
Project Zero Trust: A Story about a Strategy for Aligning Security and the Business by George Finney
Buy on Amazon: https://amzn.to/47J3f5N
The term “Zero Trust” gets thrown around a lot, and many times in a sarcastic manner (buzzword bingo). If you look past the buzzwords you quickly see there is something powerful behind this concept.
I’ve been on a big kick recently of campaigning to pull security responsibility back from the end users and into the security departments where I feel it belongs. Many of the concepts discussed in the Zero Trust model work towards that end. If we can devalue the end user credentials, we can stop bashing end users for falling victim to a social engineering attack.
With that out of the way, let’s refocus back onto the book itself.
The first thing I loved about this was the style. This isn’t a textbook. This is a fictional story told where the concepts shine through without being forced. I say this as the biggest compliment – it reminded me very much of the Patrick Lencioni books.
The book’s goals
- John Kindervag’s five-step methodology for implementing Zero Trust
- The four Zero Trust design principles
- How to limit the blast radius of a breach
- How to align security with the business
- Common myths and pitfalls when implementing Zero Trust
- Implementing Zero Trust in cloud environments
Each chapter concludes with a “Key Takeaways” section that helps frame the lessons you should have pulled out of the previous few pages, and I’ve pulled out some of the quotations I felt were worth memorializing below. At the end of the day, this was a quick read (start to finish in a single flight) and is worth adding to your list if zero trust principles are on your radar. Thanks to the May 12, 2021 Executive Order on Improving the Nation’s Cybersecurity, that is everyone in the cybersecurity space.
Noteworthy Quotes
Zero Trust is about getting rid of trust when it comes to technology.
p. 11
A successful Zero Trust implementation will be custom tailored for each business to meet their unique needs, tools, and processes.
p. 11
A strategy is like a plan on how to achieve a specific goal, right? So at the end, you’ll know when you’ve reached your goal. Now, here’s my question: How do you know when you’ve successfully achieved your goals with defense in depth?
p. 14
p. 16 (Design Principles)
- Focus on business outcomes.
- Design from the inside out.
- Determine who/what needs access.
- Inspect and log all traffic.
p. 17-18 (Implementation Steps)
- Define the protect surface.
- Map the transaction flows.
- Architect a Zero Trust environment.
- Create Zero Trust policies.
- Monitor and maintain.
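As an added illustration of the five steps listed above (this is example code written for this review, not something from the book or its author), the sketch below models one protect surface, maps the transaction flows that are allowed to reach it, evaluates observed flows against a default-deny policy, logs every decision, and summarizes the log for the monitoring step. All hostnames, identities and flow records are constructed for the example.

```python
"""Toy model of the five Zero Trust implementation steps.

Added example, not from the book. Every name below (the "payroll" protect
surface, its hosts, the identities, the observed flows) is constructed for
illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


# Step 1: define the protect surface, the small set of assets being protected.
@dataclass(frozen=True)
class ProtectSurface:
    name: str
    assets: frozenset  # hostnames or service names that make up the surface


# Step 2: map the transaction flows. One record per (who, from where, to what, port).
@dataclass(frozen=True)
class Flow:
    identity: str
    source: str
    destination: str
    port: int


# Steps 3 and 4: architect the environment around the surface and create policies.
# The policy is default-deny: only explicitly mapped flows are allowed, and every
# decision is logged so that the "inspect and log all traffic" principle holds.
class ZeroTrustPolicy:
    def __init__(self, surface: ProtectSurface) -> None:
        self.surface = surface
        self.allowed: set = set()
        self.log: List[Tuple[str, Flow]] = []

    def allow(self, flow: Flow) -> None:
        """Register a mapped flow. Refuse rules that point outside the surface."""
        if flow.destination not in self.surface.assets:
            raise ValueError(f"{flow.destination} is not part of {self.surface.name}")
        self.allowed.add(flow)

    def evaluate(self, flow: Flow) -> str:
        """Return 'allow', 'deny' or 'out-of-scope' and record the decision."""
        if flow.destination not in self.surface.assets:
            decision = "out-of-scope"      # another surface's policy decides this
        elif flow in self.allowed:
            decision = "allow"
        else:
            decision = "deny"              # default deny for anything unmapped
        self.log.append((decision, flow))
        return decision


# Step 5: monitor and maintain. Denied flows are the input for refining the map.
def summarize(policy: ZeroTrustPolicy) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for decision, _ in policy.log:
        counts[decision] = counts.get(decision, 0) + 1
    return counts


def denied_flows(policy: ZeroTrustPolicy) -> List[Flow]:
    return [flow for decision, flow in policy.log if decision == "deny"]


def build_policy() -> ZeroTrustPolicy:
    """Constructed example: a payroll surface with two mapped flows."""
    surface = ProtectSurface("payroll", frozenset({"payroll-app", "payroll-db"}))
    policy = ZeroTrustPolicy(surface)
    policy.allow(Flow("svc-payroll-app", "payroll-app", "payroll-db", 5432))
    policy.allow(Flow("hr-staff", "corp-vpn", "payroll-app", 443))
    return policy


def run_demo() -> Dict[str, object]:
    """Evaluate a constructed batch of observed flows against the policy."""
    policy = build_policy()
    observed = [
        Flow("svc-payroll-app", "payroll-app", "payroll-db", 5432),  # mapped
        Flow("hr-staff", "corp-vpn", "payroll-app", 443),           # mapped
        Flow("hr-staff", "corp-vpn", "payroll-db", 5432),           # user straight to DB
        Flow("svc-payroll-app", "payroll-app", "payroll-db", 22),   # wrong port
        Flow("anyone", "corp-vpn", "wiki", 443),                    # not this surface
    ]
    decisions = [policy.evaluate(flow) for flow in observed]
    return {"decisions": decisions, "summary": summarize(policy),
            "to_review": denied_flows(policy)}


if __name__ == "__main__":
    result = run_demo()
    print(result["decisions"])
    print(result["summary"])
    for flow in result["to_review"]:
        print("review:", flow)
```

The point of the toy is the shape of the work, not the code: the protect surface is small and explicit, the allowed flows are enumerated rather than inferred, anything unmapped is denied by default, and the denied log is what feeds the maintain step.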
p. 28 (implementation order)
- Learning protect surfaces
- Practice protect surfaces
- The “crown jewels” (aka business-critical protect surfaces)
- Secondary protect surfaces
- Tertiary protect surfaces
Process before technology
p. 45
The reason that I get frustrated with the NIST Zero Trust architecture […] is that there’s nothing in it about aligning with the business.
p. 51
The seven IDSA components are:
p. 72
- Identity
- Device
- Network
- Compute
- Application
- Storage
- Data
If we’re going to have a Zero Trust SOC, we want to report on how many false positives we’ve reduced. I’d like to know how many new rules you have added to your runbook and how many of them have been applied in our environment. How does that compare to the previous month? And how does it compare to the same time the previous year, since we may have seasonal changes? Does it look like attacks are advancing through the MITRE ATT&CK framework, and are we being successful at disrupting the later stages like command and control?
p. 96
People aren’t the weakest link […] People are the only link.
p. 126
[T]rust with business leaders is earned. Security teams shouldn’t simply ask for an unlimited budget and expect to get everything they ask for.
p. 129
Our secret motto in security is ‘people are the weakest link.’ If we believe this, we’re setting ourselves up for failure – first, because the statement is wrong and, second, because of the way it changes the way we act. People are the largest attack surface in our organizations. It’s more accurate to say that people are the only link in the chain when it comes to security.
p. 131
Further Reading
Below is a subset of the further reading recommended in the book.
- Executive Order on Improving the Nation’s Cybersecurity
- NIST Special Publication 800-207: Zero Trust Architecture
- Google’s BeyondCorp
  - An overview: A New Approach to Enterprise Security
  - Migrating to BeyondCorp: Maintaining Productivity while Improving Security
  - The human element: The User Experience
- Books