When embarking on a zero trust architecture, many find themselves in a cycle of fits and starts because of roadblocks. Those that overcome the roadblocks ascend to agents of change and enable their businesses to grow. But how do you know what to expect or how do you plan for the unexpected? In this article, we cover the main roadblocks that virtually every digital transformation leader faces and how to overcome them so that you can better plan your zero trust strategy. First up: the natural, normal, universal fear of change.
Fear of change and disruption
Unless you’ve committed to a life off the grid and have picked up hunter-gatherer skills during the pandemic, you, like everyone else, are contending with a world defined by accelerating change. Consider the questions millions of workers are now asking themselves: “What if I have to go back to the office?” “Will the technology in place meet the new and evolved business needs?” “Will everything work the same way as before?” “Will I commute just to spend most of my day on video calls?”
The negative aspects of how our disrupted workdays and the risks we’ll face come to mind right away, but why not take into equal or more measure the advances we can make through all of this change?
For those who can’t let go of on-premise technology solutions, the change must come from above. Change means risk, and risk can go either way: it can pay off handsomely or it can bring loss or painful disruption. The risk of adopting a new technology means being comfortable with some of the unknowns as you embark since there’s no way to control for all variables, especially as they relate over time. Zero trust is still new to many and requires a major change in mindset before you can fully appreciate what it brings. Moving from a network-centric model to direct user-to-application access sounds simple enough, but can be jarring to someone who has been patching firewalls for a decade or two.
IT staff often find themselves firefighting since they are busy and focused on what is in front of them. But it is important that they take a step back to look at the bigger picture, and ask the hard questions: “Why are we always firefighting? “Is it because of too much legacy gear and thinking?” “Has the tech landscape become too complex?” Why not simplify network architecture so that data packets move reliably and as fast as possible and then focus on what really matters––protecting users, devices, applications, and data.
“A mindset change and making sure everyone is in the Zero Trust boat is rowing in the same direction.”
To assure everyone is rowing in the same direction, define what your ultimate goal is and how the organization fits into the future, including updated roles and responsibilities. Take, for example, policy. Going forward, decide who writes it and who enforces it. Will it be the security team or the network team? By answering the question upfront about how each of your staff members fit into the future, allows all your technicians to focus on how to change and grow at the same time.
The struggle between network and security teams
Too many organizations find themselves stuck because although roles and responsibilities were defined, they didn’t include an operational structure ensuring the security and network teams worked together and not as two ships passing in the night and not working as one organization. The network team is focused on reliability, stability, and moving traffic as fast a possible. Change is difficult because preparing for network maintenance and an outage window is painful and often not approved due to the disruption of the business. Meanwhile, the security team is fixated on ensuring nothing bad happens, which means control. Control causes friction and often results in poor user experience or project roadblocks. Find a balance where both teams enable the business and accelerate business goals.
Defining zero trust and building a strategy
Now that your security and network teams have a clear understanding of their roles and responsibilities, you can define what zero trust means for your organization. There are many publications from the White House, NIST, CISA, Gartner, etc., to help you with the true definition of zero trust. Determine what you want to achieve with a zero trust architecture. How will it enable your business and enhance your security posture? Once you can articulate that, your organization can lay out the capabilities needed in the overall architecture. Use a comprehensive approach versus a tactical one. Don’t get caught up reacting to a specific situation or pain point but rather define a zero trust strategy. That means accounting for users, applications, workloads, whether they be on-premise, off-premise, or in the cloud. This zero trust “fabric” should encompass all the connectivity scenarios: user-to-app, app-to-app, IoT-to-app, third-party access, workload-to-workload, cloud-to-cloud, and abstract it from the network.
Then your stakeholders will understand the technical solutions that may fulfill the strategy and displace costly infrastructure.
More products don’t equate to more security
Previously, IT focused on best-of-breed solutions that increase operational overhead and risk because each would need a designated technician(s) to master it. Today, that view is changing. Many are looking to reduce the number of point solutions in favor of platforms. These can support ecosystems and are open to provide economies of scale, simplifying operational overhead, reducing cost, and turning vendors into partners. A platform minimizes the configuration overhead, consolidates features, and uses common, foundational services. Yes, there could be tradeoffs as some features in a platform portfolio may not be as specific as those offered by a best-of-breed provider.
A zero trust journey doesn’t mean flipping a switch and throwing away your legacy technology or completely rearchitecting your network overnight. Changes can be made in methodical stages. But it must be software-defined so that you have a separate control and data plane. This allows for a zero trust-based security overlay on top of your existing network and legacy architecture. In turn, you can reduce firewalls and other redundant aspects of the corporate network so that it is distilled down to do one thing: transport data reliably.
Letting go of legacy systems
The final roadblock when moving to a zero trust architecture is what to do with previous, overlapping, and redundant technology. The urge to reduce risk is high, so understandably, many implementation plans call for leaving legacy hardware on-premise as an “insurance policy.” However, this legacy environment becomes a dust collector and yet is seldom decommissioned. Decommissioning irrelevant hardware will not only reduce costs but also eliminate a potential risk exposure for systems that may not be properly patched and maintained.
True transformation requires removing legacy infrastructure and will probably be one of the hardest hurdles to get over. Many organizations skip this part. But to reduce risk, you must reduce legacy hardware, and you need someone that is willing to drive this aspect of a project. The last thing IT needs is to introduce a new system, have the old system in place due to some dependencies that should have been accounted for upfront, and before they know, are running and maintaining both systems.
Zero trust is not a leap of faith but a proven, superlative approach for successful enterprise cybersecurity. By planning for and expecting roadblocks, CXOs can lead the charge to digital modernization and enable their business partners with new models that will power the future.
What to read next
Secure digital transformation is business transformation [podcast]