With the current culture of rapid IT innovation and transformation, Zero Trust has become an intimidating buzz term. Many engineers can say they have been implementing Zero Trust for years, while others say their organization will never achieve Zero Trust, and every vendor claims to have the optimal solution. With all the conflicting information and overuse of the term, how should organizations define the achievement of Zero Trust?
In an ideal world, no device or user can access an organization’s data without real-time verification. When a user attempts to access information, the user, account, and device should be verified, their access to the data confirmed, and a secure connection established. Zero Trust is continuous and dynamic, allowing access to be revoked at any time based on changes in the environment or with the user.
Real-time decision-making requires a strong foundation and tight integration across multiple domains (Identity, Device, Network, Application, and Data). Historically these domains have operated in silos; in most organizations they are at varying levels of maturity and likely include a number of legacy systems. This is often also the case within a single domain (e.g., multiple identity stores). The combination of organizational and technical debt can be daunting, and many organizations struggle with where to start.
The journey to Zero Trust can resolve real business problems and many organizations are already working on components of Zero Trust without realizing it. Focusing on the tangible value to the organization will: help gain buy-in from leadership and stakeholders; support the establishment of cross-functional teams with clear objectives to help integrate the siloed domains; and drive incremental improvements in the organization’s overall cybersecurity hygiene. Figure 1 provides examples organizations can target as part of their roadmap, which provide value to end users and to the organization. As part of our initial engagement with customers, we help prioritize Zero Trust initiatives that will help you (1) reach your long-term goal, (2) maximize your near-term value by mitigating the most critical risks, and (3) enhance the user experience, while also using terms and identifying targets that impact the organization.
Potential Business Value Achieved While on Your Zero Trust Journey
Consolidate Identity Services — Streamline login experience with fewer accounts for users to remember.
Deploy Enhanced Authentication Methods — No more password resets for users through password-less authentication.
Migrate to a Software Defined Network — Simplify firewall rules and increase the potential for secure cross-functional collaboration.
Catalog and Tag Business Data — Improve compliance and tracking of official records for capstone and auditable projects.
Deploy a Zero Trust Broker to Establish Secure Connections Directly to Applications — Secure access for users to internal applications from mobile devices.
Establish Dynamic Contextual Authentication Rules for Application Access — Users can gain access to the applications they need faster.
Guidehouse has helped key stakeholders at federal agencies and departments develop a more dynamic security mindset by identifying Zero Trust as a paradigm shift. Guidehouse drove this effort through a programmatic assessment of roles and responsibilities, technology, culture, and systems management practices across the organization. Guidehouse then developed a strategy using National Institute of Standards and Technology SP 800-207 and the Cybersecurity and Infrastructure Security Agency Zero Trust as pillars. This strategy identified the key components for helping the department measure maturity, identify strategic investments, and make the highest impact in their Zero Trust journey.