J**N
An Excellent Resource for Novice Cybersecurity Practitioners
If you are a cybersecurity novice confused about zero trust and zero trust architecture (ZTA), then Zero Trust Security – An Enterprise Guide by Jason Garbis and Jerry W. Chapman is the book for you.

Overall, I am struck by how much zero trust is nothing more than security practices that we should have been doing all along within our information technology (IT) environments. The common explanation that zero trust eliminates the perimeter defense security model is oversimplified. Zero trust redefines implicit trust zones, but that does not mean you discard your current firewalls or abandon security on your border routers. Deny-all / permit-by-exception (DAPE) for ports, protocols, and service management (PPSM) is still a valid part of defense in depth. Yes, there are new technologies to consider within the ZTA, such as new generation firewalls (NGFW), and new concepts to explore, such as policy enforcement points (PEP) and policy decision points (PDP). Cloud computing offers novel opportunities (as well as unique challenges) to introduce a new security architecture. But the confidentiality, integrity and availability security triad is still relevant, and practices that everyone should be doing now, such as multifactor authentication and least privilege access, are cornerstones of zero trust security.

On the other hand, there is one technology that the authors warn against, and that is virtual private networks (VPN). They emphasize that VPNs are a remote access solution, and were never meant to be considered a security solution. While the authors explain – throughout their book – that zero trust can and should be introduced into an IT environment incrementally and carefully, they beseech the reader to start by replacing their VPN architecture.

Here is a synopsis of what awaits you inside this book:

Chapter 2 – What is Zero Trust?: The authors retrace the history of zero trust from the term’s conception in 2010, through early adoption by organizations such as Google, and up to the definitions prescribed by the National Institute of Standards and Technology (NIST).

Chapter 3 – Zero Trust Architecture: As you plan this new security architecture, focus on how and where to deploy PEPs and PDPs.

Chapter 4 – Zero Trust in Practice: The authors acknowledge that most organizations will implement zero trust through commercially available solutions. They explain how to evaluate these solutions before making decisions.

Chapter 5 – Identity and Access Management: Before you can allow users access to resources within a ZTA, you must confirm the identity of the user and confirm the user’s authorization. This concept is crucial to zero trust security, and authorization changes over time and depending on circumstances, known as the identity lifecycle.

Chapter 6 – Network Infrastructure: The authors reiterate that some components of your network infrastructure will need to be replaced, while others will need to be modified to adapt to zero trust security. This process can be incremental and should not cause grave disruption to services provided within your network infrastructure.

Chapter 7 – Network Access Control: The 802.1x-based network access control (NAC) protocol is not suitable for a true zero trust solution. The authors explain why and how to proceed to NAC solutions that are suitable.

Chapter 8 – Intrusion Detection and Prevention Systems: These devices still play a vital role in zero trust security, potentially as policy enforcement points.

Chapter 9 – Virtual Private Networks: Within the ZTA, there should be no such thing as remote access, just access. Virtual private networks must go!

Chapter 10 – Next-Generation Firewalls: The authors foresee next-generation firewall (NGFW) vendors adding more and more zero trust capability to their products. Be on the lookout for the best solution for your network infrastructure.

Chapter 11 – Security Operations: In a successful ZTA, Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) tools will provide the critical role of bringing together security solutions across your network infrastructure as part of security operations.

Chapter 12 – Privileged Access Management: Current privileged access management (PAM) solutions are no substitute for zero trust security, but can be integrated into a zero-trust solution to enhance both capabilities.

Chapter 13 – Data Protection: Data is a special resource that must be protected through data lifecycle management and data governance.

Chapter 14 – Infrastructure and Platform as a Service: When your network infrastructure resides within a cloud service provider (CSP) as either infrastructure as a service (IaaS) or platform as a service (PaaS), there is a shared security model that must be considered when implementing zero trust solutions.

Chapter 15 – Software as a Service: The authors consider software as a service (SaaS) to be “an interesting and dynamic space to watch”, especially with regards to zero trust-aware SaaS applications that provide not only identity, authentication, and access services, but authorization services as well. This is one area where the authors anticipate the SaaS providers themselves lead the way.

Chapter 16 – IoT Devices and “Things”: Welcome to the 21st century, where the Internet of Things (IoT) is a thing! The carelessness with which these devices have been strewn all over many network infrastructures makes them a particularly challenging problem to secure properly at all, much less within a holistic ZTA. But the authors still think you should try.

Chapter 17 – A Zero Trust Policy Model: The authors examine the logical components of zero trust policies (subject criteria, actions, targets, and conditions) from a deployment and flow perspective within several policy scenarios to see how internal and external mechanisms provide contextual information with which to make access decisions. This chapter is important but one of the more difficult ones to follow. You will need to read it several times.

Chapter 18 – Zero Trust Scenarios: This is where the rubber meets the road. The authors take everything they discussed from the previous chapters to describe and analyze seven different scenarios for applying zero trust within an IT enterprise. Another chapter to read and reread again and again.

Chapter 19 – Making Zero Trust Successful: The authors realize that understanding chapter 18 is like swallowing an elephant whole; so, in this chapter they describe top-down and bottom-up approaches to initiating the implementation and deployment of zero trust products and solutions within your IT enterprise. Enjoy!
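The review above mentions the book's policy model (subject criteria, actions, targets, conditions) and the PEP/PDP split with deny-all / permit-by-exception. The following is an added illustration of those ideas, not code from the book or its authors: a toy policy decision point that permits only on an explicit policy match and otherwise denies, with conditions (MFA, device compliance, time of day) standing in for the contextual signals the policy model draws on. All names, fields and policies are hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical access request handed to the PDP by a PEP.
@dataclass
class Request:
    subject: dict   # e.g. {"groups": {"finance"}, "mfa": True, "device_compliant": True}
    action: str     # e.g. "read"
    target: str     # e.g. "payroll-db"
    context: dict = field(default_factory=dict)  # e.g. {"hour": 14}

# A policy binds subject criteria, permitted actions, covered targets and
# conditions; every part must match for the policy to permit.
@dataclass
class Policy:
    name: str
    subject_groups: set   # subject criteria: any of these groups qualifies
    actions: set          # permitted actions
    targets: set          # resources the policy covers
    conditions: list = field(default_factory=list)  # callables Request -> bool

# Conditions: contextual checks evaluated at decision time.
def require_mfa(req):
    return req.subject.get("mfa") is True

def require_compliant_device(req):
    return req.subject.get("device_compliant") is True

def business_hours(req):
    return 8 <= req.context.get("hour", -1) < 18

def decide(policies, req):
    """Policy decision point: deny by default, permit only on an explicit match."""
    for p in policies:
        if not (req.subject.get("groups", set()) & p.subject_groups):
            continue  # subject criteria not met
        if req.action not in p.actions or req.target not in p.targets:
            continue  # action/target outside this policy's scope
        if all(cond(req) for cond in p.conditions):
            return ("permit", p.name)
    return ("deny", None)  # no policy matched: permit-by-exception only

def enforce(policies, req):
    """Policy enforcement point: let the request through only on a permit verdict."""
    verdict, _ = decide(policies, req)
    return verdict == "permit"

# Constructed sample policy: finance staff may read payroll data, but only with
# MFA, a compliant device, and during business hours.
POLICIES = [
    Policy("finance-read-payroll", {"finance"}, {"read"}, {"payroll-db"},
           [require_mfa, require_compliant_device, business_hours]),
]
```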
R**B
If you want a comprehensive understanding of Zero Trust then read this book!
I have read a fair amount about Zero Trust. This book is the best resource I have found. While I haven't finished reading yet, so far I have learned a lot. Some key takeaways:

* Any book's foreword that can work in "Grand Moff Tarkin" has got to be good.
* The terminology explanation and clean up is terrific. Technical types often make things more complicated than they need to be. From explaining that zero trust is really about getting rid of implicit trust to simplifying NIST's Policy Engine and Policy Administrator into a single Policy Decision Point (PDP), this book has practical insight.
* I guess this is still on terminology but I really like the Zero Trust definition on page 17.
* The Core and Expanded Principles of the book help set a foundation for the meaning of Zero Trust.
* Zero Trust Platform Requirements is a great list for evaluating your Zero Trust deployment.

I will continue to update as I make progress through the book.
S**O
Interesting but high price
It has many interesting topics to integrate into IT security, but it is a little bit overpriced.
B**.
Easily consumable. No fluff. Written for humans instead of stuffy academics.
I've worked in IT for twenty years (route/switch focus). I am not a fan of security because it often just gets in the way of getting work done, and the topic bores me to death. I say all of that to put a finer point on what I'm about to say next. This book is a very easy read. It's dense with useful information, but it's written in a style I can only call "semi-conversational". I've read the entire thing, taken notes, etc. I'd recommend reading NIST SP 800-207 first because it's referenced a few times. I wouldn't say it's required though.

I find it's far easier to get through this book than the O'Reilly book on this topic.
J**C
Great primer to start, and then all appropriate depth
I've been in the Identity space for a long time and still found this book, even at the beginning, to frame things in an insightful way. An excellent book.