Zero Trust is cybersecurity for the digital era and cloud computing, protecting business assets anywhere on any network. By going beyond traditional network perimeter approaches to security, Zero Trust helps you keep up with ever-evolving threats.
The playbook series provides simple, clear, and actionable guidance that fully answers your questions on Zero Trust using current threats, real-world implementation experiences, and open global standards.
The Zero Trust playbook series guides you with specific role-by-role actionable information for planning, executing, and operating Zero Trust from the boardroom to technical reality.
This first book in the series helps you understand what Zero Trust is, why it’s important for you, and what success looks like. You’ll learn about the driving forces behind Zero Trust – security threats, digital and cloud transformations, business disruptions, business resilience, agility, and adaptability. The six-stage playbook process and real-world examples will guide you through cultural, technical, and other critical elements for success.
By the end of this book, you’ll have understood how to start and run your Zero Trust journey with clarity and confidence using this one-of-a-kind series that answers the why, what, and how of Zero Trust!
Page count: 376
Year of publication: 2023
Zero Trust Overview and Playbook Introduction
Guidance for business, security, and technology leaders and practitioners
Mark Simos
Nikhil Kumar
BIRMINGHAM—MUMBAI
Copyright © 2023 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
No part of this book may be used for artificial intelligence (AI) or similar technology without the prior written permission of the publisher and authors. This prohibition includes but is not limited to training a large language model (LLM) or other AI algorithm using the book contents, using the book contents as a grounding or validating mechanism, and using the book content as a data source for an AI enabled application.
Group Product Manager: Pavan Ramchandani
Publishing Product Manager: Rahul Nair
Senior Editor: Isha Singh
Technical Editor: Nithik Cheruvakodan
Copy Editor: Safis Editing
Book Project Manager: Neil D’Mello
Proofreader: Safis Editing
Indexer: Rekha Nair
Production Designer: Gokul Raj S.T
Marketing Coordinators: MaryLou De Mello and Shruthi Shetty
First published: October 2023
Production reference: 1231023
www.zerotrustplaybook.com
Published by
Packt Publishing Ltd.
Grosvenor House
11 St. Paul’s Square
Birmingham
B3 1RB, UK.
ISBN 978-1-80056-866-2
www.packtpub.com
I dedicate this book to my wonderful and beautiful wife and children. Thank you for your patience, support, and love – I couldn’t have done it without you. Thank you!
– Mark Simos
To my wife, Peelu, and children, Nitin and Laya, whose immeasurable love, patience, and support helped me through the long journey of getting this book done.
– Nikhil Kumar
As global threats continue to compound, accelerate, and grow exponentially, there has never been a greater need for a change in thinking about cybersecurity. As a security practitioner since 2000, I have witnessed the ever-changing threat landscape and the evolution of industry solutions – as great innovation has attempted to keep pace with well-funded, well-orchestrated, and sophisticated attacks. Global organizations of all sizes and sectors have been impacted by the rampant pace of cyber-attacks – ransomware, DDoS, phishing, business email compromise, intellectual property theft, data theft, and cyber espionage, just to name a few of the types of attacks that exist today. Business has also become more digital, elevating security to an all-encompassing concern across business and technology. As we have witnessed this landscape changing, the industry also recognized it needed to evolve and change. With this recognition for change well understood, adopting a Zero Trust philosophy, architecture, and strategy became the rallying cry for cyber professionals.
What is lost in the race for a better solution to the growing cyber threats is a unified definition and set of capabilities for the successful implementation of Zero Trust in an organization’s environment. Through their series of books, the authors of The Zero Trust Playbook Series, Nikhil Kumar and Mark Simos, attempt to answer questions surrounding Zero Trust – including the core defining capabilities and characteristics and how to successfully implement a Zero Trust architecture.
Nikhil and Mark both have extensive professional experience on the front lines of cyber defense, advising global organizations on architecture and best practices. As they delve into the topic of Zero Trust, they not only define the topic but also provide answers to the why, as well as detailed guidance on the how.
