What Is a Zero-Trust Network? Definition, Pro & Cons


Beyond the four principles, there is a five-step process to actually implementing zero trust. As an approach to cybersecurity, zero trust starts with considering what you as an organization or company need to protect.

“By understanding what you need to protect and what stuff is sensitive to your organization, you can start to figure out how you need to protect that,” Kindervag says. When Kindervag consults with a company or organization, this is the first question he asks, as it will define the plan going forward.

These five steps for implementing zero trust can be applied to any type of company of any size—either a one-person company or a business with thousands of employees.

This five-step process, as outlined in the NSTAC report, is as follows:

1. Define Your Protect Surface

The protect surface refers to the area that an organization needs to protect. The first step is to identify what’s known as DAAS (data, applications, assets or services) to put into a protect surface. Below are examples of what could go into a protect surface.

  • Data: Sensitive data that would pose the biggest risk to your company if exfiltrated or used with malicious intent. Credit card information, health information, personally identifiable information (PII) and proprietary information are all examples.
  • Applications: This refers to applications that require use of sensitive data or control critical assets.
  • Assets: This includes information technology (IT), Internet of Things (IoT) and operational technology (OT) assets.
  • Services: These are the services the company relies on the most. This could include Domain Name System, Dynamic Host Configuration Protocol and Directory Services.

2. Map the Transaction Flows

The next step is to map the transaction flows to and from the protect surface in order to understand how the networks work. This includes how different DAAS components interact with the network and will help inform where to establish necessary controls.

3. Build a Zero-Trust Architecture

The third step is to apply the appropriate controls to protect the system you are building. “The way traffic moves across the network specific to the data in the protect surface should determine the design. The architectural elements cannot be predetermined, though a good rule of thumb is to place the controls as close as possible to the protect surface,” the NSTAC report states.

“We’ve always started with the controls first, before we understood the system, and that’s why we have failed because the controls didn’t fit the needs of the system. You have to understand the system before you determine how you’re going to protect it from a technology perspective,” Kindervag says.

4. Create a Zero-Trust Policy

Here’s where you determine who or what can access your protect surface. Zero trust is based on the principle of only granting specific access to those who need it.

5. Monitor and Maintain the Network

The final step is to inspect and log all traffic. “The telemetry from this process helps prevent significant cybersecurity events and provides valuable security improvement insights over the long term. As a result, each subsequent protect surface can become more robust and better protected over time,” the NSTAC report states.
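The sketch below is an added example, not code from the article or the NSTAC report. It walks the steps above in miniature: a protect surface of DAAS elements, a default-deny policy, and a review pass that maps observed flows and logs every decision. All identities, hosts, resources and rules are constructed for illustration.

```python
from dataclasses import astuple, dataclass

# Step 1: protect surface, one entry per DAAS element (constructed names).
PROTECT_SURFACE = {"cardholder-db": "data", "billing-app": "application",
                   "internal-dns": "service"}

@dataclass(frozen=True)
class Flow:
    subject: str  # authenticated user or workload identity
    source: str   # device or workload the request comes from
    target: str   # resource being accessed
    action: str

# Step 4: explicit allow rules (subject, source, target, action); all else is denied.
POLICY = {
    ("svc-billing", "billing-app", "cardholder-db", "read"),
    ("alice", "finance-laptop-7", "billing-app", "use"),
    ("svc-billing", "billing-app", "internal-dns", "query"),
    ("svc-report", "report-host", "cardholder-db", "read"),
}

def evaluate(flow: Flow) -> str:
    """Default deny for every flow that touches the protect surface."""
    if flow.target not in PROTECT_SURFACE:
        return "out-of-scope"
    return "allow" if astuple(flow) in POLICY else "deny"

def review(observed):
    """Steps 2 and 5: map flows per DAAS element and log every decision."""
    log, flow_map, used = [], {}, set()
    for flow in observed:
        decision = evaluate(flow)
        log.append((flow, decision))  # allowed and denied traffic alike
        if decision != "out-of-scope":
            flow_map.setdefault(flow.target, set()).add(astuple(flow))
        if decision == "allow":
            used.add(astuple(flow))
    # Rules that no observed flow exercised are candidates for removal.
    return log, flow_map, POLICY - used

# Constructed sample telemetry.
OBSERVED = [
    Flow("svc-billing", "billing-app", "cardholder-db", "read"),
    Flow("alice", "finance-laptop-7", "cardholder-db", "read"),
    Flow("alice", "finance-laptop-7", "billing-app", "use"),
    Flow("svc-billing", "billing-app", "cardholder-db", "write"),
    Flow("bob", "kiosk-2", "public-website", "read"),
]
```

Calling `review(OBSERVED)` returns the full decision log, the per-element flow map, and the allow rules that no observed flow used, which is the telemetry that lets the policy be tightened over time.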


