Project Zero Trust: A Story about a Strategy for Aligning Security and the Business

Book written by George Finney
Book review by Rick Howard
Bottom Line
I recommend this nonfiction book for the Cybersecurity Canon Hall of Fame.
Review
I've known George Finney for years. He is one of the smartest cybersecurity practitioners on the planet, and when I heard that he had published a book on one of my favorite topics (zero trust) and that he got John Kindervag (the father of zero trust) to write the foreword, I knew it was going to be good.
I've been thinking about zero trust for years and have written a lot about it in an effort to get my arms around the topic and to simply find the edges. As you all know, there's a lot of hype in the vendor space around the idea of zero trust. But I'm here to tell you that George gets it. And his method of explaining the key concepts of it is genius.
He takes a page from Gene Kim's "The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win" and Eliyahu Goldratt's "The Goal: A Process of Ongoing Improvement." Instead of writing a dry zero trust technical manual that only die-hard fans of the subject would appreciate, he wrote a novel with real characters and a significant business crisis (a ransomware attack) that explains how the ideas and concepts of zero trust could be applied in a realistic scenario.
The main character is Dylan (Director of Infrastructure), and on his first day on the job, the company gets hit with a ransomware attack. The CEO tells him to implement the first-ever company-wide zero trust strategy in time for a new product rollout in six months. The CEO doesn't want another ransomware attack to derail that major company milestone. As in The Phoenix Project, Dylan even has an Obi-Wan-Kenobi-like mentor who guides him in his efforts.
Throughout the story, readers learn that some of the infosec community's best practices (like best-of-breed tools, defense-in-depth, and compliance checklists) don't really form meaningful strategies with goals and progress metrics, whereas zero trust can. We learn that trust in our technology and people is a vulnerability just waiting to be exploited.
Dylan believes that the primary goal of zero trust is to prevent breaches and that prevention is possible. His team members come to believe this too, but they also learn that zero trust is not achieved through one or more vendor tools. Zero trust is more of a philosophy, a way of thinking, and is never done. It's a journey, and it can be begun with the tools and people you already have in place.
In the story, Dylan's team is presented with various scenarios (attack surfaces) to which they apply the zero trust strategy, such as physical security, the company's crown jewels (ERP and CRM), identity, DevOps, the cloud, and APIs. Each time, the team gets more proficient in applying the zero trust methodology (Kindervag's 9 rules). The team notices that there are many zero trust frameworks out there (Gartner, Forrester, Google, and NIST), but their Obi-Wan mentor recommends the NIST framework. They also realize that it's not enough for the technicians to simply implement a bucket full of zero trust controls. They discover that they have to develop a company-wide culture that embraces zero trust as a philosophy, and it starts at the senior leadership level.
This book is a must-read for all cybersecurity professionals, especially if you have an imminent zero trust project on the books.