Zero Trust Controls Menu
By Gideon T. Rasmussen, CISSP, CRISC, CISA, CISM, CIPP
March 2021

Zero trust is a security model that accounts for adversaries within the internal network and insider
threat. It's interesting to focus on zero trust principles, where data flows, identifying controls
and to consider attack vectors in that environment.

Here is zero trust guidance from the NSA:

Adopt a Zero Trust mindset

To adequately address the modern dynamic threat environment requires:

  • Coordinated and aggressive system monitoring, system management, and defensive operations
    capabilities.
  • Assuming all requests for critical resources and all network traffic may be malicious.
  • Assuming all devices and infrastructure may be compromised.
  • Accepting that all access approvals to critical resources incur risk, and being prepared
    to perform rapid damage assessment, control, and recovery operations.

    Embrace Zero Trust guiding principles

    A Zero Trust solution requires operational capabilities that:

  • Never trust, always verify - Treat every user, device, application/workload, and data
    flow as untrusted. Authenticate and explicitly authorize each to the least privilege required using
    dynamic security policies.
  • Assume breach - Consciously operate and defend resources with the assumption that an
    adversary already has presence within the environment. Deny by default and heavily scrutinize all
    users, devices, data flows, and requests for access. Log, inspect, and continuously monitor all
    configuration changes, resource accesses, and network traffic for suspicious activity.
  • Verify explicitly - Access to all resources should be conducted in a consistent and secure
    manner using multiple attributes (dynamic and static) to derive confidence levels for contextual
    access decisions to resources.

  • NIST defines zero trust as:

    Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.

    With that said, here is a menu of controls that can be selected for a zero trust implementation:
    Zero Trust Controls
    Layer # Description
    Data ZT-01 Use tokenization to reduce where sensitive data is present
    Data ZT-02 Do not use sensitive data as identifiers (e.g. SSN and PAN)
    Data ZT-03 Use two-person integrity to protect against insider threat
    Application ZT-04 Protect high risk Internet-exposed apps w/a Web App FW
    Application ZT-05 Require MFA for web applications hosting sensitive data
    Application ZT-06 Code attack-aware application logging and alerting
    Host ZT-07 Validate hardening w/file integrity monitoring or config scans
    Host ZT-08 Require MFA for servers and virtual machines
    Host ZT-09 Install Endpoint Detection & Response software (S/VM/W)*
    Host ZT-10 Block access to malicious sites & web ads (workstations)
    Host ZT-11 Block access to external drive storage (e.g. USB drives)
    Host ZT-12 Control which binaries can execute with whitelisting software
    Host ZT-13 Role-based access control w/Privileged Access Management
    Internal Network ZT-14 Require MFA for routers, switches and firewalls
    Internal Network ZT-15 Role-based network segmentation (micro-segmentation)
    Internal Network ZT-16 Restrict access to sensitive networks w/a Jump Server w/MFA
    Internal Network ZT-17 Implement intrusion detection/prevention software
    Internal Network ZT-18 Implement Network Access Control (NAC)
    Internal Network ZT-19 Use an air gap to protect sensitive information (e.g. R&D)
    Perimeter ZT-20 Firewall rules w/granular source/destination & port/protocol
    Perimeter ZT-21 Use Data Loss Prevention to block sensitive data exfiltration
    Perimeter ZT-22 Block access personal e-mail access by default (e.g. Gmail)
    Perimeter ZT-23 Block Internet drive storage access by default (e.g. DropBox)
    Perimeter ZT-24 Block outbound access to file transfer protocols by default (e.g. FTP)
    Perimeter ZT-25 Require VPN w/MFA for remote access to the network
    Perimeter ZT-26 Implement Distributed Denial-of-Service (DDoS) protection
    Perimeter ZT-27 Block access to malicious sites and web advertisements
    Remote / Mobile ZT-28 Protect company data on mobile devices with MDM/apps
    Remote / Mobile ZT-29 Require MFA to connect to company network and apps
    Remote / Mobile ZT-30 Confirm hardening, patching and EDR (mobile & workstation)
    Remote / Mobile ZT-31 Ensure DNS web filter and DLP remain in place off network
    Remote / Mobile ZT-32 Configure laptops to enforce VPN login when off network
    * S/VM/W = Servers, virtual machines and workstations

    Additional zero trust controls follow in the tables below:

