1. Know your architecture including users, devices, services and data

In the zero trust network model, it's more important than ever to know your users, devices, services and data.

In order to get the benefits from zero trust you need to know about each component of your architecture, including your users, devices, and the services and data they are accessing.

A proper understanding of your assets will most likely involve an asset discovery phase as one of the first steps in your zero trust journey. In some environments this can be challenging and may involve the use of automated tools to discover assets on the network. In other cases, you may be able to determine your assets by following a non-technical procedure, such as querying procurement records.

It is also important to know what data is being stored within your environment, its location and its sensitivity. Knowing your data and its associated sensitivity will help you develop effective and appropriate access policies, which supports principle 4, "Use policies to authorise requests".
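One way to combine the two discovery routes described above with a data sensitivity check, as an added example that is not part of the original guidance. The CSV column names, the use of the MAC address as the join key, and all sample records are assumptions constructed for illustration.

```python
"""Reconcile discovered assets against procurement records (constructed sample data)."""
import csv
import io

# Constructed sample: output of a hypothetical network discovery tool.
DISCOVERED_CSV = """mac,ip,hostname
AA-BB-CC-00-00-01,10.0.0.5,hr-laptop-01
aa:bb:cc:00:00:02,10.0.0.9,files-01
aa:bb:cc:00:00:09,10.0.0.77,
"""

# Constructed sample: export from procurement records.
PROCUREMENT_CSV = """mac,owner,asset_tag
aa:bb:cc:00:00:01,hr,LT-1001
AABB.CC00.0002,it,SRV-2001
aa:bb:cc:00:00:03,finance,LT-1002
"""

# Constructed sample: data stores, the asset hosting each, and sensitivity ("" = unclassified).
DATA_STORES = [
    {"name": "payroll-db", "host_mac": "aa:bb:cc:00:00:02", "sensitivity": "high"},
    {"name": "scratch-share", "host_mac": "aa:bb:cc:00:00:02", "sensitivity": ""},
    {"name": "legacy-export", "host_mac": "aa:bb:cc:00:00:09", "sensitivity": "high"},
]

def norm_mac(raw):
    """Normalise MAC formats (aa:bb.., AA-BB.., aabb.cc..) to lowercase colon form."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def load(text):
    """Index CSV rows by normalised MAC so differently formatted exports can be joined."""
    return {norm_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(text))}

def reconcile(discovered_csv, procurement_csv, data_stores):
    """Return the gaps to close before writing access policies."""
    seen, owned = load(discovered_csv), load(procurement_csv)
    return {
        "unknown_on_network": sorted(seen.keys() - owned.keys()),
        "procured_not_seen": sorted(owned.keys() - seen.keys()),
        "unclassified_data": sorted(d["name"] for d in data_stores if not d["sensitivity"]),
        "data_on_unknown_assets": sorted(
            d["name"] for d in data_stores if norm_mac(d["host_mac"]) not in owned),
    }

if __name__ == "__main__":
    for finding, items in reconcile(DISCOVERED_CSV, PROCUREMENT_CSV, DATA_STORES).items():
        print(f"{finding}: {items}")
```

Each non-empty finding is an input to the risk assessment: an asset or data store that an access policy cannot yet describe.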

Transitioning to zero trust

Asset discovery is of equal importance, whether you are transitioning to a zero trust architecture from an established system with many pre-existing services, or starting a brand new architectural deployment.

If a zero trust architecture is implemented without considering existing services, they may be at higher risk. These services may not be designed for a hostile, untrusted network and therefore will be unable to defend themselves against attack.

Conduct a risk assessment

Once you know your architecture, you are in a better position to determine the risks to your new target architecture and ensure they are being mitigated.

It would be sensible after the asset discovery stage to start with a risk assessment, including threat modelling your approach to zero trust. This assessment can be used to help you understand whether the zero trust components under consideration will mitigate - protect against - all your risks.

The degree of risk mitigation may depend on the criticality of your assets and your risk appetite. It is therefore imperative to evaluate the importance of the assets and provide the appropriate safeguards for them.

If all the risks cannot be mitigated using a zero trust approach, the existing security controls from your current network architecture will need to stay in place.