“Don’t trust anyone” is common advice in many spy novels and movies. Good advice as well for modern Internet-connected network infrastructures, where there are no longer demarcations between internal-only and external access points. Moreover, hacks and other security threats can come from any attached component, even from remote Internet of Things (IoT) sensors and portable user devices.

Zero trust (ZT) is a term applied to the practice of network security that “assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the Internet) or based on asset ownership (enterprise or personally owned)” [1]. This practice has evolved due to the dramatic increase of potential vulnerabilities and exploits in enterprise networks, as well as the need to address them at all levels of access. The ZT approach to security addresses all device connections, whether owned and configurable by the enterprise or temporarily attached unmanaged devices, typically requiring multi-factor authentication, least provilege access rules, device access control, and continuous monitoring.

Cisco Systems produces much of the Internet’s networking hardware and software, including many widely used security products. Their team of cybersecurity experts has prepared a comprehensive publication on the concepts, methods, and architecture of ZT implementations. Zero trust architecture covers the definition, capabilities, planning, management, and challenges of this critical component of enterprise information technology (IT).

Planning and executing an enterprise-wide ZT security model is not a trivial undertaking, not only with respect to the required technologies but also due to its impact on users and established business practices. To assist with this process, the authors detail a multi-step workshop conducted with participation from all key organizational stakeholders, including business owners, managers, technology experts, C-level decision makers, and especially end users who are often most affected by complex security requirements. The workshop covers the goals, risks, and expected outcomes of the ZT project; individual and group responsibilities; and rules enforcement. It also addresses confronting misinformation and incorrect assumptions about the need for ZT.

As with promoting and explaining any highly technical project, examples and case studies are critical to obtaining support and commitment, and Cisco’s book appendix includes a detailed actual (but anonymized) use case describing the development and implementation of a comprehensive ZT solution. It presents the organization’s business problem--enabling full and secure work-from-home access to all physical and IT corporate resources and managing numerous IoT devices--identifying specific business unit goals for managing ZT, meeting regulatory requirements, and monitoring and enforcing policies. The use case can serve as a narrative template for readers considering or actively implementing ZT in their organizations, and includes discussion of common problems that need to be addressed such as device discovery, identification, labeling, and authorization.

Readers considering ZT or simply needing to learn more about it will benefit significantly from Cisco’s publication, even if they are considering other vendors’ solutions like Microsoft’s or ZT on Amazon Web Services (AWS).

More reviews about this item: Amazon