3 Zero Trust

Zero Trust is not a project but a new way of thinking about information security.

— John Kindervag, author of the founding zero trust paper, “No More Chewy Centers”

Transitioning to ZTA [zero trust architecture] is a journey concerning how an organization evaluates risk in its mission and cannot simply be accomplished with a wholesale replacement of technology.

— National Institute of Standards and Technology (NIST), Special Publication 800-207

Overview

Remember from Chapter 2 the difference between strategy and tactics? Strategy is what we want to get done; tactics are how we might go about it. In this chapter, the strategy is zero trust, and there are several tactics to consider to help accomplish it. I describe those tactics in detail. I use the Edward Snowden insider threat case as the poster child for why zero trust is necessary and explain why pursuing it is an ongoing journey rather than an end state. I talk about how you can travel a long way down that journey with tools and equipment you are likely already using. I explain why vulnerability management is an important zero trust tactic and not a stand-alone strategy. I make the case that you should be organizing your internal systems right now to use software bills of materials (SBOMs) and that a software-defined perimeter (SDP) is a better security architecture for zero trust than the current models. I conclude ...
