The CISO Guide to Zero Trust Security

Book written by Raj Badhwar

Book review by Ashok Kumar Kakani

Bottom Line

I recommend this nonfiction book for the Cybersecurity Canon Hall of Fame.

Review

Security controls in compliance with the Zero Trust Security architecture and paradigm has repeatedly been mentioned as a solution to combating the exponential increase in cyber threats and attacks being faced by our businesses and governments, but there is a lack of simplistic yet effective guidance on what these security controls are and how can they be practically implemented by cybersecurity and information technology teams.

This book provides a CISO perspective and practical guidance using simplistic language on how to use the tenets like least privilege and continuous authentication among many other security paradigms to implement the needed security controls as recommended by Zero Trust. 

This book also expands the security domain coverage to many other security domains (e.g., Product, IoT or API Security) in addition to the traditional domains (e.g., Data and Network Security).

Detailed chapter by chapter review –

1.            Zero Trust Security  

Provides a brief overview of the concept of Zero Trust in cybersecurity, including its origins, its importance to application and system security, and current trends in the adoption of Zero Trust. It also introduces the other associated paradigms of ‘Least Privilege’ and ‘Continuous Authentication’, which are important for augmenting Zero Trust.

2.            Device Security 

Details how to implement Zero Trust based security controls to protect computing devices. These devices include but are not limited to user laptops and desktops, mobile devices like iPads and iPhones, IoT devices, physical and virtual servers, and other network and security computing assets used in data centers.

3.            Network Security 

Details how to implement micro and macro network segmentation as a form of Zero Trust based security controls for network security. This chapter also shares details on the concept of macro and micro network segmentation and least privileged access for network-based resources.

4.            Data Security 

Details how to implement Zero Trust based security controls to protect (physical and logical) data at rest, using techniques like data encryption, obfuscation, and digital rights management (DRM). It also covers how to protect data in motion while it is traversing public and private networks, and how the use of encryption and session level protection ensures the secure transmission of data.

5.            Application and Product Security 

Details how to implement Zero Trust based security controls to protect applications hosted in hybrid (private or public cloud) environments or installed on physical or virtual personal computing assets. This chapter also shares details on concepts like single sign on (SS0) and secure application development (to create products) to prevent ‘dependency and namespace confusion’ attacks used in the SolarWinds breach.

6.            Email Security 

Details how to implement Zero Trust based security controls to protect emails from various attacks including but not limited to phishing, spoofing, spam and other business email compromise (BEC) attacks. 

7.            Operational Technology (OT) and Internet of Things (IoT) Security 

Details how to implement Zero Trust based security controls to protect OT and IoT devices and SCADA networks from cyber-attacks, network and data breaches.

8.            API Security 

Details how to implement Zero Trust based security controls to protect APIs from credential theft, man in the middle attacks and unauthorized access by internal and external threat vectors.  

9.            User and Identity Security

Discusses methods to implement Zero Trust based security controls for user authentication and authorization, as well as for Identity and Access Management (IAM) Paradigms like Single Sign on (SSO) and Identity Federation.

10.          Machine Security 

Details how to implement Zero Trust based security controls to establish Machine Identities to enable bi-directional trust between machines and systems.

11.          Cloud Security

Provides details on how to prevent cloud-based security breaches by implementing Zero Trust based security controls to develop an enterprise cloud operating model based on a cloud-first approach.

12.      AI Security 

Details how to implement Zero Trust based security controls to protect AI systems from sophisticated attacks.

13.          Information Security 

Details how to implement Zero Trust based security controls regarding how best to securely share information with internal and especially external parties and thereby help establish Information Trust.

14.          Third-Party Security  

Details how to implement Zero Trust based security controls for third-party applications and systems (especially SaaS).

15.          Human Security 

Details how to implement Zero Trust based security controls to protect systems from the weakest link in the cybersecurity chain – imperfect (and sometimes malicious) human behavior.

16.          Physical Security 

Details how to implement Zero Trust based physical security controls for our offices and data centers.

Conclusion

I found this book to provide useful and referenceable guidance that can be used to design and implement security controls required to achieve compliance with the Zero Trust paradigm and principles, across all the various IT and Security domains.

Reference

https://www.amazon.com/dp/B09RM5HXGR/

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite. 

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!