Zero Trust and Data Security
Uma Arjunan, Director - Ford Motor Company
Sierra Robinson, Deputy Program Manager – Leidos Inc
Autumn Leake, Chief Engineer – Naval Air Systems Command
What is Zero Trust and why is it important in today's cybersecurity landscape?
Definition:
“A collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised…”
– NIST SP 800-207
Goal:
Prevent unauthorized access to data and services, coupled with making access control enforcement dynamic and as granular as possible for each data/resource request and session.
Tenets/Principles:
• Assume a hostile environment: never trust, always verify
• Grant appropriate user resource access on a per-session basis
• Rigorously perform authentication and authorization enforcement
• Use explicit permissions, determined by policy and dynamic attributes
• All communications must be secured regardless of network location
• Apply unified operations and analytics
– NIST, CISA, GSA, and DoD consolidation
Connectivity is increasing the attack surface
Always connected, quick time to value, and collaborative needs are pushing security controls to the limit.
01 Drivers: Digital transformation; Bring your own device; Work from anywhere; Fast Collaboration; Pace
02 Pain points: Flat network; All or nothing access; Lateral movement; Insider threat; Rigid access
03 Value: Brand Protection; User Experience; Consistency & Accuracy; Secure Cloud Delivery; Secure Delivery
A Single Defensive Line Does Not Flex
[Diagram: Servers, Applications, Services/APIs, Platforms, Devices, Data, Cloud Providers, Vehicle Manufacturing, labelled “Once inside, assets are at risk”; user types CSR, JV, Consultant, Employee, labelled “Risk is exponential given connectivity”.]
What’s wrong with this approach?
• Relying on the network as our primary access control creates a false sense of security
• Once into our network we allow open access and rely on application teams to implement security controls
• We route all traffic through VPNs, which is an antiquated approach with a poor user experience
• New collaborative needs require our security controls to know why users are granted access
How does Zero Trust differ from traditional network security models?
Evolution: Castle & Moat → “Defense in Depth” → Zero Trust Architecture Implementation
Timeline, 2020 to 2024:
• 2020: NIST Zero Trust Architecture (SP 800-207)
• 2021: EO 14028; DoD ZT RA; Draft CISA ZT MM
• 2022: OMB M-22-09
Zero Trust Reference Model
Zero trust is focused on Identity, Device, Network/Environment, Application Workloads, and Data, which can be achieved through maintaining Visibility and Analytics, Automation and Orchestration, and Governance.
Pillars of Zero Trust by CISA
Identity: Includes an attribute that uniquely describes an org, user, or entity. Organizations must ensure that the right users have the right access to the right resources at the right time.
Device: Refers to any device that connects to the network. This includes IoT devices, laptops, phones, and servers. Organizations must ensure that unauthorized devices cannot access network resources.
Network/Environment: Involves encryption, threat identification and mitigation, and the network’s logical configuration. Organizations are advised to segment and control networks to direct internal/external data flows.
Application Workload: Comprises computer programs, systems, and services that execute on-premises and in a cloud environment. Focuses on container management to achieve secure application delivery.
Data: Involves the data that needs to be protected on devices, applications, and networks. Encourages organizations to categorize, label, and protect data at rest and in transit.
Provided by KPMG US Market Intelligence. Source(s): CISA; Forrester.
Are there any industry standards or frameworks that provide guidelines for implementing Zero Trust?
Zero Trust Strategy
The model uses three key principles:
- Assume Nothing (Never trust)
- Check Everything (Always verify)
- Limit Access (Least Privilege)
We will grant access based on:
- Identity (Users, Devices and Apps)
- Devices (Laptops, Servers, Mobile devices)
- Connectivity (Network, Cloud, etc.)
- Services and Workloads (Apps, Platforms, Microservices, etc.)
- Information (Data, Encryption, Classification, etc.)
And enhance:
- Enterprise Security Architecture
- Risk management
- Cyber Governance
- Cyber Engineering, Resilience and Recovery
- Cyber Culture, awareness and training
[Diagram: Zero Trust Operating Model. Capabilities shown: Threat protection, Classification, Backup, Encryption, DLP, Identity Lifecycle Mgmt., Governance & Admin, PAM, Data & Apps., Cloud, EDR, SaaS, Device Health, Location, App. Lifecycle, IoT & OT, SDLC, Visibility & Analytics, Encryption, Segmented.]
Moving away from a one-time challenge granted through VPN technology to continually evaluating a user’s needs and the devices they are using, and only granting access based on an actual need, will reduce risk, provide scalability, and simplify our security services. This is a layered security approach that is connected and continually aware.
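The per-request decision the strategy describes, as an added example that is not code from the deck or its authors: every request is scored against identity, device, connectivity and information signals with explicit permissions and default deny, so a signal that degrades mid-session (device posture, MFA age) flips the answer instead of being trusted from a one-time VPN login. All roles, resources, signal names and thresholds are constructed assumptions.

```python
"""Per-request Zero Trust policy decision (added illustration, not the deck's code)."""
from dataclasses import dataclass, replace
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    roles: FrozenSet[str]        # identity signal: roles bound to the user
    mfa_age_min: Optional[int]   # identity signal: minutes since last MFA, None = never
    device_managed: bool         # device signal: enrolled in endpoint management
    device_healthy: bool         # device signal: EDR reports compliant posture
    network: str                 # connectivity signal: "corp", "vpn" or "internet"
    encrypted: bool              # connectivity signal: request arrived over TLS
    resource: str                # service/workload being requested
    classification: str          # information signal: "public", "internal", "confidential"


# Explicit permissions (assumed): role -> resources it may use. Unlisted = denied.
PERMISSIONS = {
    "engineer": frozenset({"design-repo", "build-server"}),
    "consultant": frozenset({"design-repo"}),
    "csr": frozenset({"ticketing"}),
}

# Data classification drives how fresh the MFA signal must be (None = not required).
MAX_MFA_AGE_MIN = {"public": None, "internal": 720, "confidential": 60}


def decide(req: Request) -> Tuple[str, str]:
    """Evaluate one request. Returns ("ALLOW" | "DENY", reason).

    Called on every request, not once at login, so a change in any signal
    changes the answer for the next request in the same session.
    """
    allowed = frozenset().union(*(PERMISSIONS.get(r, frozenset()) for r in req.roles))
    if req.resource not in allowed:
        return "DENY", f"no explicit permission for {req.resource}"
    # Secure every path regardless of location: the corporate network gets no exemption.
    if not req.encrypted:
        return "DENY", f"unencrypted request from {req.network} network"
    if req.classification != "public":
        if not req.device_managed:
            return "DENY", "unmanaged device cannot reach non-public data"
        if not req.device_healthy:
            return "DENY", "device posture non-compliant"
    limit = MAX_MFA_AGE_MIN[req.classification]
    if limit is not None and (req.mfa_age_min is None or req.mfa_age_min > limit):
        return "DENY", f"MFA older than {limit} min for {req.classification} data"
    return "ALLOW", "identity, device, connectivity and data checks passed"


if __name__ == "__main__":
    # Constructed sample session: same user, second request after the device fails posture.
    first = Request("alice", frozenset({"engineer"}), 10, True, True,
                    "corp", True, "design-repo", "confidential")
    print(decide(first))                                   # ALLOW
    print(decide(replace(first, device_healthy=False)))    # DENY on the next request
```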
What are the key principles or tenets of a Zero Trust security framework?
How can organizations implement a zero-trust data security framework?
What happens if we don’t execute zero trust now?
Outcomes: Limited Secure Technology Vision; Perception of Inadequate Security Capabilities; Inability to Scale Security
• Flexibility to support our operating companies/affiliates is burdensome
• Security of new collaboration is basic, not advanced
• User experience is adversely impacted
• Role and responsibility ambiguity will create issues
• No defined ZT service taxonomy implies limited capabilities
• Affiliates will implement their own capabilities
• Service overlap and tool sprawl will occur
• Pillar teams continue to implement based on their interpretation of ZT
• No context is shared between capabilities, when ZT effectiveness implies sharing signals
• Under-developed capabilities or service basics will limit progress toward automation, visibility and orchestration
Any incident response finding will ask why this was not done. Any potential security issue could be tied back to basic zero-trust defense hygiene or deterrents.
What challenges should one expect when implementing Zero Trust within their organization? Can any of them be avoided?
Zero Trust Center For Enablement
Assets
Focused on the development of assets with practical examples of solution patterns, solution accelerators and leading practices.
Key activities include the development of the following artefacts:
• Architecture template(s)
• Roadmap and Strategy template(s)
• Blueprint and technical designs
• POC assessments and reports
• Principles
Community
Focused on the development of a collaborative community and self-service ways of working, evangelizing the contribution, publication and promotion of reusable assets.
Key activities include the setting up and governance of the following:
• Steering committee
• Zero Trust Community of Interest
• Blogs / Monthly newsletters
• ZT Internal publications
• Monthly Roundup
Cyber Aware
Building and fostering an “Open, Collaborative and Security-focused” mindset through consistent messaging, community awareness and support via Zero Trust champions and regular training.
Key activities include the following:
• Nomination of Zero Trust champions
• Creation of an organization Zero Trust microsite
• Development of training packs and cheat sheets, including self-paced online trainings
• Roadshow and Brownbag (Internal and Vendor)
• Vendor trainings and certifications
• Training rollout / roadmap
Success
Measure success against awareness vs. security incidents, consumption of assets and how it accelerates the delivery of secure projects.
Key activities include the following:
• Adaptive cybersecurity awareness: progress review sessions
• Project support, success measurement and Programme success/wins
• Track metrics such as:
  • ZT as primary driver
  • ZT as business enabler
• Monitor and measure risk reduction by increasing control effectiveness
Establishing a Centre for Enablement will enable an organisation to build reusable assets, leverage leading practices, develop self-services, establish a ZT community and implement new ZT solutions faster.
How would you enable Zero Trust in your organization?
Template Zero Trust Organizational Structure
Business Leadership. Objective:
1. Ensure business buy-in and sponsorship for the Zero Trust strategy and programme
Steering committee. Objective:
1. Act as an escalation point for any execution challenges
2. Provide oversight on outcomes and alignment with business objectives
Zero Trust community. Objective:
1. Provides access to a global pool of Zero Trust SMEs within organisations
2. Provides a safe forum for exchange of ideas and approaches around implementing Zero Trust
3. Provides and manages a central repository for artefacts and other documentation
4. Develops the relevant artefacts – ref. architecture, blueprints, patterns, deployment guides, etc.
5. Informs and involves operations (DevSecOps model) on changes as well as gains feedback for continuous improvement of services
Stakeholders (Enterprise Business; Cyber security; Operations and Users). Activities:
• Review and align operational capabilities with output from Zero Trust projects
• Ensure ownership at C-Level
• Create a Zero Trust steering committee and Community of Interest
• Review and align existing business objectives with IT and Cyber security strategies
• Determine the top high level business risks and align with assets/data value
• Review the current risk tolerance / appetite and outline the impact of embedding a Zero Trust approach to the appetite
• Evaluate current security architecture, design principles and control methodology to identify uplift requirements based on Zero Trust principles
• Review and align cybersecurity for users and leadership to promote awareness of Zero Trust approach
Development, Delivery & Implementation: IT/Security architects & Technical Managers; IT & Security Operations; Technical Governance and Leadership (IT, Cyber, EA & SA, DevSecOps)
Template Zero Trust Governance Model
Responsibility: Business and Security Integration; Implementation; Technical Planning; Architecture, Principles and Standards; Operations
Artefacts and alignment: IT & Cyber Strategy, Programs, and KPIs; Business objectives; Zero Trust model & framework; Zero Trust Reference Architecture (ZTRA); ZT Blueprints & Patterns; Vendor/Product Docs; Industry Leading practices and Benchmarks; Ref. Architecture / HLD / LLD (Workload Owners); Zero Trust Strategy & roadmap; ITSM documentation; Service & Ops manual
Groups: Business Leadership; Steering committee; Stakeholders; Zero Trust community; Development, Delivery & Implementation (IT/Security architects & Technical Managers; IT & Security Operations; Technical Governance and Leadership: IT, Cyber, EA & SA, DevSecOps)
