www.pwc.

ch

Zero Trust
architecture:
a paradigm shift
in cybersecurity
and privacy
Intro 3

Zero Trust architecture: towards data protection

and compliance 4

Security architecture as an integrated part of

enterprise architecture 5

Six steps towards implementing Zero Trust 6

1. Identifying and discovering sensitive data (‘crown jewels’) 6
2. Identifying sensitive data flows 7
3. Definition and architecture of micro-perimeters/data enclaves 7
4. Security policy and control framework 7
5. Continuous security monitoring and intelligent analysis 8
6. Security orchestration and automation 10

Conclusion and next steps 11

Contacts 12
 Intro

Given that cyberattacks can lead to devastating losses of

Increasingly complex cyber- money, trust and reputation, companies have an intrinsic
incentive to strengthen their security set-up. The demand for
attacks and a reactive but an appropriate level of protection for specific data types is
sophisticated regulatory landscape increasingly formulated in regulatory requirements that
are pushing companies’ demand technical and organisational measures to ensure
data confidentiality, integrity, availability and privacy.
cybersecurity capabilities to the
limits. A paradigm shift in IT As cyber threats increase and Organizations simultaneously
security architecture – Zero Trust – show continued deficiencies when it comes to data protection,
the regulatory landscape is becoming more sophisticated and
has attracted increasing attention complex. According to PwC’s 23rd CEO survey*, Swiss CEOs
as a way of responding to these recognize this challenge. They consider cyber risks the third
largest threat to their growth prospects and believe that
challenges. By enforcing a 'no trust
regulation will become more fractured and complex. Even
without verification’ policy, Zero Trust though Swiss firms show a certain level of awareness, they still
strengthens a company’s cybersecurity maintain inadequate cybersecurity to be able to protect data,
detect attacks in two time and be able to respond to
posture by making cyber issues an attack.
more visible and facilitating
compliance with data protection Fighting the symptoms rather than the causes is insufficient.
Cyber-resilience starts at the root – the IT security
requirements. architecture – which manifests and conceptualises
information security. The IT security architecture determines
how technical security measures are established within the
overall enterprise architecture, aligning internal and external
requirements. The security architecture addresses the entire
life cycle of (electronic) data – from data generation, usage,
transfer and storage to archiving and destruction – and it
covers all components, including physical or virtualised client
and server end-points, IT and business applications, IT
platforms and infrastructure, as well as the network that
connects all the various resources together.

In the traditional approach to IT security, the network

perimeter is used as the enforcement point for security
controls. Once this point is passed, most resources can be
accessed. This perimeter enforcement is, however, not
sufficient any more, as many devices on a network have
access to the internet. If a device is compromised, the
attacker can access the corporate network without passing
through the perimeter. A new paradigm is therefore
required: Zero Trust.

* PwC’s 23rd Annual Swiss CEO Survey 2019, PwC

Switzerland, 2020 https://www.pwc.ch/de/insights/ceo-
survey-2020.html

Zero Trust architecture: a paradigm shift in cybersecurity and privacy | 3

Zero Trust architecture: towards data
protection and compliance
Unlike solely perimeter-based security, Zero Trust promotes a research company Forrester introduced the term Zero Trust
micro-perimeter approach based on user access, data location Architecture. The security concept gained vast attention when
and an application Hosting model. Within this micro- Google announced the implementation of a Zero Trust
segmented network, sensitive data is protected, and any network, BeyondCorp, a few years later. Google implemented
access is verified and requires authorisation. User behaviour this concept as a reaction to Operation Aurora, a series of
analytics and real-time threat intelligence identify anomalies, sophisticated cyber-attacks that hit Google in 2009.
and sandboxes ensure the isolation of potentially hostile data
processing activities. The Zero Trust approach is not limited Zero Trust has now gone mainstream. The National Institute
to the scope of the company’s data centres, but also of Standards and Technology (NIST) in the US just recently
encompasses controlled access and monitoring of data traffic published a Special Publication (SP 800-207) to formalise
to cloud, web services and IT services outsourced to a the approach, and the National Cybersecurity Center of
provider. Zero Trust is thus a very good way of modernising Excellence is currently documenting an example Zero Trust
network security in times of modern workforces and externally architecture that aligns to the concepts and principles in
hosted IT services. NIST SP 800-207. But even though the concept seems to
be on everyone’s lips and is used to promote many product
The term Zero Trust has attracted increasing attention launches, it is not yet widely implemented at a corporate level.
for quite some time. The architectural design was first The visualisation below introduces the main building blocks
introduced in 1994 by the Jericho Forum. Later, the market of a Zero Trust architecture.

