Zero Trust Security: An Enterprise Guide
J**N
An Excellent Resource for Novice Cybersecurity Practitioners
If you are a cybersecurity novice confused about zero trust and zero trust architecture (ZTA), then Zero Trust Security – An Enterprise Guide by Jason Garbis and Jerry W. Chapman is the book for you.

Overall, I am struck by how much zero trust is nothing more than security practices that we should have been doing all along within our information technology (IT) environments. The common explanation that zero trust eliminates the perimeter defense security model is oversimplified. Zero trust redefines implicit trust zones, but that does not mean you discard your current firewalls or abandon security on your border routers. Deny-all / permit-by-exception (DAPE) for ports, protocols, and service management (PPSM) is still a valid part of defense in depth. Yes, there are new technologies to consider within the ZTA, such as new generation firewalls (NGFW), and new concepts to explore, such as policy enforcement points (PEP) and policy decision points (PDP). Cloud computing offers novel opportunities (as well as unique challenges) to introduce a new security architecture. But the confidentiality, integrity and availability security triad is still relevant, and practices that everyone should be doing now, such as multifactor authentication and least privilege access, are cornerstones of zero trust security.

On the other hand, there is one technology that the authors warn against, and that is virtual private networks (VPN). They emphasize that VPNs are a remote access solution, and were never meant to be considered a security solution. While the authors explain – throughout their book – that zero trust can and should be introduced into an IT environment incrementally and carefully, they beseech the reader to start by replacing their VPN architecture.

Here is a synopsis of what awaits you inside this book:

Chapter 2 – What is Zero Trust?: The authors retrace the history of zero trust from the term's conception in 2010, through early adoption by organizations such as Google, and up to the definitions prescribed by the National Institute of Standards and Technology (NIST).

Chapter 3 – Zero Trust Architecture: As you plan this new security architecture, focus on how and where to deploy PEPs and PDPs.

Chapter 4 – Zero Trust in Practice: The authors acknowledge that most organizations will implement zero trust through commercially available solutions. They explain how to evaluate these solutions before making decisions.

Chapter 5 – Identity and Access Management: Before you can allow users access to resources within a ZTA, you must confirm the identity of the user and confirm the user's authorization. This concept is crucial to zero trust security, and authorization changes over time and with circumstances, a process known as the identity lifecycle.

Chapter 6 – Network Infrastructure: The authors reiterate that some components of your network infrastructure will need to be replaced, while others will need to be modified to adapt to zero trust security. This process can be incremental and should not cause grave disruption to services provided within your network infrastructure.

Chapter 7 – Network Access Control: The 802.1X-based network access control (NAC) protocol is not suitable for a true zero trust solution. The authors explain why and how to proceed to NAC solutions that are suitable.

Chapter 8 – Intrusion Detection and Prevention Systems: These devices still play a vital role in zero trust security, potentially as policy enforcement points.

Chapter 9 – Virtual Private Networks: Within the ZTA, there should be no such thing as remote access, just access. Virtual private networks must go!

Chapter 10 – Next-Generation Firewalls: The authors foresee next-generation firewall (NGFW) vendors adding more and more zero trust capability to their products. Be on the lookout for the best solution for your network infrastructure.

Chapter 11 – Security Operations: In a successful ZTA, Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) tools will provide the critical role of bringing together security solutions across your network infrastructure as part of security operations.

Chapter 12 – Privileged Access Management: Current privileged access management (PAM) solutions are no substitute for zero trust security, but can be integrated into a zero trust solution to enhance both capabilities.

Chapter 13 – Data Protection: Data is a special resource that must be protected through data lifecycle management and data governance.

Chapter 14 – Infrastructure and Platform as a Service: When your network infrastructure resides within a cloud service provider (CSP) as either infrastructure as a service (IaaS) or platform as a service (PaaS), there is a shared security model that must be considered when implementing zero trust solutions.

Chapter 15 – Software as a Service: The authors consider software as a service (SaaS) to be "an interesting and dynamic space to watch", especially with regard to zero trust-aware SaaS applications that provide not only identity, authentication, and access services, but authorization services as well. This is one area where the authors anticipate the SaaS providers themselves will lead the way.

Chapter 16 – IoT Devices and "Things": Welcome to the 21st century, where the Internet of Things (IoT) is a thing! The carelessness with which these devices have been strewn all over many network infrastructures makes them a particularly challenging problem to secure properly at all, much less within a holistic ZTA. But the authors still think you should try.

Chapter 17 – A Zero Trust Policy Model: The authors examine the logical components of zero trust policies (subject criteria, actions, targets, and conditions) from a deployment and flow perspective within several policy scenarios to see how internal and external mechanisms provide contextual information with which to make access decisions. This chapter is important but one of the more difficult ones to follow. You will need to read it several times.

Chapter 18 – Zero Trust Scenarios: This is where the rubber meets the road. The authors take everything they discussed in the previous chapters to describe and analyze seven different scenarios for applying zero trust within an IT enterprise. Another chapter to read and reread again and again.

Chapter 19 – Making Zero Trust Successful: The authors realize that understanding chapter 18 is like swallowing an elephant whole; so, in this chapter they describe top-down and bottom-up approaches to initiating the implementation and deployment of zero trust products and solutions within your IT enterprise. Enjoy!
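The review above summarizes the book's policy model (chapters 3, 5 and 17): a policy enforcement point (PEP) that fronts a resource and asks a policy decision point (PDP) to evaluate every request against policies built from subject criteria, actions, targets and conditions, with deny-all / permit-by-exception as the default and with authorization that changes as the subject's context changes. The Python below is an added illustration of that model; it is not code from the book, its authors, or the reviewer, and the roles, targets, conditions and sample subjects are constructed for the example.

```python
"""Toy PDP/PEP illustrating the zero trust policy model.

Every request is denied unless one explicit policy matches its subject
criteria, action, target AND all of its conditions (deny-all / permit-by-
exception). Constructed example; no real product or API is modelled.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Callable


@dataclass(frozen=True)
class Subject:
    """Identity plus the contextual signals a PDP would receive (constructed)."""
    user: str
    roles: frozenset[str]
    mfa: bool                 # did this session complete multifactor auth?
    device_compliant: bool    # device posture as reported by endpoint management
    location: str             # "corp" or "remote" (constructed labels)


@dataclass(frozen=True)
class Request:
    subject: Subject
    action: str               # e.g. "read", "write"
    target: str               # protected resource name


Condition = Callable[[Request], bool]


@dataclass(frozen=True)
class Policy:
    name: str
    roles: frozenset[str]             # subject criteria: subject needs any of these
    actions: frozenset[str]
    targets: frozenset[str]
    conditions: tuple[Condition, ...] = ()   # every condition must hold

    def matches(self, req: Request) -> bool:
        return (bool(self.roles & req.subject.roles)
                and req.action in self.actions
                and req.target in self.targets
                and all(cond(req) for cond in self.conditions))


# Conditions: the "external mechanisms" that feed context into the decision.
def require_mfa(req: Request) -> bool:
    return req.subject.mfa

def require_compliant_device(req: Request) -> bool:
    return req.subject.device_compliant

def on_corp_network(req: Request) -> bool:
    return req.subject.location == "corp"


# Constructed policy set. Anything not listed here is denied.
POLICIES: tuple[Policy, ...] = (
    Policy("hr-read-hrdb", frozenset({"hr"}), frozenset({"read"}), frozenset({"hr-db"}),
           (require_mfa, require_compliant_device)),
    Policy("hr-write-hrdb-onsite", frozenset({"hr"}), frozenset({"write"}), frozenset({"hr-db"}),
           (require_mfa, require_compliant_device, on_corp_network)),
    Policy("dev-read-payroll-api", frozenset({"developer"}), frozenset({"read"}),
           frozenset({"payroll-api"}), (require_mfa,)),
)


def decide(req: Request, policies: tuple[Policy, ...] = POLICIES) -> tuple[str, str]:
    """PDP: return ("permit", policy_name) for the first matching policy, else ("deny", reason)."""
    for policy in policies:
        if policy.matches(req):
            return ("permit", policy.name)
    return ("deny", "no matching policy")


class PolicyEnforcementPoint:
    """PEP: sits in front of the resource, consults the PDP per request, records the outcome."""

    def __init__(self, pdp: Callable[[Request], tuple[str, str]] = decide) -> None:
        self.pdp = pdp
        self.audit_log: list[str] = []

    def handle(self, req: Request) -> bool:
        decision, detail = self.pdp(req)
        self.audit_log.append(
            f"{req.subject.user} {req.action} {req.target} -> {decision} ({detail})")
        return decision == "permit"


# Constructed sample subjects. ALICE_NONCOMPLIANT is the same identity after her
# device drops out of compliance: the identity is unchanged, the authorization is not.
ALICE = Subject("alice", frozenset({"hr"}), mfa=True, device_compliant=True, location="remote")
ALICE_NONCOMPLIANT = replace(ALICE, device_compliant=False)
BOB = Subject("bob", frozenset({"developer"}), mfa=False, device_compliant=True, location="corp")


if __name__ == "__main__":
    pep = PolicyEnforcementPoint()
    for req in (Request(ALICE, "read", "hr-db"),              # permit
                Request(ALICE, "write", "hr-db"),             # deny: remote, write needs corp
                Request(ALICE_NONCOMPLIANT, "read", "hr-db"), # deny: posture changed
                Request(BOB, "read", "payroll-api"),          # deny: no MFA
                Request(BOB, "read", "hr-db")):               # deny: no policy at all
        pep.handle(req)
    print("\n".join(pep.audit_log))
```

The point of the example is the shape of the decision, not the toy conditions: a request with a valid identity still falls through to deny when the target has no policy, when a condition such as device posture stops holding, or when the action asked for is broader than the one granted, which is the DAPE default the review describes carried from ports and protocols up to the application layer.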
R**B
If you want a comprehensive understanding of Zero Trust then read this book!
I have read a fair amount about Zero Trust. This book is the best resource I have found. While I haven't finished reading yet, so far I have learned a lot. Some key takeaways:

* Any book's foreword that can work in "Grand Moff Tarkin" has got to be good.
* The terminology explanation and clean-up is terrific. Technical types often make things more complicated than they need to be. From explaining that zero trust is really about getting rid of implicit trust to simplifying NIST's Policy Engine and Policy Administrator into a single Policy Decision Point (PDP), this book has practical insight.
* I guess this is still on terminology, but I really like the Zero Trust definition on page 17.
* The Core and Expanded Principles of the book help set a foundation for the meaning of Zero Trust.
* Zero Trust Platform Requirements is a great list for evaluating your Zero Trust deployment.

I will continue to update as I make progress through the book.
S**O
Interesting but high price
It has many interesting topics to integrate into IT security, but it is a little bit overpriced.
B**.
Easily consumable. No fluff. Written for humans instead of stuffy academics.
I've worked in IT for twenty years (route/switch focus). I am not a fan of security because it often just gets in the way of getting work done, and the topic bores me to death. I say all of that to put a finer point on what I'm about to say next. This book is a very easy read. It's dense with useful information, but it's written in a style I can only call "semi-conversational". I've read the entire thing, taken notes, etc. I'd recommend reading NIST SP 800-207 first because it's referenced a few times. I wouldn't say it's required though. I find it's far easier to get through this book than the O'Reilly book on this topic.
J**C
Great primer to start, and then all appropriate depth
I've been in the Identity space for a long time and still found this book, even at the beginning, to frame things in an insightful way. An excellent book.
A**O
Excellent
I am 70% of the way through the book, but I feel comfortable giving it 5 stars. For Italian readers: the book is written in extraordinarily clear English, one of the best English-language manuals I have ever read. On a strictly instructional level it is what I was looking for: it clearly explains the terminology, the concepts and the methodology for implementing a zero trust strategy coherently. I reserve the right to correct this last statement if, once I have finished reading, I turn out to be wrong.
S**K
Very high level - below expectations
This book doesn't provide anything except a high-level description of the Zero Trust concept. If you look for some details or interesting things, you won't find them here. I think that you can find better resources on the internet.
A**R
Fantastic book
A very good book on Zero Trust security which every cyber security and network professional needs to have a glance at. Very well depicted, and the flow is very good. Thanks for such a wonderful book...
J**Y
A Great Book for Theory and Patterns, but Lacking Real World Examples
This is a very good book. It's new (circa 2021), and touches on most of the concerns of a modern enterprise network environment (SaaS/IaaS/PaaS, IoT, remote/mobile workforce, BYOD, MFA, etc.).

This book is aimed at I.T. leaders or C-suite execs who are running enterprise networks and who want to learn what "Zero Trust" is all about and if/when/how they should implement ZT in their own network stack. That said, this is not really a technical book. It's almost entirely about the philosophy and approach that forms the foundation of a "Zero Trust" approach to network security.

The book does a good job of methodically defining and exploring all the core components that a Zero Trust platform comprises – both human (users), and technical (networks, servers, services, policies, etc.). It explains each major conceptual component in some detail, as well as how they all fit together. It really does do a great job of explaining all the theories and patterns of Zero Trust as it is being practiced in enterprise networks today.

My only major complaint about this book is that it draws a very hard stop at the theoretical boundary. The authors make an explicit point of never mentioning any actual real world "Zero Trust" commercial offering available on the market today (i.e. no ZT platforms/packages/vendors are named or reviewed, whatsoever). They admit upfront that these things change so fast anything they write would be outdated in short order – but while I appreciate their candor, it left all the terrific theory to suffer from remaining completely ungrounded in any real world executions / implementations. (Note: The authors do refer to 2 famous Zero Trust case studies (that were also written about in another very well known Zero Trust book), but even these were covered only briefly and in minimal detail.)

While Parts 1 & 2 of the book didn't suffer too much for this theory-only abstraction, Part 3 (the final 3 chapters of the book) is all about "bringing it all together" – but while their goal was to ground all the components in real world examples to tie it all together, by not citing any actual implementations or details of real world examples, the last 80 pages of the book basically read to me as all fluff. Lots of great advice – but nothing to tether it to reality.

Going back to the top, this really is a great book overall. I just wish they'd added 2 chapters where they reviewed at least the leading real world commercial Zero Trust products/vendors/platforms available in the market today, and shared their deep experience with the pros and cons of each. This would have grounded their many great insights in a real-world foundation to help readers understand what actually IS the state of the art *right now*. As it is, their theoretical writing will still suffer from being outdated within a few years – but their 2022 readers won't get as much value as they could have had the authors just gotten their hands dirty with some nitty gritty implementation examples. Oh well.

PS: The editor also deserves a scolding. There were just a few too many sloppy typos to go unnoticed.
L**Z
Vendor-independent
For English speakers, the right 360-page book for getting more than just an introduction to the subject, especially as this topic is becoming ever more important because of the current hacks affecting thousands of companies. Also interesting and surprising is which current technologies, such as VPN, are shown to be no longer secure enough.