A Zero Trust Architecture ("ZTA") migration or build project is significantly more than implementing systems and training users in their usage. For many organizations, it is a major paradigm shift that requires significant culture changes. Migrating to ZTA changes how people interact with information technology and how information technology governance (ITG) manages strategic changes and tactical changes to the Information Technology Environment (ITE), which include not only the technology but also IT operations.
Historically, organizations adopting proactive IT security frameworks start strong and then, for lack of management discipline, drift slowly from the proactive strategy to reactive tactical management. The framework and architectures fragment, ultimately failing to protect the organization from cyberattacks and losing all the gains achieved at the initial implementation. This failure to be "persistent" should be considered a major risk to any ZTA implementation. To succeed, ZTA requires that IT management adopt it as a "persistent" security strategy. This can be difficult because information technology environments are constantly evolving: business processes are ever changing, as is the supporting technology. Each new request for significant technology change must be assessed to determine how it integrates into the ZTA. If the technology will not integrate, IT management needs the strength to refuse deployment and the flexibility to find an adequate alternative that is ZTA compatible. IT management simply must have the discipline to adhere to the ZTA framework.
ZTA is an all-encompassing security framework and, to reach its ultimate effectiveness, should include all technology-related business processes, identities, endpoints, networks, infrastructure, applications, and data under the ZTA umbrella. However, reality and experience pretty clearly indicate that, without starting from scratch, the direct and indirect costs of migrating everything to an all-inclusive ZTA environment can outweigh the final benefits. Part of the ZTA migration strategy is to formalize a risk-based decision process to determine what will be within the ZTA environment and what may remain in a non-ZTA environment. Formal processing and data risk assessments are key to the decision-making process.
Core Insights understands the requirements and the activities an organization will need to successfully migrate the current IT environment to Zero Trust and then "persistently" maintain the strategy.
To kick off the migration to a ZTA strategy, Core Insights uses a technology-agnostic, phased project approach derived from modified Microsoft RaMP (Rapid Modernization Plan) and NIST 800-27 approaches. Where these approaches are mainly centered on the technology requirements, Core Insights enhances the project by adding the culture change requirements, to mitigate the risk of failure over time because the strategy did not "mainstream" within the organization.
Core Insights ZTA migration project assistance begins with providing the Readiness Gap Assessment (RGA). This document describes the operations and technology that can be directly integrated into a ZTA and the operations and technology that need to be modified, enhanced, or replaced. The RGA feeds directly into the second deliverable, which is the critical ZTA project roadmap. The roadmap is the living project plan: a high-level prioritized list of tasks, the initial timelines, the required resources, and the project risks. The project tasks include analysis and assessment of instances where both the organization and the technology need to be modified and enhanced. To build this critical document, Core Insights uses the following methodology:
Phase 1: Environment Scoping
The organization completes our environment scoping surveys that gather information to properly size the project and more accurately determine the level of effort/hours to complete the different phases of the project.
Phase 2: Zero Trust Migration Readiness
Zero Trust Readiness is a readiness review of the current IT environment with the objective of providing the two key deliverable documents: the Readiness Gap Assessment, which outlines the gap between the current environment and an agreed-upon final ZTA strategic environment model, and the Project Roadmap. The assessment uses surveys, document reviews, and interviews to gather the required information. The assessment includes:
1. Developing and agreeing on a strategic ZTA environment model
2. Review organizational structure
3. Review IT organizational structure
4. Review the organizational culture and the business and IT operational relationship
5. Reviewing IT policies, standards, and procedures/operations as related to managing IT and organization strategy, identities, endpoints, networks, infrastructure, applications, and data
6. Reviewing the high-level network architecture
7. Review of security policy engine usage
8. Reviewing current authentication, authorization, and provisioning processes (depending on the size of the IT environment, this may be either a moderate-level or a granular-level review):
a. Identities
b. Endpoints
c. Networks
d. Infrastructures
e. Applications (including cloud environments)
f. Data
g. Security controls
h. Endpoints
i. Cloud environments
9. Network Security Controls
a. Network segmentation (e.g., micro-perimeters with micro-segmentation)
b. Threat protection
c. Traffic encryption
10. Application/database security
a. Visibility to activities and data usage
b. Rogue apps / Shadow IT
c. Monitoring for abnormal behavior
d. Controlling user actions
e. Validating secure configuration exceptions
11. Data security controls
a. Classification
b. Encryption
c. Access
d. DLP
12. Infrastructure security controls
a. Monitored workloads
b. Blocked unauthorized deployments with alerting
c. User and resource access segmented for each workload
d. Workload access control and visibility
13. Visibility, Response, and Automation Capabilities
a. Ability to detect potential threats (e.g., existing vulnerabilities, etc.)
b. Ability to detect in-process attacks
c. Automated investigation and response
d. Integration with entire ZTA
Phase 3: Analysis and Deliverables
Core Insights compiles all the gathered information and compares the current environment's security controls against the initial agreed-upon ZTA environment model. The comparison results are used to develop the living ZTA operations and technology deployment roadmap. The roadmap uses the project chunking concept to achieve early successes and minimize the chances of project slippage and scope creep. Moving forward, Core Insights can, as requested, provide project management and product selection assistance to maximize the probability of ZTA project success.