Users

– Business users
– Clients and partners
– IT users

Devices Policy engine

– Unmanaged and mobile devices Internet Public
– Managed devices Policy administrator browsing email

Access network

Policy Decision Point (PDP) / Internet

Policy Enforcement Point (PEP) services
(User and device access)
PDP / PEP
Core Provider
GW to internet
network and cloud network

PDP / PEP PDP / PEP PDP / PEP

application access application access application access

Business app Outsourced app Cloud app / SaaS

PDP / PDP / PDP / PEP

infrastructure
PEP access infrastructure
PEP access Paas / IaaS access
IT infrastructure Outsourced IT Cloud services
in data centre infrastructure IaaS / Paas

Data Data Data

On-premises Co-location / IaaS Cloud IT

data centre private cloud services

Figure 1: PwC Security Reference Architecture with Zero Trust Policy Decision / Policy
Enforcement Points

4 | Zero Trust architecture: a paradigm shift in cybersecurity and privacy

The most important building blocks are the so-called policy The diagram above shows that PDPs and PEPs aren’t just on
decision points (PDPs) and policy enforcement points (PEPs) the external perimeter, but on many different points to segment
within the corporate network, used to build data enclaves and the network into zones. Depending on the size of an organi-
micro-perimeters. PDPs and PEPs are the points where se- sation’s IT estate, the segmentation of network Areas might
curity information is collected and used to either decide what include several server Areas to separate applications with dif-
path a transaction should take (PDP) or to enforce a specific ferent trust levels. Further segmentation is possible between
policy, such as requesting an additional factor for authentica- the middle tier and the back-end data storage.
tion or blocking a transaction if it’s considered non-trusted .

Security architecture as an integrated

part of enterprise architecture
To make the right decisions on network segmentation and the architecture can be used as a starting point to identify sensitive
positioning of PDPs and PEPs, the security architecture needs electronic data and data with enhanced regulatory
to be closely aligned with the business architecture in order requirements processed in business services. Once this data
to understand the data types processed, data classification is identified, data classification defines the protection level
applied and derived protection levels to be compliant required to process, transfer and store sensitive data in an
with internal policies and external regulations. As a guiding organization. The business architecture is thus the starting
principle, the business should drive IT, and IT security should point for identifying applications used along the business
be considered a quality aspect of IT. This means that the process to make use of electronic data in the specific context
business needs to formalise requirements for IT and IT security of an organization and data governance drives the process to
to appropriately protect data processed along the business classify data according to the applicable regulations.
processes. The visualisation below shows how the business

Architecture principles, vision and requirements

Architecture principles Technology strategy Architecture vision Stakeholder map

Architecture Ga
requirements ps

Business Information system Technology

architecture architecture architecture

Motivation and drivers Data Application IT

services
• Entities • Info system
Organization actors, roles services IT platform and
• Logical view
Virtualization

components

middleware
Logical tech
and SDN

• Physical view • Logical view

Business services, processes,
products, controls • Physical view

Data and IT governance, IT platform and

compliance middleware

IT security and cybersecurity architecture

Architecture realisation

Opportunities, solutions and Implementation governance,

Gap closing plan
migration planning standards and specifications

Figure 2: The security architecture as part of an enterprise architecture

framework

Zero Trust architecture: a paradigm shift in cybersecurity and privacy | 5

Six steps towards implementing
Zero Trust
• Payment card industry data according to PCI DSS
Applying Zero Trust to a specific • Business data such as financial statement information and
environment of an organisation tax-relevant data
requires six steps: • Business secrets concerning intellectual property and
other sensitive data such as mergers and acquisitions
(M&A) information.