There has never been a greater need for a change in the cybersecurity defense methodology, and Zero Trust will bring the industry a long way toward maturity. Grounding this topic in pragmatic guidance while also clarifying why the purpose is a worthy task, I commend Nikhil and Mark for embarking on this journey.
Ann Johnson
Corporate Vice President – Microsoft
Mark Simos helps individuals and organizations meet cybersecurity, cloud, and digital transformation goals. Mark is the lead cybersecurity architect for Microsoft, where he leads the development of cybersecurity reference architectures, strategies, prescriptive planning roadmaps, best practices, and other guidance. Mark is active in The Open Group where he contributes to Zero Trust standards and other publications.
Mark is constantly gathering, analyzing, and refining insights, lessons, and best practices to help rapidly secure organizations in the digital age.
Mark has presented at numerous conferences, including Black Hat, RSA Conference, Gartner Security & Risk Management, Microsoft Ignite and BlueHat, and Financial Executives International.
You can find Mark on LinkedIn (https://www.linkedin.com/in/marksimos).
Nikhil Kumar is the founder of ApTSi with prior leadership roles at PricewaterhouseCoopers and other firms. He has led the strategy and implementation of digital transformation, enterprise architecture, Zero Trust, and security, and security architecture initiatives from start-ups through to Fortune 5 companies, translating vision to execution.
An engineer and computer scientist with a passion for biology, Nikhil is known for communicating with boards and implementing with engineers and architects.
Nikhil is an MIT mentor, board member, innovator, and pioneer who has authored numerous books, standards, and articles and presented at conferences globally. He co-chairs The Open Group’s Zero Trust Working Group, a global standards initiative.
You can find Nikhil on LinkedIn (https://www.linkedin.com/in/nikhilkumar/).
Thank you to our many mentors and teachers over the years.
Special thanks to Jon Shectman, Elizabeth Stephens, John Flores, Tom Quinn, Carmichael Patton, Steve White, Wes Malaby, Brent Holliman, Michele Simos, Neb Brankovic, Dinakar Sosale, and Paul Weisman for excellent and thoughtful feedback on early drafts. You made this so much better!
We also want to thank the security and IT professionals on the front lines sacrificing to keep our organizations, society, and economy safe. Your work is deeply appreciated, and we hope this book helps you on your journey!
Thomas Plunkett wrote his first computer program in 1981. He has industry experience with Oracle and IBM. He is the author of several books and a frequent public speaker. Thomas has a Master of Science degree in blockchain and digital currency from the University of Nicosia. He also has a Master of Science degree in computer science and applications from Virginia Polytechnic Institute and State University. He has taken graduate courses from Stanford University on blockchain and cryptocurrency, computer security, cryptography, and other topics. He has a Bachelor of Arts degree in government and politics from George Mason University. He has a Juris Doctor degree from George Mason University Antonin Scalia Law School.
This is the first book in a series that makes the complex topic of cybersecurity as simple, clear, and actionable as possible (and hopefully a little more fun, too ☺).
In today’s continuously changing world, people face overwhelming complexity while trying to protect business assets from cybersecurity attacks.
Zero Trust enables business, technical, and security teams to work together to reduce risk in the face of continuously evolving attackers and threats, business models, cloud technology platforms, Artificial Intelligence (AI) innovations, and more.
The Zero Trust Playbook Series helps demystify cybersecurity and Zero Trust by breaking them down into discrete, actionable components to guide you through the strategy, planning, and execution of a Zero Trust transformation.
These books provide clear and actionable role-specific guidance for everyone from board members and CEOs to technical and security practitioners. They will help you understand Zero Trust, why it is important, what it means to each role, and how to execute it successfully. The series integrates best practices and guidance to avoid common mistakes (antipatterns) that slow you down and drive up risk.
