Zero Trust Security Framework
The security framework that takes into account vulnerabilities, threats and cultural and sector-related compliance guidelines. By linking together policy, architecture as well as operation, a clear overall view of information security is developed.
Protection and compliance
The ON2IT Zero Trust Security Framework enables organizations to demonstrate the protection and (continued) compliance of their network and data with national and international guidelines and legislation.
Starting with the policy and the organization’s principles as the foundation, the ON2IT Zero Trust Security Framework searches for weak spots and possible risks in the existing IT security in order to better secure the network and data.
As a result of quickly changing technologies and threats, conventional IT security has been radically changed into Zero Trust Security.
Thanks to the basic principle ‘never trust, always verify‘ and the segmented protection of the various components in the network, Zero Trust Security provides an immediate reduction in the impact of cybercrime, wherever the data may be located.
Unique through simplicity and automation
The ON2IT Zero Trust Security Framework (ZTSF) originated with the Zero Trust strategy by Forrester’s John Kindervag.
It is based in practice, existing (literary) sources and proven frameworks like those from the National Institute of Standards & Technology (NIST) and the National Cyber Security Center (NCSC) guideline.
The Zero Trust Security Framework, however, goes further and is unique thanks to:
the simplicity and therefore user-friendliness: no extensive, detailed framework but a summary of best practices; practical and easy to apply
the automation and therefore efficiency gain: (semi) automatic verification and validation mechanisms continuously determine the maturity level of IT security within the organization
Zero Trust Security Framework
The building blocks
The building blocks within the Framework help you to bring risk management, policy and practice in line with each other. Collectively, the building blocks determine the maturity of the IT security of the organization.
- Program – strategic determination of what information security entails
- Governance – usable and provable policy in relation to relevant laws and regulations
- Architecture – design of solid and safe IT networks within the organization
- Operation – for implementation, execution, monitoring, etc.
Building block 1: Program
At a strategic level, we set the framework within which the organization’s IT security must function. Management and board determine issues such as:
- which laws and regulations are applicable;
- what are the commercial interests that apply and which data we are to secure;
- which objectives and principles are in effect within the organization;
- which risks are present, how significant they are and how they should be mitigated;
- how to describe the internal procedure for continuous monitoring of the protection.
Building block 2: Governance
In the governance stage, the conditions established by the program are further interpreted in the form of concrete policy documents and procedures. The goal is for the organization to be compliant – both now and in the future – with the various relevant standards, so in this stage we define:
- which (external) standards are used;
- which procedures are present and how these should be interpreted;
- how to define control of this and how that is performed.
Building block 3: Architecture
The policies in the governance stage can now be translated into conceptual architecture (high-level designs) and logical architecture (low-level designs).
The IT security is elaborated into a strategic plan in the high-level design, and the low-level plan describes the logical flow of the various steps in the secure processing of company information.
Building block 4: Operation
Operation is the last set of components and processes within the ZTSF. Processes for operational support are defined in this stage. Attention will be given to the management of events, incidents, compliance, vulnerability and assets.