1. Identifying and discovering You might consider the holistic micro-segmentation of all
data to be too costly. At the minimum you should use
sensitive data (‘crown jewels’) application processing data with a certain criticality level – in
terms of confidentiality, integrity, availability and privacy – to
An organization can outsource its entire IT infrastructure. create data enclaves with segmented sub-perimeters (see
However, the responsibility for data protection and step 3 below) . To establish a data inventory, you need to
compliance remains with the organization. It’s therefore discover all the data processing activities within the entire IT
crucial to set up an Inventory of data repositories. This environment to be able to assign the data sets to a data
inventory will allow the organization to identify the protection inventory and verify that the categorisation and classification
level and criticality of data, which is determined by internal of the data set is correct and a data owner is assigned. You
(e.g. intellectual property and business value) and external also need to of the an inventory of all data processing
(e.g. legal and regulatory compliance) requirements. applications, along with additional details to determine the
underlying IT infrastructure and the sourcing option used.
Depending on the different set of regulations and internal This should include data storage locations, backup
data requirements that apply, it’s a good idea to distinguish locations, file shares and other storage locations. The data
between the following data types (the list isn’t exhaustive): repository needs to be linked to the application inventory to
inform the data owner where data processing activities take
• Personal identifiable data (PII) according to the Swiss
place and who has access to these data. This is the basis
regulations and the EU General Data Protection
for identifying sensitive data traffic as outlined in step 2.
Regulation (including client identifying data, CID, as a
subset of PII to comply with local banking regulations)

6 | Zero Trust architecture: a paradigm shift in cybersecurity and privacy

2. Identifying sensitive data flows • IT users with privileged access who are able to modify
user access rights and security configurations, ending in
the ability to access sensitive data
To properly design network segments and detect anomalous
activities, your organization needs to be aware of the flows of • Clients and partners with access to sensitive data.
sensitive and critical data. This step has to involve IT and
business staff to understand the dependencies between For each user group – and potentially at sublevels – you have
the applications required along the business processes, the to define a set of controls that documents joiner-mover-leaver
involved IT components, the data traffic and the required processes, user entitlements and regular recertification cycles.
access rights. The business architecture is a good starting
point to understand the data types being processed In addition to user access management, data resources
by departments/corporate functions. The link to the IT (large- age and processing resources) with similar data
applications that process these data allows you to under- protection requirements might be grouped in a dedicated
stand the data flows. 'enclave' that can only be accessed by end-points with a
certain trust level. Such policies can be enforced at the PEP
A good way to document sensitive data flows is to use by protecting access to the data enclave thus offloading
swimlanes indicating what roles (impersonated by business security enforcement from each IT system and IT application.
users) process sensitive data as a task to perform a relevant A data enclave can either
step of a business process by using an IT application. It be a network segment in a data centre, in the cloud or with an
needs to be clear whether a business application processing IT service provider.
sensitive data is operated and hosted by the local IT unit, is
outsourced to a partner, or is provided as a cloud service.
This presumes adequate device management covering
4. Security policy and control
framework
• End-user devices (e.g. unmanaged, BYOD, mobile
devices or corporate managed devices) In step 1, data types with specific regulatory requirements
were identified, discovered and filed in an inventory of data
• Network devices (owned/managed by your IT organization)
repositories. Based on external and internal requirements
• Corporate IT devices in the data centre (servers, storage, applicable to the various data types, the criticality of data
etc., owned/managed by your IT organization) can be formalised along the criteria of confidentiality, integrity,
availability and privacy. For PII additional considerations
• Inventory of sourced IT services if SaaS, IaaS or Paas from need to be applied to address also privacy requirements
a public or private cloud is used appropriately. In accordance with industry good practice
standards, technical and organisational security controls are
Verifying that all sensitive data flows are captured is a defined in a security policy framework.
joint exercise. The business has the contextual information
regarding data processing, and IT can ensure that all business The security policy framework is applied to the IT security
applications, data repositories – as identified in step 1 – and architecture which implements policy enforcement. NIST SP
devices are covered in the sensitive data traffic analysis. 800-207 distinguishes between policy enforcement points
Once you have that you can deploy adequate measures (PEPs) and policy decision points (PDPs). This ensures that
determining how to protect data at rest, in motion or in use. policies are enforced at all gateways and data enclaves or – in
case of a policy violation – an action is triggered. As shown in
Figure 1, the following network segments with PDPs/PEPs are
3. Definition and architecture of suggested as a minimum:

