The core principles of Zero Trust — The Open Group

Note: This is part four of a five-part series on the origins and tenets of Zero Trust. 

The Open Group is an international vendor- and technology-neutral consortium that includes hundreds of member organizations. The consortium develops technology standards and certifications, and it absorbed the work of the Jericho Forum when it sunset in 2013. The Open Group maintains a library of publications, including the white paper defining Zero Trust Core Principles. Below are the 11 core principles organized into four common themes:

1. Organizational Value and Risk Alignment principles address key goals for business, IT, and security stakeholders to address overall strategic drivers.
   
   
   
   1. Modern work enablement
   
   
   2. Goal alignment
   
   
   3. Risk alignment
   
   
   
   


2. Guardrails and Governance principles address compliance, risk, and information security stakeholders to guide the adoption of Zero Trust and ensure sustainability of assurances.
   
   
   
   1. People guidance and inspiration
   
   
   2. Risk and complexity reduction
   
   
   3. Alignment and automation
   
   
   4. Security for the full lifecycle
   
   
   
   


3. Technology principles address the IT organization, information security, and risk and compliance stakeholders and determine technology decisions that underlie the development of a ZTA, including concerns associated with identity, access, and reduced threat surface area.
   
   
   
   1. Asset-centric security
   
   
   2. Least privilege
   
   
   
   


4. Security Controls principles address security and IT architects to ensure strong foundations of confidentiality, integrity, and availability assurances.
   
   
   
   1. Simple and pervasive
   
   
   2. Explicit trust validation
   
   
   
   

The language describing these principles and themes is taken directly from The Open Group Zero Trust Core Principles document. There is much more detail in the document.

An example of Zero Trust in action

You can use these themes to help you address business needs and risk management concerns. The Open Group provides the example of Acme Banking Corp, a face-to-face bank that is losing business due to COVID disruption, digital transformation, and the changing regulatory environment. In this example, Acme leadership has asked for a strategy that will meet these new requirements:

• Acme Banking Corp. must support remote work for employees to work from home and use their own devices to do their job (including their banking staff interacting with clients in an online model).


• The push to agility requires migrating to a digital world with more online interactions and fewer physical banking centers.


• Managing increasing complexity is required due to continuously evolving sales and client relationships (and applications) to keep up with competitors and customer preferences.

Using The Open Group’s structure of principles and themes, you can align the new business requirements with the security of Zero Trust. From the first theme, Organizational Value and Risk Alignment:

• Core principle 1: Modern work enablement — Respond to rapidly evolving consumer needs and business relationships by leveraging the Zero Trust capability of adaptive identity.


• Core principle 2: Goal alignment — Identify, respond to, and mitigate threats as they arrive by leveraging the Zero Trust capability of real-time/near real-time response.


• Core principle 3: Risk alignment — Report compliance to their regulators using the Zero Trust capabilities of quantitative risk through industry-standard risk frameworks and automated audit.

Structuring your security strategy this way will reveal anything you may have missed. It also helps you communicate the Zero Trust concept using the language of the business driver.

In our next post we’ll look at the CISA Zero Trust Maturity Model. You can read all posts in the series here.