Proactive organizations embracing scalable cloud and hybrid models over legacy environments are at an advantage and will be able to more easily adopt the "ZT mindset." Understanding your culture and change management capability is essential.

2.3 Policy

Along with culture, the ability for an organization to update its policies is also critical. The modern IT organization is a sophisticated, complex, hybrid mix of on-premises and cloud-hosted architecture, which can make an organization's cybersecurity control policies challenging. The impact of changing policies permeates across an organization's entire infrastructure, applications, and data. The ability to identify and develop new ZT-based policies is an important factor and unique to each organization. Organizations may be challenged to identify, create, and formalize these policies, given the immaturity of ZTAs.

2.4 Regulatory Environment

A final influence highlighted in the adoption of ZT is the regulatory environment. The U.S. Government has two primary frameworks that drive cybersecurity compliance: the Risk Management Framework (RMF)[12] and Cybersecurity Framework (CSF), administered by NIST. They provide guidance on security assessment, implementation, authorization, and monitoring. Presidential Executive Order 13636 Improving Critical Infrastructure Cybersecurity,[13] issued on February 12, 2013, established a framework based on existing standards, guidelines, and practices for reducing cyber

[12] Securicon Team. (2019, October 8). NIST 800-53 Rev. 5: What it Is, and Why You Should Care. Securicon. /nist-800-53-rev-5-what-it-is-and-why-you-should-care/

[13] Exec. Order No. 13636, 78 FR 11737 (February 12, 2013).

/

the-pr