micro-perimeters/data enclaves • PDPs/PEPs for user & device access: Only users
with an appropriate entitlement can access IT systems
The definition of sub-perimeters depends on step 1 (the that process sensitive data. This can be achieved (i)
identification of sensitive data) and step 2 (flows of these road managed end user devices, (ii) by onboarding an
data within networks, sites and IT systems). The unmanaged device (e.g. a bring your own device [BYOD])
identification of sensitive data repositories means at first road a mobile device management (MDM) system
implementing need-to- know/need-to-do, and is based on or (iii) by providing a virtual desktop infrastructure as a
least privilege principles for access controls. This requires a precondition to grant access to sensitive data.
data owner to understand and define what roles need to
access data, approve access requests from users holding • PDPs/PEPs on the application level: On the application
that role, and entitlement management. But user level, access to sensitive data is granted based on the
entitlements aren’t a one-off exercise: access controls least privilege (need-to-know/need-to-do) principle. This
require continuous revisions and auditing. means that application users only have access rights
An adequate user management process hedles the following to data required for their daily work. Privileged roles are
broad groups of IT users separately: implemented road step-up mechanisms or road a
• Business users with access to an IT application that separate login. In addition, application security controls
processes sensitive data and application logging are enforced, and logs are sent
to a centralised log repository.

Zero Trust architecture: a paradigm shift in cybersecurity and privacy | 7

• PDPs/PEPs on the IT infrastructure level: This includes To ensure that the policy framework includes all the necessary
privileged IT roles on the platform and IT infrastructure level safeguards, you need to of the a threat assessment that simu-
to operate and maintain IT platforms (operating systems, lates common threats along the critical data flows in the entire
databases, storage, network and virtualization). Access IT estate controlled by your organization. This enables you to
to sensitive data for privileged IT accounts should be verify that any identified cyber risk is mitigated to an accept-
limited to a minimum road access control, data encryption able level, and helps ensure that detection measures are in
technology and break-glass procedures. In addition, you place and effective.
might use dedicated management Areas with jump host
and other security measures might to block management
access road standard user access Areas. 5. Continuous security monitoring
• Access to data is granted either road an application or and intelligent analysis
an IT infrastructure. There is No direct access to data
on storage level. Sensitive data should therefore not be All relevant end-points, gateways (PDPs and PEPs) and all
downloadable to a personal device, personal storage sensitive data traffic require logging and real-time inspection
device or public cloud storage outside the organisation’s for malicious activities. Depending on the maturity and size of
access management. your organization monitoring functions can be distributed
across several IT divisions, which is a challenge when it
• PDPs/PEPs to internet & cloud services: This refers to comes to reliably detecting security relevant incidents. You
gateways for specific protocols and IT services: should make sure monitoring covers the following focus areas:

