Introducing the Zero Trust Blueprint

Posted: Monday April 21, 2025
Author: Jason Garbis

A Structured Approach for Implementing Zero Trust

Zero Trust, as a security strategy, is by its very nature broad in scope. However, enterprises also recognize that they have an imperative to rapidly deliver results even while early in their Zero Trust journeys. This is a challenge, perhaps even a paradox, and requires a structured approach to avoid wrong turns, frustration, dead ends, or analysis paralysis.

Through our extensive collaboration with enterprises implementing Zero Trust, we’ve distilled these lessons into our new Zero Trust Blueprint — a structured methodology designed to help organizations execute Zero Trust initiatives effectively and realize tangible benefits quickly.

Security as Business Enablement

A core principle of our blueprint is the recognition that (as much as it may pain us to admit it) security teams exist primarily to securely enable the business. As such, each phase of our blueprint explicitly involves business stakeholders, including application owners, data custodians, and business process leaders. And, although many Zero Trust activities are technical in nature, our roadmap process uniquely starts from a business asset perspective. These two angles ensure that teams never lose sight of this big picture (even as we dive into the Protect Surface and its associated elements), thereby tying Zero Trust to business value throughout the process.

OK, I think that’s enough background; let’s talk about the blueprint itself. Note that I’m only giving a light introduction here; for complete information, visit the blueprint web page.

The Blueprint

The blueprint is our way of bringing a method to the madness (so to speak), via a structured and thoughtful process across four phases. We found that this was needed, as so many enterprise security leaders didn’t know where to best begin their Zero Trust journey, and often dove too quickly into the vendor tool selection process.

For example, I’ve had many calls which began on the “help us choose between vendors A, B, and C” topic, but which we successfully zoomed out from to instead have a healthy conversation about the overall process. It was these kinds of in-depth discussions that ultimately led to this blueprint.

[Figure: flowchart of the four phases of the Zero Trust Blueprint (Assessment, Strategy, Roadmap, and Execution) and their key components: Readiness, Maturity, Vision, Program Definition, Business Asset Access Policies, Technology and Process Changes, Metrics and Monitoring, and Checkpoints.]

It also led us to the recognition that before any execution, it was necessary to first obtain a clear picture of the organization’s Zero Trust readiness, and its current security maturity. These two elements make up the initial Assessment phase, which is intentionally short in duration in order to establish a sense of urgency, as well as to kick off the project with a high level of energy and focus. 

(While on the topic of urgency: if you want to get started immediately, we have a free, short Zero Trust Readiness survey available online here. And if you want to learn about ZTMM+, our enhanced and extended Zero Trust Maturity Model, read more here.)

After the Assessment phase comes the Strategy phase, in which the organization describes its Vision for how Zero Trust will benefit the enterprise, and also defines the makeup and structure of its Zero Trust Program. We advise enterprises to complete these two strategy exercises quickly — ideally within two calendar weeks — in order to maintain the project’s momentum.

Next is perhaps the most important phase, which is the Roadmap phase. It’s where the actual work occurs to define intended access policies for specific protect surfaces, and map them to actual implementation activities. We designed this phase to overcome the frustration that so many enterprises have faced when trying to apply traditional IT project management roadmap planning tools and models. Simply put: these are unsuitable for modeling Zero Trust initiatives.

Gantt charts and other professional project management systems are extremely useful, but they cannot capture the interdependencies between access policies (the things we need to enforce), the capabilities required to enforce those policies, and the IT tasks necessary to obtain any missing capabilities (close the gaps) by making technology or process changes.

This is what we’ve done in our roadmap planning model — we’ve created a simple way to document and plan out exactly these steps. The resulting roadmap complements traditional IT project management, and gives enterprises a better way to see how technology and process changes lead to enforced Zero Trust access policies. 
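To make the dependency structure described above concrete, here is an added illustration in Python. It is my own toy model, not Numberline's roadmap model (whose details are on the Blueprint page): policies require capabilities, tasks provide capabilities, and the model computes which policies are enforceable now, what blocks the rest, which tasks would unblock a given policy, and a greedy sequencing of gap-closing tasks by how many policies each one unlocks. All protect surfaces, capability ids, policy names and task names are constructed sample data, not from the page.

```python
"""Toy roadmap dependency model: access policies -> capabilities -> gap-closing tasks.

Illustrative only: an assumed structure, not Numberline's roadmap model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """An access policy we intend to enforce on a protect surface."""
    name: str
    protect_surface: str
    requires: frozenset  # capability ids needed before it can be enforced


@dataclass(frozen=True)
class Task:
    """A technology or process change that delivers one or more capabilities."""
    name: str
    provides: frozenset


class Roadmap:
    def __init__(self, policies, tasks, existing_capabilities):
        self.policies = list(policies)
        self.tasks = {t.name: t for t in tasks}   # insertion order kept
        self.capabilities = set(existing_capabilities)
        self.completed = []

    def complete(self, task_name):
        """Mark a task done; its capabilities become available for enforcement."""
        self.capabilities |= self.tasks[task_name].provides
        self.completed.append(task_name)

    def gaps(self, policy):
        """Capabilities the policy needs that we do not yet have."""
        return policy.requires - self.capabilities

    def enforceable(self):
        return sorted(p.name for p in self.policies if not self.gaps(p))

    def blocked(self):
        return {p.name: sorted(self.gaps(p)) for p in self.policies if self.gaps(p)}

    def unblocking_tasks(self, policy):
        """Pending tasks that close at least one of the policy's gaps."""
        missing = self.gaps(policy)
        return sorted(t.name for t in self.tasks.values()
                      if t.name not in self.completed and t.provides & missing)

    def _newly_enforceable(self, task):
        """Policies that become enforceable if this task alone is completed."""
        caps = self.capabilities | task.provides
        return sorted(p.name for p in self.policies if self.gaps(p) and p.requires <= caps)

    def next_task(self):
        """Greedy choice: the pending task whose completion enforces the most policies.

        Ties resolve to the earliest-defined task, so the result is deterministic.
        """
        pending = [t for n, t in self.tasks.items() if n not in self.completed]
        if not pending:
            return None
        return max(pending, key=lambda t: len(self._newly_enforceable(t))).name

    def plan(self):
        """Sequence every pending task greedily; returns [(task, policies unlocked)].

        Works on a copy so the live roadmap state is untouched.
        """
        sim = Roadmap(self.policies, self.tasks.values(), self.capabilities)
        sim.completed = list(self.completed)
        steps = []
        while (name := sim.next_task()) is not None:
            unlocked = sim._newly_enforceable(sim.tasks[name])
            sim.complete(name)
            steps.append((name, unlocked))
        return steps


# Constructed sample data for a fictional enterprise (not from the page).
POLICIES = [
    Policy("workforce-saas-mfa", "SaaS suite", frozenset({"mfa"})),
    Policy("hr-payroll-managed-device", "Payroll app", frozenset({"mfa", "device-posture"})),
    Policy("contractor-ticketing-via-gateway", "Ticketing", frozenset({"mfa", "app-segmentation"})),
    Policy("finance-erp-via-gateway", "ERP", frozenset({"app-segmentation"})),
    Policy("billing-only-customer-db", "Customer DB",
           frozenset({"app-segmentation", "data-classification"})),
]
TASKS = [
    Task("Deploy device posture signal", frozenset({"device-posture"})),
    Task("Deploy app-segmentation gateway", frozenset({"app-segmentation"})),
    Task("Classify and tag customer data", frozenset({"data-classification"})),
]
EXISTING = {"mfa"}  # assumed: MFA is already rolled out


if __name__ == "__main__":
    rm = Roadmap(POLICIES, TASKS, EXISTING)
    print("enforceable now:", rm.enforceable())
    print("blocked:", rm.blocked())
    for task, unlocked in rm.plan():
        print(f"{task!r} -> enforces {unlocked}")
```

The point of the model is the reverse lookup a Gantt chart cannot give you: starting from a policy you want enforced, it tells you which capabilities are missing and which pending tasks would close those gaps, and the greedy plan orders tasks by enforced policies rather than by calendar. The greedy choice is a heuristic; a task that unlocks nothing on its own (here, data classification) is still needed for a policy that depends on two capabilities at once.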

(For a complete description of the roadmap model, see the Blueprint web page)

Finally, the Execution phase is where enterprises measure and monitor their progress, utilizing metrics defined throughout this process. It should also involve periodic checkpoints to validate progress, refine the strategy and roadmap as needed, and ensure the metrics and measurements remain sound.

Thanks for reading — there’s a lot to talk about within this roadmap, and it’s going to be the organizing principle for many of our conversations and future blog posts. We look forward to engaging with you about it — to learn more, visit our Blueprint page, or sign up for your personalized Zero Trust Blueprint briefing here.

Watch our Zero Trust Blueprint webcast replay here.

Discover more from Numberline Security
