While preparation involves strategic analysis and gathering information deeply and broadly, planning is the documentation of all resources framed in the Zero Trust strategy. It can be classified into:
In this post, we explain in detail this important step in the Zero Trust journey and the path to building inventories based on the National Institute of Standards and Technology (NIST) best practices.
What Is the Planning Phase in the Zero Trust Journey?
Planning is based on building inventories of tangible and intangible assets within the network. From the list of assets, it’s possible to measure the criticality and consequences of an eventual loss or violation and then build an appropriate defense posture.
It’s impossible to ignore the size of the effort to complete this task—especially in large companies. For this reason, NIST best practices indicate that stakeholder assets should be the initial focus, and then the process can be divided into subsets targeted at smaller areas.
Such direction goes along with the proposed simplification of the journey, as much of the effort is reduced to get the next steps underway.
How to Classify and Build Inventories on the Zero Trust Journey?
Now the question is: where to start planning? By classifying inventories into assets, identities, data, data flows, and workloads, a process we’ll cover next.
“You can’t protect yourself from what you can’t see.” You may never have come across this phrase, but it defines well the importance of asset inventory in the Zero Trust journey, as it documents all systems, devices, software, and applications in a network.
One of the main benefits of asset inventory is enabling the identification of security vulnerabilities and efficient action plans, preventing unnecessary time and money from being spent.
This work can be more arduous depending on the size of the company and the number of tangible assets it owns. However, there are ways to automate the process and gain visibility into IT assets faster and in a more streamlined way.
Identities can be people or any kind of entity on the network. Because they use the company resources, access control is required so that a given resource is accessed by the right entity, at the right time and in the right context.
For example, resources that system administrators, developers, and stakeholders have access to are business critical, and should be the first items mapped and analyzed in terms of security.
The purpose of the identity inventory is precisely to store authoritative information about the entities that access resources on the network so that the security team can analyze in advance the obstacles and vulnerabilities for the implementation of Zero Trust.
Besides the inventories above, it’s necessary to create another one to store and catalog all data and information existing in the systems included in the Zero Trust strategy. From this inventory, it’s possible to understand the current state of assets, network infrastructure and communications, which is crucial to developing the defense posture.
Since data is spread throughout the company and is usually voluminous, it’s recommended that the organization prioritize documenting the most important and sensitive data.
According to the Armed Forces Communications & Electronics Association International (AFCEA), one of the best practices for ensuring that mission-critical data is always available to support mission functions and never falls into the wrong hands is to define data stewards.
Who are the data stewards?
In a Zero Trust strategy, data stewards are the people tasked with organizing and managing mission data. They are responsible for keeping that data protected and for ensuring it is used according to its access permissions and its function in the context of the mission.
The fact that we refer to the figure of the data steward in the plural is not by chance. In most companies, data management is divided among the different areas involved in the mission so that each data steward is appointed for a particular set of critical data. This process is orchestrated by the Chief Data Officer.
Data flow is the path taken by data from the company to the end user. In a Zero Trust architecture, it’s necessary to pay attention, among other points, to encryption of data in transit between applications, services, and users.
The data flow inventory is the documentation of the entire journey of a piece of data as it passes through the assets, identities, and other components covered by the Zero Trust strategy. For example, a developer uses their laptop to access the data needed to connect solutions via an API.
The flow between the request and the delivery is what should be included in the inventory so that it is completely visible.
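To show how the asset, identity, data, and data flow inventories described above fit together, here is an added example (not code from the original post or from Azion). It uses a constructed inventory modelled on the developer-laptop-to-API scenario; the asset names, identities, criticality scale, and sensitivity labels are all assumptions made for the example. From the linked inventories it derives the two lists a planner wants first: the identities that can reach business-critical assets (the ones to map and analyze first), and the flows that move sensitive data without encryption in transit. It also flags inconsistencies between the identity inventory and the flow inventory, and prints the documented journey of one flow.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    asset_id: str
    kind: str          # e.g. "laptop", "api", "database"
    criticality: str   # constructed scale: "critical" | "high" | "low"

@dataclass
class Identity:
    identity_id: str
    role: str
    can_access: list   # asset_ids this identity is inventoried as allowed to reach

@dataclass
class DataSet:
    data_id: str
    sensitivity: str   # "restricted" | "internal" | "public"
    steward: str       # identity_id of the data steward

@dataclass
class DataFlow:
    flow_id: str
    data_id: str
    initiated_by: str  # identity_id
    path: list         # ordered asset_ids the data traverses
    encrypted: bool    # encrypted in transit along the whole path

def sample_inventory() -> dict:
    """Constructed sample: a developer's laptop reaching a customer database via an API."""
    assets = {a.asset_id: a for a in [
        Asset("laptop-dev-01", "laptop", "low"),
        Asset("laptop-mkt-01", "laptop", "low"),
        Asset("api-gw", "api", "high"),
        Asset("db-customers", "database", "critical"),
        Asset("wiki", "web", "low"),
    ]}
    identities = {i.identity_id: i for i in [
        Identity("alice", "developer", ["laptop-dev-01", "api-gw", "db-customers"]),
        Identity("bob", "sysadmin", ["api-gw", "db-customers", "wiki"]),
        Identity("carol", "marketing", ["laptop-mkt-01", "wiki"]),
    ]}
    data = {d.data_id: d for d in [
        DataSet("customer-pii", "restricted", "bob"),
        DataSet("public-docs", "public", "carol"),
    ]}
    flows = [
        DataFlow("f1", "customer-pii", "alice", ["laptop-dev-01", "api-gw", "db-customers"], True),
        DataFlow("f2", "customer-pii", "alice", ["laptop-dev-01", "db-customers"], False),
        DataFlow("f3", "public-docs", "carol", ["laptop-mkt-01", "wiki"], False),
        DataFlow("f4", "public-docs", "carol", ["laptop-mkt-01", "api-gw", "wiki"], True),
    ]
    return {"assets": assets, "identities": identities, "data": data, "flows": flows}

def identities_with_critical_access(inv: dict) -> list:
    """Identities that can reach a business-critical asset: map and analyze these first."""
    return sorted(
        i.identity_id for i in inv["identities"].values()
        if any(inv["assets"][a].criticality == "critical" for a in i.can_access)
    )

def unencrypted_sensitive_flows(inv: dict) -> list:
    """Flows that move non-public data without encryption in transit."""
    return sorted(
        f.flow_id for f in inv["flows"]
        if not f.encrypted and inv["data"][f.data_id].sensitivity != "public"
    )

def access_gaps(inv: dict) -> list:
    """(flow, asset) pairs where the initiating identity is not inventoried as allowed
    to reach an asset on the path; either the identity record or the flow record is wrong."""
    gaps = []
    for f in inv["flows"]:
        allowed = set(inv["identities"][f.initiated_by].can_access)
        gaps.extend((f.flow_id, a) for a in f.path if a not in allowed)
    return gaps

def describe_flow(inv: dict, flow_id: str) -> dict:
    """The documented journey of one piece of data: who moves it, what it is, through which assets."""
    f = next(x for x in inv["flows"] if x.flow_id == flow_id)
    who, what = inv["identities"][f.initiated_by], inv["data"][f.data_id]
    return {
        "flow": f.flow_id,
        "identity": f"{who.identity_id} ({who.role})",
        "data": f"{what.data_id} [{what.sensitivity}], steward {what.steward}",
        "path": [f"{a} ({inv['assets'][a].kind}, {inv['assets'][a].criticality})" for a in f.path],
        "encrypted": f.encrypted,
    }

if __name__ == "__main__":
    inv = sample_inventory()
    print("map first:", identities_with_critical_access(inv))
    print("unencrypted sensitive flows:", unencrypted_sensitive_flows(inv))
    print("inventory inconsistencies:", access_gaps(inv))
    print(describe_flow(inv, "f1"))
```

In the constructed data, flow f2 is the one to fix first (restricted data crossing an unencrypted hop), and f4 exposes a mismatch: carol's flow passes through the API gateway she is not recorded as allowed to reach, so either her identity record or the flow record is out of date. Those are exactly the obstacles the planning phase is meant to surface before policies are written.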
In the context of Zero Trust, workloads are the connections in the company’s applications. When workloads are documented, understanding how interfaces between applications, sources, users, and entities will be protected becomes easier.
This process comprises securing access to applications and environments involving any user, device, and location, and enables the creation of a secure access zone to be implemented in the architecture. Simply put, there’s no way to build an efficient Zero Trust architecture without a close look at workloads.
It’s worth mentioning that workloads are part of an approach called Trusted Access, defined by Cisco in three pillars: workforce, workload, and workplace. This is a set of best practices that enable the third phase of the Zero Trust journey—a subject we’ll address in the next blog post.
Important Considerations About Planning Processes
Building inventories, with an emphasis on workload configurations, is a task that requires substantial time if done manually. According to Forrester, due to the ease with which they are generated, workloads on cloud architectures need to be documented with the help of solutions that offer this type of visibility.
The reason for this is to simplify the process so that it doesn’t become a bottleneck and also so that the team is able to proceed with the next phases of the journey as soon as possible. In other words, using tools, platforms, and solutions that contribute to good visibility is always welcome.
Similarly, data-driven work benefits from the adoption of observability solutions that make visible the interactions between users, applications, and data across a vast number of devices, and that support the creation of a set of Zero Trust policies, which we’ll see in the next post of this series.
Azion’s security stack simplifies Zero Trust implementation by making it easy to get real-time data of events occurring in applications. It also simplifies the creation of efficient access control rules, and policies for generating your workloads.
Contact our experts and learn how we can help your business take security to the next level.