The Path to Zero Trust in Cybersecurity

Zero trust thought leadership group members: Geeta Kapoor (MSC Direct), Noah Davis (Trane Technologies), Leon Ravenna (KAR Global), Barney Baldwin (ex-MUFG, Columbia), Chase Cunningham (Ericom), Eve Maler (ForgeRock), Sean Frazier (Okta).

There is no single, clear path to zero trust. The path varies according to an organization’s maturity and its regulatory and compliance demands. A CISO might focus on establishing an action plan, on the steps needed to translate that plan into action, or on the action itself. The path to zero trust spans all these areas and should also incorporate the ability to harvest benefits and learnings, reset priorities and objectives, and progress incrementally towards a zero trust vision.

Executive summary

An organization’s current maturity levels and/or business priorities shape its perceptions of “the path to zero trust.” Stratascale research identifies three distinct phases and ten discrete steps that will help CISOs as they define a multi-year approach to ZT strategy development and refinement. The path starts with “GOHIO” (Get Our House in Order), ensuring that the business has the core capabilities needed to embark on the zero trust journey. It then proceeds through three stages: foundational activities that establish ZT priorities and objectives; transitional initiatives that bridge from high-level strategy to substantive ZT process and technology rollouts; and a deploy, monitor, and evolve stage that includes first steps, instrumentation, incremental deployment, and continuous improvement. Through the process, a detailed understanding of how ZT is achieving security goals, combined with a business-level understanding of how this achievement contributes to business success, enables the CISO to build proactively to a state where ZT enables continuous alignment with evolving business requirements and opportunities.

Defining priorities and directions

Many valid paths to zero trust are defined by the maturity of enterprise security capabilities, the priorities of the CISO, and the business’s specific needs. Articulating these paths for business executives, the board, or even members of the security team can be complex: “Zero trust sounds like a very far away destination, and I don’t know if [standard, referenceable] paths are laid out on how to get there.”

There is some consensus on where the ZT journey begins. Contributors to this document unanimously agreed that a ZT strategy starts with assessing current capabilities and requirements and should focus first on achievable objectives that “tie back to real problems from a risk visibility and corporate strategy perspective.”

However, there are many branches in the ZT path from these core positions. As one CISO contributing to this document put it, “I think zero trust principles and objectives are clear. But to communicate the strategy effectively, you need to be able to say, ‘Here is zero trust phase one. These are the things we should do out of the gate’” – prerequisites – “‘before we get more complicated and move to a more advanced ZT phase two.’” The initial steps and the more advanced actions take different forms in different contexts, shaped by current maturity levels and business needs.

Three stages of the journey

The zero trust thought leaders provided fascinating insight into how options vary according to starting points, but ultimately coalesce into a multipoint roadmap with three main stages. Each contributor had a different set of key ZT adoption issues and different reasons for emphasizing the priorities that define the path and its success. Across many different answers to the question, the priorities aligned with three broad areas.

The first consisted of foundational activities, such as ensuring sufficient security hygiene – which one contributor labeled colorfully as “GOHIO” (“Getting Our House in Order”) – plus understanding current capabilities, identifying “protect priorities,” and defining strategic objectives for the ZT strategy.

The second included steps that might be thought of as transitional – objectives that bridge from high-level strategy to substantive ZT process and technology rollouts: development of a detailed zero trust activity roadmap, establishment of an effective communications approach that will keep all stakeholders aligned throughout a multi-year ZT strategy, and initial tests of new systems.

The third stage – described by one contributing expert as more akin to a loop than a line – consists of actions associated with deploy, monitor, and evolve. These include pursuing low-friction first steps that build trust and momentum, deploying telemetry to ensure that the organization can identify areas of need and opportunities for refinement and progress, and building capabilities incrementally in response to these signals. This leads to the vision of ZT deployment as a loop, with CISOs using data gathered from instrumented systems to reset their ZT objectives.

[Diagram: the ten steps to zero trust]

Foundational steps on the ZT path

Despite the popularity of Laozi’s famous saying, “A journey of a thousand miles begins with a single step,” most executives would agree with data scientist Randal Olson’s rejoinder, “Really, that’s not true. Every major journey begins with a plan.” Indeed, several of the expert sources contributing to this document focus their ZT attention primarily on planning – most likely because ZT is still too new within their organizations to allow for a meaningful definition of next-step activities or because they believe that without a sound foundation, implementation will fail.

“GOHIO”

Although only one member of the zero trust thought leadership group used the phrase “Get Our House in Order,” the concept was advanced repeatedly as a necessary prerequisite to establishing a ZT strategy.

The CISO who used the GOHIO term associated it with “doing the basic things” – such as having asset management, good vulnerability management and patching, visibility into how users are authenticating into the corporate environment, MFA, network diagrams, and similar foundational attributes.[1] Other contributors highlighted similar issues as prerequisites to moving forward with ZT: one connected fundamental “house in order” capabilities to ZT strategy by saying, “I have to pave the road first before I start setting speed limits,” focusing on establishing identity and governance before socializing more advanced capabilities and objectives.

Determine current state

Many of the experts contributing to this document began their recommended paths with variants on examining, understanding, or defining their current capabilities. Specific items cited as important in this context included:

  • Configuration management database (CMDB): “Having a clean and accurate CMDB is critical.” An inventory of what products are in use and their current status and location is a necessary starting point for understanding security needs.
  • Understanding data flows: “How do people use data within your environment, and where is that data?”
  • Data classification: This was mentioned by several contributors, sometimes with respect to location (echoing “where is that data?” from the previous bullet) and sometimes with respect to source, ownership, or criticality.
  • “Where you are and what you own”: This was described as the goal of “the beginning phase…scheme, strategize, understand where you are and what you own.” The contributor believed that capturing this information in visuals helped both establish what was known and create a means of sharing that insight to explain the need for ZT.
  • Current security posture and opportunities for improvement: One expert proposed, “What is our current cyber security posture and where are our opportunities for improvement?” as a logical first question in defining ZT strategy. Connecting current state to possible forward paths can provide input to ZT directions.

Identify protect priorities

One of the defining features of zero trust is apparent in this phrase: while security teams are adept at attack surface management – identifying and responding to vulnerabilities – ZT takes the asset to be protected (the “protect surface”) as its starting point.

One expert contributing to this report posited that “identify[ing] the target resources that you want to protect” should be the first point on the ZT journey, noting that this identification presupposes that a business is already engaged in data classification. Another expert stated that “protect surface, not attack surface” should be an initial zero trust priority.

A third contributor highlighted the question, “What IP [intellectual property] do we need to protect?” This, the CISO believed, is at the core of “a conversation with the business that every security leader should be having.” Expanding on the point, this zero trust thought leadership group member added that this step also includes a need to understand regulatory requirements, as these provide an important input to defining protect priorities.

Define strategic objectives

The ZT planning process culminates in the CISO defining the business and security objectives that the ZT strategy will address.[2]

While several contributors discussed this issue, one took a particularly compelling view of why working with business leaders to answer the question “what strategic advantage can be achieved by implementing zero trust?” provides a basis for establishing the importance of the security function at the senior leadership team (SLT) and board level: because “that gets you into the idea of consumer confidence, employee engagement, job satisfaction, all of these things where you build a culture of security, which can be a competitive advantage for companies.”

One contributor positioned defining strategic objectives both as a foundational step and as part of a continuous improvement loop: as the immediate predecessor to “put the plan in place” but also as a living understanding of goals and direction—an understanding that evolves as the security organization learns from its experiences and receives additional input from the business with respect to priorities and requirements.

CAUTION: Money can’t buy me…

The diagram above includes a note of caution or advice for effective action tied to each of the three stages of the ZT journey. The one associated with these foundational steps states, “Don’t simply invest and expect the ‘transformative nature of security’ to fix problems.”

In cybersecurity, more investment does not directly yield more protection: an effective security posture is far more a function of aligning resources against the most urgent needs than of budget size.

Security leaders need to ensure that they invest in the right capabilities and avoid investment in non-critical or redundant products or processes.

Transitional steps on the ZT path

While no contributor to this document viewed transition as “step one” toward ZT, several emphasized the importance of measures that create a bridge from strategy to production-scale deployment.

Develop the ZT roadmap

In many ways, all the content in this document, and all the steps in the graphic above, could be subsumed under this header. But the contributors who positioned roadmapping as a transitional step viewed it in a specific light: as a means of highlighting and building plans addressing opportunities for improvement or as a stage at which ZT policies governing rollout are defined.

This latter point is important to positioning ZT roadmap development as a key step in moving from strategy to execution. Large organizations will have many different initiatives happening at once, across the security function as a whole, and in pursuit of different ZT objectives. To keep the portfolio on track, the CISO will need to create structures that apply across different initiatives. In particular, as one expert observed, there will be a need to identify responsible and accountable parties.

Establish communications campaign

It’s often the case that communication is the most powerful tool in the executive toolbox, and it was recognized as such by multiple members of the zero trust thought leadership group. One contributor observed that “this is where you see ALL the failures” in ZT rollouts. Security leaders need effective executive communications to “minimize surprises”; failure creates friction with the SLT, potentially reducing commitment to the ZT strategy.

One contributor with extensive SLT and board exposure noted that “competitive analysis is usually fairly compelling to board members.” Advice to CISOs included, “Take the business objective – tie it to what you’ve done or are doing – and describe what other [competitor] firms have done right in this area.” This raises the bar: CISOs must augment ZT business objectives with a broader understanding of how ZT enables other firms to reduce costs, increase revenues, reduce risk, or be more agile. Doing so, however, will significantly increase the CISO’s credibility at the board level.

Test new capabilities

Testing is often given short shrift in strategic plans, but several members of the thought leadership group emphasized the importance of ensuring that new capabilities be proven with target groups before general release.

The populations that should be tested, and the means of testing, vary with use case. Zero trust applies to “carbon and non-carbon” users – humans, but also IoT devices, applications, and other devices or logic functions that can request data or other assets that an attacker could compromise.[3] Security systems today require human users to re-authenticate periodically, and emerging best practices suggest that ZT could enable new levels of “granularity,” in which interactions build (or detract from) an earned level of trust. Many of these approaches, though, are either untested or minimally deployed across non-carbon users, and non-carbon identities represent a large and very fast-growing segment of the user population.[4]

Experts described several different approaches to selecting and testing target groups. One advocated for A/B testing focused on either very tech-savvy or highest-risk populations. Another stressed the importance of testing non-savvy users because “what appears seamless to someone who is knowledgeable may not to someone who is less so.” A third suggested including “the breakers” – people “that are always on the phone…people who walk up to a computer, and it breaks. Every company has them, everybody [at the help desk] knows who they are. We want those people to be part of rollout tests.”

These suggestions underline the importance of testing and illustrate options for structuring it. Individual CISOs will need to identify the most appropriate approaches for their respective businesses, but all CISOs should ensure that testing is included in the path to ZT.

ADVICE: Be the broken record

Contributors adamantly advised that CISOs “be the broken record.” Rather than relying on a single conversation with stakeholders, CISOs should build endorsement through repetition of important objectives, supported by associated metrics and (per the previous point) competitive intelligence.

In reiterating these communications, CISOs should focus on non-technical terms referencing business benefits. Executives will forget technical explanations of system capabilities. But measures taken to reduce risk, increase productivity, reduce M&A cycle time, or expand secure interaction with online customers or partners address issues that command SLT and board attention.

Deploy, monitor, evolve

The final stages of the ZT journey involve deployment: Having planned for ZT and managed through key transition steps, how should the CISO approach production-scale rollout?

Low friction first steps

Perhaps the best deployment advice offered by a zero trust thought leadership group member was “Start with steps that can be achieved without causing friction with upper management…the best route to take is the one that’s available to you now and is funded.” Many strategies, by contrast, are guided principally by a roadmap that is far more extensive than the one described in step five: a technology deployment sequence rather than the set of policies that govern rollout.

Rather than working through a long-term technology checklist, CISOs should look to ensure the success of funded products and dedicate energy to initiatives that align security with executive care-abouts. The contributor added that their security team frequently uses the phrase “fail forward” – ensuring that regardless of the current state or success of an initiative, the organization as a whole works to build maturity incrementally.

Deploy instrumentation

One memorable discussion in the ZT research project included the assertion that ZT consists of “two bookends: data, which I’m trying to control access to, and identities, which I’m trying to grant access to – and everything else is telemetry signals.” This may be a bit dismissive of four of the six ZT pillars,[5] but it does emphasize the need to use instrumentation and telemetry to obtain data needed to assess and improve the ZT approach.

Contributors suggested tapping into data sources ranging from device telemetry to help desk logs. These inputs can identify emerging issues and may also indicate that it is safe to migrate from outdated systems to newer solutions. From a management perspective, the message attached to this step is more direct: telemetry provides a basis for both analysis and comparison of individual ZT components, enabling the CISO to make course corrections where necessary, and to identify areas that are in greatest need of increased resources or which offer the greatest potential for additional benefit.

Build incrementally

The concept of ZT incrementalism was discussed at some length earlier in this series,[6] but the concept is important in the context of a path to zero trust as well. Zero trust represents a sea change in the vision for how security works – a move from focusing on hardening a perimeter to centering strategy on protecting the most critical enterprise intellectual property (IP) assets.

Because it is not at root a technology concept, zero trust does not require a rip and replace approach to installed products. Some deployed products will integrate into the ZT framework, other products will be extraneous, and some new capabilities will need to be added in response to requirements not addressed via the perimeter-based approach.

Zero trust changes the CISO’s paradigm from responding to threats to proactively developing capabilities around the highest-value assets. As one contributor stated, “Zero trust is not a product you buy, and you deploy, and then you’re done.” Even if it were possible to fully tool a ZT framework overnight (and it isn’t, regardless of budget), CISOs should build in response to evolving business needs and deploy at a pace that aligns with the capacity of the organization to absorb change.

CAUTION: Have a plan for glitches

The caution associated with the deploy, monitor, evolve stage addresses an issue that all CISOs face: What happens when we deploy a new system, and users can’t absorb it? One contributor observed that “one of the things we’ve seen is, if you disable an old method [of performing a security task] – the old, bad method that people shouldn’t use – if something goes wrong…what you’re going to end up doing in a panic is letting [users] do what they did before.”

Some leaders try to forestall this reversion by employing a “burn the boats” approach, denying access to deprecated systems to remove the temptation for users to find workarounds that avoid new solutions. But this adversarial approach is unlikely to build confidence within the user community. Security leaders are urged instead to make sure that new products address defined business objectives, that they are tested, and that they are introduced incrementally, to avoid overwhelming users with new features and workflow requirements. Above all, it’s important to build effective communications into the ZT approach, so that when users struggle to adopt new features or systems, the security team can engage constructively.

Creating the continuous improvement loop

The bottom step in the ZT path graphic above does not represent the end of a linear process – it leads to an arrow labeled “capture benefits; reset objectives” that cycles back to either step three, “identify protect priorities,” or step four, “define strategic objectives.”

It is critical that zero trust, which is often described as “a journey” or “a mindset, not a product,” incorporate this continuous improvement loop. Members of the zero trust thought leadership group emphasized the importance of measuring and communicating business and security benefits gained through ZT and getting feedback on the business impact of these changes. At the same time, security leaders need to be constantly in touch with new, emerging, or urgent business priorities, and prepared to adjust their ZT strategies accordingly.

This need for ongoing reassessment of impact and strategic directions speaks to why ZT doesn’t have a defined end state. The lack of a defined end state may be challenging for CISOs accustomed to achieving specific outcomes. But it is also the greatest strength of the ZT path: the ability to build a process focused on the most critical security and business objectives, and to apply that process proactively over time, enabling security to contribute visibly and meaningfully to competitive advantage.

Working with this content

CISOs looking to integrate this perspective on zero trust within executive-level strategy discussions can use the following constraints and takeaways to inform their approach.

Key constraints on the path to ZT

  • Data requires “laser focus.” Zero trust is often extolled for its focus on data, but as one contributor noted, “You can run some serious risks around [data] access and movement, and if you take a wrong step there, the whole program will get shot down.” The CISO noted that at times, zero trust “may be moving slower than people would like, but…if you block somebody’s ability to send a contract out, get a quote out, you’ll erase all the gains you’ve made.”
  • Singular focus on an objective may result in short-term gain, but a lack of balance will create longer-term pain. One contributor related experiences in which security leaders proclaimed that they would do “one of those big pushes.” But, the contributor asked, does the organization really know what will break in other areas, while they focus on one area of achievement? “If I can do incremental improvements… I’ve won more than trying to slam through [a major initiative in a single pillar] to get to the top of the maturity pile [in that pillar] – while other areas of either infrastructure or apps can’t support [the new siloed approach].”
  • From an identity and access perspective, what we refer to as “zero trust” might be more accurately termed “earned trust.” As one expert stated, “We are utilizing intelligence, the signals and telemetry to provide access for an identity – an application, a service, a bot, an actual person. You earn and are given a level of access based on that information, or I am adaptively going to remove access because I know that you currently have a poor security posture – at that point, I’m not going to allow you that earned trust, I’m going to give you limited access to non-confidential information. You have to earn the trust to be able to access protected resources. We use information to tell us whether an identity has earned the privilege to access data or an application.”
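The “earned trust” constraint above, and the earlier observation that ZT could grade access in finer steps than today’s periodic re-authentication, describe a policy decision: granular telemetry about an identity (a person or a non-carbon workload) and its device is aggregated into a trust level, which then selects how much of the protect surface the identity may reach, and which can be withdrawn when posture degrades. The following is an added illustration written for this page, not code from Stratascale or any of the contributors. The signal set, point values, thresholds and session limit are constructed assumptions; a real deployment would take these inputs from its identity provider, endpoint agent and network telemetry and tune the weights against its own risk appetite.

```python
"""Earned-trust access decision: telemetry signals in, access tier out.

Added example for this page; the signals, weights and thresholds are
constructed assumptions, not values taken from the report.
"""
from dataclasses import dataclass, replace
from enum import IntEnum
from typing import List, Tuple


class Tier(IntEnum):
    DENY = 0
    NON_CONFIDENTIAL = 1   # limited access while trust is being (re)earned
    PROTECTED = 2          # the protect surface: classified data and apps


@dataclass(frozen=True)
class Signals:
    identity_kind: str        # "person", or a non-carbon kind: "service", "bot", "device"
    mfa_satisfied: bool       # meaningful for people only
    workload_attested: bool   # meaningful for non-carbon identities only
    device_managed: bool
    patch_age_days: int
    edr_healthy: bool
    anomalous_location: bool
    session_age_minutes: int


# Policy knobs (assumed values). Max achievable score is 5.
REAUTH_AFTER_MINUTES = 480
MAX_PATCH_AGE_DAYS = 30
PROTECTED_THRESHOLD = 5      # every positive signal present, no anomaly
LIMITED_THRESHOLD = 3        # enough earned to see non-confidential data only


def score(s: Signals) -> Tuple[int, List[str]]:
    """Aggregate granular signals into one trust score plus the reasons behind it."""
    pts, reasons = 0, []
    # Strong identity proof: MFA for people, runtime attestation for workloads.
    if s.identity_kind == "person":
        if s.mfa_satisfied:
            pts += 2
        else:
            reasons.append("mfa missing")
    elif s.workload_attested:
        pts += 2
    else:
        reasons.append("workload not attested")
    if s.device_managed:
        pts += 1
    else:
        reasons.append("unmanaged device")
    if s.patch_age_days <= MAX_PATCH_AGE_DAYS:
        pts += 1
    else:
        reasons.append(f"patches {s.patch_age_days}d old")
    if s.edr_healthy:
        pts += 1
    else:
        reasons.append("endpoint agent unhealthy")
    if s.anomalous_location:
        pts -= 2   # negative signals subtract trust that was previously earned
        reasons.append("anomalous location")
    return pts, reasons


def decide(s: Signals) -> Tuple[Tier, List[str]]:
    """Map the score to an access tier. Re-run on every new signal, not once per login."""
    if s.session_age_minutes > REAUTH_AFTER_MINUTES:
        return Tier.DENY, ["session expired: re-authenticate"]
    pts, reasons = score(s)
    if pts >= PROTECTED_THRESHOLD:
        return Tier.PROTECTED, reasons
    if pts >= LIMITED_THRESHOLD:
        return Tier.NON_CONFIDENTIAL, reasons
    return Tier.DENY, reasons


def session_lifecycle() -> List[Tier]:
    """Constructed session: healthy login, then the endpoint agent dies, then expiry."""
    healthy = Signals("person", True, False, True, 3, True, False, 30)
    degraded = replace(healthy, edr_healthy=False, session_age_minutes=120)
    expired = replace(degraded, session_age_minutes=600)
    return [decide(s)[0] for s in (healthy, degraded, expired)]


if __name__ == "__main__":
    for step, tier in zip(("login", "agent down", "expired"), session_lifecycle()):
        print(f"{step:>10}: {tier.name}")
```

The lifecycle shows the point the contributor makes: trust is earned, not granted once. The same user drops from the protect surface to non-confidential data the moment the endpoint agent stops reporting, and to no access at all when the session outlives the re-authentication window. Because non-carbon identities cannot satisfy MFA, the policy asks them for runtime attestation instead, so the same decision logic covers both user populations the testing section calls out.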

Takeaways from “Business Objectives”

  • Build institutional insight to effectively position ZT in a business context. One key precept of Western thought, attributed to Socrates, is “To know thyself is the beginning of wisdom.” More prosaically, self-knowledge is also a key attribute of a successful ZT approach. Zero trust is an extended test of the CISO’s capacity for understanding their organizational requirements and attributes, including:
    • “GOHIO,” or the issues that must be addressed before embarking on ZT.
    • The organization’s current state with respect to deployed versus required capabilities.
    • Corporate “protect priorities” – the critical resources that need to be prioritized within the ZT strategy.
    • Strategic objectives that will be either supported or met by ZT.
    • User capacity to accept change, and the corresponding ability to define an appropriate cadence for introducing or retiring systems.
    • Pathways to successful communications that can build corporate support for ZT.
    • Data providing insight into deployment successes and hiccups.

This institutional understanding of critical capabilities, processes, and technologies enables the CISO to focus ZT on the business’s most important assets, and implement continuous strategy realignment based on feedback on impact and evolving needs.

  • Frame ZT as a means of enabling business agility. ZT defines a proactive, iterative, “continuous path” security process that creates competitive advantage by delivering better insight and more powerful security capabilities – but the connection needs to be explained in business, not technology, terms. A contributor with extensive senior executive experience observed, “One of the things I’ve noticed when dealing with execs and boards is…it’s not about locking down access and creating microsegmentation networks and working with telemetry signals from XDR and devices. It’s about the next time we do a merger or acquisition; we can have it complete in two months versus six months because we can eliminate the risk associated with bringing this partner into this new company. We can reduce our risk, improve our cycle time, we can get new products and services out to our customers because we have a standard framework and process to get these resources to the customer and offer them new services.” Zero trust is important to both business and security success. CISOs and other champions should evangelize zero trust using terms that resonate with each target audience.
  • Connect your input definitions and calibration to your target outputs and actions. There’s an argument to be made that granularity is an important ZT parameter – that the ability to either increase signal granularity to enable a more detailed and nuanced understanding of risk and opportunity or, in other cases, to aggregate characteristics to allow for faster and more consistent treatment of similar inputs/stimuli – should be addressed as a key issue in ZT strategy. What is the right level of measurement or categorization for each of the business and technical demands that ZT addresses? Each organization’s security and business leaders will have to work together to formulate an answer.

Expanding on this thought, one member of the thought leadership group argued that this is actually a discussion about relationships rather than signals: in the digital world, companies need to develop the ability to “respect relationship as a first-class object.” The contributor mused that digital connections between “two parties who have different duties and different interests used to be entirely impossible. And then it was possible, but clunky. And now digital relationships are a little bit more like real life…but the parties involved typically have misaligned incentives.” The expert believed that ZT orients security toward deployment of tools that drive incrementally more fine-grained trust between the parties’ positions – “to negotiate permission to let ethical and/or legal boundaries be traversed [for example, by sharing data, potentially in ways that aren’t fully defined or understood]. This isn’t a security issue, it’s a people issue. It’s a business issue. It’s [about] human conditions.” As is the case with so many issues that land on the CISO’s desk, the security team focuses on supporting relationship outcomes, while the senior leadership team and the board drive the security strategy by determining the relationship objectives.


[1] The Stratascale Zero Trust Metrics in Context and Action (Stratascale ZT-MICA) tool, linked to the Zero Trust Metrics document, contains insights into assessing identity, network, and other ZT capabilities.

[2] Each of these objectives is the subject of a report in this series: Zero Trust Interest and Investment Drivers covers the security considerations important to ZT strategy, while Zero Trust Business Objectives examines the business outcomes that motivate (or can be achieved by) an effective approach to zero trust.

[3] See also Defining Zero Trust for more discussion on this point.

[4] Figures vary, but it is generally thought that there are more than five times as many internet-connected devices as there are humans today, and the ratio is expected to grow to more than ten times by the end of the decade. The extent to which IoT is or will be a major security concern varies by industry, but non-carbon users are a meaningful user group today and will be a larger, more diverse, and more widespread population over time.

[5] A companion research series from Stratascale, The Technical Manager’s Guide to Zero Trust, analyzes ZT drivers, priorities, deployment paths, and metrics associated with identity, devices, network, infrastructure, applications, and data.

[6] See The ZT Rollout Notebook, which contains a section on Incrementalism.

This is the seventh of eight source documents included in Stratascale’s “An Executive Guide to Zero Trust” research series. We will also publish a capstone report connecting these eight pieces, plus a six-part companion series (“The Technical Manager’s Guide to Zero Trust”) and several compilations and ancillary documents and tools.

Readers interested in specific executive-level perspectives on zero trust may wish to explore the other publications in this series: