The objective of this document is to provide guidance for iteratively executing the first step in the five step Zero Trust implementation process described in the NSTAC Report to the President on Zero Trust and Trusted Identity Management (pg. 7), originally formulated and socialized by John Kindervag. Separate CSA research documents are being developed to elaborate detailed guidance for each of the five steps.
This crucial first step, Defining the Protect Surface, entails identifying the organization’s Data, Applications, Assets, and Services (DAAS) elements, accompanied by business risk and current security maturity assessments to help with implementation prioritization. The paper focuses on the methodology behind this process, including grouping DAAS elements into a Protect Surface comprising a business information system. Key considerations and concepts are explored, including the interplay between attack and Protect Surfaces and how the CISA Zero Trust Maturity Model V2 can be leveraged for implementation prioritization. This guidance empowers organizations to adopt a repeatable process for navigating the complexities of Zero Trust implementation.
Views: 9
