Build a Zero Trust Roadmap

Leverage an iterative and repeatable process to apply zero trust to your organization.

EXECUTIVE BRIEF

Analyst Perspective

Internet is the new corporate network.

For the longest time we have focused on reducing the attack surface to deter malicious actors from attacking organizations, but I dare say that has made these actors scream “challenge accepted.” With sophisticated tools, time, and money in their hands, they have embarrassed even the finest of organizations. A popular hybrid workforce and rapid cloud adoption have introduced more challenges for organizations, as the security and network perimeter have shifted and the internet is now the corporate network. Suffice it to say that a new mindset needs to be adopted to stay on top of the game.

The success of most attacks is tied to denial of service, data exfiltration, and ransom. A shift from focusing on the attack surface to the protect surface will help organizations implement an inside-out architecture that protects critical infrastructure, prevents the success of any attack, makes it difficult to gain access, and links directly to business goals.

Zero trust principles aid that shift across several pillars (Identity, Device, Application, Network, and Data) that make up a typical infrastructure; hence, the need for a zero trust roadmap to accomplish that which we desire for our organization.

Victor Okorie
Senior Research Analyst, Security and Privacy
Info-Tech Research Group

Executive Summary

Your Challenge

• Many IT and security leaders struggle to understand zero trust and how best to deploy it with their existing IT resources.
• The need to move from a perimeter-based approach to security toward an “Always Verify” approach is clear. The path to getting there is complex and expensive.

Common Obstacles

• Zero trust as a principle is a moving target due to competing definitions and standards. A strategy that adapts evolving best practices must be supported by business stakeholders.
• Full zero trust includes many components. Performing an accurate assessment of readiness and benefits to adopt zero trust can be extremely difficult when you don’t know where to start.

Info-Tech’s Approach

• Every organization should have a zero trust strategy and the roadmap to deploy it must always be tested and refined.
• Our unique approach:
• Assess resources and determine zero trust readiness.
• Address barriers and identify enablers.
• Prioritize initiatives and build out roadmap.
• Identify most appropriate vendors via vendor selection framework.
• Deploy zero trust and monitor with zero trust progress metrics.

Info-Tech Insight

A successful zero trust strategy should evolve through an iterative and repeatable process by assessing the full spectrum of available technologies to apply zero trust principles to the most relevant protect surfaces.

Your challenge

This research is designed to help organizations:

• Understand what zero trust is and decide how best to deploy it with their existing IT resources. Zero trust is a set of principles that defaults to the highest level of security; a failed implementation can easily disrupt the business. A pragmatic zero trust implementation must be flexible and adaptable yet maintain a consistent level of protection.
• Move from a perimeter-based approach to security toward an “Always Verify” approach. The path to getting there is complex without a clear understanding of desired outcomes. Focusing efforts on key protection gaps and leveraging capable controls in existing architecture allows for a repeatable process that carries IT, security, and the business along on the journey.

On this zero trust journey, identify your valuable assets and zero trust controls to protect them.

Top three reasons for building a zero trust strategy

44%

Reduce attacker’s ability to move laterally

44%

Enforce least privilege access to critical resources

41%

Reduce enterprise attack surface

Common obstacles

These barriers make this challenge difficult to address for many organizations:

• Due to zero trust’s many components, performing an accurate assessment of readiness and benefits to adopt zero trust can be extremely difficult when you don’t know where to start.
• To feel ready to implement and to understand the benefits of zero trust, IT must first understand what zero trust means to the organization.
• Zero trust as a set of principles is a moving target, with many developing standards and competing technology definitions. A strategy built around evolving best practices must be supported by related business stakeholders.
• To ensure support, IT must be able to “sell” zero trust to business stakeholders by illustrating the value zero trust can bring to business objectives.

43%

Organizations with a full implementation of zero trust saved 43% on the costs of data breaches.
(Source: Teramind, 2021)

96%

Zero trust is considered key to the success of 96% of organizations in a survey conducted by Microsoft.
(Source: Microsoft, 2021)

What is zero trust?

It depends on who you ask…

• Vendors use zero trust as a marketing buzzword.
• Organizations try to comprehend zero trust in their own limited views.
• Zero trust regulations/standards are still developing.

“A cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated.”

Source: NIST, SP 800-207: Zero Trust Architecture, 2020

“An evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”

Source: DOD, Zero Trust Reference Architecture, 2021

“A security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries.”

Source: NSA, Embracing a Zero Trust Security Model, 2021

“Zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”

Source: CISA, Zero Trust Maturity Model, 2021

“The foundational tenet of the zero trust model is that no actor, system, network, or service operating outside or within the security perimeter is trusted.”

Source: OMB, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles, 2022

What is zero trust?

From Theoretical to Practical

Zero trust is an ideal in the literal sense of the word, because it is a standard defined by its perfection. Just as nothing in life is perfect, there is no measure that determines an organization is absolutely zero trust. The best organizations can do is improve their security iteratively and get as close to ideal as possible.

In the most current application of zero trust in the enterprise, a zero trust strategy applies a set of principles, including least-privilege access and per-request access enforcement, to minimize compromise to critical assets. A zero trust roadmap is a plan that leverages zero trust concepts, considers relationships between technical elements as well as security solutions, and applies consistent access policies to minimize areas of exposure.

Info-Tech Insight

Solutions offering zero trust often align with one of five pillars. A successful zero trust implementation may involve a combination of solutions, each protecting the various data, application, assets, and/or services elements in the protect surface.

Zero trust business benefits

Reduce business and organizational risk

Reduced business risks as continuous verification of identity, devices, network, applications, and data is embedded in the organizations practice.

36% of data breaches involved internal actors.
Source: Verizon, 2021

Reduce CapEx and OpEx

Reduced CapEx and OpEx due to the scalability, low staffing requirement, and improved time-to-respond to threats.
Source: SecurityBrief - Australia, 2020.

Reduce scope and cost of compliance

Helps achieve compliance with several privacy standards and regulations, improves maturity for cyber insurance premium, and fewer gaps during audits.

Scope of compliance reduced due to segmentation.

Reduce risk of data breach

Reduced risk of data breach in any instance of a malicious attack as there’s no lateral movement, secure segment, and improved visibility.

10% Increase in data breach costs; costs went from $3.86 million to $4.24 million.
Source: IBM, 2021

Info-Tech’s methodology for Building a Zero Trust Roadmap

Protect what is relevant

Apply zero trust to key protect surfaces

A successful zero trust strategy should evolve through an iterative and repeatable process by assessing the full spectrum of available technologies to apply zero trust principles to the most relevant protect surfaces.

Align protect surfaces to business objectives

Developing a zero trust roadmap collaboratively with business stakeholders enables alignment with upcoming business priorities and industry trends.

Identify zero trust capabilities

Deriving protect surface elements from business goals reframes how security controls are applied. Assess control effectiveness in this context and identify zero trust capabilities to close any gaps.

Roadmap first, not solution first

Don’t let your solution dictate your roadmap. Define your zero trust solution criteria before engaging in vendor selection.

Create enforceable policies

The success of a zero trust implementation relies on consistent enforcement. Applying the Kipling methodology to each protect surface is the best way to design zero trust policies.

Success should benefit the organization

To measure the efficacy of a zero trust implementation, ensure you know what a successful zero trust implementation means for your organization, and define metrics that demonstrate whether that success is being realized.

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Key deliverable:

Zero Trust Communication Deck

Present your zero trust strategy in a prepopulated document that summarizes the work you have completed as a part of this blueprint.