  • System hardening (HRD-XX)
  • Identity and access management (IAM-XX)
  • Network segmentation (SEG-XX)
  • Encryption (ENC-XX)
  • Security monitoring and response (SMR-XX)
    System Hardening
    Layer # Description
    Data HRD-01 Harden databases against attack with security configurations
    Data HRD-02 Install database security patches with a sense of urgency
    Data HRD-03 Centralize logging of databases to the SIEM/SOC
    Data HRD-04 Store backups offline (protect from ransomware encryption)
    Data HRD-05 Do not store sensitive data in non-production environments
    or require production quality controls to mitigate the risk
    Application HRD-06 Implement commercial application security configurations
    Application HRD-07 Install application security patches with a sense of urgency
    Application HRD-08 Centralize commercial application logging to the SIEM/SOC
    Application HRD-09 Embed cybersecurity w/in the system development lifecycle
    Application HRD-10 Harden custom apps w/secure coding practices (e.g. OWASP
    Top 10)
    Application HRD-11 Conduct source code scanning of all web applications
    Application HRD-12 Dynamic application scanning of apps w/sensitive data
    Application HRD-13 Penetration tests of Internet apps that host sensitive data
    Application HRD-14 Centralize custom application logging to the SIEM/SOC
    Host HRD-15 Secure OS configurations of servers, VMs and workstations
    Host HRD-16 Disable OS features and functionality that are not required
    Host HRD-17 Install security patches with a sense of urgency (S/VM/W)*
    Host HRD-18 Harden PowerShell to make it difficult to “live off the land”
    Host HRD-19 Centralize logging of S/VM/W to the SIEM/SOC*
    Internal Network HRD-20 Secure OS configuration of routers, switches and firewalls
    Internal Network HRD-21 Install security patches with a sense of urgency (R/SW/FW)*
    Internal Network HRD-22 Disable interactive logins of service accounts
    Internal Network HRD-23 Centralize logging of network devices to the SIEM/SOC
    Remote / Mobile HRD-24 Block users from downloading company attachments to
    mobile device storage
    * S/VM/W = Servers, virtual machines and workstations
    * R/SW/FW = Routers, switches and firewalls

    Identity and Access Management
    Layer # Description
    Data IAM-01 Restrict data access by least privilege (role-based)*
    Data IAM-02 Restrict data access by separation of duties*
    Data IAM-03 Do not allow shared accounts*
    Data IAM-04 Rescind accesses w/in 24 hours of a user’s last day*
    Data IAM-05 Conduct quarterly reviews and rescind legacy accesses*
    Data IAM-06 Rescind legacy accesses w/in 30 days of a role change*
    Data IAM-07 Compare a current list of employees and contractors to
    active system and application accounts
    Data IAM-08 Configure field-level permissions within databases
    Data IAM-09 Restrict access to storage arrays
    Application IAM-10 Integrate SSO with SaaS solutions to ensure systematic
    removal of accesses
    Application IAM-11 Control access with API authentication (e.g. OAuth or JWT)
    Application IAM-12 Conduct access reviews for third party applications
    Host IAM-13 Deny workstation administrative access for end users
    Internal Network IAM-14 Restrict internal network traffic with Access Control Lists
    Perimeter IAM-15 Include a deny-all rule at the bottom of FW rule bases
    Perimeter IAM-16 Compare a current list of employees and contractors to
    active ID access badges
    Remote / Mobile IAM-17 Require mobile device authentication via password or fingerprint
    * These controls should also be in place within application and network layers.
    Network Segmentation
    # Description
    SEG-01 Store sensitive data within isolated network segments (e.g. PCI and research
    & development)
    SEG-02 Establish a DMZ network(s) for systems that need to be exposed to the
    Internet (e.g. web and e-mail servers)
    SEG-03 Isolate administrative systems to their own network (e.g. backup servers,
    storage arrays, DNS web filters, etc.)
    SEG-04 Only allow DNS resolution to a web filter or to internal DNS servers and
    then trusted external DNS servers
    SEG-05 Block system attempts to resolve DNS from the Internet which can be used
    as a covert channel for data exfiltration
    SEG-06 Protect security systems by isolating them on their own network (e.g. SIEM
    and log servers)
    SEG-07 Isolate physical security systems on their own network
    SEG-08 Isolate Operational Technology (OT) on its own network (e.g. HVAC, elevators,
    etc.)
    SEG-09 Isolate VoIP phone systems on their own network
    SEG-10 Isolate Internet of Things (IoT) devices on their own network(s) (e.g. kiosks,
    copy machines, printers, etc.)
    SEG-11 Isolate specialty systems on their own networks (e.g., FedEx terminals,
    vending machines, FTP servers, fish tanks, etc.)
    SEG-12 Isolate the guest network. Only allow access to the Internet
    SEG-13 Restrict access to partners, vendors and suppliers with an Extranet or
    restrictive segmentation / ACLs
    SEG-14 Standardize network segmentation for common deployments (e.g. branch offices)
    Encryption
    Layer # Description
    Data ENC-01 Encrypt data-at-rest within databases with Transparent Data
    Encryption (TDE) or field-level encryption
    Host ENC-02 Encrypt data-at-rest within servers
    Host IAM-03 Encrypt data-at-rest within virtual machines
    Host ENC-04 Encrypt data-at-rest within workstations
    Host ENC-05 Encrypt data-at-rest within storage arrays
    Host ENC-06 Encrypt data-at-rest within backups
    Internal Network ENC-07 Encrypt data in transmission over the internal network
    Internal Network ENC-08 Encrypt data in transmission over wireless networks
    Internal Network ENC-09 Encrypt administrative console traffic
    Perimeter ENC-10 Encrypt web site and web application traffic
    Perimeter ENC-11 Encrypt VPN traffic
    Perimeter ENC-12 Encrypt e-mail with sensitive data present
    Remote / Mobile ENC-13 Encrypt company data in transmission for mobile devices
    Remote / Mobile ENC-14 Encrypt company data-at-rest within mobile devices
    Security Monitoring
    # Description
    SMR-01 Security Information and Event Management (SIEM)
    SMR-02 Use behavioral monitoring to detect suspicious behavior
    SMR-03 Use deception technology such as honeypots or honeynets
    SMR-04 Actively monitor 24x7 with a Security Operations Center
    SMR-05 Threat hunting, with activities documented in a log
    SMR-06 Use SOAR or another type of automated response to mitigate malicious activity
    SMR-07 Review security dashboards (e.g. Microsoft Secure Score and AWS Trusted Advisor)
    SMR-08 Toxic combination: Data exfiltration attempts
    Alert when user attempts X of the following within Y hours:
    SMR-08a Attempts to access personal e-mail (e.g. Gmail)
    SMR-08b Attempts to access Internet drive storage (e.g. Dropbox)
    SMR-08c Attempts to use a file transfer protocol outbound (e.g. FTP)
    SMR-08d Attempts to access external drive storage (e.g. USB drive)
    SMR-08e Attempts to send encrypted zip file
    SMR-08f Sends a file to a printer
    SMR-09 Alert when an account is added to the domain admin group
    SMR-10 Alert on admin activity late in the night
    SMR-11 Alert on service accounts performing interactive logins
    SMR-12 Alert when two systems communicate and that has not occurred within the past
    two months
    SMR-13 Alert when a system attempts to resolve DNS from the Internet versus the expected
    path of an internal DNS server or web filter
    SMR-14 Alert when a system stops replicating logs to the SIEM
    SMR-15 Integrate alerts into ticketing system for rapid response
    SMR-16 Enhanced monitoring for privileged users such as system administrators and
    finance personnel with the ability to manage funds
    SMR-17 Role-based monitoring for access to sensitive data (e.g. Call center operator
    accessing X or more PII records in an hour sends an alert to the supervisor)
    SMR-18 Enhanced monitoring when an employee gives notice
    SMR-19 Review logs for the past month when an employee gives notice
    SMR-20 Enhanced monitoring when an employee receives a significantly negative
    performance review, when an employee is subject to disciplinary action or when
    an employee is known to be disgruntled
    SMR-21 Search for unstructured data such as PII or PHI on laptops, servers,
    network file shares, SharePoint and in non-production environments
    SMR-22 Monitor for sensitive data posted on the dark web
    SMR-23 Monitor social media for company nonpublic information, confidential
    information and legal matters
    SMR-24 Conduct infrastructure vulnerability scans (external, internal and authenticated)
    SMR-25 Conduct infrastructure penetration tests annually
    SMR-26 Converge physical and IT security monitoring
    SMR-27 Maintain an Incident response plan w/scenarios
    SMR-28 Include a cloud IRP scenario (shared responsibility model)
    SMR-29 Conduct incident response exercises at least annually
    SMR-30 Subscribe to a data breach response service
    SMR-31 Assess service providers via a Third Party Risk Management Program
    SMR-32 Assess critical business processes subject to insider threat or fraud
    SMR-33 Commission an annual fraud prevention assessment
    Here is the NSA's guidance for zero trust design:

