What's Your Zero Trust strategy?

I’ve been following the Zero Trust movement for about a year and Solarwinds has pushed it to the foreground. There is some sales bull-:poop: around it but some decent content from:


More importantly, the NSA is saying:

NSA strongly recommends that a Zero Trust security model be considered for critical networks to include National Security Systems (NSS), Department of Defense (DoD) networks, and Defense Industrial Base (DIB) systems.

So it’s just a matter of time before the contractors are going to need to comply so better start now…

1 Like

We are in process of building a security program from the ground up based on the NIST Cybersecurity Framework. Our other regulatory obligations include PCI, HIPAA, and GDPR to a small degree. So the challenge before us is designing a robust security program that works for a very small company (27 people) but covers all the bases needed. Additionally, because the NIST CSF doesn’t tie into HIPAA 1:1, considerations needed to be made for policies and procedures to support that. The third hard thing is that I don’t have unlimited budget, a CISO, or basically any guidance from above me. To append the skill set, I’ve consulted with both our legal team and outside security experts to work on this plan.

The first thing we did was undergo a security and risk assessment against the NIST CSF for critical infrastructure. This gave us a good idea of how the sensitive data flows through the systems and what controls we already have in place. Based on the results, it gave us a good idea of what areas to focus on first.

Next, I am leading an awareness and training campaign for the human firewall, as this is one of the most common breach vectors. Not only is this a good idea, it’s also a requirement for HIPAA and PCI I believe.

In tandem, I am building a Key Policy statement that employees will attest to annually, which states the companies stance on a very broad scope of technology usage and data security.
Under the key policy, I am building individual policies that fit within each category identified in the NIST CSF Functional areas. After that, I will build out Standards based on the sub-categories, and finally will create Standard Operating Procedures to support each Standard.

I’ll probably have some HIPAA specific polices that reference the NIST policies, but I figured this is a good place to start.
At the end of this, I will have built a security program for the company that is ready to audit and expansion, versus random controls and scattered/undocumented ways of securing the environment.

Gut instinct as a “doer” is to throw controls in place, especially ones that are best practice. I’ve found this to be a balancing act, and showing restraint on my approach is unnatural. Of course, there are things that should be in place (endpoint protection, MFA where available, encryption), but it is best if these can be identified, documented, and place in support of a specific policy of policies.

You’re probably looking for more of a tactical answer, which I was too when I started this project, but it has opened my eyes as to how more mature organizations should handle this particular topic and be ready for the future.


Oh, I have tactical thoughts and, as you might have guessed, I’m leaning on cloud capabilities that are easier to implement there - micro-segmentation being the primary reason. If my ERP system is not in my domain and only available from https then I have made it difficult for a on prem breach to move laterally to attack it. The same is true for EDI-like workflows. If I keep the transactions off the local network so that the only communication is via REST calls with least-privilege access to ERP then I’m protecting the customer transactions from local trouble too. This also addresses one of the premises of Zero Trust: assume breach.