Zero Trust Protect Surface Mapping Tool

Identify critical and vulnerable DAAS elements to protect and align them to business goals.

Zero Trust Program Gap Analysis Tool

Perform a gap analysis between current and target states to build a zero trust roadmap.

Zero Trust Candidate Solutions Selection Tool

Determine and evaluate candidate solutions based on defined criteria.

Zero Trust Progress Monitoring Tool

Develop metrics to track the progress and efficiency of the organization’s zero trust implementation.

Blueprint benefits

IT Benefits

• A mapped transaction flow of critical and vulnerable assets and visibility of where to implement security controls that aligns with the principle of zero trust.
• Improved security posture across the digital attack surface while focusing on the protect surface.
• An inside-out architecture that leverages current existing architecture to tighten security controls, is automated, and gives granular visibility.

Business Benefits

• Reduced business risks as continuous verification of identity, devices, network, applications, and data is embedded in the organization’s practice.
• Reduced CapEx and OpEx due to the scalability, low staffing requirement, and improved time-to-respond to threats.
• Helps achieve compliance with several privacy standards and regulations, improves maturity for cyber insurance premium, and fewer gaps during audits.
• Reduced risk of data breach in any instance of a malicious attack.

Measure the value of this blueprint

Save an average of $1.76 million dollars in the event of a data breach

• This research set seeks to help organizations develop a mature zero trust implementation which, according to IBM’s “Cost of a Data Breach 2021 Report,” saves organizations an average of $1.76 million in the event of a data breach.
• Leverage phase 5 of this research to develop metrics to track the implementation progress and efficacy of zero trust tasks.

43%

Organizations with a mature implementation of zero trust saved 43%, or $1.76 million, on the costs of data breaches.
Source: IBM, 2021

In phase 2 of this blueprint, we will help you establish zero trust implementation tasks for your organization.

In phase 3, we will help you develop a game plan and a roadmap for implementing those tasks.

Executive Brief Case Study

National Aeronautics and Space Administration (NASA)

INDUSTRY: Government

SOURCE: Zero Trust Architecture Technical Exchange Meeting

NASA recognized the potential benefits of both adopting a zero trust architecture (including aligning with OMB FISMA and DHS CDM DEFEND) and improving NASA systems, especially those related to user experience with dynamic access, application security with sole access from proxy, and risk-based asset management with trust score. The trust score is continually evaluated from a combination of static factors, such as credential and biometrics, and dynamic factors, such as location and behavior analytics, to determine the level of access. The enhanced access mechanism is projected on use-case flows of users and external partners to analyze the required initiatives.

The lessons learned in adapting zero trust were:

• Focus on access to data, assets, applications, and services; and don’t select solutions or vendors too early.
• Provide support for mobile and external partners.
• Complete zero trust infrastructure and services design with holistic risk-based management, including network access control with software-defined networking and an identity management program.
• Develop a zero trust strategy that aligns with mission objectives.

Results

NASA implemented zero trust architecture by leveraging the agency existing components on a roadmap with phases related to maturity. The initial development includes privileged access management, security user behavior analytics, and a proof-of-concept lab for evaluating the technologies.
Case Study Source: NASA, “Planning for a Zero Trust Architecture Target State,” 2019

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is between 8 to 12 calls over the course of 2 to 4 months.

Workshop Overview

Contact your account representative for more information.workshops@infotech.com 1-888-670-8889

Phase 1

Define Business Objectives and Protect Surfaces

Build a Zero Trust Roadmap

This phase will walk you through the following activities:

• Identify and define the business goals.
• Identify the critical DAAS elements and protect surface.
• Align the business goals to the protect surface and critical DAAS elements.

This phase involves the following participants:

• Security Team
• Business Executives
• Subject Matter Experts From IT, Finance, HR, Legal, Facilities, Compliance, Audit, Risk Management

Analyze your business goals

Identifying business goals is the first step in aligning your zero trust roadmap with your business’ vision.

• Security leaders need to understand the direction the business is headed in.
• Wise security investments depend on aligning your security initiatives to business objectives.
• Zero trust, and information security at large, should contribute to your organization’s business objectives by supporting operational performance, ensuring brand protection and shareholder value.
• For example, if the organization is working on a new business initiative that requires the handling of credit card payments, the security organization needs to know as soon as possible to ensure the zero trust architecture will be extended to protect the PCI data and enable the organization to be PCI compliant.

Info-Tech Insight

Security and the business need to be in alignment when implementing zero trust. Defining the business goal helps rationalize the need for a zero trust implementation.

1.1 Define your organization’s business goals

Estimated time 1-3 hours

1. As a group, brainstorm the business goals of the organization.
2. Review relevant business and IT strategies.
3. Review the business goal definitions in tab “2. Business Objectives” of the Zero Trust Protect Surface Mapping Tool, including the key goal indicator metrics.
4. Record the most important business goals in the Business Goal column on tab “3. Protect Surfaces” of the Zero Trust Protect Surface Mapping Tool. Try to limit the number of business goals to no more than five primary goals. This limitation will be critical to help map the protect surface and the zero trust roadmap later.

Input

• Business and IT strategies

Output

• Prioritized list of business objectives

Materials

• Whiteboard/Flip Charts
• Zero Trust Protect Surface Mapping Tool

Participants

• Security Team
• IT Leadership
• Business Stakeholders
• Risk Management
• Compliance
• Legal

Download the Zero Trust Protect Surface Mapping Tool

Info-Tech Insight

Developing a zero trust roadmap collaboratively with business stakeholders enables alignment with upcoming business priorities and industry trends.

What does zero trust mean for you?

For a successful implementation, focus on your zero trust outcome.

Regardless of whether the user is accessing resources internally or externally, zero trust is posed to authenticate, authorize, and continuously verify the security policies and posture before access is granted or denied. Many network architecture can be local, cloud based, or hybrid and with users working from any location, there is no network perimeter as we knew it and the internet is now the corporate network.

Zero trust framework seeks to extend the perimeter-less security to the present digital transformation.

Understand protect surface

Data, Application, Asset, and Services

A protect surface can be described as what’s critical, most vulnerable, or most valuable to your organization. This protect surface could include at least one of the following – data, assets, applications, and services (DAAS) – that requires protection. This is also the area that zero trust policy is aimed to protect. Understanding what your protect surface is can help channel the required energy into protecting that which is crucial to the business, and this aligns with the shift from focusing on the attack surface to narrowing it down to a smaller and achievable area of protection.

Anything and everything that connects to the internet is a potential attack surface and pursuing every loophole will leave us one step behind due to lack of resources. Since a protect surface contains one or more DAAS element, the micro-perimeter is created around it and the appropriate protection is applied around it. As a team, we can ask ourselves this question when thinking of our protect surface: to what degree does my organization want me to secure things? The knowledge of the answer to this question can be tied to the risk tolerance level of the organization and it is only fair for us to engage the business in identifying what the protect surface should be.

Components of a protect surface

• Data
• Application
• Asset
• Services

Info-Tech Insight

The protect surface is a shift from focusing on the attack surface. DAAS elements show where the initiatives and controls associated with the zero trust pillars (Identity, Devices, Network, Application, and Data) need to be applied.

Sample Scenario

INDUSTRY: Healthcare

SOURCE: Info-Tech Research Group

Illustration

A healthcare provider would consider personal health information a critical resource worthy of being protected against data exfiltration due to a host of reasons including but not limited to privacy regulations, loss of revenue, legal, and reputational loss; hence, this would be considered a protect surface.