    Leverage Zero Trust design concepts

    When designing a Zero Trust solution:

  • Define mission outcomes - Derive the Zero Trust architecture from organization-specific mission requirements that identify the critical Data/Assets/Applications/Services (DAAS).
  • Architect from the inside out - First, focus on protecting critical DAAS. Second, secure all paths to access them.
  • Determine who/what needs access to the DAAS to create access control policies - Create security policies and apply them consistently across all environments (LAN, WAN, endpoint, perimeter, mobile, etc.).
  • Inspect and log all traffic before acting - Establish full visibility of all activity across all layers from endpoints and the network to enable analytics that can detect suspicious activity.

  • Next steps:

  • Evaluate your IT environment by zero trust principles. Consider using the control menu to delve deeper. Add your own controls to the mix.
  • When discussing each control identify:
    - Controls that are in place
    - Controls that need to be investigated to determine if they are in place
    - Controls should be added in the near-term
    - Controls to consider for the future
    - Controls that are not a good fit for the organization
  • Consider vendor zero trust implementations (e.g. AWS and Azure). Conduct analysis to identify gaps or to account for a shared security model.
  • Create alerts based on the MITRE ATT&CK Framework
  • Establish an insider threat program

    This is my interpretation of zero trust controls. The control menu above includes technical and administrative controls that align with zero trust guiding principles (Never trust, always verify; Assume breach; Verify explicitly). The menu is not a control framework or a complete listing of zero trust controls. Whether or not a control is appropriate will depend on where sensitive data is stored, processed or transmitted, the risk tolerance of the organization and available resources.

    References: NIST SP 800-207 Zero Trust Architecture and NSA Embracing a Zero Trust Security Model

    Disclaimer: The controls listed above are not warrantied or guaranteed for a particular purpose. It is the responsibility of an organization to select, implement and maintain appropriate cybersecurity controls for their IT environment.


    Click here for more professional development tips

  • Zero Trust Controls