These books enable individuals and organizations to do the following:
Modernize security programs to increase effectiveness and reduce daily toil, suffering, and wasted effort resulting from classic security approaches
Securely enable digital business models to increase agility and reduce friction and business risk
Successfully execute individual role tasks to grow your skills, knowledge, and career
These books are designed to help you thrive in the security aspects of your role (and career) while helping your organization prosper and stay safe in today’s world.
This first book serves as both a standalone overview of Zero Trust for anyone and an introduction to the playbooks in the series. Zero Trust Overview and Playbook Introduction is for anyone with a part to play in Zero Trust who wants to understand what Zero Trust is, why it’s important to them, and what success looks like.
This table provides a list of roles that will benefit from this book:
Role type: Roles
Organizational senior leaders: Member of board of directors; Chief Executive Officer (CEO); Chief Financial Officer (CFO); Chief Operating Officer (COO); Chief Legal Officer (CLO); Chief Privacy Officer (CPO); Chief Risk Officer (CRO); Chief Compliance Officer (CCO); Product and business line leaders; Communications/public relations director
Adjacent/ancillary roles: Human resources; Business analysts; Internal readiness/training; Internal and external communications
Risk and compliance roles: Risk team; Compliance and audit team
Technology senior leaders: Chief Digital Officer (CDO); Chief Information Officer (CIO); Chief Technology Officer (CTO); Chief Information Security Officer (CISO); Enterprise security integration (deputy CISOs and staff, security [business] analysts); Technology directors; Software delivery Vice President (VP); Security directors
Architects: Enterprise architects; Security architects; Infrastructure architects; Business architects; Information architects; Access architects; Solution architects; Software/application architects
Managers: Technology managers; Security managers; Security Operations (SecOps) managers; Product line managers/directors; Product owners; Software development directors; Technology delivery managers; Software testing/quality managers
Security posture management: Security posture management; Security governance and compliance management; People security (user education and insider risk)
Technical engineering and operations: Cloud engineering and operations; Endpoint/productivity; Identity; Infrastructure; CI/CD infrastructure; Network; Data security; Operational Technology (OT) security; Security posture engineering and operations
Application and product security: Software security engineers; Software developers; Software testers; Supply chain security; Internet of Things (IoT) security
Security operations: Triage analysts; Investigation analysts; Threat hunting; Detection engineering; Attack simulation (red and purple teaming); Incident management; Threat intelligence
Figure Preface.1 - Illustrative list of roles that enable Zero Trust
The book is written for people who are currently in these roles (and similar roles) as well as those who aspire to work in these roles, work with people in the roles, and provide consulting and advice to these roles.
This first book kicks off The Zero Trust Playbook Series with an overview of Zero Trust and an introduction to the playbooks in the series. This book sets up the context of all that follows and introduces the common context everyone should know.
The chapters in this book are as follows:
Chapter 1, Zero Trust – This Is the Way, gets us started by introducing Zero Trust and The Zero Trust Playbook Series and answering common questions about Zero Trust.
Chapter 2, Reading the Zero Trust Playbook Series, introduces us to the structure and layout of the playbook series and suggested strategies to get what you need from these books quickly.
Chapter 3, Zero Trust Is Security for Today’s World, shows us how Zero Trust is designed for the digital age of continuous change that we live in, and why it’s critically important to get right. This chapter also clears up some common points of confusion around security and Zero Trust.
Chapter 4, Standard Zero Trust Capabilities, describes the standard Zero Trust capabilities in the Zero Trust Reference Model from The Open Group that are referenced throughout the playbooks. These are the key elements that will stay constant as we continuously improve on Zero Trust.
Chapter 5, Artificial Intelligence (AI) and Zero Trust, teaches us about AI and how this technology is disrupting business, technology, security, and society at large. It describes AI’s impacts, limitations, and relationship to Zero Trust that will be managed through the guidance for each role in the playbooks.
Chapter 6, How to Scope, Size, and Start Zero Trust, answers the top questions about planning and getting started with a Zero Trust transformation. This also describes key terminology changes and common points of confusion about terminology that is used differently by different teams in an organization.