• What is the data that can’t be risked exfiltrated?
• What application(s) is used to access this data?
• What assets are used to generate and store the data?
• What are the services we rely on to be able to access the data?

DAAS Element

• The data here is the patient information.
• The application used to access the personal health information would be EPIC, OR list, and any other application used in that organization.
• The assets used to store the data and generate the PHI would include physical workstations, medical scanners, etc.
• The services that can be exploited to disrupt the operation or used to access the data would include active directory, single sign-on, etc.

DAAS and Zero Trust Pillar

This granular identification provides an opportunity to not only see what the protect surface and DAAS elements are but also understand where to apply security controls that align with the principle of zero trust as well as how the transaction flows. The application pillar initiatives will provide protection to the EPIC application and the device pillar initiatives will provide protection to the workstations and physical scanners. The identity pillar initiatives will apply protection to the active directory, and single sign-on services. The zero trust pillar initiatives align with the protection of the DAAS elements.

Shift from attack surface to protect surface

Info-Tech Insight

The protect surface is a shift from focusing on the attack surface as it creates a micro-perimeter for the application of zero trust policies on the system. This drastically reduces the success of an attack whether internally or externally, reduces the attack surface, and is also repeatable.

1.2 Identify critical DAAS elements

Estimated time 1-3 hours

1. As a group, brainstorm and identify critical, valuable, sensitive assets or resources requiring high availability in the organization. Each DAAS element is part of a protect surface, or sometimes, the DAAS element itself is a protect surface.

• Data – The sensitive data that poses the greatest risk if exfiltrated or misused. What data needs to be protected?
• Applications – The applications that use sensitive data or control critical assets. Which applications are critical for your business functions?
• Assets – Physical or virtual assets, including an organization’s information technology (IT), operational technology (OT), or Internet of Things devices.
• Services – The services an organization most depends on. Services that can be exploited to disrupt normal IT or business operations.

Download the Zero Trust Protect Surface Mapping Tool

Input

• Critical resources to protect
• Understanding of how they interoperate or connect

Output

• Protect surfaces

Materials

• Whiteboard/Flip Charts
• Zero Trust Protect Surface Mapping Tool

Participants

• Security Team
• IT Leadership
• Business Stakeholders

1.3 Map business goals to critical DAAS elements

Estimated time 1-2 hours

1. The protect surface will be generated from the critical DAAS elements as a standalone protect surface or a group of interconnected DAAS elements merged into one.

• Each protect surface can be tied back to a business objective.

• Type in your business objectives if the drop-down list does not apply.

Download the Zero Trust Protect Surface Mapping Tool

Phase 2

Assess Key Capabilities and Identify Zero Trust Initiatives

Build a Zero Trust Roadmap

This phase will walk you through the following activities:

• Assess the organization’s current capabilities.
• Define the zero trust target state.
• Identify tasks to close gaps
• Define zero trust initiatives and align zero trust initiatives to business goals and protect surfaces.

This phase involves the following participants:

• Security Team
• Subject Matter Experts From IT, Finance, HR, Legal, Facilities, Compliance, Audit, Risk Management
• Project Management Office

The Info-Tech Zero Trust Framework

Info-Tech’s Zero Trust Framework aligns with zero trust references, including:

• ACT Zero Trust Cybersecurity Current Trends. 2019
• NIST SP 800-207: Zero Trust Architecture. 2020
• DOD Zero Trust Reference Architecture. 2021
• NSA Embracing a Zero Trust Security Model. 2021
• CISA Zero Trust Maturity Model. 2021
• Executive Order (EO) 14028: Improving the Nation’s Cybersecurity, The White House. 2021
• OMB Moving the U.S. Government Toward Zero Trust Cybersecurity Principles. 2022
• NSTAC Zero Trust and Trusted Identity Management. 2022
• NIST SP 800-53 r5: Security and Privacy Controls for Information Systems and Organizations

Identity

• Authentication
• Authorization
• Privileged Access Management

Applications

• Software Defined Compute
• DevSecOps
• Software Supply Chain

Devices

• Authentication
• Authorization
• Compliance

Networks

• Software Defined Networking
• Macro Segmentations
• Micro Segmentation

Data

• Software Defined Storage
• Data Loss Prevention
• Data Rights Management

Info-Tech Insight

A best-of-breed approach ensures holistic coverage of your zero trust program while refraining from locking you into a specific reference.

2.1 Review the Info-Tech framework

Estimated time 30-60 minutes

1. As a group, have the team review the framework within the Zero Trust Program Gap Analysis Tool.
2. Customize the tool as required using the instructions in tab “2. Setup”:

• Define costing criteria
• Define benefits criteria
• Configure full-time equivalent hours and start year
• Input business goals as mapped to protect surfaces (see next slide)

Download the Zero Trust Program Gap Analysis Tool

Input

• Protect surfaces mapped to business objectives

Output

• Customized framework

Materials

• Zero Trust Program Gap Analysis Tool

Participants

• Security Team
• Subject Matter Experts From IT

2.1.1 Input business goals as mapped to protect surfaces

Refer to the Protect Surface Mapping Tool, copy the following elements from the Protect Surface tab.

1. Enter Business Goals.
2. Enter Protect Surfaces.
3. Enter Data.
4. Enter Application.
5. Enter Assets.
6. Enter Services.

Info-Tech Insight

Deriving protect surface elements from business goals reframes how security controls are applied. Assess control effectiveness in this context and identify zero trust capabilities to close any gaps.

2.2 Assess current capabilities and define zero trust target state

Estimated time 6-12 hours

1. Using the Zero Trust Program Gap Analysis Tool, review each of the controls in the Gap Analysis tab.
2. Follow the instructions on the next slides to complete your current-state and target-state assessment.
3. For most organizations, multiple internal subject matter experts will need to be consulted to complete the assessment.

Download the Zero Trust Program Gap Analysis Tool

Input

• Protect surfaces mapped to business objectives
• Information on current state of controls, including sources such as audit findings, vulnerability and penetration test results, and risk registers

Output

• Current-state and target-state assessment for gap analysis

Materials

• Zero Trust Program Gap Analysis Tool

Participants

• Security Team
• Subject Matter Experts From IT, Facilities, Audit, Risk Management

Understanding security target states

Maturity models are very effective for determining target states. This table provides general descriptions for each maturity level. As a group, consider which description most accurately reflects the ideal target state in your organization.

AD HOC 01

Initial/ad hoc security programs are reactive. Lacking strategic vision, these programs are less effective and less responsive to the needs of the business.

DEVELOPING 02

Developing security programs can be effective at what they do but are not holistic. Governance is largely absent. These programs tend to rely on the talents of individuals rather than a cohesive plan.

DEFINED 03

A defined security program is holistic, documented, and proactive. At least some governance is in place; however, metrics are often rudimentary and operational in nature. These programs still often rely on best practices rather than strong risk management.

MANAGED 04

Managed security programs have robust governance and metrics processes. Management and board-level metrics for the overall program are produced. These are reviewed by business leaders and drive security decisions. More mature risk management practices take the place of best practices.

OPTIMIZED 05

An optimized security program is based on strong risk management practices, including the production of key risk indicators (KRIs). Individual security services are optimized using key performance indicators (KPIs) that continually measure service effectiveness and efficiency.

