Implementing Zero Trust Architecture: An Enterprise Guide
By Umair Akbar
About this ebook
Recognize the ways in which Zero Trust security can and should be implemented in your company. This book goes into the complexities of business settings and provides the practical principles and requirements that your security team will need to develop and execute a successful Zero Trust path while maximizing the value of your present enterprise security architecture. After reading this book, you will be ready to construct a credible and defendable Zero Trust security architecture for your company, as well as a step-by-step road to significantly improved security and operational efficiency.
Zero-trust security has become a popular business practice, but its ramifications are yet unknown. The goal of Zero Trust is to fundamentally change the underlying philosophy and approach to enterprise security by moving away from archaic and demonstrably ineffective perimeter-centric tactics and toward a dynamic, identity-centric, and policy-based approach.
It may be challenging to make such a transformation. It may be difficult to change direction if your company has already implemented and operationalized enterprise security assets such as directories, identity and access management systems, intrusion detection and prevention systems, and SIEM. Zero Trust Security is unique in its coverage of enterprise security and information technology architectures, providing valuable architectural support and technical analysis to help your company get to Zero Trust faster.
You will master the following:
- Understand why Zero Trust security concepts are important and why they must be implemented.
- Consider the security and operational benefits of Zero Trust.
- Make informed decisions about the best places, timeframes, and approaches to adopt Zero Trust security architectures.
- Determine the impact of your organization and its security architecture on the route to Zero Trust.
- Prepare to sketch out your road to Zero Trust while looking for measures that will enhance your company's security right away.
Umair Akbar
Umair received his education from the University of Houston in Biomedical Sciences in 2017. He was accepted to medical school but ultimately resigned at the end of his second year in favor of a "tech bro" job. He obtained his Master of Science in Cybersecurity and Information Assurance with a 4.0 GPA from Western Governors University. He is currently employed full time and has plans to receive thirteen additional Master's degrees. As a seasoned cloud system architect and cloud engineer, Umair has worked extensively on designing highly scalable, cost-effective cloud solutions to meet the stringent requirements of businesses ranging from small start-ups to Fortune 50 companies. Umair has the expertise to architect, design, and implement on leading cloud platforms such as GCP, AWS, and Azure. He has architected large-scale web applications in the healthcare, education, and financial industries. He has a proven track record in delivering quality enterprise-grade cloud infrastructures for his clients.
Accreditations:
- Master of Science (M.S.) in Cybersecurity and Information Assurance
- AWS Certified Solutions Architect - Professional (SAP-C01)
- AWS Certified Solutions Architect - Associate (SAA-C02)
- Certified Information Systems Auditor (CISA)
- Certified Ethical Hacker (CEH)
- Certified Data Privacy Solutions Engineer (CDPSE)
- Google Professional Cloud Network Engineer
Reviews for Implementing Zero Trust Architecture
1 rating, 1 review
- Rating: 5 out of 5 stars. I have never been so enthralled by a book before. Zero Trust is an incredible and detailed read that covers the human aspect of security through the lens of trusted people, not trusted systems. I found myself highlighting entire sections in this book because it was so insightful and there were a lot of great takeaway messages for me to apply to my work. This is a must-
Book preview
Implementing Zero Trust Architecture
Umair Akbar, CISA, CDPSE, GCP-NE, AWS-SAA, CEH, ABCDEFGHIJKLMNOPQRSTUVWXYZ
Security Problem
Background Information About The Problem
A Root Cause Analysis Of The Problem
A Description Of The Stakeholders
An Analysis Of Systems, Processes, Or Both
A Description Of The Project Requirements
The Data Available Or The Data That Needs To Be Collected To Support The Project
The Industry-Standard Methodology You Used To Guide And Support The Solution’s Design And Development
Deliverables Associated With The Design And Development Of The Technology Solution
The Strategy For Implementing The Solution And Anticipated Outcomes From The Project, Including Phases Of The Rollout, Details Of Project Launch, And Training Plan For Users
The Quality Assurance Plan For The Solution, Including Formative And Summative Evaluation Plans And Plans For Revision
Assessment Of Risks Associated With The Implementation
The Technology Environments, Tools, And Any Related Costs, As Well As The Human Resources, That Are Necessary To Execute Each Project Phase
A Projected Timeline, Including Milestones, Start And End Dates, Duration For Each Milestone, Dependencies, And Resources Assigned To Each Task
The Framework That Will Be Used To Assess The Success Of The Project And Assess If The Security Solution Meets Stakeholder’s Needs, Including Test Cases And Acceptance Criteria
Design and develop a technology-supported security solution that addresses your identified business problem or organizational need
Your solution must contribute to at least one of the following major security areas: Systems Security, Security Planning and Management
Facilitates Development of Consensus-based codes of conduct
Promotes the Adoption of Standards and Practices
Promotes Automation in Cybersecurity
Improves and modernizes security assurance
Implements industry-standard security tools and infrastructure or environment
Collects digital evidence, including data for analysis or forensics
Provides cybersecurity plans, strategies, and policies and Implements confidentiality, integrity, and availability
Mitigates cybersecurity threats
Investigates cybersecurity incidents or crimes
Includes decision-support functionality
Provides a training plan for users
Analysis of the alignment of the solution with organizational cybersecurity initiative or regulatory compliance
Assessment of the solution’s implementation, including testing results and implemented revisions
Applications, tools, installation, and user guides for any other environment used
Assessment of the efficiency of the solution
Post-implementation systems and process analysis, including diagrams or descriptions of the environment
Post-implementation risk assessment
Analysis of the collected data and final output
Stakeholder impact analysis
Post-implementation and maintenance plans for the solution, including supporting resources and the results from the solution testing and revisions
Domain: Cyber Risk Management and Oversight
Organization Chart
Cybersecurity-related policies and procedures
Strategic plans
Cybersecurity job descriptions
Cybersecurity personnel qualifications
Risk assessments
Data loss prevention analysis
IT audit schedule, audit reports, correspondence and audit exception tracking
Domain: Cybersecurity Controls
Baseline security configuration standards and list of physical access controls (e.g., key cards, biometric controls, video cameras)
Vulnerability or patch management policies and procedures
Continuous monitoring strategy
List of third parties and subcontractors and Third-party employee access reviews
Contracts governing all third-party relationships and inventory of all third-party connections
Network topology/diagram
Independent reports on the service provider’s security controls
Vendor management policies and procedures
Remote access logs
Domain: Cyber Resilience
Business impact analysis
Business or corporate continuity plan
Conclusions
References
Security Problem
Adopting a Zero Trust security model, along with the mindset required to install and run a system designed in accordance with Zero Trust standards, would better prepare cybersecurity practitioners to secure sensitive data, processes, and services as business networks evolve, fragment, and become more diverse. To name just one example of the increasing complexity associated with Advanced Persistent Threats (APTs), consider the SolarWinds hack, which resulted in the compromise of more than 18,000 commercial customers, as well as the United States Government. There is little doubt that this breach is one of the most serious in modern history: an espionage effort of such scope that the consequences are still being felt months after the act took place. Threat actors were successful in infiltrating some of the most prestigious companies in the United States. If businesses adopt a Zero Trust approach, these issues can be mitigated, and the resulting damage can be contained. The Department of Defense's CISA arm recently released guidance advising businesses to begin applying a Zero Trust strategy to their information systems. This paper discusses the implementation of a Zero Trust framework in a real-world scenario. Prior to submitting this document, all confidential material was removed, and pseudonyms were used to identify the various institutions