Chapter 7, What Zero Trust Success Looks Like, covers the three key success factors for Zero Trust that are embedded into the playbooks: having a clear strategy and plan, managing mindset and culture shifts, and integrating human empathy.
Chapter 8, Adoption with the Three-Pillar Model, lays out the three pillars of the playbook (strategic, operational, and operating model) and shows how the elements in that model work together to integrate business, technology, and security to create Zero Trust.
Chapter 9, The Zero Trust Six-Stage Plan, describes the six stages used by the playbook, including a detailed summary of “who does what.” This shows us how the playbook brings everyone together to make Zero Trust real.
Chapter 10, Zero Trust Playbook Roles, describes the role-based approach and per-role guidance in the playbooks. This sets us up for success as we move on to the playbook for our role.
The remaining playbooks in the series provide actionable role-by-role guidance for each affected role.
You don’t need anything except a desire to learn to get a clear picture of Zero Trust and how to execute it from this book.
You will get more out of this book if you have experience working in business, technology, or security for an organization (or an aspiration to do so). This experience is not required to understand the concepts as we explain those throughout the book to ensure clarity.
Follow the guidance in Chapter 2, Reading the Zero Trust Playbook Series, to identify the best reading strategy for your needs.
Text conventions throughout this book include:
Tips or important notes appear like this.
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.
Contacting the authors: If you wish to contact the authors, you may reach out via LinkedIn: https://www.linkedin.com/in/marksimos | https://www.linkedin.com/in/nikhilkumar/
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Once you’ve read Zero Trust Overview and Playbook Introduction, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.
Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.
Thanks for purchasing this book!
Do you like to read on the go but are unable to carry your print books everywhere?
Is your eBook purchase not compatible with the device of your choice?
Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.
Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.
The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily
Follow these simple steps to get the benefits:
Scan the QR code or visit the link below: https://packt.link/free-ebook/978-1-80056-866-2
Submit your proof of purchase
That’s it! We’ll send your free PDF and other benefits to your email directly.
Zero Trust secures business assets everywhere they go.
Zero Trust is a modern security approach that aligns security with business priorities and risks. Zero Trust enables organizations to manage increased risk from rapidly evolving security threats (including ransomware) and to manage a fundamental shift in security assumptions (the organization’s private network isn’t enough to keep business assets safe). Zero Trust also gives you the ability to manage risk and opportunities from new technologies such as the cloud, artificial intelligence (AI), and more.
This chapter will cover the following topics:
Introducing Zero Trust
Introducing the Zero Trust Playbook Series
Zero Trust affects anyone working in any organization that uses any kind of computer, device, or internet technology—which is nearly everyone in business, government, and other organizations today. Zero Trust makes security a business enabler and drives an organization-wide transformation to effectively protect digital business assets.
Earlier is better! Nearly all organizations are already starting on a Zero Trust journey (whether they call it Zero Trust or not). Organizations that start the transformation early and integrate security into cloud technology and digital business practices earlier will experience lower risk and a smoother experience.
The Zero Trust Playbook Series provides detailed role-by-role guidance on the strategy, planning, and execution of Zero Trust to guide you through this journey.
This book kicks off the series and lays the foundation for everything that follows, providing a summary of Zero Trust, how it affects each role in an organization, and how the playbooks guide you through this transformation. The context of this book is critical to ensure all stakeholders work toward the same goals, hence this book is recommended for all readers.
Note
Think of this first book like you would a big kickoff meeting for a large program. This gets everyone the context they need before each team goes off into its own follow-up meetings to plan and execute its projects or workstreams using the playbooks in the series.
This first book includes a definition of Zero Trust, how it relates to risk and conflict in the physical world, how it addresses security threats such as ransomware and data breaches, a summary of key Zero Trust principles, and what changes to expect in your organization across technology, processes, and human experiences on this journey.