2.2.1 Conduct current-state assessment

1. Carefully review each of the controls in the Gap Analysis tab that are needed for the protect surfaces. For each control, indicate the current maturity level of the organization. The tool uses the maturity levels of the CMMI model to score maturity.

• Only use “N/A” if you are confident that the control is not required in your protect surfaces. For example, if the protect surfaces do not require or use software-defined computing, select “N/A” for any controls related to software-defined computing.

Make sure that the gap between target state and current state is achievable for the current zero trust roadmap. For instance, if you set your current maturity to 1 – Ad Hoc, then having a target maturity of 4 – Managed or 5 – Optimized is not recommended due to the big jump.

2.2.2 Review the Gap Analysis Dashboard

1. Use the Dashboard to map your progress on assessing current- and future-state maturities. As you fill out the Zero Trust Program Gap Analysis Tool, check with the Dashboard to see the difference between your current and target state.
2. Use the color-coded legend to see the size of the gap between your current and target state.
3. Zero trust processes that appear white have not yet been assessed or are rated as “N/A.”

2.3 Identify tasks to close gaps

Estimated time 5 hours

1. Using the Zero Trust Program Gap Analysis Tool, review each of the controls in the Gap Analysis tab.
2. Follow the instructions on the next slides to identify gap closure tasks for each control that requires improvement.
3. For most organizations, multiple internal subject matter experts will need to be consulted to complete the assessment.

Download the Zero Trust Program Gap Analysis Tool

Input

• Zero trust controls gap information

Output

• Gap closure task list

Materials

• Zero Trust Program Gap Analysis Tool

Participants

• Security Team
• Subject Matter Experts From IT, Facilities, Audit, Risk Management

2.3 Identify tasks to close gaps (cont.)

1. For each of the controls where there is a gap between the current and target state, a gap closure task should be identified:

• Review the example tasks and copy one or more of them if appropriate. Otherwise, enter your own gap closure task.

• In small groups, have participants ask, “what would we have to do to achieve the target state?” Document these in the Gap Closure Tasks column.
• The example gap closure tasks may be appropriate for your organization, but do not simply copy them without considering whether they are right for you.
• Not all gaps require their own task. You can enter one task that may address multiple gaps.
• Be aware that tasks that are along the lines of “investigate and make recommendations” may not fully close maturity gaps.

Make sure that the Gap Closure Tasks are SMART (Specific, Measurable, Achievable, Realistic, Timebound).

2.4 Define tasks and initiatives

Estimated time 2-4 hours

1. As a group, review the gap tasks identified in the Gap Analysis tab.
2. Using the instructions on the following slides, finalize your tab “5. Task List.”
3. Using the instructions on the following slides, review and consolidate your tab “6. Initiative List.”

Download the Zero Trust Program Gap Analysis Tool

Input

• Gap analysis

Output

• Refined list of tasks
• List of zero trust initiatives

Materials

• Zero Trust Program Gap Analysis Tool

Participants

• Security Team
• Subject Matter Experts From IT, Facilities, Audit, Risk Management
• Project Management Office

2.4.1 Finalize your task list

1. Define the gap closure task list in tab “5. Task List”:
1. Obtain a list of all your tasks from Gap Closure Tasks column in tab “3. Gap Analysis.”
2. Paste the list into the table in tab “5. Task List,” Task column.

• Use Paste Values to retain the table formatting.

• They have costs associated with them.
• They require initial effort to implement and ongoing effort to maintain.
• They must be accomplished dependently of other tasks.

1. For each new initiative, create the initiative name on Initiative Name column in the tab “6. Initiative List.”

Example: Initiative consolidation

In the example below, we see three gap closure tasks within the Authentication process for the Identity pillar being consolidated into a single initiative “IAM modernization.”

We can also see three gap closure tasks within the Micro Segmentation process for the Network pillar being grouped into another initiative “Network segmentation.”

Info-Tech Insight

As you go through this exercise, you may find that some tasks that you previously defined could be consolidated into an initiative.

2.4.2 Finalize your initiative list

1. As you go through this exercise, you may find that some tasks that you previously defined could be consolidated into an initiative.
2. Review your final list of initiatives in tab “6. Initiative List” and make any required updates.
1. Optionally, add a description or paste in a list of the individual gap closure actions that are associated with the initiative. This will make it easier to perform the cost and benefit analysis.
3. Obtain a list of all gap closure tasks associated with an initiative by filtering the Initiative Name column in the Task List tab.
4. Indicate the most appropriate pillar alignment for each initiative using the drop-down list.
1. Refer to tab “5. Task List” for the pillar associated with an initiative under the Initiative Name column.

If the list of tasks is too long for the Description column, then you can also shorten the name of the tasks or group several tasks to a more general task.

2.5 Align initiatives to business goals and protect surfaces

Estimated time 30-60 minutes

1. Using the instructions on the following slides, align initiatives to business goals in tab “6. Initiative List.”
2. Using the instructions on the following slides, align initiatives to protect surfaces in tab “6. Initiative List.”

Download the Zero Trust Program Gap Analysis Tool

Input

• List of zero trust initiatives
• Protect surfaces mapped to business objectives

Output

• List of zero trust initiatives aligned to business goals and protect surfaces

Materials

• Zero Trust Program Gap Analysis Tool

Participants

• Security Team
• Subject Matter Experts From IT, Facilities, Audit, Risk Management
• Project Management Office

2.5.1 Align initiatives to business goals

1. Indicate the most appropriate business goal(s) alignment for each initiative using the drop-down list in “Selection for Business Goal(s)” column.
1. Use the legend to determine the most appropriate business goal(s).
2. After that copy the selected business goal(s) to Business Goal(s) Alignment column.
3. Then reset the selection using the blank cell in Selection for Business Goal(s) column.

2.5.2 Align initiatives to protect surfaces

1. Indicate the most appropriate protect surface(s) for each initiative using the drop-down list in Selection for Protect Surface(s) column.
1. Use the legend to determine the most appropriate protect surface(s).
2. After that copy the selected protect surface(s) to Protect Surface(s) Coverage column.
3. Reset the selection using the blank cell in Selection for Protect Surface(s) column.

Phase 3

Evaluate Candidate Solutions and Finalize Roadmap

Build a Zero Trust Roadmap

This phase will walk you through the following activities:

• Define solution criteria.
• Identify candidate solutions.
• Evaluate candidate solutions.
• Perform cost/benefit analysis.
• Prioritize initiatives and build roadmap.

This phase involves the following participants:

• Security Team
• Subject Matter Experts From IT, Finance, HR, Legal, Facilities, Compliance, Audit, Risk Management
• Project Management Office

3.1 Define solution criteria

Estimated time 30-60 minutes

1. As a group, review the scoring system within the Zero Trust Candidate Solutions Selection Tool.
2. Customize the tool as required using the instructions on the following slides.

Info-Tech Insight

Don’t let your solution dictate your roadmap. Define your zero trust solution criteria before engaging in vendor selection.

Download the Zero Trust Candidate Solutions Selection Tool

Input

• Zero trust initiative list

Output

• Zero trust candidate solutions

Materials

• Zero Trust Program Gap Analysis Tool
• Zero Trust Candidate Solutions Selection Tool

Participants

• Security Team
• Subject Matter Experts From IT

3.1.1 Define compliance and solution evaluation criteria

On the Setup tab, provide a weight for each evaluation criterion to evaluate the candidate solutions. You can use “0%” weight if that criterion is not required in your solution selection.

