What does “buying zero trust” even mean? That you’ve bought into the modern security concepts that governments and industry bodies have been promoting? That you’ve received funding and resources from your enterprise to start the journey? Or maybe you have simply cut a PO to a vendor who has promised you zero trust in a box or as a service?
Whatever the case may be, taking that initial step towards a zero trust transformation can be daunting, but you're not the first to embark on this journey! Explore some helpful recommendations to get yourself started. These are sourced from my own zero trust journey, my peers, and working with many large enterprises around the globe.
Figure out your priorities
A zero trust transformation will touch your whole IT organization along with the entire enterprise, so don’t boil the ocean. Take things easy at the beginning while everyone is still learning. Play with the new concepts, get everyone’s fingers dirty, and identify quick wins based on security and business needs. Much of your initial progress will come through experimentation and skunkworks projects as you form the more extensive formal zero trust program.
Build a vision, create a cause
Perhaps most importantly, you need a long-term vision that your organization can get behind. Unlike previous IT “upgrades,” zero trust is not something you can slot into the data center unnoticed. You need moonshot visions to help the cause. What will the user experience look like? How about infrastructure design? How will apps be presented in the new environment? Publish your visions, get people behind you, and maintain momentum. You will cause discomfort through changes in procedures and policy. Doing so without organizational understanding and support will only piss people off.
Set out rules of engagement
People, particularly their attitudes, help determine the success or failure of a project. Every organization has detractors and opponents of change. Set some guidelines or even semi-amusing commandments to keep people and their attitudes in check.
- “We’ve always done it this way” is not an excuse
- You did sign up for this by working in IT
- It is OK to rewrite the policy
- It is now in your wheelhouse
Automation is not a choice, it's a lifestyle
Zero trust is more than networks and infrastructure. In my humble opinion, much of the focus should be on people and on the policies and procedures that allow errors and misconfigurations. Manual deployments and configuration are ripe for mistakes, which introduce risk. Manual work processes breed errors. Encourage automation everywhere, and remove human error from the equation.
Plan education and support
Zero trust is about undoing “what we all know and have done” over the past 20-30 years. Not only will education be required for people to adapt, but they will also need your support. Your security and networking personnel may require some extra attention due to the changes they will endure, and no, bourbon will not be enough.
Don’t forget the Identity
Many enterprises have lumped the responsibility of knowing “who needs access to what” into IT, giving them an impossible task. Many say, “Identity is the new security perimeter” regarding zero trust. Having robust entitlement policies sourced from employees’ roles or personas will ensure efficiency and compliance (HR + application and data owners have a prominent role to play here). Run an identity modernization program the business supports in parallel with the zero trust program. Trust starts at zero, but it builds upon verifiable identity.
Don’t do it on your own
Talk to your peers. Everyone is doing zero trust. Everyone is learning as they go. Everyone needs a little help from each other.
Government agencies around the globe have also published frameworks and maturity models to help. Find one that aligns with your needs and use it as a guide, not a strict rulebook, to help you through the journey.
The concept of zero trust architecture is causing the biggest upheaval the IT industry has ever seen, even more significant than the cloud. Many IT pros will be working on zero trust projects for the rest of their careers. Treat these changes differently than any other IT project you have undertaken, and you will give yourself and your organization a good chance at success.