This first book also introduces the role-based approach in the Zero Trust playbooks, showing how Zero Trust is put into practice for each affected role. We encourage you to use these playbooks and the six-stage plan in them as a reference template for your own organization’s Zero Trust transformation.
Agile or waterfall? The best of both!
The playbooks blend the best of agile approaches with well-established best practices for strategic planning and top-down executive sponsorship for large transformations.
This blended approach enables flexibility and speed without losing focus on the long-term end-to-end Zero Trust transformation. As a result, these playbooks are compatible with any organizational style, from well-established organizations following traditional program management methodologies to boundary-pushing digital-native organizations that have widely adopted agile approaches.
You can go big or go small: Smaller Zero Trust initiatives can deliver value faster but have a limited impact compared to a full transformation. To get the full value and benefits of a Zero Trust transformation, you will need to coordinate across the organization with an intentional plan and supporting cultural elements.
The playbook series enables you to start anywhere with Zero Trust and get quick wins to reduce security risk and enable the mission. See Chapter 6, How to Scope, Size, and Start Zero Trust, for more details on how to choose quick wins and how to adapt the playbooks to different organizational styles.
Now, let’s get started with how to read this book and this series to quickly get the information you need the most!
“The future is already here—it’s just not evenly distributed.”
– William Gibson
This book serves as both a standalone overview of Zero Trust for anyone (without reading anything else) as well as an introduction to the Zero Trust Playbook Series.
This Zero Trust Overview and Playbook Introduction book helps you understand the what, why, and how of Zero Trust and cybersecurity—what it means to you, why it is important to you, and how you benefit by implementing Zero Trust.
The playbook series also helps filter out unneeded details for each role while still providing the context of “why” people are being asked to do things differently than before. We did our best to streamline things that don’t matter to people while still providing a clear picture of the whole plan and how Zero Trust changes the organization around you.
Regardless of your role in an organization, this book provides insights that will help guide your Zero Trust journey and overcome the challenges you will likely face.
Before we dive into the details, let’s go through some quick answers to some common questions.
Some important questions come up often, and we’ll start by answering those. These are short answers, and more details are coming in this book and the series, but we’ll start with some simple clarity.
This series benefits nearly everyone in an organization, particularly business leaders, technology leaders, security leaders, and practitioners in Information Technology (IT) and security teams.
Note
The book series also helps people in organizations that support these roles, such as advisory/consulting services, managed service providers (MSPs), educational institutions, and other organizations.
Information security is a complex topic and changes fast, with risks and priorities shifting as fast as daily or hourly. The Zero Trust Playbook Series provides clear guidance to consistently manage this complexity and tailors that guidance for each role, from CEOs to individual employees.
This guidance covers everything, from cultural change and board-level business risk to changes that security, business, technical, and compliance professionals will execute in daily operations.
The Zero Trust Playbook Series is an ideal resource for anyone doing the following:
Planning or supporting a full Zero Trust transformation in any role
Evaluating, optimizing, and refining existing Zero Trust security capabilities
Planning Zero Trust quick wins to validate or prove the value of the approach
Forming or updating individual career and skills learning paths for yourself, your team, or your department
Planning team re-organization or growth as a manager, director, or senior leader
Improving inter-team processes and collaboration related to security as a manager, director, or senior leader
Developing cybersecurity curricula as an educational institution or instructor
Advising organizations as a consultant or other advisory role
Learning about cybersecurity as a student or as someone preparing for a career change
And more!
Zero Trust is simply security for today’s world of continuous change—securing digital business assets over their lifetime and anywhere they go. This security approach is based on zero assumed trust, which forces everyone to make informed decisions using data, not assumptions.
Zero Trust is a foundational shift in security philosophy from implicit (assumed) trust to explicit validation of trust. Instead of trusting any computer on your corporate network, you would explicitly validate that it is trustworthy before allowing access to valuable business assets.
The Open Group, a global standards organization, defines Zero Trust as follows:
“An information security approach that focuses on the entire technical estate – including data/information, APIs, and Operational Technology/Industrial Control Systems – throughout their lifecycle and on any platform or network.”