1. Verify that the Description for each criterion is accurate.
2. Provide weights for the compliance score and the solution score, which are the overall evaluation:

• Compliance score consists of tenets score, pillar score, threat protection score, and trust algorithm score.
• Solution score consists of features score, usability score, affordability score, and architecture score.

3.1.2 Define remaining evaluation criteria

On the Setup tab, provide a weight for each evaluation criterion to evaluate the candidate solutions. You can use “0%” weight if that criterion is not required in your solution selection.

1. Verify that the Description for each criterion is accurate.
2. Provide weights for the remaining evaluation criteria:

• Tenets: Considers how well each initiative aligns with zero trust principles.
• Pillars: Considers how well each initiative aligns with zero trust pillars.
• Threats: Considers what zero trust threats are relevant with the candidate solution.
• Trust Algorithm: Considers trust evaluation factors, trust evaluation process score, and input coverage.
• Cost Estimation: Considers initial costs, which are one-time, upfront capital investments (e.g. hardware and software costs), and ongoing cost, which is any annually recurring operating expenses that are new budgetary costs (e.g. licensing, maintenance, subscription fees).
• Deployment Architecture: Considers the solutions deployment architecture capabilities.

Review available candidate solutions

The Rapid Application Selection Framework is a comprehensive yet fast-moving approach to help you select the right software for your organization

Five key phases sequentially add rigor to your selection efforts while giving you a clear, swift-flowing methodology to follow.

Download the Rapid Application Selection Framework research

Evaluate software category leaders through vendor rankings and awards

SoftwareReviews

The Data Quadrant is a thorough evaluation and ranking of all software in an individual category to compare platforms across multiple dimensions.

Vendors are ranked by their Composite Score, based on individual feature evaluations, user satisfaction rankings, vendor capability comparisons, and likeliness to recommend the platform.

The Emotional Footprint is a powerful indicator of overall user sentiment toward the relationship with the vendor, capturing data across five dimensions.

Vendors are ranked by their Customer Experience (CX) Score, which combines the overall Emotional Footprint rating with a measure of the value delivered by the solution.

Sample whiteboard activity

• Place sticky notes on the zero trust tenet that matches with the identified candidate solution to produce “solution requirements” that can be used to develop an RFP.
• A sample sticky note is provided below for privileged access management.

• The PAM solution should support MFA
• Live session monitoring, audit, and reporting
• Should have password vaulting to prevent privileged users from knowing the passwords to critical systems and resources

3.2 Identify candidate solutions

Estimated time 2 hours

1. As a group, have the team review the candidate solutions within the Zero Trust Program Gap Analysis Tool.
2. On tab 3 in the Zero Trust Candidate Solutions Selection Tool:

• Review the candidate solutions within the Zero Trust Program Gap Analysis Tool. For example, the candidate solutions with multifactor authentication (MFA) options are authenticators with SMS, mobile application, smartcard, or token.

Input

• Candidate solutions for zero trust tasks and initiatives

Output

• Suitability evaluation of candidate solutions

Materials

• Zero Trust Program Gap Analysis Tool
• Zero Trust Candidate Solutions Selection Tool

Participants

• Security Team
• Subject Matter Experts From IT

Info-Tech Insight

Add a description associated with the candidate solution, e.g. reference link to vendors or manufacturers. This will make it easier to perform the evaluation.

Download the Zero Trust Candidate Solutions Selection Tool

3.2.1 Review candidate solutions

1. Review the candidate solutions within the Zero Trust Program Gap Analysis Tool. For example, the candidate solutions with multifactor authentication (MFA) options are authenticators with SMS, mobile application, smartcard, or token.
2. Enter candidate solutions to the Compliance Data Entry tab on the Solution column within the Zero Trust Candidate Solutions Selection Tool.
3. Optionally, add a description associated with the candidate solution, e.g. reference link to vendors or manufacturers. This will make it easier to perform the evaluation.

3.3 Evaluate candidate solutions

Estimated time 3 hours

On the Scoring tab, evaluate solution features, usability, affordability, and architecture using the instructions on the following slides. This activity will produce a solution score that can be used to identify the suitability of a solution.

Input

• Candidate solutions

Output

• Candidate solutions scored

Materials

• Zero Trust Program Gap Analysis Tool
• Zero Trust Candidate Solutions Selection Tool

Participants

• Security Team
• Subject Matter Experts From IT

Download the Zero Trust Candidate Solutions Selection Tool

3.3.3 Evaluate solution scores

After all candidate solutions are evaluated, the Solution Score column can be sorted to rank the candidate solutions. After sorting, the top solutions can be used on prioritization of initiatives on Zero Trust Program Gap Analysis Tool.

1. On Features
   1. Enter Coverage.
   2. Enter Quality.
2. Enter Usability.
3. On Affordability
   1. Enter Initial Cost.
   2. Enter Ongoing Cost (annual).
4. Enter Architecture.

3.4 Perform cost/benefit analysis

Estimated time 1-2 hours

1. Assign costing and benefits information for each initiative, following the instructions on the next slide.
2. Define dependencies or business impacts if they will help with prioritization.

Input

• Ranked candidate solutions
• Gap analysis
• Initiative list

Output

• Completed cost/benefit analysis for initiative list

Materials

• Zero Trust Program Gap Analysis Tool
• Zero Trust Candidate Solutions Selection Tool

Participants

• Security Team
• Subject Matter Experts From IT, Facilities, Audit, Risk Management
• Project Management Office

Download the Zero Trust Program Gap Analysis Tool

3.4.1 Complete the cost/benefit analysis

Use Zero Trust Program Gap Analysis Tool.

1. On the Prioritization tab, use the drop-down lists to enter the estimated costs and efforts for each initiative, using the criteria defined earlier.

• Use the result from candidate selection to define the estimated costs.
• If you have actual costs available, you can optionally enter them under the Detailed Cost Estimates columns.

The Cost / Effort Rating is calculated based on the weight defined on step 2.1.1. The Benefit Rating is calculated based on the weight defined on step 2.1.2.

3.4.2 Optionally enter detailed cost estimates

Use Zero Trust Program Gap Analysis Tool.

1. For each initiative, the tool will automatically populate the Detailed Cost Estimates and Detailed Staffing Estimates columns using the averages that you provided in step 2.1.1. However, if you have more detailed data about the costs and effort requirements for an initiative, you can override the calculated data by manually entering it into these columns. For example:

• You are planning to subscribe to a security awareness vendor, and you have a quote from them specifying that the initial cost will be $75,000.
• You have defined your “Medium” cost range as being “$10-100K,” so you select medium as your initial cost for this initiative in step 3.4.1. As you defined the average for medium costs as being $50,000, this is what the tool will put into the detailed cost estimate.
• You can override this average by entering $75,000 as the initial cost in the detailed cost estimate column.

The Benefits-Cost column will give results after comparing the cost and the benefit. Negative value means that the cost outweighs the benefit. Positive value means that the benefit outweighs the cost. Zero value means that the cost equals the benefit.

3.5 Prioritize initiatives

Estimated time 2-3 hours

1. As a group, review the results of the cost/benefit analysis. Optionally, complete the Other Considerations columns in the Prioritization tab:

• Dependencies can refer to other initiatives on the list or any other dependency that relates to activities or projects within the organization.
• Business impacts can be helpful to document as they may require additional planning and communication that could impact initiative timelines.

