Future-proof IT

Lessons learned along the way to zero trust

Jun 29, 2022
Zero trust lessons learned

What’s the meaning of transformation, and how do companies go about achieving it? At Zenith Live 2022 last week, my colleague and CXO REvolutionary Larry Biagini and I tackled this topic from our shared perspective as former Zscaler customers. Before joining Zscaler, I was head of global network services for a multinational healthcare and medical device company. In his previous role, Larry was the CTO at a large industrial manufacturer where he led the push for zero trust transformation. 

At our session “Transforming for the Future with Zero Trust,” we shared lessons from our journeys and some of the approaches we’ve seen companies take to zero trust transformation in terms of deployment, initial steps, and key milestones along the way. We also talked about common reasons companies adopt zero trust and the benefits that come with it.

Recognizing the need for change

I’ll be the first to admit that I was skeptical about moving to a SaaS-based security architecture when I first heard about it. After numerous meetings I then met with Larry who changed my mind. He told me bluntly, “I did it for my company of over 400 thousand people, and I did it a couple of years ago. You’re kind of behind the times.” He explained how he did it including the technical and business benefits, I began to open up to the possibilities.

Moving to the cloud and SaaS solutions meant changing how we thought and acted, specifically our reliance on enterprise castle-and-moat architecture. Recognizing momentous change had to occur, we decided to tackle it in stages rather than all at once to minimize disruption. 

So, that’s what we did.

In my role at Zscaler, when I talk with peers I tell them to learn from the lessons Larry and I experienced, both good and bad. So here are some tips for companies just beginning their zero trust transformation journeys.

Lesson 1: Look at the logs before you go live

They'll already know the technology works by that time, so instruct your teams to focus on logs and how operational procedures will change during the proof-of-value phase. Start with the logs you know you need and add from there. Don’t inundate your security information and event management (SIEM) solution with everything all at once. Also, counsel your teams to start thinking about how operational procedures will change. Don’t wait until you're ready to implement before considering operational readiness.

Lesson 2: Don’t let the little things stop you from moving forward

When you hit a snag, don’t stop. Set the issue aside for the time being and keep moving forward. If you treat this like a five-year project, that’s how long it will take. If you treat it like something you need to do because you’re exposed or vulnerable, you’ll do it much quicker than you believed possible. But you can’t do that if you focus too much on the one-offs or areas requiring more in-depth focus. If Voice over Internet Protocols (VOIPs) aren’t working, for instance, bypass them. Identity is another example. Don’t wait until you’ve conquered identity and access management before starting your transformation. Look at it as just another component you’re working on as you go.

Lesson 3: Manage expectations with the C-suite

Some of my peers have said their transformations were easy. I and others I know didn’t have the same experience. When you have significant technical debt, legacy instances, and validated environments – or when you’ve grown through acquisitions – there are many more bandages holding things together than you expect. 

Companies whose technical staff spend their entire careers there lose institutional knowledge when those employees retire. While there may be documentation, it's not the same as wisdom personally imparted by longtime practitioners. This isn't meant to discourage or scare anyone on change, but rather to acknowledge the reality that stopgaps emerge when unpacking any legacy technology operations. Teams should be ready to unwind and simplify these temporary fixes. 

Lesson 4: Deploy coexistent with VPN

The great thing about Zscaler is that it can be deployed and run alongside most VPNs. This allows for application discovery to confirm (or, for some, to understand) the application portfolio while ensuring it works with updated technology. 

With a VPN, users connect to the network. With Zscaler Private Access (ZPA), users connect to applications for which they have permission, thus removing the network layer. This means that, if applications still running on legacy technology don’t cooperate with ZPA, users who need to access them can do so via the VPN. In that case, ZPA would go dormant until the user disconnects from the VPN, at which point ZPA would seamlessly resume functioning.

Lesson 5: Configure policies as you would on premises – or not

It’s up to you and your organization to block prohibited websites on corporate devices. Zscaler solutions allow you to set policies that mimic the experience of being in the office. If users are prohibited from accessing a website while in the office, they can also be prohibited from accessing it outside the office. Or, alternatively, admins can grant open internet access to off-premise users, and do it securely by continuing to route traffic through the Zscaler cloud.

Lesson 6: Prioritize visibility

Many organizations today struggle with incident ticket-hopping due to a lack of visibility. When calling the help desk, a user who complains of an email issue may be routed to the network team, when in fact it should belong to the collaboration team. To help avoid such issues, Zscaler created its Zscaler Digital Experience (ZDX) solution. 

With ZDX, you can set which applications – external or internal – are monitored. Imagine how wonderful it would be for the help desk to be able to call a user and say, “Hey, it looks like you’re having a problem with latency. Is that true?” ZDX takes a previously reactive function like user support and makes it proactive. In addition, if a user calls the help desk with an issue, the agent can look at a graphical, hop-by-hop view to determine where the problem may be and route the ticket accordingly. 

It’s all about simplification

Identifying and unwinding the complexities implemented over the years can be nerve-racking and may leave some feeling vulnerable. Many also find daisy-chaining within their security stack adds latency. Finally, some struggle with maintaining firewall rules that have multiplied over the years, since it's unclear what they all do. But bypassing or eliminating the edge security stack is a benefit of zero trust network architecture. With Zscaler, single-scan multi-action inspection at scale promotes security without impacting user experience. 

Cutting costs and strengthening security

Apart from improving user experience, Zsaler also helps cut costs. Today’s economy has forced organizations to examine how to compensate for losses. Eliminating aging hardware, MPLS wide-area networks, and the need to react to fire drills helps organizations realize the value of transforming. Of course, zero trust architecture enhances overall security posture, but it also helps ease the struggle of simply keeping the lights on. 

Many companies are also taking advantage of market opportunities to expand through mergers and acquisitions. They often expect connectivity only days after a deal closes. Zscaler’s ZIA and ZPA solutions can ensure these connections are secure by linking users to applications rather than disparate networks. Zscaler also helps facilitate M&A by pinpointing where shadow IT may have spun up a cloud instance by using ZIA to see where users go on the internet, allowing admins to apply the full security suite to protect internet-bound traffic, and by running ZPA alongside the acquired company's VPN while performing application discovery.

The bottom line

Zero trust architecture can be implemented in steps – and it’s well worth getting started. But it’s up to you to take the lead. Don’t expect technical teams to lead the transformation. They’re too busy with their day-to-day responsibilities and may be unnerved by anything too foreign. 

Ultimately, ZIA and ZPA will help to enhance your security posture, reduce your attack surface, improve end-user experience, and reduce cost. 

View the session on-demand

What to read next 

CXOs see blurring lines between teams - Zenith Live 22 panel recap

Choose zero trust for security and spend – a conversation on business enablement