Many companies shy away from leveraging a zero trust infrastructure as they fear their business agility might be compromised without a strong investment supporting the implementation.
Many businesses fail to enforce zero trust infrastructure because they lack the understanding or are influenced by certain myths. The view that zero trust is an all-or-nothing strategy, and that benefits can be reaped only after full system integration, is far from the truth.
Companies that possess ‘brownfield’ environments claim that their technical debt makes it unviable to implement and invest in a zero-trust model as it may also affect their business agility. They might be under the belief that only ‘greenfield’ environments can pull off this security approach. On the contrary, it is possible for any company, provided they follow a systematic process.
Although Forrester presented a zero-trust framework of seven pillars, experts suspect that the companies might be overwhelmed by the various business areas that would be involved. They call it a ‘boiling the ocean’ problem. The solution should be looked at with an incremental and agile perspective where benefits are acquired at every stage. It would allow organizations to measurably improve their security along the process. How can this be done?
The first step would be to identify one application, or a set of applications, that would probably benefit the most from a zero trust model. This would be a critical application that CISOs or even CEOs are most aware of, as it demonstrates ROI. Once the security priorities are locked in, choosing the best zero trust pillar to start with is imperative.
It would be counterproductive and over-ambitious to enforce the process across all business verticals. The business goal should be to choose the right initial pillars. There are several zero trust infrastructure assessment tools at companies’ disposal. These help them locate gaps in the organization and provide insights for the major decision about which pillars require the most focus.
Another vital decision lies in sourcing the right security controls. After the primary focus point is identified, businesses can specify the controls that they are trying to achieve. For instance, if an assessment locates excess network access to application workloads, recommendations are made to establish a micro-segmentation strategy, which would curb the risks.
Meanwhile, to implement the controls properly, the organization should identify essential data. It is a crucial step, as the most effective zero trust implementation depends on access to contextual information. With good visibility, the process will help create the policies needed to achieve the required results. It is important to remember that the zero-trust segmentation policy requires three types of data, including real-time traffic of the secured workloads and an application dependency map, which is based on the former data points.
Once the process is successfully in place, companies can repeat it while focussing on another area. Eventually, with repeated iterations, zero trust security across the entire infrastructure can be achieved without affecting business agility.
IT experts strongly recommend that companies not stop here. They should continuously monitor traffic events and look out for unexpected activities that might invite threats. It is critical to remember that zero-trust is not a foolproof outcome but only a powerful security strategy.
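The dependency-map and monitoring steps described above can be sketched in a few lines. This is an added example, not code from the article: it collapses observed flows into an application dependency map, turns the map into a default-deny allowlist, and flags later traffic that falls outside it. The workload labels, IP addresses, flows and function names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not from the article): workload labels and observed flows.
WORKLOADS = {
    "10.0.1.10": ("billing", "web"),
    "10.0.1.20": ("billing", "app"),
    "10.0.1.30": ("billing", "db"),
    "10.0.2.10": ("hr", "web"),
}
BASELINE_FLOWS = [  # (src_ip, dst_ip, dst_port, proto)
    ("10.0.1.10", "10.0.1.20", 8443, "tcp"),
    ("10.0.1.20", "10.0.1.30", 5432, "tcp"),
    ("10.0.1.10", "10.0.1.20", 8443, "tcp"),
]

def build_dependency_map(flows, workloads):
    """Collapse per-IP flows into label-to-label edges with hit counts."""
    edges = defaultdict(int)
    for src, dst, port, proto in flows:
        if src in workloads and dst in workloads:
            edges[(workloads[src], workloads[dst], port, proto)] += 1
    return dict(edges)

def derive_allowlist(dep_map):
    """Default-deny policy: every edge in the map becomes one allow rule."""
    return set(dep_map)

def classify(flow, workloads, allowlist):
    """Return 'allowed', 'unexpected' (no matching rule) or 'unknown-workload'."""
    src, dst, port, proto = flow
    if src not in workloads or dst not in workloads:
        return "unknown-workload"
    key = (workloads[src], workloads[dst], port, proto)
    return "allowed" if key in allowlist else "unexpected"

def review(flows, workloads, allowlist):
    """Return the flows that are not covered by the policy, with the reason."""
    return [(f, v) for f in flows if (v := classify(f, workloads, allowlist)) != "allowed"]

if __name__ == "__main__":
    policy = derive_allowlist(build_dependency_map(BASELINE_FLOWS, WORKLOADS))
    live = [
        ("10.0.1.10", "10.0.1.20", 8443, "tcp"),  # matches the baseline
        ("10.0.2.10", "10.0.1.30", 5432, "tcp"),  # hr web reaching billing db
        ("10.0.9.99", "10.0.1.30", 5432, "tcp"),  # unlabelled source
    ]
    for flow, verdict in review(live, WORKLOADS, policy):
        print(verdict, flow)
```

A baseline built from observed traffic should be reviewed before it becomes policy, since the observation window can already contain access that should not be allowed.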