The US National Institute of Standards and Technology (NIST) SP 800-207, Zero Trust Architecture, standard states the following:
“Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (that is, local area networks versus the internet) or based on asset ownership (enterprise or personally owned).”
Global consensus on Zero Trust
Documentation on Zero Trust and its importance has been published by many organizations globally, including the US NIST, the UK National Cyber Security Centre (NCSC), The Open Group, the Cloud Security Alliance (CSA), the World Economic Forum (WEF), the US Cybersecurity and Infrastructure Security Agency (CISA), the US National Security Agency (NSA), the US Department of Defense (DOD), and others.
Many commercial organizations have adopted and advocated for the use of Zero Trust, including Microsoft, Google, leading global solution integrators, and countless security technology vendors.
This playbook guidance will help you align your security program with this growing consensus on Zero Trust and execute it.
Zero Trust is not a silver bullet! No single action or technology product can provide an easy miracle cure for security risks (despite any marketing claims you may have heard ☺). Zero Trust is a journey of incremental progress that aligns the time, energy, and money you spend on information security to three things:
Your business goals and organizational mission
The cloud technology you are adopting
The actual security threats and risks you face
The Zero Trust journey is similar in many ways to paying down a long-term debt or working through a backlog of tasks. This is because the Zero Trust journey requires discovering and removing false assumptions of trust that have influenced people, processes, and technologies in your organization for years (or even decades).
Zero Trust integrates a mature risk management approach
Organizations differ widely in how well security is aligned with and integrated with business risk.
For organizations that haven’t integrated security into risk management, Zero Trust will introduce this. For organizations that have already started the journey of aligning security risk with business opportunities and risk, Zero Trust will accelerate and refine this with increased agility and improved security outcomes.
The playbooks help your organization adopt Zero Trust and mature risk management practices regardless of where you are on this journey.
Zero Trust can look different depending on your role in an organization. Let’s take a closer look at this:
To a business leader, Zero Trust is the security component of a digital business strategy.
To a technical leader, Zero Trust is the security component of IT strategy and cloud transformation initiatives.
To security leaders and architects, Zero Trust is the central strategy that aligns security with business priorities and makes security agile to keep up with a continuously changing world.
To security professionals, Zero Trust is the way to keep up with continuously evolving threats, continuous changes from cloud platforms, and continuous changes in security technology. Zero Trust includes classic network security perimeter approaches but goes far beyond them to protect assets on any network or cloud.
To individual users, Zero Trust enables you to do the work you need wherever you are, with less friction and workflow interruptions from security processes and technology. Zero Trust educates you on how to think about your role in security to protect your organization.
These books help you to see Zero Trust from your perspective (“How does it impact me?”) and provide an actionable playbook for you—and your organization—to navigate these changes.
The term Zero Trust was originally coined by an industry analyst at Forrester, John Kindervag, to describe a concept for rethinking computer network security. This name comes from the fact that the network itself provides no inherent trust (“Zero Trust”) for business assets on it. This concept has since evolved over the past decade or so to become a broader strategic security paradigm that aligns with and empowers digital transformation.
One simple way to think about it is that Zero Trust is cybersecurity (information security) without the flawed assumption a private network can magically keep business assets secure. Traditional information security approaches often rely on a pervasive and wrong assumption that an organization can keep assets secure by simply keeping them connected to a private network managed by the organization.
Is Zero Trust new?
Partially. The formalization of Zero Trust as an industry-standard approach is relatively recent, but Zero Trust builds on concepts that were formally documented by The Jericho Forum™, which was founded in 2004. Additionally, many aspects of Zero Trust are adaptations of concepts from earlier work and other disciplines such as military doctrine, economics, psychology, and more. As with business and cloud technology, Zero Trust details will continually evolve with external requirements, but this core will stay as a consistent foundation.