Input

• Gap analysis
• Initiative list
• Cost/benefit analysis

Output

• Prioritized list of initiatives

Materials

• Zero Trust Program Gap Analysis Tool

Participants

• Security Team
• IT Leadership
• Project Management Office

Download the Zero Trust Program Gap Analysis Tool

3.5.1 Create a visual effort map for your organization

1 hour

An effort map is a tool used for the visualization of a cost and benefit analysis. It is a quadrant output that visually shows how your gap initiatives were prioritized based on tab 7 in the Zero Trust Program Gap Analysis Tool.

1. Establish the axes and colors for your effort map:
1. X-axis represents the Benefit value from column J
2. Y-axis represents the Cost/Effort value from column H
3. Sticky note color is determined using the Alignment to Business value from column I
2. Create sticky notes for each initiative and place them on the effort map or whiteboard based on the axes you have created with the help of your team.
3. As you place initiatives on the visual effort map, discuss and modify rankings based on team member input.

Input

• Outputs from activities 3.4.1 and 3.4.2

Output

• High-level prioritization for each of the gap-closing initiatives
• Visual representation of quantitative values

Materials

• Zero Trust Program Gap Analysis Tool (tab 7)
• Sticky notes
• Markers
• Whiteboard

Participants

• Security Team
• IT Leadership
• Project Management Office

3.5.2 Refine the effort map’s visual output

1 hour

Once the effort map is complete, work to further simplify the visual output by categorizing initiatives based on the quadrant in which they have been placed.

1. Before moving forward with the initiative wave prioritization (activity 3.7), identify any initiatives listed across all quadrants that are required as a part of compliance and mark with a sticky dot.
2. Document these initiatives as Execution Wave 1.

Input

• Outputs from activity 3.5.1

Output

• Prioritization for each of the gap-closing initiatives
• First execution wave of gap-closing initiatives

Materials

• Zero Trust Program Gap Analysis Tool (tab 7)
• Sticky notes
• Sticky dots
• Markers
• Whiteboard

Participants

• Security Team
• IT Leadership
• Project Management Office

3.5.3 Refine the effort map’s visual output

30 minutes

1. Use a separate area of the whiteboard to draw out four to five Execution Wave columns.
2. Group initiatives into each Execution Wave column based on their placement within the quadrant from activities 3.5.1 and 3.5.2.
1. Ensure that all identified mandatory activities as per governing privacy law fall within the first wave.
2. Leverage the following 0-4 Execution Wave scale:
0. Underway –Initiatives that are already underway
1. Must Do – Initiatives that must happen right away
2. Should Do – Initiatives that should happen but need more time/support
3. Could Do – Initiatives that are not a priority
4. Won’t Do – Initiatives that likely won’t be carried out
3. Indicate the granular level for each execution wave using the a-z scale.

• Use the lettering to track dependencies between initiatives.
• If one must take place before another, ensure that its letter comes first alphabetically.
• If multiple initiatives must take place at the same time, use the same letter to show they will take place in tandem.

Input

• Outputs from activity 3.5.2

Output

• Prioritization for each of the gap-closing initiatives
• First execution wave of gap-closing initiatives

Materials

• Zero Trust Program Gap Analysis Tool (tab 7)
• Sticky notes
• Sticky dots
• Markers
• Whiteboard

Participants

• Security Team
• IT Leadership
• Project Management Office

Wave assignment example

In the example below, we see “IAM modernization” was assessed as 9 on cost/effort rating and 5 on benefit rating and its Benefits-Cost has a positive value of 1. We can label this as SHOULD DO (wave 2).

We can also see “Network segmentation” was assessed as 6 on cost/effort rating and 4 on benefit rating and its Benefits-Cost has a positive value of 2. We can label this as MUST DO (wave 1).

We can also see “Unified Endpoints Management” was assessed as 8 on cost/effort rating and 2 on benefit rating and its Benefits-Cost has a negative value of -4. We can label this as WON’T DO (no wave).

We can also see “Data Protection” was assessed as 4 on cost/effort rating and 2 on benefit rating and its Benefits-Cost has a zero value. We can label this as COULD DO (wave 3).

It is recommended to define the threshold of each wave based on the value of Benefits-Cost before assigning waves.

3.6 Build roadmap

Estimated time 2-3 hours

1. As a group, follow step 3.6.1 to create your roadmap by scheduling initiatives into the Gantt chart within the Zero Trust Program Gap Analysis Tool.
2. Review the roadmap for resourcing conflicts and adjust as required.
3. Review the final cost and effort estimates for the roadmap.

Input

• Gap analysis
• Cost/benefit analysis
• Prioritized initiative list

Output

• Zero trust roadmap

Materials

• Zero Trust Program Gap Analysis Tool

Participants

• Security Team
• IT Leadership
• Project Management Office

Download the Zero Trust Program Gap Analysis Tool

3.6.1 Schedule initiatives using the Gantt chart

1. On the Gantt Chart tab for each initiative, enter an owner (the role who will be primarily responsible for execution).
2. Additionally, enter a start month and year for the initiative and the expected duration in months.

• You can filter the Wave column to only see specific waves at any one time to assist with the scheduling.
• You do not need to schedule Wave 4 initiatives as the expectation is that these initiatives will not be done.
• 

3.6.2 Review your roadmap

1. When you have completed the Gantt chart, as a group review the overall roadmap to ensure that it is reasonable for your organization. Consider the following:

• Do you have other IT or business projects planned during this time frame that may impact your resourcing or scheduling?
• Does your organization have regular change freezes throughout the year that will impact the schedule?
• Do you have over-subscribed resources? You can filter the list on the Owner column to identify potential over-subscription of resources.
• Have you considered any long vacations, sabbaticals, parental leaves, or other planned longer-term absences?
• Are your initiatives adequately aligned to your budget cycle? For instance, if you have an initiative that is expected to make recommendations for capital expenditure, it must be completed prior to budget planning.

3.6.3 Review your cost/effort estimates table

1. Once you have completed your roadmap, review the total cost/effort estimates. This can be found in a table on the Results tab. This table will provide initial and ongoing costs and staffing requirements for each wave. This also includes the total three-year investment. In your review consider:

• Is this investment realistic? Will completion of your roadmap require adding more staff or funding than you otherwise expected?
• If the investment seems unrealistic, you may need to revisit some of your assumptions, potentially reducing target levels or increasing the amount of time to complete the strategy.

This table provides you with the information to have important conversations with management and stakeholders.

Phase 4

Formulate Policies for Roadmap Initiatives

Build a Zero Trust Roadmap

This phase will walk you through the following activities:

• Formulate zero trust policies for critical DAAS elements.
• Formulate zero trust policies to secure a path to access critical DAAS elements.

This phase involves the following participants:

• CIO
• CISO
• Business Executives
• IT Manager
• Security Team

Understand the zero trust policy

Use the Kipling methodology as a vendor agnostic approach to identify appropriate allow list elements when deploying multiple zero trust solutions.
The policies help to prevent lateral movement.

Info-Tech Insight

The success of a zero trust implementation relies on enforcing policies consistently. Applying the Kipling methodology to the protect surface is the best way to design zero trust policies.

4.1.1 Formulate policy

Estimated time 1-2 hours

1. As a group, review the protect surface(s) identified in phase one, and using the Kipling methodology from the previous slide, formulate a policy. Each policy can be reviewed repeatedly until we are sure it satisfies the goal.
2. The policy created should be consistent for both cloud and on-prem environments.
3. As an example, let's use the healthcare scenario found in tab 3 of the Zero Trust Protect Surface Mapping Tool. The protect surface used is "Automated Medication Dispensing." Another example will be "Salesforce" accessed via the cloud.

