Zero Trust Blueprint

Zero Trust is widely understood to be a modern and effective security strategy, which encapsulates our industry’s best practices. It overcomes the many weaknesses of traditional enterprise security architectures, and provides demonstrably better security. This has resulted in an exciting and significant shift in the information security industry, towards adopting and promoting Zero Trust. In fact, it’s now largely acknowledged that the Zero Trust approach to security is a necessary and urgent imperative.

However, many enterprise security leaders struggle to turn this strategy into a concrete and practical Zero Trust initiative — one which achieves strategic goals and delivers substantive value to the business. Without proper guidance and structure, enterprises risk having Zero Trust initiatives fail to obtain appropriate support from the business, and fall short of their potential, leaving the business at continued risk of breach.

As security industry leaders—we literally wrote the book on Zero Trust for the enterprise—we’ve developed a proven blueprint for success with Zero Trust. This blueprint is based on our real-world experience helping dozens of enterprises successfully define and execute Zero Trust strategies.

Our blueprint provides a simple, structured approach across four clear phases, as shown in the diagram below. For each phase, we’ve developed simple tools, processes, and templates, embodying our practical approach with a bias toward rapidly delivering value to the business.

The Zero Trust Blueprint

By following this blueprint, our enterprise customers can ensure that they obtain a sufficient level of support (and even excitement) from the business, and can quickly and reliably deliver results. Each phase is designed with specific goals in mind, with its outputs serving as inputs into the next phase.

Assessment Phase

This initial phase provides your enterprise with a clear picture of its current state from both organizational and functional perspectives, as well as guidance on how to design your best path forward. With this as your starting point, you’ll identify areas of strength and weakness, available resources (including people’s time, attention, budget, and priorities), and potential challenges.

The Organizational Readiness assessment — which can be delivered as part of a larger consulting engagement, or via our free online survey — evaluates three aspects of your current state: its level of commitment to Zero Trust, the anticipated level of formality for your Zero Trust program, and an enumeration of the business initiatives that your Zero Trust program can support. Each of these will impact your Zero Trust program in specific ways.

The Zero Trust Maturity Assessment leverages our unique maturity model, ZTMM+. Based on our extensive experience evaluating Zero Trust maturity across many private-sector and public-sector enterprises, we created an enhanced and extended version of the CISA Zero Trust Maturity Model. ZTMM+ provides more detailed definitions of pillar functions, clarifies maturity levels, and adds new functions to address evolving enterprise needs. It also offers a structured methodology for conducting maturity assessments, providing organizations with a repeatable and consistent approach to evaluate their Zero Trust progress.

Note that this phase is intended to be completed in a short period of time; our structured methodology is designed for completion within two calendar weeks. This ensures an appropriate sense of urgency, and avoids getting bogged down in unnecessary detail.

Strategy Phase

After completing the Assessment phase, our blueprint takes enterprises through the creation of a focused Zero Trust initiative vision and a program definition. Like the previous phase, this one is also intended to be completed within two calendar weeks, and is centered on the creation of two short deliverables: the Vision document and the Zero Trust Program Definition.

The vision document is intended to serve as a “north star” reference, to set direction and to validate decisions, investments, and projects. It provides a way to ensure that each project or decision is aligned with the overall strategy. It’s also written to be accessible and understandable by a broad audience within the enterprise. As a short and non-technical document, it succinctly explains why and how the organization is adopting Zero Trust, including its goals, expected outcomes, and benefits. Taking the time to create this in structured, written form using our template ensures that security leaders and stakeholders discuss, debate, and clearly articulate these aspects of their intended Zero Trust initiative.

The other outcome of the strategy phase is a Program Definition document, which describes the makeup, structure, and operating cadence of the Zero Trust initiative’s Steering Committee (sometimes called a Program Council or a Governance Board). This group of people provides overall leadership for the enterprise’s Zero Trust initiative, typically including the definition and communication of higher-level goals, metrics, and resource planning. Following our guidance, organizations can be confident that their Steering Committee will be well-formed, and have clear tasks and goals.

Roadmap Phase

Traditional IT project management planning models are poorly suited to Zero Trust, and often cause a great deal of frustration. Of course, project management, resource planning, and Gantt charts are necessary. But Zero Trust’s holistic nature demands a better and more accurate view of the dependencies between enforced access policies — which are how we actually deliver improved security — and the underlying technologies and processes that provide the capabilities used within those access policies.

It’s this linkage that has been missing in our industry, and closing this gap is at the heart of our Roadmap phase. This novel roadmap methodology is based on our work with many enterprises throughout their Zero Trust journeys, and we’ll introduce this process here (contact us for an in-depth briefing).

We approach this by enumerating business assets and their constituent protect surfaces, and then identifying the transaction flows, which are the ways by which users (as well as non-person entities) access each of these systems. Then, we define the access policies which are intended to be deployed across the enterprise’s Zero Trust policy enforcement points.

These access policies are where Zero Trust systems enable enterprises to use an identity and context-aware language to describe the who, what, where, when, and how of permitted access. So far, so good. However, the key next step is the realization that not all access policies are ready to be enabled. Our model uniquely recognizes that in order to execute on any given policy in its roadmap, the enterprise must possess a required set of capabilities. 

To give one simple example, consider an access policy that requires the enforcement of step-up authentication prior to permitting user access to a given resource. Clearly, in order to activate this policy, the enterprise must be able to trigger this authentication prompt, and they may or may not currently possess this capability. This brings us to the recognition that there are actually two related roadmaps in any Zero Trust initiative, as shown below.

First, we have an Access Policy Roadmap, which is where the organization maps out and schedules the activation of access policies — that is, when they begin to be enforced. This roadmap is only useful for those access policies that utilize fully available capabilities in the enterprise’s IT and security ecosystem.

It’s important to realize that there will be policies that cannot yet be activated, because they require capabilities that don’t yet exist or are too immature. And, therefore, the enterprise needs to create a parallel roadmap to plan out and execute on the technology and process changes that are necessary to obtain the required capabilities. Only then can those access policies be enabled.
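The two-roadmap split described above can be modelled directly: each access policy declares the capabilities (and the minimum maturity of each) it needs, and the enterprise's current capability inventory decides which policies can be activated now and which must wait. The following is an added example written for this page; it is not Numberline's tooling, and the capability names, the 0 to 4 maturity scale, and the sample policies are all constructed for illustration rather than taken from ZTMM+. Beyond the page's single step-up authentication case, it also ranks the capability work by how many blocked policies each capability would unblock, which is one reasonable way to prioritise the parallel capability roadmap.

```python
"""Partition Zero Trust access policies into an Access Policy Roadmap (activatable now)
and a Capability Roadmap (technology/process work that unblocks the rest).
Added example; capability names, maturity scale and policies are constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class AccessPolicy:
    name: str
    # capability name -> minimum maturity level (constructed 0..4 scale; 0 = absent)
    requires: dict


# Constructed inventory of what the enterprise can do today.
CAPABILITIES = {
    "identity_provider": 3,
    "step_up_auth": 0,          # the page's example: no way to trigger a step-up prompt yet
    "device_posture": 1,
    "network_segmentation": 2,
    "data_classification": 0,
}

# Constructed access policies, each stating the capabilities it depends on.
POLICIES = [
    AccessPolicy("Contractors reach the ticketing app only via SSO",
                 {"identity_provider": 2}),
    AccessPolicy("Step-up auth before payroll access",
                 {"identity_provider": 2, "step_up_auth": 2}),
    AccessPolicy("Only compliant devices may reach HR records",
                 {"device_posture": 2}),
    AccessPolicy("Admin jumphost reachable only from the segmented admin subnet",
                 {"network_segmentation": 2, "device_posture": 2}),
    AccessPolicy("Label-based sharing limits for confidential documents",
                 {"data_classification": 2, "step_up_auth": 1}),
]


def capability_gaps(policy, capabilities):
    """Return {capability: level_needed} for every requirement the enterprise does not yet meet.
    A capability missing from the inventory counts as maturity 0."""
    return {cap: level for cap, level in policy.requires.items()
            if capabilities.get(cap, 0) < level}


def build_roadmaps(policies, capabilities):
    """Return (access_roadmap, blocked, capability_roadmap).

    access_roadmap:     policy names whose required capabilities are all available now.
    blocked:            policy name -> its capability gaps.
    capability_roadmap: list of (capability, target_level, policies_unblocked),
                        sorted so the work that unblocks the most policies comes first.
    """
    access_roadmap, blocked = [], {}
    for policy in policies:
        gaps = capability_gaps(policy, capabilities)
        if gaps:
            blocked[policy.name] = gaps
        else:
            access_roadmap.append(policy.name)

    unlocks, target = Counter(), {}
    for gaps in blocked.values():
        for cap, level in gaps.items():
            unlocks[cap] += 1
            # The capability must reach the highest level any blocked policy asks for.
            target[cap] = max(target.get(cap, 0), level)

    ordered = sorted(target, key=lambda c: (-unlocks[c], c))
    return access_roadmap, blocked, [(c, target[c], unlocks[c]) for c in ordered]


if __name__ == "__main__":
    access, blocked, cap_road = build_roadmaps(POLICIES, CAPABILITIES)
    print("Access Policy Roadmap (activate now):")
    for name in access:
        print("  -", name)
    print("Blocked policies and their gaps:")
    for name, gaps in blocked.items():
        print("  -", name, "->", gaps)
    print("Capability Roadmap (capability, target level, policies unblocked):")
    for row in cap_road:
        print("  -", row)
```

Re-running `build_roadmaps` with an updated inventory (for example after device posture reaches level 2) shows the linkage the page describes: the policies that depended on that capability move from the blocked set onto the Access Policy Roadmap without any change to the policies themselves.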

Execution Phase

Finally, the execution phase is where enterprises perform the hard work of acting on these roadmaps: deploying any necessary technology and process changes, and enabling the enforcement of these access policies. We don’t impose any particular execution or project management model on enterprises; instead, we work with the security team to identify an appropriate set of metrics and monitoring processes, designed to measure and highlight the anticipated security and business impacts of their initiative.

We also recommend that enterprises plan for a series of regular checkpoint sessions, to ensure that their Zero Trust initiative remains on track at both strategic and tactical levels. Strategically, these checkpoints ensure that the organization is on an effective pathway toward realizing its stated vision, and open the discussion to any necessary course corrections. Tactically, the checkpoints validate the measured progress as denoted by metrics, and likewise make any necessary adjustments.

Learn More

View our launch webcast replay here.

To find out more about Numberline’s Zero Trust Blueprint, and about how it can deliver concrete results for your organization, contact us for a free 30-minute briefing.

Download the Zero Trust Blueprint datasheet here.

And, if you want to get started, take the 5-minute Organizational Readiness survey and immediately receive your customized report via email.