In Zero Trust, instead of focusing on the macro level of the attack surface, we determine what we need to protect: the smallest possible reduction of the attack surface, or the protect surface. Typically, a Zero Trust network defines a protect surface based upon at least one of these four things (remembered by the acronym DAAS):
- Data: What data needs to be protected?
- Applications: Which applications consume sensitive information?
- Assets: Which assets are most sensitive?
- Services: Which services, such as DNS, DHCP, and Active Directory, can be exploited to disrupt normal IT operations?
The awesome thing about the protect surface is that not only is it orders of magnitude smaller than the overall attack surface but it is always knowable. You may not know what it should be today, but you can always find out. Most organizations can’t really define the attack surface, which is why penetration testers always get inside. There are myriad ways to intrude upon an organization’s macro-perimeter. This is why the idea of a large perimeter-based security approach has demonstrated itself to be unsuccessful. In the old model, controls such as firewalls and intrusion prevention technologies were pushed to the edge of the perimeter, which is as far away from the protect surface as you can possibly get.
Source: Define a Protect Surface to Massively Reduce Your Attack Surface