Develop a Clear Picture of Your Security Landscape with Zero Trust

Although many in the industry are exhausted by the term, zero trust remains incredibly relevant and viable as a modern-day framework for cybersecurity, taking into account the complexities inherent to hybrid infrastructures. Among the factors contributing to this growing complexity are the steady adoption of multicloud environments, investments in both Software and Platform as a Service, the outsourcing of operations to third parties, and organizations enabling hybrid workforces that can access systems both virtually and in person.

Zero trust has the right idea, ensuring that no matter where a digital identity is in that extended infrastructure, access to data down to the finest grain is constantly monitored and enforced appropriately. This shift in focus from infrastructure controls to identity- and data-centric controls is where zero trust holds a lot of power in how organizations are making investments to modernize their security posture.

A key tenet of a zero-trust architecture is ensuring a continuous understanding of precisely what data identities and devices are accessing across an environment. The continuous understanding requirement underpinning ZTA demands visibility into who or what is entering the network from what device, what application workloads are affected by that identity, and what infrastructure is being leveraged to access that data. As a result, ZTA improves observability for organizations, typically through policies, rules, controls and analytics driven by artificial intelligence.

Recent research conducted by CDW indicates that 41 percent of survey respondents have reached an advanced level of maturity in their zero-trust journey. But more than half are still finding their way to greater maturity.

This disparity didn’t surprise me, because many factors affect where organizations are on their ZTA journeys. Everyone has a different starting point based on their needs, which are predicated on the nature of their business. A publicly held company will need more visibility into its data than a private one. A large global company with a complex infrastructure will require more work in areas such as network segmentation and identity. A company with a fully virtual workforce will need very different tools and processes than a company with a hybrid workforce. And an institution that’s been around for more than 50 years, though probably further down the zero-trust road than most startups, is likely to have legacy tools, business logic and infrastructure that aren’t well suited for a ZTA model, requiring evaluation and eventual replacement.

Regardless of an organization’s zero-trust maturity level, some common challenges crop up that can make implementation more difficult. Survey respondents frequently cited these obstacles:

• C-Suite Buy-In: It can be a complicated process to get top-down support from executives with an appropriate incremental investment strategy that is realistic and aligns with your organization’s agility (ability to execute change) and budget.
• Stakeholder Support: Difficulties coordinating with the right stakeholders across the entire organization — including legal, finance and line-of-business leaders — can further hinder full-scale adoption of zero trust.
• Vendor Selection: It’s important to choose technology investments that suit your organization’s specific requirements and use cases. Many tech vendors say they are the answer to ZTA, but which ones fit your organization’s needs and align best with your desired business outcomes?

Facing any of the challenges above — or the many others our survey respondents mentioned — can inhibit a wholesale adoption of ZTA. To overcome these common obstacles, here are some solutions that have worked well for many of the organizations CDW has worked with on ZTA initiatives:

• Focus on business outcomes to get top-down buy-in. Detail how your ZTA initiative will reduce enterprise risk, lower the cost of a breach and better fortify your organization against cyberattacks (i.e., build in cyber resiliency). Promote operational efficiencies, such as automation, to overcome staff constraints, ensure faster time to market in areas where your organization is trying to innovate and improve agility to meet customer needs. Making these value statements quantifiable can be enticing to an executive committee and board of directors.
• Develop a good communications strategy and change management plan around the ZTA initiative. Clearly identify all the institutional stakeholders who need to be involved in executing the program in the long term. In many cases, ZTA is seamless to end users and should not negatively affect accessibility and availability. But ensuring that all constituents fully understand the service-level agreements and key performance indicators is essential. Prioritizing which applications, devices or infrastructure teams will be in scope as you roll out your program will ensure that you don’t boil the ocean or overwhelm your committed resources.
• Document where you are on the ZTA journey in relation to your priorities. Where do you have gaps? Where are you covered? How does this approach align with or add value to your larger IT and business initiatives or current security projects? Ensure that your approach to zero trust best fits your specific organizational needs and goals. A zero-trust maturity assessment can help you determine where to prioritize your time, people and budget.

There’s a powerful overarching message that comes out of the research report: A lot of organizations are in the same boat, and the more we collaborate on ways to solve these common challenges, the better off we’ll be. And while it’s comforting to know that your organization is not alone, there is also value in reaching out to peers in your industry (and to consulting firms such as CDW) to understand how others have solved these problems.

It’s clear that zero-trust architecture is not only here to stay but also will undoubtedly evolve along with other technology, tools and cybersecurity strategies. Zero trust is an ever-evolving framework because IT environments will also continue to grow and change.

I think much of the evolution will be around data protection, data security and data governance. Identity and access management is already crucial to ZTA strategy, but it frequently starts with identity and ends with data. Going forward, organizations should focus on IAM first, but then identify and segment their data — especially their most valuable intellectual property — as we begin to adopt more large language models residing in data lakes on an enterprise scale.

Data is already a pillar in zero trust, but an emphasis on data governance and data protection is on the horizon. Artificial intelligence will continue to drive increased attention and new innovation in that space in particular.