Zero Trust - Always Have a P.L.A.N

September 23, 2024

In the years that I’ve been studying, writing about, implementing, and assessing Zero Trust, I have been thinking of ways to help clients understand what it means. As I discussed in a previous blog, “Brace for Impact”, implementing a security approach that assumes breach changes our whole approach. This leads me to something that clients have asked for in the past: “Is there a guide that is easy to follow and has some high-level steps?”

 

I used to point clients to the National Security Telecommunications Advisory Committee (NSTAC). The Committee’s five-step process for Zero Trust implementation is clear, concise, and to the point. However, as I have expanded my understanding of Zero Trust, I have learned the challenges that come with implementing a Zero Trust approach. As a result, I created the framework Prepare, Layout, Action, Nurture (PLAN).

 

The NSTAC five-step approach is included in PLAN as well to effectively evaluate use cases for access. The NSTAC process is best leveraged to help an organization define controls for use cases and is a great way to understand how to put your security investments to work and help illuminate gaps in your security control inventory.

 

PLAN is a perpetual and ongoing process; it is a way to continuously review and improve your Zero Trust approach.

 

Step #1: Prepare

In this initial phase, the PLAN implementor discovers where they stand in terms of Zero Trust implementation status and what they have from a control and tooling perspective. They then incorporate business and IT strategies/plans and measure maturity in accordance with Zero Trust principles and tenets.

 

Step #2: Layout

In this phase, the Zero Trust implementor is developing a detailed plan with steps, timelines, resources and responsibilities needed to achieve the goals of the Zero Trust Architecture (ZTA).

 

Step #3: Action

This is where the plan is executed based on the output from Layout.

 

Step #4: Nurture

The final step is where progress is monitored, outcomes are evaluated, adjustments are made, continuous improvements are evaluated, and changes are implemented.

 


Figure 1 – P.L.A.N. (Prepare, Layout, Action, Nurture)

 

Let’s take a deeper dive into the high-level approach to a quick-start implementation. It should be noted that some of these steps can be difficult and may take time to execute. In addition, the steps can be performed out of order; however, I do recommend that Step 1 (Prepare) be prioritized to ensure some of these critical success factors are accomplished and output is ready when needed later in the Zero Trust implementation steps.

 

 

Prepare

This first step is deeply rooted in “programizing” your Zero Trust approach. Leverage your program management capabilities to help you get your organization ready. In Figure 2 below, there are eight capabilities that should look familiar. Probably one of the most important capabilities is found in “Layer 8”, the Human Factor where the security team works with the business to ensure there is alignment. If there’s no alignment, then we’ll need to dream up another buzzword in a decade to replace Zero Trust because the next new way of conducting business will be invented and security will be left behind, again.

 

The other capabilities should make sense. All of these were reviewed and placed in the Optiv + ClearShark Zero Trust framework early in the development of our approach. As the DHS CISO stated in the Zero Trust Implementation Plan, “Much of the work of implementing Zero Trust, for any organization, is just work” and “We must be brilliant at the basics”. I was delighted to see this highlighted in DHS’ plans; it was refreshing to see importance placed on the things that contributed to the need for Zero Trust in the first place.

 

Steps in Prepare:

 

  • Define business objectives
  • Develop/update policies and standards
  • Perform IT/security tool review
  • Perform a ZT maturity assessment
  • Collect inventory of human entities
  • Collect inventory of DAAS (Data, Applications, Assets, and Services)
  • Determine organization risk tolerance

 


Figure 2 – Program-level Critical Success Factors

 

 

Layout

In step 2 you will take all you learned about your organization and begin to develop a roadmap. The security tool review includes capabilities and controls. The maturity and security tool review output will be invaluable throughout your Zero Trust implementation.

 

The following steps are in Layout:

 

  1. Synthesis of the security tool and maturity assessment output
  2. Zero Trust roadmap development
  3. Develop metrics to measure control effectiveness
  4. Measure controls and report
  5. Select solutions for gaps in program as roadmap dictates

 

 

Action

This is the phase where the roadmap tasks developed in Step 2 are implemented. This is also the step in which the NSTAC five-step process is leveraged. One minor change to the NSTAC process is that I shifted step 5, “Monitor and Maintain the Network”, to Nurture.

 

Steps in Action:

 

  1. Implement the roadmap which includes people, process, and technology
  2. Review use cases for access leveraging the NSTAC 5-step process and Kipling model (who, what, when, where, why, how)
  3. As part of the previous step, opportunities for Automation/Orchestration will start to take shape
  4. Measure risk prior to implementation of controls and after

 

 

Nurture

Nurture is a perfect name for this phase. This is the phase where we move our actions into a rhythm. “Programization” is strong in this phase as well; this is where we measure, report, and adjust.

 

Steps in Nurture:

 

  1. Monitor and maintain
  2. Evaluate improvements, review intended results
  3. Leverage success criteria developed in Layout (specifically looking to see if target levels were achieved)
  4. Perform lessons learned
  5. Continuous improvement

 


Figure 3 – PLAN Zero Trust Quick Start

 

To summarize, PLAN was developed to help organizations see a way to break the Zero Trust problem apart. It shows a methodology that moves through steps designed to help demonstrate risk reduction, collaboration, and modernization. Please reach out if you found this approach helpful.

Mark Modisette
Executive Director, Executive Solutions, Office of the CISO
Zero Trust Technologist Mark Modisette is a veteran information assurance and security executive with more than 20 years of experience in multiple industry sectors. Mark's recent experience with Optiv + ClearShark has focused on Zero Trust evangelism, authorship, and advisory services, where he works with organizations to design roadmaps, perform Zero Trust readiness reviews, and make recommendations to ensure successful ZT implementations. Additionally, Mark helps clients understand where to start with Zero Trust and how to utilize security program management and security risk management to ensure continued success in the implementation of Zero Trust concepts.

About Optiv + ClearShark™

Optiv + ClearShark is a cybersecurity and IT solutions provider focused exclusively on serving the U.S. federal government. From the data center to the cloud and the edge, we have decades of experience securing and modernizing federal agency data and infrastructure. Our world-class advisory and engineering team is comprised of mission-focused, results-driven subject-matter experts with deep technology and agency domain knowledge and security clearances.

 

Now part of Optiv, the cyber advisory and solutions leader, Optiv + ClearShark partners with federal agencies to advise, deploy and operate complete cybersecurity programs.