Apress Zero Trust Security: An Enterprise Guide
J**N
An Excellent Resource for Novice Cybersecurity Practitioners
If you are a cybersecurity novice confused about zero trust and zero trust architecture (ZTA), then Zero Trust Security – An Enterprise Guide by Jason Garbis and Jerry W. Chapman is the book for you.

Overall, I am struck by how much zero trust is nothing more than security practices that we should have been doing all along within our information technology (IT) environments. The common explanation that zero trust eliminates the perimeter defense security model is oversimplified. Zero trust redefines implicit trust zones, but that does not mean you discard your current firewalls or abandon security on your border routers. Deny-all / permit-by-exception (DAPE) for ports, protocols, and service management (PPSM) is still a valid part of defense in depth.

Yes, there are new technologies to consider within the ZTA, such as next-generation firewalls (NGFW), and new concepts to explore, such as policy enforcement points (PEP) and policy decision points (PDP). Cloud computing offers novel opportunities (as well as unique challenges) to introduce a new security architecture. But the confidentiality, integrity and availability security triad is still relevant, and practices that everyone should be doing now, such as multifactor authentication and least privilege access, are cornerstones of zero trust security.

On the other hand, there is one technology that the authors warn against, and that is virtual private networks (VPN). They emphasize that VPNs are a remote access solution, and were never meant to be considered a security solution. While the authors explain – throughout their book – that zero trust can and should be introduced into an IT environment incrementally and carefully, they beseech the reader to start by replacing their VPN architecture.

Here is a synopsis of what awaits you inside this book:

Chapter 2 – What is Zero Trust?: The authors retrace the history of zero trust from the term’s conception in 2010, through early adoption by organizations such as Google, and up to the definitions prescribed by the National Institute of Standards and Technology (NIST).

Chapter 3 – Zero Trust Architecture: As you plan this new security architecture, focus on how and where to deploy PEPs and PDPs.

Chapter 4 – Zero Trust in Practice: The authors acknowledge that most organizations will implement zero trust through commercially available solutions. They explain how to evaluate these solutions before making decisions.

Chapter 5 – Identity and Access Management: Before you can allow users access to resources within a ZTA, you must confirm the identity of the user and confirm the user’s authorization. This concept is crucial to zero trust security, and authorization changes over time and depending on circumstances, known as the identity lifecycle.

Chapter 6 – Network Infrastructure: The authors reiterate that some components of your network infrastructure will need to be replaced, while others will need to be modified to adapt to zero trust security. This process can be incremental and should not cause grave disruption to services provided within your network infrastructure.

Chapter 7 – Network Access Control: The 802.1x-based network access control (NAC) protocol is not suitable for a true zero trust solution. The authors explain why and how to proceed to NAC solutions that are suitable.

Chapter 8 – Intrusion Detection and Prevention Systems: These devices still play a vital role in zero trust security, potentially as policy enforcement points.

Chapter 9 – Virtual Private Networks: Within the ZTA, there should be no such thing as remote access, just access. Virtual private networks must go!

Chapter 10 – Next-Generation Firewalls: The authors foresee next-generation firewall (NGFW) vendors adding more and more zero trust capability to their products. Be on the lookout for the best solution for your network infrastructure.

Chapter 11 – Security Operations: In a successful ZTA, Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) tools will provide the critical role of bringing together security solutions across your network infrastructure as part of security operations.

Chapter 12 – Privileged Access Management: Current privileged access management (PAM) solutions are no substitute for zero trust security, but can be integrated into a zero-trust solution to enhance both capabilities.

Chapter 13 – Data Protection: Data is a special resource that must be protected through data lifecycle management and data governance.

Chapter 14 – Infrastructure and Platform as a Service: When your network infrastructure resides within a cloud service provider (CSP) as either infrastructure as a service (IaaS) or platform as a service (PaaS), there is a shared security model that must be considered when implementing zero trust solutions.

Chapter 15 – Software as a Service: The authors consider software as a service (SaaS) to be “an interesting and dynamic space to watch”, especially with regards to zero trust-aware SaaS applications that provide not only identity, authentication, and access services, but authorization services as well. This is one area where the authors anticipate the SaaS providers themselves lead the way.

Chapter 16 – IoT Devices and “Things”: Welcome to the 21st century, where the Internet of Things (IoT) is a thing! The carelessness with which these devices have been strewn all over many network infrastructures makes them a particularly challenging problem to secure properly at all, much less within a holistic ZTA. But the authors still think you should try.

Chapter 17 – A Zero Trust Policy Model: The authors examine the logical components of zero trust policies (subject criteria, actions, targets, and conditions) from a deployment and flow perspective within several policy scenarios to see how internal and external mechanisms provide contextual information with which to make access decisions. This chapter is important but one of the more difficult ones to follow. You will need to read it several times.

Chapter 18 – Zero Trust Scenarios: This is where the rubber meets the road. The authors take everything they discussed from the previous chapters to describe and analyze seven different scenarios for applying zero trust within an IT enterprise. Another chapter to read and reread again and again.

Chapter 19 – Making Zero Trust Successful: The authors realize that understanding chapter 18 is like swallowing an elephant whole; so, in this chapter they describe top-down and bottom-up approaches to initiating the implementation and deployment of zero trust products and solutions within your IT enterprise. Enjoy!
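The review above mentions two ideas that are easy to state and harder to picture: deny-all / permit-by-exception as the default posture, and a policy model built from subject criteria, actions, targets, and conditions that a policy decision point (PDP) evaluates before a policy enforcement point (PEP) lets traffic through. The following is an added illustration, not code from the book or from any product it discusses; the attribute names (`dept`, `role`), the context signals (`mfa`, `device_compliant`, `hour`), the policy names and the sample requests are all constructed for this example.

```python
"""Toy policy decision point (PDP) showing deny-all / permit-by-exception.

Constructed example: policy names, attribute names, condition signals and the
sample requests are invented for illustration only.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Request:
    subject: Dict[str, str]        # identity attributes asserted by the IdP
    action: str                    # what the subject wants to do
    target: str                    # the resource the PEP fronts
    context: Dict[str, object]     # runtime signals: MFA, device posture, hour


@dataclass
class Policy:
    name: str
    subject_criteria: Dict[str, str]   # every key must equal the subject attr
    actions: Set[str]
    targets: Set[str]
    conditions: List[Callable[[Dict[str, object]], bool]] = field(default_factory=list)


def policy_matches(policy: Policy, req: Request) -> bool:
    """A policy applies only when subject, action, target and all conditions agree."""
    if any(req.subject.get(k) != v for k, v in policy.subject_criteria.items()):
        return False
    if req.action not in policy.actions or req.target not in policy.targets:
        return False
    # A missing context signal counts as a failed condition, never as a pass.
    return all(cond(req.context) for cond in policy.conditions)


def decide(policies: List[Policy], req: Request) -> Tuple[str, str]:
    """Deny by default; permit only when some policy explicitly matches."""
    for policy in policies:
        if policy_matches(policy, req):
            return ("permit", policy.name)
    return ("deny", "default-deny")


# Conditions evaluated against the request context (constructed signal names).
def mfa_done(ctx: Dict[str, object]) -> bool:
    return ctx.get("mfa") is True


def device_compliant(ctx: Dict[str, object]) -> bool:
    return ctx.get("device_compliant") is True


def business_hours(ctx: Dict[str, object]) -> bool:
    hour = ctx.get("hour")
    return isinstance(hour, int) and 8 <= hour < 18


# The only exceptions to the default deny. Everything else is refused.
POLICIES = [
    Policy("finance-read", {"dept": "finance"}, {"read"}, {"ledger"},
           [mfa_done, device_compliant]),
    Policy("dba-admin", {"role": "dba"}, {"admin", "read"}, {"ledger-db"},
           [mfa_done, device_compliant, business_hours]),
]


def sample_decisions() -> Dict[str, Tuple[str, str]]:
    """Run a handful of constructed requests through the PDP."""
    analyst = {"dept": "finance", "role": "analyst"}
    dba = {"dept": "it", "role": "dba"}
    ok_ctx = {"mfa": True, "device_compliant": True, "hour": 10}
    requests = {
        "analyst_ok": Request(analyst, "read", "ledger", ok_ctx),
        "analyst_no_mfa": Request(analyst, "read", "ledger",
                                  {"device_compliant": True, "hour": 10}),
        "analyst_write": Request(analyst, "write", "ledger", ok_ctx),
        "dba_after_hours": Request(dba, "admin", "ledger-db",
                                   {"mfa": True, "device_compliant": True, "hour": 23}),
        "dba_ok": Request(dba, "admin", "ledger-db", ok_ctx),
    }
    return {name: decide(POLICIES, r) for name, r in requests.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in sample_decisions().items():
        print(f"{name:16s} -> {verdict} ({reason})")
```

The point to notice is the shape of `decide`: there is no "allow" fallthrough, and a condition whose input signal is simply absent (the `analyst_no_mfa` case) fails closed rather than open. A real PDP would pull subject attributes from an identity provider and context from device and network telemetry, and the PEP would cache nothing beyond the decision's stated lifetime, but the evaluation order (subject, action, target, then conditions, then default deny) is the same.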
S**K
Very high level - below expectations
This book doesn't provide anything except high level description about the Zero Trust concept. If you look for some details or interesting things - you won't find it here. I think that you can find better resources on the internet.
A**R
Fantastic book
A very good book on Zero Trust security which every cyber security and network professional need to have a glance at. Very well depicted and the flow is very good. Thanks for such a wonderful book...
J**Y
A Great Book for Theory and Patterns, but Lacking Real World Examples
This is a very good book. It's new (circa 2021), and touches on most of the concerns of a modern enterprise network environment (SaaS/IaaS/PaaS, IoT, remote/mobile workforce, BYOD, MFA, etc.).

This book is aimed at I.T. leaders or C-suite execs who are running enterprise networks and who want to learn what "Zero Trust" is all about and if/when/how they should implement ZT in their own network stack. That said, this is not really a technical book. It's almost entirely about the philosophy and approach that forms the foundation of a "Zero Trust" approach to network security.

The book does a good job of methodically defining and exploring all the core components that a Zero Trust platform comprises - both human (users), and technical (networks, servers, services, policies, etc.). It explains each major conceptual component in some detail, as well as how they all fit together. It really does do a great job of explaining all the theories and patterns of Zero Trust as it is being practiced in enterprise networks today.

My only major complaint about this book is that it draws a very hard stop at the theoretical boundary. The authors make an explicit point of never mentioning any actual real world "Zero Trust" commercial offering available on the market today (i.e. no ZT platforms/packages/vendors are named or reviewed, whatsoever). They admit upfront that these things change so fast anything they write would be outdated in short order – but while I appreciate their candor, it left all the terrific theory to suffer from remaining completely ungrounded in any real world executions / implementations. (Note: The authors do refer to 2 famous Zero Trust case studies (that were also written about in another very well known Zero Trust book), but even these were covered only briefly and in minimal detail).

While Parts 1 & 2 of the book didn't suffer too much for this theory-only abstraction, Part 3 (the final 3 chapters of the book) is all about "bringing it all together" – but while their goal was to ground all the components into real world examples to tie it all together, by not citing any actual implementations or details of real world examples, the last 80 pages of the book basically read to me as all fluff. Lots of great advice - but nothing to tether it to reality.

Going back to the top, this really is a great book overall. I just wish they'd added 2 chapters where they reviewed at least the leading real world commercial Zero Trust products/vendors/platforms available in the market today, and shared their deep experience with the pros and cons of each. This would have grounded their many great insights in a real-world foundation to help readers understand what actually IS the state of the art *right now*. As it is, their theoretical writing will still suffer from being outdated within a few years – but their 2022 readers won't get as much value as they could have had the authors just gotten their hands dirty with some nitty gritty implementation examples. Oh well.

PS: The editor also deserves a scolding. There were just a few too many sloppy typos to go unnoticed.
E**N
Great book for understanding Zero Trust Security
I am in a place where I need to explain to customers what Zero Trust Security is and how it could be used in their own situation. Many times I felt I needed a comprehensive guide-book, both for my own understanding and for better conversations with customers.

I found this book and it is exactly what I wanted. It is a great guide-book, very informative, and worth reading no matter how much you already know about Zero Trust.

One recommendation is to have a quick look at Chapter 18: Zero Trust Scenarios first. With these scenarios in mind, I found it much easier to read the other chapters.