ZT Planning Flashcards
What are the core ZT principles for Zero-Trust Planning?
- Never trust, always verify
- Inside-out security
- Risk-based security approach (assuming budget scarcity, use risk to allocate budget)
What differences do you see in ZT planning and implementation between large and small companies?
Large organizations may pursue a portfolio of ZT initiatives with different motivations/success criteria
Small organizations may only have a single ZT effort
Which five steps should be considered initially when planning ZT?
- Define the protect surface
- Map the transaction flows
- Build a ZTA
- Create a ZT policy
- Monitor and maintain the network
What does the CISA high-level ZT Maturity Model consist of?
The CISA High-Level ZT Maturity model consists of:
1. Five pillars
2. Three cross-cutting concerns
3. Four maturity levels
What are the three cross-cutting concerns in the CISA ZT Maturity Model?
- Visibility and Analytics
- Automation and Orchestration
- Governance
Which stage is the starting point for a ZT transformation?
The ‘traditional’ model is the starting point.
What are the four stages in the CISA ZT MM?
- Traditional - no implementation of ZT
- Initial - starting to move to ZTA but still lacks essential features
- Advanced - Essential capabilities in place
- Optimal - continuous monitoring and optimization
What are the five pillars of the CISA ZT MM?
- Identity
- Devices
- Network
- Applications and workloads
- Data
What should the primary focus during ZT planning be?
Aligning activities and resources to achieve business outcomes with acceptable risk levels defined by the board of directors and senior leadership
Which are initial considerations for planning the implementation of ZT philosophy, approach, and design principles?
- The maturity level of the organization’s security approach
- The complexity of service architecture and data flows
- The risk appetite and regulatory environment of the organization
Which assets may ZT migration tactics and design principles be applied to, based on the organization’s risk profile and risk appetite?
All assets in the organization
A limited set of assets
What are examples of key factors to be considered during ZT planning?
Stakeholders to engage
Technology strategy
BIA results
Risk Register
Supply chain risk management
Organizational security policies
Architecture options
Compliance requirements
Workforce training
Why is stakeholder identification critical?
It requires significant, concerted time/energy investment
It can make or break an organization’s ZT effort
What are examples of stakeholders to be considered?
Business/service owners
Application/data owners
Infrastructure/asset owners
Service architecture owners
CISO/security teams
Legal officers
Compliance officers
Procurement officers
What must be done once stakeholders are identified?
Planning efforts should map out respective responsibilities (RACI chart)
Communications plan development
What is the most critical ZT-specific role?
The asset owner:
- Determines valid users/roles/privileges/data usage
- Typically exists in the business
What are best practices for stakeholder involvement?
Should not lose focus on other internal users/groups
Must consist of stakeholders across organization and levels, including functional areas
Bring stakeholders in early, keep them engaged
Should be well-informed of organization’s collective mission/ongoing priorities
What is the role of an asset custodian?
Asset custodians implement directives set by asset owners
Asset custodians are usually in IT
What should a communications plan in ZT contain at a minimum?
Define a communication strategy, establish cadence
Incorporate mechanisms for setting proper expectations
Means to communicate/document key decisions
What is a technology strategy?
A technology strategy describes how technology is being used to achieve business objectives
Which questions should be asked about ZT and the technology strategy?
- How does the ZT strategy fit into the organization’s technology strategy?
- How does the ZT strategy need to be updated to incorporate the technology strategy?
- How does the ZT strategy impact existing plans/processes/procedures?
- How does ZT strategy affect existing budgets/investments?
- How does ZT strategy affect existing internal standards/best practices?
What does a BIA typically provide?
Asset list with
- relative values/owners
- RPO/RTO
- Interdependencies/priorities
Assessment of resources required to restore/maintain each asset
How does the risk register help ZT planning?
It provides:
- Inventory of potential risk events, recorded/tracked by likelihood/impact/description
- Controls for reducing risk within risk appetite thresholds
- The risk owner and the control owner
Which organizational policies will typically require an update when ZT is introduced?
Organizational policies affecting identity, devices, networks, applications and workloads, and data
What are the three categories of policies to consider when planning ZT?
Policies that dictate or constrain the ZT initiative
Policies that require updating due to ZT
Policies that need to be created to support ZT
Which policy types are generally needed for ZT?
General and IT security
ZT
Data governance
Cloud
Key management policy
Incident response
IAM
Monitoring
DR/BC
In which ways is a ZT approach helpful for compliance?
Increased control over regulated data
Better overall cybersecurity
How should training deal with ZT?
Training is foundational to ZT initiatives
ZT should be part of the awareness programs
Who will need specific training on ZT?
Staff who determine access controls
Staff who configure access controls
Support team
Auditing staff
Upper management, board and CEO to ensure necessary awareness levels
Stakeholder identification efforts should result in a responsibility matrix known as a
RACI chart
RACI stands for
Responsible, Accountable, Consulted, and Informed
What should governing documents approved by senior management and the board of directors contain as a starting point for identifying stakeholder responsibilities?
Designate the executive sponsor and provide insights into reporting expectations
What do RPO and RTO stand for?
RPO: Recovery Point Objectives
RTO: Recovery Time Objectives
What should organizations start with when beginning ZT planning?
- Prerequisite for understanding the protect surface
- Definition of the ZT project’s scope/priorities
- Business case development
What is prerequisite to understanding the protect surface?
Understanding what the organization wants to protect with ZT:
Data/assets, data location, asset where data is hosted, services/processes/classifications.
This requires:
Data & asset discovery and inventory
Data & asset classification
Entities/user discovery and inventory
On what basis are data and assets classified?