Zero Trust enables security to operate at the speed of business, providing safety and security for today’s world. Zero Trust helps organizations to operate and grow while managing continuous changes in markets, technology platforms, and cybersecurity threats. Organizational risk has increased, and existing static perimeter-centric security approaches simply can’t keep up with these changes.
Business-critical systems and data are constantly evolving and moving around networks and cloud providers around the globe. Security threats are increasing from ruthless criminal gangs (often using extortion/ransomware) and nation-state attackers.
We need security that is agile and can keep up with these changes—hence Zero Trust.
Zero Trust affects everything in cybersecurity (information security) today and also expands security’s scope in business and technology disciplines. This is because nearly every part of a modern business, government agency, or other organization relies on technology and data and needs that technology and data to be safe from attacks.
The term Zero Trust can also refer to more than one thing, so you can expect this term will be used in multiple ways throughout the series. Zero Trust can refer to an overall approach (or paradigm) for security, a security strategy, or can refer to specific architectures and technologies that support the Zero Trust approach and strategy.
Don’t panic!
While this transformation can seem big and overwhelming, the good news is that there are already plenty of successes to learn from. Organizations are already implementing Zero Trust, and we have incorporated the lessons learned here to guide your transformation. These lessons learned by other organizations are directly integrated into this actionable playbook to help illuminate your path.
Chapter 6, How to Scope, Size, and Start Zero Trust, discusses how to size, scope, and get started on Zero Trust.
We have seen a lot of confusion about what Zero Trust is (and even cynicism that it isn’t real or new). We have learned that this confusion arises primarily for three reasons:
Zero Trust looks different to different roles in an organization, as described earlier
Zero Trust changes fundamental existing assumptions of information security, requiring a change in mindset (focusing on outcomes rather than existing methods)
Some cybersecurity marketing and sales approaches use Zero Trust overzealously and inaccurately
This book directly addresses the first two factors, and we sincerely hope it helps with the third one as well.
Zero Trust doesn’t happen overnight; it requires focusing on quick wins and incremental progress.
Zero Trust is an ongoing journey of continuous changes to keep up with attacker innovation, changing markets, and changing technology platforms. Zero Trust provides the core principles and framework that guide you along the modernization journey and stay agile to meet continuously changing demands. It also provides the architectural structure and governance guardrails to enable that journey.
Zero Trust is not a static discipline and does not exist in an independent silo; it is a living, breathing part of a modern business that is continuously adapting to the world. For more information on planning quick wins and incremental progress, see Chapter 6, How to Scope, Size, and Start Zero Trust.
Read these books for clarity on what Zero Trust is, what implementing it means, why you do it, and how to do it.
The authors led the development of the first industry-wide definition of Zero Trust (The Open Group Zero Trust Core Principles), which has found its way into commercial and national cybersecurity initiatives. They are now leading the definition of global standards for Zero Trust to create interoperable Zero Trust solutions and define what Zero Trust means.
In addition to leading standards initiatives, the authors have experience working with multiple organizations to lead, plan, and implement Zero Trust initiatives. The series captures their experience and integrates lessons learned and best practices into an actionable six-stage plan for Zero Trust. This plan will support any digital transformation or cloud migration initiative—regardless of the organization’s size or industry. Let’s take a closer look at what the series provides:
A reference guide for the whole Zero Trust journey: The books include a six-stage reference plan to guide the whole organization on the journey of implementing Zero Trust. As with an orchestral musical composition, a sports team playbook, or a movie script, these playbooks orchestrate how different people work together on this common goal.
Bite-size pieces: The playbooks break it up into smaller, bite-sized chunks focused on different roles to enable you to focus on what you need. They also include different examples of fictitious Acme corporations throughout the series to illustrate how to apply this to different industries and organizations.
Role-based guidance: The playbooks explain what Zero Trust means for each affected role (including best practices) so that you don’t have to figure this out yourself. This role-based approach of the playbooks allows you to plan for your individual part of adopting Zero Trust while also seeing how you fit into the overall picture.
