Jason Garbis - Zero Trust Security: An Enterprise Guide

Zero Trust wasnt born out of a need to sell another security control or solution. It was born from a desire to solve a real enterprise issueZero Trust is focused on simplicity and the reality of how things are now.

Dr. Chase Cunningham, aka Dr. Zero Trust

I have been waiting for this book for over two decades and am delighted to introduce its arrival.

Well before the Jericho Forums bold 2004 declaration of a new security strategy featuring de-perimeterization, many of us in the national security community had come to the realization that the perimeter security model was no longer a viable security strategy for Internet-connected systems and enterprises. The unsatiable thirst to connect everything to the Internet, the rising cost and complexity of the layers of security tools, and the rapid pace of technological change were fracturing the perimeter security model around us. Our defense-in-depth security perimeter was a dike springing too many leaks for us to keep up with in any meaningful or fiscally responsible manner. The Jericho Forums work pointed in a different direction, giving many of us a new hope.

Sadly, like Grand Moff Tarkin on the Death Star, many security professionals and pundits had grown comfortable with the status quo and scoffed at the notion that a new approach to securing modern enterprises was needed. One security commentator went so far as to say the Jericho Forum missed the mark and derisively forecast that its work would likely end up on the scrap heap of unrealized ideas and wasted effort. I hope that he reads this book with a tinge of guilt and regret.

The work of the Jericho Forum did not go for naught, but it did not yield fruit right away either. After a little more than 5 years from the introduction of the de-perimeterization concept, John Kindervag, then an analyst at Forrester Research, in 2010 coined the phrase Zero Trust to describe the security model that organizations should not automatically trust anything outside or inside their perimeters, and instead must verify everything and anything before connecting them to their systems and granting access to their data.

For those of us in the military, Zero Trust was not a revolutionary security model. We had been practicing it with physical security throughout our careers. For example, every person was greeted by security personnel at the gates and had to produce proper identity credentials before being given access to the base. We practiced segmentation with protection zones around what were called priority A, B, and C resources. The flight line areas were the home of priority A assets and had tightly controlled access with armed guards. Role-based entry was tightly controlled and use of deadly force authorized against those who broke the red line. As a lieutenant, I had to go through four levels of security before I could even get into my office. Security was ingrained in our culture, our processes, and our expectations.

Sadly, as my generation incrementally built out the Department of Defense Information Networks, while we followed a Zero Trust physical security model to protect our most valued facilities and weapons systems, the technology to implement a Zero Trust security model to protect our increasingly valuable and Internet-connected digital assets was lacking. Commercially available tools were exquisitely complex and expensive. For example, we had to contract with one noted vendor to create an academy just to train our already highly skilled workforce to properly use their complex networking products. Costs continued to soar as we continued our march to digitize every function we could, yet the security perimeter dike around us continued springing leaks. By the time I retired from federal service as the Chief Information Security Officer of the US government, I had come to the conclusion that the Zero Trust security strategy was our only hope to secure our digital ecosystem.

The COVID-19 pandemic spurred a massive pivot from traditional office environments to a work-from-home model that has accelerated the long-anticipated move to the Zero Trust security strategy. The illusion of the security perimeter has been shattered by massive mobility, cloud computing, Software-as-a-Service, and unparalleled Bring-Your-Own-Device implementation as organizations everywhere pivoted from traditional enterprise environments to todays modern digital reality. Todays reality is that the traditional network security perimeter is dead; there is no outside or inside anymore.

Sadly, many people and organizations, including that naysayer who scoffed at the Jericho Forums vision, have jumped on the Zero Trust bandwagon. Many declare allegiance to Zero Trust yet dont know what it really is or how to practice it. Organizations whose legacy networking gear and methodologies have proven exceedingly complex and vulnerable have their marketing teams miraculously declare their vulnerable capabilities to be Zero Trust. Despite the great Zero Trust research conducted by Forresters Dr. Chase Cunningham and Gartners Neil MacDonald, until this book, there wasnt a practical definitive guide to Zero Trust.