– Web browsing (outbound): This gateway ensures that

• IT operations monitoring usually refers to the availability of
only legitimate sites and content are accessed, and that
IT services, network components and communication links.
sensitive data are not uploaded to unauthorised cloud
storage services or shared externally. In addition, there • Enterprise security monitoring refers to all IT
should be mechanisms to detect infected end-points infrastructure components owned and managed by the
contacting known command and control (C2C) corporate IT organization. A centralised log repository with
infrastructure structure and detect the installation of visualisation, dashboards and reporting provides
malware at an end- point, along with other anomalies. a viewfinder into the organisation’s IT security estate. In
– Web access (inbound): Access road the public internet, addition, a security information and event management
i.e. road a web application, needs a gateway referred to system (SIEM) should be in place to process and correlate
as web application firewall (WAF) or reverse proxy to events to be able to reliably detect security incidents.
enforce access policy for web services from the internet
and enable malware detection. Organizations with a higher level of maturity extend the scope
of security monitoring from monitoring their own IT devices to a
– Secure email gateway: This is the gateway separate- full view of their IT infrastructure, including public cloud
ing internal and external email. It detects and protects services or wherever corporate data are processed, transferred
against data leakage road email and ensures email to/from or stored.
secu-
Rita. This includes detecting spam, phishing and malware • Compliance monitoring includes all aspects that are not
delivery via email. covered by security monitoring or IT operations. Usually the
–
following aspects are covered in compliance monitoring:
Cloud security gateway or cloud access security
broker (CASB): This gateway ensures that business – Security configuration baseline monitoring
data is only shared and processed with authorised
– File integrity monitoring/detection of unauthorised
cloud providers and that security measures for data
changes
protection, confidentiality and access control are applied
accordingly. A CASB is usually able to encrypt sensitive – IT asset discovery and vulnerability scanning
data before it’s sent and stored in a SaaS application such
– Data breach detection
as Microsoft SharePoint, Microsoft Dynamics, Salesforce,
etc.
– Zero Trust introduces compliance monitoring as a subset of
Remote access: Remote access by business users, (enterprise) security monitoring, and assumes that event
IT users and partners with privileged access to sensitive logs are a central service and available to all monitoring
data needs to pass a special gateway for management functions. In reality, logs, events and information are often
access to IT infrastructure and policy administration. duplicated and not shared among all monitoring functions.
To ensure appropriate handling, your organization therefore
The security policy and control framework cover the entire IT needs to determine which log information has to be retained
scope, whether it’s on-premises, outsourced or in the cloud. and whether additional requirements for legal admissibility and
Trust is not given based on a concept or a service level e-discovery might apply for investigations and audit purposes.
agreement, but is verified before access to IT services and You also need to define whether additional measures are
data is granted. Trust is conditional on a non-exclusive required to maintain integrity and avoid deletion or alternations.
combination of the user’s ID, the connecting device, the It’s important to realise that the different aspects of enterprise
connecting location and the accessed service. security and compliance monitoring vary in terms of their focus
areas and the immediacy with which alerts and deviations are
responded to.

8 | Zero Trust architecture: a paradigm shift in cybersecurity and privacy

Security monitoring aspects Compliance monitoring aspects
Usually the security operation centre (SOC) is in charge of The compliance aspect in security monitoring adds business
analysing security-relevant events and verifying security awareness to data processing activities across the entire
incidents to detect cyberattacks at the IT infrastructure level, technology stack. It involves defining the regular/unsuspicious
advanced persistent threats, lateral movement and other use of sensitive data within an organization. The aim is to
common cyber threats. Identifying attacks can be facilitated provide evidence to the data owner and to internal/external
using information from end-point agents acting as PDPs audit that all relevant security controls are in place and
and PEPs to enrich the network and device logs used by the effective, and that the need-to-know principle for data access is
SOC – usually processed in an SIEM. Security monitoring enforced. The aspects current regulations require evidence for
also requires access to the software package repository and include:
configuration management database (CMDB) to verify that the
applicable security configuration baseline is applied.
Deploying user and entity behaviour analytics (UEBA)
together with threat intelligence feeds of known bad IP
addresses
and domains, anomalies can be detected by correlating data
from different sources in the SIEM and enriched to make
use of automation to minimise human resources for manual
verification by the SOC analysts.

Compliance aspect Details Evidence

Security Technical baselines are Compliance report for all

1 configuration defined and applied to all IT IT infrastructure elements in scope
baseline (SCB) infrastructure elements. SCBs are of regulations; process to manage
monitoring regularly monitored road a tool. SCB and deviations.
Deviations are managed by a
formal process.
File integrity On the application and platform Authorised & unauthorised changes
2 monitoring (END) level critical system parameters for each platform and app; change
are identified and monitored for process; END alert handling
changes.
procedure.

Vulnerability In all relevant network segments, List of IT assets with a status

3 monitoring IT assets are discovered and of known vulnerabilities; vulnerability
regular vulnerability scans are management process.
conducted.

Data breach PII/CID data leakage is detected or Application logging; use cases for
4 detection prevented at client end-points, suspicious behaviour in application;
application and relevant gateways. upload, email security incident
processes.