Input

• Kipling methodology
• Protect surface

Output

• Zero trust policy

Materials

• Whiteboard/Flip Charts
• Zero Trust Protect Surface Mapping Tool

Participants

• CIO
• CISO
• Business Executives
• IT Manager
• Security Team

4.1.2 Apply policy

1-2 hours

1. Place each protect surface in its own microperimeter. Each microperimeter should be segmented by a next-generation firewall or authentication broker that will serve as a segmentation gateway.
2. Name the microperimeter and place it on a firewall.

Input

• Kipling methodology
• Protect surface

Output

• Zero trust policy

Materials

• Whiteboard/Flip Charts
• Sticky Notes
• Zero Trust Protect Surface Mapping Tool

Participants

• CIO
• CISO
• Business Executives
• IT Manager
• Security Team

Microperimeter A
Protect Surface:
DAAS Elements:

Microperimeter B
Protect Surface:
DAAS Elements:

Microperimeter C
Protect Surface:
DAAS Elements:

4.2 Secure a path to access critical DAAS elements

How should you allow access to the resource?

This component makes up the final piece of formulating the policies as it applies the protection of the application traffic.

The principle of least privilege is applied to the security policy to only allow access requests and restrict the access to the purpose it serves. This access request is then logged as well as the traffic (both internal and external). Most firewalls (NGFW) have policy rules that, by default, enable logging.

Segmentation gateways (NGFW, VM-series firewalls, agent-based and clientless VPN solutions), are used to apply zero trust policy (Kipling methodology) in the network, cloud, and endpoint (managed and unmanaged) for all local and remote users.

These policies need to be applied to security profiles on all allowed traffic. Some of these profiles include but are not limited to the following: URL filtering profile for web access and protect against phishing attacks, vulnerability protection profile intrusion prevention systems, anti spyware profiles to protect against command-and-control threats, malware and antivirus profile to protect against malware, and a file blocking profile to block and/or alert suspicious file types.

Good visibility on your network can also be tied to decryption as you can inspect traffic and data to the lowest level possible that is generally accepted by your organization and in compliance with regulation.

Conceptualized flow

With users working from anywhere on managed and unmanaged devices, access to the internet, SAAS, public cloud, and the data center will have consistent policies applied regardless of their location.

The policy is validating that the user is who they say they are based on the role profile, what they are trying to access to make sure their role or attribute profile has the appropriate permission to the application, and within the stipulated time limit. Where the data or application is located is also verified and the why needs to be satisfied before the requested access is granted. Based on the mentioned policies, the how element is then applied throughout the lifecycle of the access.

Phase 5

Monitor Zero Trust Roadmap Deployment

Build a Zero Trust Roadmap

This phase will walk you through the following activities:

• Establish metrics for roadmap tasks.
• Track metrics for roadmap tasks.

This phase involves the following participants:

• Security Team
• Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
• Project Management Office

5.1 Establish metrics for roadmap tasks

Estimated time 2 hours

1. On tab “2. Task & Metric Register” of the Zero Trust Progress Monitoring Tool, identify metrics to measure implementation and efficacy of tasks
2. On tab “2. Task & Metric Register” of the Zero Trust Progress Monitoring Tool, document metric metadata.
3. On the Prioritization tab, use the drop-down lists to enter the estimated costs and efforts for each initiative, using the criteria defined earlier.

• If you have actual costs available, you can optionally enter them under the Detailed Cost Estimates columns.

Input

• Zero trust roadmap task list

Output

• Metrics for measuring zero trust task implementation and efficacy

Materials

• Zero Trust Progress Monitoring Tool

Participants

• Security Team
• Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
• Project Management Office

Download the Zero Trust Progress Monitoring Tool

5.1.1 Identify metrics to measure implementation and efficacy of tasks

Estimated time 3-4 hours

1. On tab “2. Task & Metric Register” of the Zero Trust Progress Monitoring Tool, for each section defined in columns C and D, enter zero trust implementation tasks into column E. If you completed the Zero Trust Program Gap Analysis Tool, use the tasks identified there to populate column E.
2. For each task, identify in column F any metrics that will communicate implementation progress and/or implementation efficacy.

• If multiple metrics are needed for a single task, we recommend expanding the size of the row and adding additional metrics onto a new line in the same row. A sample is provided in the tool.

Info-Tech Insight

To measure the efficacy of a zero trust implementation, ensure you know what a successful zero trust implementation means for your organization, and define metrics that demonstrate whether that success is being realized.

5.1.2 Document metric metadata

Estimated time 1-2 hours

For each metric defined in step 4.1.1:

1. Identify in column G whether the metric can be measured now (Phase 1), measured in a few months’ time (Phase 2), or measured in a few years’ time (Phase 3).
2. Identify in columns H through M who is responsible for collecting the metric (Person Source), who/what is consulted to collect the metric (Technology Source), who compiles the collected metric into dashboards and presentations (Compiler), and who is informed of the measurement of the metric (Audience).

• Add more columns under the Audience category if needed.
• Use “X” to identify if an audience group will be informed of the measurement of the metric.

5.2 Track and report metrics

Estimated time 2 hours

1. In the Zero Trust Progress Monitoring Tool, copy and paste metrics you plan to track in the tool from column F on tab 2 to column B on tab 3.
2. Use tab 3 to identify collection frequency, metric target, and measurements collected for each metric. Add notes or comments to each metric or measurement to track contextual elements that could affect metric measurements.
3. Leverage the graphs on tab 4 to communicate metrics to the appropriated audience groups, as defined in tab 2.

Input

• Metrics for measuring zero trust task implementation and efficacy

Output

• Metric data and graphs for presenting zero trust implementation metrics to audience groups

Materials

• Zero Trust Progress Monitoring Tool

Participants

• Security Team
• Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
• Project Management Office

Download the Zero Trust Progress Monitoring Tool

5.2.1 Record baseline measurements for metrics

Estimated time 1-2 hours

On tab “3. Track Metrics” of the Zero Trust Progress Monitoring Tool:

1. Copy and paste the metrics from Column F on tab “2. Task & Metric Register” that you want to track into Column B of this tab.
2. For each metric, record the frequency of collection (Collection Frequency) and the metric target (Target) by referencing columns O and P on tab “2. Task & Metric Register.”
3. Begin to record baseline/initial values for each metric in column E. Rename columns to match your highest frequency of collection.
   (e.g. if any metric is being measured monthly, there should be one column per month)
4. Over time, conduct measurements of your metrics and store them in the table below.
5. Add notes, as necessary.

5.2.2 Report metric health to audience groups

Estimated time 1-2 hours

On tab “4. Graphs” of the Zero Trust Progress Monitoring Tool:

1. The Overall Metric Health gauge at the top of this tab presents the average percentage away from meeting metric targets for all metrics being tracked. To calculate this value, the differences between the most recent measurements and target values for each metric are averaged.
2. Below the Overall Metric Health gauge, use the drop-down list in cell D9 to select one of the metrics from tab “3. Track Metrics.”
3. Six different graphic representations of the tracked data for the selected metric will populate.

Copy and paste desired graphs into presentations for audience members identified in step 5.1.2.

5.3 Build a communication deck

Estimated time 2 hours

Leverage the Zero Trust Communication Deck to showcase the work that you have done in the tools and activities associated with this research.

