In my experience in defining, designing, and implementing Zero Trust Architectures, I have come to the conclusion that every deployment has its own unique personality.
What this looks like in practice is that there is an art to ZTA that is not completely understood by most people. One of the first steps/phases in a ZTA ‘journey’ is to identify & understand the protect surface. This requires an in-depth review of your own environment. I look to a quote from 20th Century psychiatrist Carl Jung as a guiding principle.
“Who looks outside, dreams; who looks inside, awakes.” – Carl Jung
Both points of view are necessary. To dream is to perceive the future: to understand the journey your security team needs to travel. To awake, a leader comes to terms with and understands where their security team currently succeeds and fails. The dream is to perceive what a full Zero Trust Architecture deployment/implementation would look like in their environment. To some extent, to successfully build a ZTA environment, you first have to ‘dream’ about your ZTA deployment, and then ‘awake’ to the reality of your present situation. I have led a number of teams through the ‘dreaming’ as well as the ‘awaking’ of ZTA. The art of the architecture is finding the path between what exists and what your ZTA needs to be.
The assessment is critical to the success of a ZTA implementation. The assessment is a snapshot of what the current environment looks like and how it operates. The biggest challenge of the assessment is the number of people that need to be involved to get a clear and realistic picture of the Tactics, Techniques, and Procedures that the IT and Security team follows. Having a holistic view of the operations and architecture is imperative to the successful interview and mapping of the current state of the environment.
Whether the assessment team is internal or external, make sure that you have the right people on both sides of the table. To represent the current state, you need the people who can answer what the world truly looks like at present, not what the CIO/CISO ‘believe’ to be true. On the other side of the table, you need individuals who are knowledgeable about all aspects of IT as well as how to successfully implement a ZTA environment. Without the proper ZTA knowledge, they will not be able to ask the right questions about the current state and then advise on how to travel the ‘journey’ to ZTA.
Principal Security Consultant - JWR Identity