Data sensitivity
What is meant by entities?
Person and non-person users (machines, APIs, service accounts)
What is done with the discovered entities?
Discovered entities are mapped to all relevant protect surfaces. Identities are used to define the ZT policies.
What will scope typically include?
Success criteria identified for the ZT projects
Business units identified for the ZT journey
The business units’ protect surfaces
The protect surface’s data and assets
Identities accessing the protect surface
Entities mapped to the identities/personas
Approaches to prioritization:
Based on complexity: start simple, move to more complex
Based on risk: select protect surface high on the risk register
Based on use case: when a definite use case is identified
What are factors to consider in the business case?
BIA
Risks that ZT program is designed to address
Cost of the project
Cost of not doing the project
What the organization stands to gain through ZT
Additional benefits from improving security culture
Use case examples for ZT
Role based access control for internal staff
Remote Access
Services Accessed using Mobile Devices
Third-Party Service Providers
Staff Access to Assets in hybrid environments
SaaS & PaaS
Application release & DevOps
ICS, OT, & IoT
What is a gap analysis?
A gap-analysis is an industry-accepted tool for helping organizations realize their objectives.
It consists generally of four steps:
- Determine current state
- Determine target state
- Create a roadmap to close the gap
- Requirements
What are crucial steps for determining the ZT current state?
- Define current protect surfaces and implications for each ZT pillar
- List current controls for each pillar
- Determine/declare the current CISA maturity stage for each pillar
- Risk appetite determination feeds into scoping activities/decisions
What is the goal of determining the ZT target state?
- Define the protect surface and the impact for each in-scope pillar across the organization
- Determine/declare the desired target CISA maturity stage per pillar
What does the roadmap for moving from ZT current state to ZT target state contain?
The roadmap contains the future controls required to raise the current maturity stage to the future desired state
What is the role of requirements in ZT planning?
Requirements for ZTA implementation are a key output of the gap analysis
Which requirements areas should typically be defined for ZTA?
- Source of truth for unique identities
- Full life cycle identity management for employees, contractors and vendors
- Definition, provisioning and management of entitlements
- Definition, provisioning and management of access controls
- Segmentation/micro-segmentation
- Incident detection and response
- Reporting and analytics
- Special considerations
- Concept of least privilege
- Segregation of duties
Which considerations are relevant for the identity pillar of the target architecture?
Proper identity validation of the entity requesting access to a resource
Frequency/technology determined by sensitivity of information being accessed
MFA for validating identity of the entity
Real-time machine learning to highlight unusual user/device behavior
Identity stores with entities and associated information, queried during authentication process
Process for ensuring user identities are mapped to real users
Accuracy of claims controlled during the user lifecycle
Integration of PKI with the identity system
Which considerations are relevant for the devices and endpoints pillar?
Devices/endpoints require authentication validation before accessing ZTA-protected resources
Security posture validated against security policies before being allowed access
Validation steps performed continuously
Device behavior analyzed for any unusual activity
Complete and accurate inventory of all devices/endpoints is a highly sought-after goal
Failures primarily due to vast number/relatively short life cycle of deployed devices
Helps achieve device and endpoint data quality goals
Gateway/VDI solutions should be explored (for unmanaged devices and contractors)
Which considerations are relevant for the network & environment pillar?
Micro-segmentation coupled with encryption to improve network security posture
Data plane used for application/service communication
Control plane used for network communication control
Decision to allow application access made over the control plane
Application interaction/data exchange with requesting device occurs via data plane
Micro-segmentation technologies and traffic segmentation based on data flow
Which considerations are relevant for the workload & application pillar?
Access authorization continuously evaluated with real-time risk analysis
Security testing implemented in all stages of CI/CD
Integration into monitoring system for sending internal insights
Which considerations are relevant for the data pillar?
Data classification policy should codify required data security controls/processes per defined data class
Can include secure encryption and network segmentation for highly sensitive data
Should include how entities gain access to data and required steps for end-of-life data disposal
Which considerations are relevant for the visibility & analytics capability?
UEBA for continually evaluating user behavior against a baseline of previous activity
Running regular device posture assessments to ensure accessing devices are properly configured/secured
Monitoring application health/security by leveraging systems/sensors external to the application
Which considerations are relevant for the automation & orchestration capability?
Takes advantage of automation by using infrastructure-as-code and CI/CD
Orchestrating/automating the identity lifecycle
Dynamic user identity and group membership/JIT application access
Which considerations are relevant for the governance capability?
Helps define ZTA policies
Manages/reduces complexity with focus on protect surfaces
Governance policies should be enforced by the PEP
Which categories do ZTA generally fall into?
- ZTA using enhanced identity governance
- ZTA using micro-segmentation
- ZTA using network infrastructure and SDP
Which architecture variations are listed by NIST SP 800-207?
Device agent/gateway-based deployment
Enclave-based deployment
Resource portal-based deployment
Device application sandboxing
How is a transaction defined in the context of ZT?
Any action within a system that needs verification
Which questions are relevant for each step in the transaction?
Who, what, where, when, how, and why
What needs to be considered when collecting data?
Begin with an initial understanding of the data
What it is, where it is, and where it goes
Start with existing knowledge about the organization’s business processes and underlying architecture
Leverage numerous sources (packet captures, logs, traffic analysis)
When should a transaction inventory be created?
New deployments - transaction inventories defined/developed during architecture/design phase
- Organizations should create inventory as part of planning exercises
Existing deployments - collect/inventory known transactions to maintain
- Highlight transactions that will change or become deprecated
- Create entries for new transactions expected to be part of the solution