Sure, implementing Zero Trust across your IT infrastructure might be easier if a definitive standard specified the exact approach to take.
Yet Zero Trust is really a collection of principles and best practices, guided by a fresh way of looking at security. The US Department of Defense even states in their reference architecture that Zero Trust is a philosophical outlook requiring a change in organizational mindset.
So how do you implement a new mindset and know that it's working? It starts with knowing what the most valuable assets are that you're trying to protect with a Zero Trust posture.
At the core of Zero Trust is the assumption that your IT environment has already been breached. Zero Trust recommends moving beyond traditional perimeter security because perimeters will always be breached.
The only way to deal with an intruder (either an outside hacker or insider threat actor) is to deny anyone and anything implicit trust. Requests for access to your data or IT resources must be validated and authenticated. Not just once. Every time.
Zero Trust is the defensive posture of continually monitoring and controlling activity and access, challenging requests at every turn, and providing the bare minimum privileges to meet a validated data or resource request.
Cybersecurity experts have testified before the US Congress about what threat actors are after when they carry out cyber-attacks. Of course, each incident and breach is unique, but they all share on thing in common:
Threat actors want your data.
An enterprise's most valuable asset is its sensitive information, such as customer data, intellectual property, and other trade secrets underlying the corporate strategy. The IT assets housing and supporting all this data are important to threat actors only as a means to get to that data.
Zero Trust is a methodology, a set of design principles, and a change in defensive mindset. Your first decision is deciding where to start your Zero Trust implementation.
Read this fact sheet to learn more about Zero Trust and data-centric security.