Core Principles
When organizations undertake the journey towards a new, enterprise-wide change, a core set of principles[7] provides a succinct, easily shared “North Star” to guide and coalesce the organization.
This set of Core Principles acts as a set of fundamental guidelines for organizations to adopt Zero Trust and implement ZTAs. They focus on factors specific to Zero Trust – linking people, processes, and technology – and should both be used for all new security initiatives and retroactively applied to old security activities.
The Core Principles are grouped into common themes that address different aspects of Zero Trust:
• Organizational Value and Risk Alignment principles address key goals for business, IT, and security stakeholders to address overall strategic drivers
• Guardrails and Governance principles address compliance, risk, and information security stakeholders to guide the adoption of Zero Trust and ensure sustainability of assurances, addressing:
— Rapidly evolving compliance and regulatory needs, requiring proactive integration of industry and organizational controls
— Lagging industry controls and compliance standards, resulting in an expectation to create supplemental organizational controls
— Increasing complexity and agility requirements that drive the need for rapid, near real-time or real-time audits, requiring automation of data collection, traceability, and processes
• Technology principles address the IT organization, information security, and risk and compliance stakeholders and determine technology decisions that underlie the development of a ZTA, including concerns associated with identity, access, and reduced threat surface area
• Security Controls principles address security and IT architects to ensure strong foundations of confidentiality, integrity, and availability assurances
All of the elements of the Core Principles must fit within the business strategy and organizational culture. Simple axioms are provided below to aid in communicating and remembering the principles. Guardrails and Governance help bind business goals and technical reality, and these principles are depicted to the side in Figure 7 as they should not impede direct connections between the organizational mission and the technology and security that support it.
Figure 7: Summary of Zero Trust Core Principles
Organizational Value and Risk Alignment
1. Modern Work Enablement – Users[8] in organizational ecosystems must be able to work on any network in any location with the same security assurances, increasing productivity.
2. Goal Alignment – Security must align with and enable organization goals within risk tolerance and threshold.
3. Risk Alignment – Security risk must be managed and measured consistently using the organization’s risk framework and considering organizational risk tolerance and thresholds.
Guardrails and Governance
4. People Guidance and Inspiration – Organizational governance frameworks must guide people, process, and technology decisions with clear ownership of decisions, policy, and aspirational visions.
5. Risk and Complexity Reduction – Governance must both reduce complexity (i.e., simplify) and reduce threat surface area.
6. Alignment and Automation – Policies and security success metrics must map directly to organizational mission and risk requirements and should favor automated execution and reporting.
7. Security for the Full Lifecycle – Risk analysis and confidentiality, integrity, and availability assurances must be sustained for the lifetime of the data, transaction, or relationship. Asset sensitivity must be reduced where possible (removing sensitive/regulated data, privileges, etc.), and assurances should be provided for the risk of data in use, in-flight, and at rest.
Technology
8. Asset-Centric Security – Security must be as close to the assets as possible (i.e., data-centric and application-centric approaches instead of network-centric strategies) to provide a tailored approach that minimizes productivity disruption.
9. Least Privilege – Access to systems and data must be granted only as required and removed when no longer required.
Security Controls
10. Simple and Pervasive – Security mechanisms must be simple, scalable, and easy to implement and manage throughout the organizational ecosystem (whether internal or external).
11. Explicit Trust Validation – Assumptions of integrity and trust level must be explicitly validated against organization risk threshold and tolerance. Assets and/or data systems must be validated before being allowed to interact with anyone/anything else.
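Principles 9 (Least Privilege) and 11 (Explicit Trust Validation) are the two that translate most directly into a policy decision. The following is an added illustration, not code from this guide or from The Open Group: a minimal policy decision point in which every grant is time-bounded and dropped once expired, the default answer is deny, and each request's identity and device assertions are checked against an organization-defined assurance threshold before any grant is even consulted. The class names, the `REQUIRED_ASSURANCES` table, and the sample grants and requests are all assumptions constructed for the example.

```python
"""Hypothetical policy decision point illustrating two Zero Trust Core
Principles: Least Privilege (time-bounded, default-deny grants) and
Explicit Trust Validation (assurances checked against a threshold).
All names, thresholds and sample data are assumptions for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable


@dataclass(frozen=True)
class Grant:
    subject: str
    resource: str
    action: str
    expires_at: datetime        # every grant ends; nothing is permanent


@dataclass(frozen=True)
class Request:
    subject: str
    resource: str
    action: str
    mfa_verified: bool          # identity assurance asserted by the IdP
    device_compliant: bool      # posture asserted by device management
    sensitivity: str            # "low" or "high", set by the data owner


# Assumed organizational risk threshold: the assurances that must be
# present before trust is considered validated for a given sensitivity.
REQUIRED_ASSURANCES = {
    "low": {"mfa_verified"},
    "high": {"mfa_verified", "device_compliant"},
}


def active_grants(grants: Iterable[Grant], now: datetime) -> list[Grant]:
    """Least Privilege: access is removed when no longer required, so
    expired grants are discarded instead of lingering as stale entitlements."""
    return [g for g in grants if g.expires_at > now]


def validate_trust(req: Request) -> list[str]:
    """Explicit Trust Validation: list the assurances still missing for this
    request. An empty list means every assumption was explicitly validated."""
    required = REQUIRED_ASSURANCES.get(req.sensitivity)
    if required is None:
        return [f"unknown sensitivity '{req.sensitivity}'"]
    return sorted(a for a in required if not getattr(req, a))


def decide(grants: Iterable[Grant], req: Request, now: datetime) -> tuple[bool, str]:
    """Default deny. Allow only when trust is validated AND a live grant
    matches subject, resource and action exactly."""
    missing = validate_trust(req)
    if missing:
        return False, "trust not validated: " + ", ".join(missing)
    matches = [g for g in active_grants(grants, now)
               if (g.subject, g.resource, g.action)
               == (req.subject, req.resource, req.action)]
    if not matches:
        return False, "no active grant for this subject/resource/action"
    return True, "allowed until " + min(g.expires_at for g in matches).isoformat()


# Constructed sample data (not from any real environment).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    Grant("alice", "hr-db", "read", NOW + timedelta(hours=1)),
    Grant("bob", "hr-db", "read", NOW - timedelta(hours=1)),   # already expired
    Grant("alice", "wiki", "read", NOW + timedelta(hours=8)),
]
SAMPLE_REQUESTS = {
    "alice-hr-ok":        Request("alice", "hr-db", "read", True, True, "high"),
    "alice-hr-bad-device": Request("alice", "hr-db", "read", True, False, "high"),
    "bob-hr-expired":     Request("bob", "hr-db", "read", True, True, "high"),
    "alice-wiki-write":   Request("alice", "wiki", "write", True, False, "low"),
    "alice-wiki-read":    Request("alice", "wiki", "read", True, False, "low"),
}


def run_demo() -> dict[str, tuple[bool, str]]:
    """Evaluate every sample request against the sample grants."""
    return {name: decide(SAMPLE_GRANTS, req, NOW)
            for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in run_demo().items():
        print(f"{name:22s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

Two design points worth noting: trust validation runs before the grant lookup, so a request from a non-compliant device is refused even when an entitlement exists, and the deny reason names the missing assurance rather than a generic failure, which is what makes the decision auditable in the near-real-time sense the Guardrails and Governance principles call for.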