ACT IAC on Zero Trust trends

Posted by     Alexander Goller on Sunday, August 25, 2019

The American Council for Technology-Industry Advisory Council (ACT-IAC), a non commercial organisation for creating a more innovative government published a paper on Zero Trust

I would recommend this paper for anybody remotely thinking about Zero Trust, be it because you start thinking about introducing it or because it is just one of those trends that you want to catch up on.

There is a huge amount of truth and knowledge in this document and it is not having any marketing in it. I read it and thought this is sound advice for anyone that looks to improve their security posture with the ultimate, long term Zero Trust goal in mind.

Zero Trust is an evolutionary framework, not a revolutionary approach. It builds on existing security concepts and does not introduce a radical new approach to cybersecurity. Like most security concepts, Zero Trust relies on a fundamental understanding of an organization’s services, data, users, and endpoints to be effective. There is no “free lunch” regarding up-front resource investment. Policy definitions, concepts of deployment, trust determination (and decay), enforcement mechanisms, logging aggregation, etc., all need to be considered prior to deploying a solution. That said, many large-scale organizations (such as Google, Akamai, and Purdue) that have made the investment show real return on security investment. The critical question becomes whether ZT is mature enough to be a compelling choice for government today.

The paper does a great job talking about the basics and i screenshoted this one here:


What i found even more relevant for this blog is their steps to microsegmentation, that i really liked and i would recommend a very similar approach. Start with visibility and risk and go from there. Do not invest in technology first unless it helps you get the visibility you need or the knowledge to assess the risk needed to segment.

Steps to microsegmentation

The article also gives some great input into metric you can use for segmentation once you start that journey and i will use some of the input in my articles about metrics for segmentation.

All screenshots and quotes copyright by ACTIAC.

comments powered by Disqus