Digital transformation occurs not only in technology but also in a number of non-technology areas. These include changes in culture and mindset, organizational structure, processes, and skill sets. While often not prioritized during secure digital transformations, these areas all play a critical role in its success.
If done correctly, non-technology transformations can have lasting positive effects on how the organization functions. They may improve an organization’s abilities to cater to business requirements, become agile, and break down silos. However, these changes do not happen overnight. They rely on the fortitude of dedicated CXOs exercising effective top-down leadership.
Culture and mindset
Culture and mindset are areas that are hard to define, measure, and influence, but are crucial to the adoption of zero trust technology. Persuading the business culture and mindset to embrace zero trust greatly affects the success of its deployment and operation. Organizations trapped in a legacy mindset may find pockets of resistance to change. Within every IT department there are people who love their network, have faith in their firewalls, and believe there's nothing wrong with VPNs.
Companies selling traditional solutions have no interest in disrupting the market because they can simply create another point product to address the next problem. Another product equals another sale, including fees for upgrades and maintenance– and the cycle is perpetuated.
Many companies have invested so much in point security and networking products that it's not easy for them to try something new, even if the benefits are measurable and significant. Zero trust represents a departure from long-standing norms, and a journey into unfamiliar territory.
When trying to change culture and mindset, it can be useful to use the analogy of embracing cloud-hosted applications. This usually begins with a lift-and-shift approach (moving data center apps into the public cloud), and ultimately ends with building cloud-native applications and adopting SaaS. This process was daunting at first, but it is now mainstream.
A similar shift in mindset is needed when transforming network and security. That which can be implemented in the cloud must be, for both operational and scale benefits. That which can remove the inherent security risks in legacy architectures, a pillar of zero trust, must be embraced as well.
While changing business culture and mindset is difficult, CXOs are leaders by nature and have the benefit of implementing a top-down approach. For example, changing KPIs and incentive structures may nudge their teams toward accepting a new way of thinking.
Traditionally, organizational structures within IT tend to be siloed in nature and aligned along functional responsibilities (e.g., network, security, and application). Daily operations among these groups are not particularly aligned:
- The network team’s remit is to provide fast and reliable connectivity to resources.
- The security team’s function is to provide security and controlled access to the same resources.
- The application team’s goal is to ensure employees’ application usage is optimal for the business.
While each of these goals sometimes seems at odds with one another, the ultimate goal of all of these parties is the same: ensuring employees have fast, reliable, and secure use of business resources. Zero trust architecture is a key enabler of this unified goal.
Zero trust optimizes the efforts of various IT teams by allowing them to work together. A few examples of cross-functional collaboration include zero trust connectivity and application access policies:
- While security often takes the lead in operating ZTA, network and security must work together on the architecture. Zero trust control is provided via a security cloud. Therefore, network teams working closely with security are critical to ensure the connectivity of users, branches, things, or workloads to the service edge.
- Additionally, the ownership of the hardware-based security stack that typically fell to the network infrastructure team now becomes a joint effort when migrated into a cloud-based ZTA. Configuration of the service edge now falls to both network and security.
- User access policy is set from a user-to-app perspective and no longer at the network level. This means application teams working closely with security are responsible for setting the granular access policy that ZTA allows.
CXOs can consider creating zero trust team structures (that have representatives across teams), and realigned KPIs or incentive structures. All of these techniques can encourage cross-functional collaboration.
Moving to zero trust architecture can greatly simplify cumbersome manual processes. As with any transformation, adopting zero trust technology requires processes to be rethought to ensure both the deployment and operationalization of zero trust technology take advantage of the desired security and network benefits.
Under a ZTA, there are far fewer disparate systems to manage. This leads to reduced complexity, including the following:
- Being able to segment apps by simple identity-based rules, not by manually intensive network-based configurations
- Leveraging a cloud-based intelligence engine to simplify updating threat intelligence or data classification rules
- Visibility into app access and usage leading to insights that can improve workflows and processes
There are five areas where a ZTA can simplify existing processes:
1. Configuration of a consolidated cloud security platform
ZTA removes much of the configuration required by network level controls. Network layer segmentation rules, done through VLANs and ACLs, are now done at the user-to-app level through logical policies (only Department X can access Application Y). Other configurations are greatly simplified. For example, DLP, firewalls, SWGs, etc., performed on hardware-based appliances procured from a variety of vendors (each with its own UI), are now centrally consolidated on a cloud security platform. A single UI from a single vendor yields significant advantages by removing the many processes required to maintain individual security point solutions.
2. Creation of application access policies
Zero trust eliminates many network layer processes while introducing the initial setting and upkeep of granular application segmentation policies. These policies govern which users can access specific resources. Shifting from network level to app-based requires some investigative work. Processes must be initiated to discover who needs to connect to what so that proper policies can be set. There will also need to be procedures to change these policies if they are too stringent or lenient, or when user requests come in.
Zero trust solutions simplify this process by revealing application flows and making policy recommendations. This process extends to understanding identity (as defined by the IdP), user context, and user risk. These factors will influence the type of access granted to a connection (e.g., allow, isolate, warn and allow, etc.).
3. Remote access setup of branch office and remote workers
Processing the configuration of a branch or remote worker also changes in a zero trust architecture. A single agent sitting on the end user’s device facilitates all secure connectivity (through the zero trust cloud). Any network-layer configuration, other than basic routing, goes away, as does the need for branch office firewalls or other security stacks. Under certain configurations, there may be a need to configure a GRE or IPSec tunnel to forward traffic to the zero trust edge, but all other functions are handled by the security cloud.
Setting up remote workers is also greatly simplified. The same always-on agent secures access for remote and mobile users (based on user-to-app policy). The agent intelligently forwards internal and external traffic through the appropriate controls. This eliminates the complex processes needed to deploy, maintain, and write configurations for VPNs.
4. M&A integration
The IT process that accompanies a merger and acquisition (or divestiture) can be daunting, given the complexities of integrating disparate network stacks, with its unique addressing and technical debt. A ZTA greatly simplifies M&A integration, since the network is abstracted–all integration happens at the application level. This allows users to access applications without ever having to integrate at the network layer.
5. Security stack maintenance and upgrade
Processes to maintain and upgrade a hardware-based security stack can be cumbersome, especially given recent supply chain issues. A cloud-based zero trust provider can replicate the same security stack functions, infrastructure maintenance, and upgrades. Just the configuration and underlying network connectivity to the security cloud is required by the organization.
While moving to zero trust architecture can greatly simplify the many manual tasks that IT personnel have to manage, it does require that such personnel have a different skill set from traditional network and security engineers, architects, etc. Essentially, network and security personnel are being asked to convert to a zero trust way of thinking, which will upend many of the skills they may have spent years or decades mastering.
The number of required vendor-specific skills diminishes as tasks are consolidated on a zero trust platform. Network and security personnel will need to refocus their training on the operational skills needed for a smaller set of ecosystem vendors.
As a result, some of the certifications championed by hardware-based vendors become less meaningful. In their place, professionals can pursue zero trust certifications offered by industry organizations, like the Cloud Security Alliance (CSA), or security vendors, like Zscaler’s Zero Trust Certified Architect program.
What to read next
Secure transformation requires cultural change: Lessons from Microsoft’s journey
Herding cats: How to lead a digital transformation in a federated organization