Complete view through multiple perspectives: The playbooks provide a complete view of Zero Trust from all relevant perspectives. This allows you to switch lenses and see how Zero Trust looks to other roles in the organization, providing increased clarity on the topic.
We have seen many instances of how Zero Trust approaches make life better at organizations for business, technology, and security teams alike. We look forward to seeing your success on this journey using this book series!
Now that we have a general sense of Zero Trust and the Zero Trust Playbook Series, let’s move on to how to get the most out of these books with Chapter 2, Reading the Zero Trust Playbook Series.
A journey without direction is just wandering.
Now that we have clarity on some of the most important questions from Chapter 1, Zero Trust – This Is the Way, it’s time to plan how to get the most out of these books for you.
Everyone should read this first book to understand what Zero Trust means and develop a shared understanding of Zero Trust. Read it closely, as it’s foundational to the rest of the series and to Zero Trust at large. These chapters provide an overview of Zero Trust, including the core definition of Zero Trust, how it relates to business and digital transformation, the guiding principles, a view of what success looks like, and the six-stage playbook to create and implement a Zero Trust initiative.
This chapter covers the following topics:
Reading strategies, which compares focusing only on your role (without missing critical context) with a full reading for complete context
How we structured the playbooks, to help you navigate this full set of integrated guidance
While you can read the playbook series any way you want, we recommend one of two approaches:
Method 1 – Focus only on my role
The most efficient way to get actionable guidance is to read the playbook for your role (or the role you aspire to). This will quickly get you relevant information for your current role that you can act on without delay.
How do I focus only on my role? Read this first book and then proceed to the playbook for your role. Be sure to read the introductory chapters in your playbook before reading the chapter dedicated to your role.
Who should focus only on their role? People with an urgent need to learn and execute on Zero Trust will often read the playbooks this way to get to their role guidance fastest. This includes people assigned to support an existing Zero Trust project and is particularly useful when you have to meet deadlines for an executive-sponsored project. Senior organizational leaders often have extremely limited time for reading and may also use this method.
Notes on this method
You may need to read about multiple roles: Some roles interact very closely with other roles as part of their core job. Roles whose success depends on closely working with other roles will be instructed to read about those roles in the introduction chapter(s) of their playbook. For example, technical and security managers should read about the roles of team members they manage to help them plan daily processes, career development, learning/training activities, and performance measurement.
Skipping context has risks: While it’s possible (and tempting ☺) to jump ahead to read only the chapter for your role, we don’t recommend this for most readers unless you have an extremely urgent need to execute immediately.
It is faster to jump ahead, but skipping the context could cause confusion or misinterpretation of the guidance. Each role chapter assumes people have read and understand the context of this book and the playbook introductory chapter(s). For example, the chapters for security operations (SecOps) roles such as triage analyst (Tier 1), investigation analyst (Tier 2), threat hunter, and threat intelligence (TI) analyst all assume you understand the terminology and concepts in the introductory chapters of the playbook. If you must jump ahead, we recommend going back to read the common context as soon as you can. As with many things in life, context matters!
Method 2 – Read all the playbooks in the series
Reading each playbook will give you a full end-to-end perspective on the Zero Trust journey from all relevant perspectives. The series covers the organizational vision, continues through strategy and plans, and then looks at how those translate to a practitioner’s hands-on view.
Reading about all of the roles will allow you to understand Zero Trust completely from a business/organizational leadership perspective, how that translates to technical leaders, and how practitioners experience this and get the job done on the ground. This full context helps you understand each role in the organization and its individual Zero Trust transformation experiences. This will help you be more effective and successful in your current role, plan your career path, and prepare you for your next career steps.
Who should read the whole series? Roles that interact with most or all other roles in the playbook will need to understand the full journey for all of them (even if just reading the playbook introduction chapters and skimming the role chapters). This is particularly valuable for external consultants and internal architect roles who interact with and advise many roles in an organization. This is also a valuable method for people new to cybersecurity who are trying to identify which role best fits their skills and interests.