In this communication deck template, you will find the following sections:

• Introduction
• Protect Surfaces
• Zero Trust Gap Analysis
• Zero Trust Initiatives & Tasks

Input

• Protect surfaces mapped to business goals
• Zero trust program gap analysis
• Zero trust roadmap initiatives and tasks
• Zero trust metrics

Output

• Communication deck for zero trust strategy

Materials

• Zero Trust Communication Deck

Participants

• Security Team
• Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
• Project Management Office

Download the Zero Trust Communication Deck

Summary of Accomplishment

Knowledge Gained

• Knowledge of protect surfaces and the business goals protecting them supports
• Comprehensive knowledge of zero trust current state and summary initiatives required to achieve zero trust objectives
• Assessment of which solutions for zero trust tasks and initiatives are the most appropriate for the organization
• A defined set of security metrics assessing zero trust implementation progress and efficacy

Deliverables Completed

• Zero Trust Protect Surface Mapping Tool
• Zero Trust Program Gap Analysis Tool
• Zero Trust Candidate Solutions Selection Tool
• Zero Trust Progress Monitoring Tool
• Zero Trust Communication Deck

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop

Contact your account representative for more information

workshops@infotech.com

1-888-670-8889

Additional Support

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

Contact your account representative for more information.

workshops@infotech.com 1-888-670-8889

The following are sample activities that will be conducted by Info-Tech analysts with your team:

Zero Trust Program Gap Analysis Tool

Assess current security capabilities and build a roadmap of tasks and initiatives that close maturity gaps.

Zero Trust Progress Monitoring Tool

Identify and track metrics for zero trust tasks and initiatives.

Research Contributors

• Aaron Benson, CME Group, Director of IAM Governance
• Brad Mateski, Zones, Solutions Architect for CyberSecurity
• Bob Smock, Info-Tech Research Group, Vice President of Consulting
• Dr. Chase Cunningham, Ericom Software, Chief Strategy Officer
• John Kindervag, ON2IT Cybersecurity, Senior Vice President, Cybersecurity Strategy and ON2IT Group Fellow
• John Zhao, Fonterra, Enterprise Security Architect
• Rongxing Lu, University of New Brunswick, Associate Professor
• Sumanta Sarkar, University of Warwick, Assistant Professor
• Tim Malone, J.B. Hunt Transport, Senior Director Information Security
• Vana Matte, J.B. Hunt Transport, Senior Vice President of Technology Services

Related Info-Tech Research

Build an Information Security Strategy

Info-Tech has developed a highly effective approach to building an information security strategy – an approach that has been successfully tested and refined for over seven years with hundreds of organizations. This unique approach includes tools for ensuring alignment with business objectives, assessing organizational risk and stakeholder expectations, enabling a comprehensive current-state assessment, prioritizing initiatives, and building out a security roadmap.

Determine Your Zero Trust Readiness

IT security was typified by perimeter security. However, the way the world does business has mandated a change to IT security. In response, zero trust is a set of principles that can add flexibility to planning your IT security strategy.

Use this blueprint to determine your zero trust readiness and understand how zero trust can benefit both security and the business.

Mature Your Identity and Access Management Program

Many organizations are looking to improve their identity and access management (IAM) practices but struggle with where to start and whether all areas of IAM have been considered. This blueprint will help you improve the organization's identity and access management practices by following our three-phase methodology:

• Assess identity and access requirements
• Identify initiatives using the identity lifecycle
• Prioritize initiatives and build a roadmap

Bibliography

• “2021 Data Breach Investigations Report.” Verizon, 2021. Web.
• “A Zero-Trust Strategy Has 3 Needs - Identify, Authenticate, and Monitor Users and Devices On and Off The Network.” Fortinet, 15 July 2021. Web.
• “Applying Zero Trust Principles to Enterprise Mobility.” CISA, March 2022. Web.
• Biden Jr., Joseph R. “Executive Order on Improving the Nation’s Cybersecurity.” The White House, 12 May 2021. Web.
• “CISA Zero Trust Maturity Model.” CISA - Cybersecurity Division, June 2021. Web.
• “Continuous Diagnostics and Mitigation Program Overview.” CISA, Jan. 2022. Web.
• Contributor. “The Five Business Benefits of a Zero Trust Approach to Security.” Security Brief - Australia, 19 Aug. 2020. Web.
• “Cost of a Data Breach Report 2021.” IBM, July 2021. Web.
• English, Melanie. “5 Stats That Show The Cost Saving Effect of Zero Trust.” Teramind, 29 Sept. 2021. Web.
• “Improve Application Access and Security With Fortinet Zero Trust Network Access.” Fortinet, 2 March 2021. Web.
• “Incorporating Zero-trust Strategies for Secure Network and Application Access.” Fortinet, 21 July 2021. Web.
• Jakkal, Vasu. “Zero Trust Adoption Report: How Does Your Organization Compare?” Microsoft, 28 July 2021. Web.
• “Jericho Forum™ Commandments.” The Open Group, Jericho Forum, May 2007. Web.
• Johnson, Derrick. “Zero Trust vs. SASE - Here's What You Need to Know.” Security Magazine, 23 July 2021. Web.
• Joint Defense Information Systems Agency (DISA) and National Security Agency (NSA) Zero Trust Engineering Team. “Department of Defense (DOD) Zero Trust Reference Architecture.” DoD CIO, Feb. 2021. Web.
• Kay, Dennis. “Planning for a Zero Trust Architecture Target State.” NASA, NIST, 13 Nov. 2019. Web.
• National Security Agency. “Embracing a Zero Trust Security Model.” U.S. Department of Defense, Feb. 2021. Web.
• NSTAC. “Draft Report to the President - Zero Trust and Trusted Identity Management.” CISA, NSTAC, n.d. Web.
• Rose, Scott W., et al. “Zero Trust Architecture.” NIST, 10 Aug. 2020. Web.
• “Securing Digital Innovation Demands Zero-Trust Access.” Fortinet, 15 July 2021. Web.
• Shackleford, Dave. “How to Create a Comprehensive Zero Trust Strategy.” SANS, Cisco, 2 Sept. 2020. Web.
• “The CISO’s Guide to Effective Zero-Trust Access.” Fortinet, 28 April 2021. Web.
• “The State of Zero Trust Security 2021.” Okta, June 2021. Web.
• Kerman, Alper, et al. “Implementing a Zero Trust Architecture.” NIST - National Cybersecurity Center of Excellence, March 2020. Web.
• Kindervag, John. “Keynote - John KINDERVAG - 021622.” Vimeo, VIRTUAL Eastern | CyberSecurity Conference, 16 Feb. 2022. Web.
• Lodewijkx, Koos. “IBM CISO Perspective: Zero Trust Changes Security From Something You Do to Something You Have.” SecurityIntelligence, IBM, 19 Nov. 2020. Web.
• VB Staff. “Report: Only 21% of Enterprises Use Zero Trust Architecture.” VentureBeat, 15 Feb. 2022. Web.
• Young, Shalanda D. “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.” The White House, EXECUTIVE OFFICE OF THE PRESIDENT - OFFICE OF MANAGEMENT AND BUDGET, 26 Jan. 2022. Web.
• “Zero Trust Access.” Fortinet, n.d. Web.
• “Zero Trust Architecture Technical Exchange Meeting.” NIST - National Cybersecurity Center of Excellence, 12 Nov. 2019. Web.
• “Zero Trust Cybersecurity Current Trends.” ACT-IAC, 18 April 2019. Web.
• “Zero-Trust Access for Comprehensive Visibility and Control.” Fortinet, 24 Sep. 2020. Web.