To have comprehensive compliance monitoring in place you relevant IT security controls are in place and effective.
first need to establish IT governance and data governance. A compliance alert (e.g. an unauthorised change of a security-
Depending on the maturity of your enterprise security relevant configuration) would not require an immediate
monitoring, tools, sensors and logs may already be in place, response from compliance monitoring if it is not caused by the
and it may only be necessary to create new reports, lateral movement of a malicious threat actor.
dashboards and Visualizations. Many Organizations are
aware that they currently lack visibility and need to evaluate Compliance monitoring therefore delivers valuable evidence
and deploy new tools. for IT hygiene, internal and external audits, and speeds up the
process of evidence collection for the auditor. If required,
The main difference between enterprise security compliance monitoring tools can be used for continuous
monitoring and compliance monitoring is their response time to auditing to eliminate the need to provide ad-hoc evidence for
alerts and deviations. Security relevant alerts could trigger an the auditor.
immediate reaction from the computer security incident
response team (CSIRT). Compliance monitoring, on the other
hand, involves verifying IT hygiene and IT quality aspects to
ensure that

Zero Trust architecture: a paradigm shift in cybersecurity and privacy | 9

6. Security orchestration and
automation
As soon as enterprise security monitoring and compliance
monitoring are established and have reached a basic maturity
level, successive improvements follow.

As speed is paramount for the detection and remediation of

cyber-threats, your organization may decide to implement The transformation towards Zero
automated security analytics to minimise exposure to
vulnerabilities. For instance, if malicious behaviour is identified
Trust is a time-consuming and
with a high degree of confidence, the user in question can complex task. It’s therefore advisable
automatically be isolated from the network. There’s also great to initiate it in an area of the network
potential for automatically updating the rule and policy base for
that’s
access controls by integrating it in your HR department’s joiner-
mover-leaver process to efficiently maintain trusted identities well understood in terms of the data
and assigned roles. To make use of automation, you need an types and data flows it’s attached to.
orchestration layer combining all policy enforcement points with Other parts can then be transformed
the policy administrator. The orchestration layer allows you to
include additional aspects – such as threat intelligence feeds or
successively without disrupting your
DNS sink hole information – to increase confidence when business environment.
identifying policy violations and suspicious processing of
sensitive data.

If you opt for such an integration, you need to make sure

different tools and data sources are interconnected. SOAR
(security orchestration, automation and response) is a solution
stack of compatible software programs that allow an organize-
tion to collect data about security threats from multiple sources
and respond to low-level security events without human
assistance. The goal of using a SOAR stack is to improve the
efficiency of security operations. The term, which was coined
by the research firm Gartner, can be applied to compatible
products and services that help define, prioritise, standardise
and automate security incident response functions.

According to Gartner, the three most important capabilities

of SOAR technologies are:

These technologies These technologies help

support the remediation an organization plan,
of vulnerabilities. Threat and Security manage, track and
They provide formalised vulnerabilit incident coordinate the response
workflow, reporting y response to a security incident.
and collaboration managem
capabilities.

Security
operations
automation

These technologies support the automation and orchestration

of workflows, processes, policy execution and reporting.

10 | Zero Trust architecture: a paradigm shift in cybersecurity and privacy

Conclusion and next steps

Zero Trust isn’t a product or status. It’s a concept that helps

an organization gain transparency on data processing PwC is happy to support
activities, identify sensitive or critical data, and apply an
adequate level of protective, detective and reactive security
Organizations and service providers
measures. with the implementation of Zero
Trust and compliance monitoring by:
It’s crucial to understand that trust isn’t guaranteed merely
on the basis of a promise made by a vendor or provider or a
policy statement accepted by a user. Trust needs to be • Helping them identify and discover
verified at policy enforcement points (PEPs) or policy decision critical or sensitive data types
points (PDPs) before access to a data enclave or a network
segment is given. To of the so it’s necessary to segment the • Defining and applying data
network and use of centrally managed next-generation firewalls categorisation and classification
– as policy enforcement points in front of data enclaves where
sensitive data are stored and processed – regardless whether
• Providing architecture guidelines
this in the cloud, on premises or at an
IT provider’s. to integrate Zero Trust in security
architecture and aligned enterprise
Finally, the best way of detecting cyberattacks and architecture
unauthorised access to sensitive data is to process all
security relevant information and logs centrally to verify • Helping them implement data
that data protection measures are in place.
Comprehensive security monitoring allows you to identify protection solutions and processes
suspicious data
processing by learning from the legitimate day-to-day use of • Running compliance monitoring
sensitive data, threat intelligence and correlation. PEPs and as a service or helping
PDPs deliver the necessary information to correlate security- Organizations operate compliance
relevant information so that automation can be applied and
suspicious transactions can be contained.
monitoring independently.

Zero Trust architecture: a paradigm shift in cybersecurity and privacy | 11