Time to Level-up Your Zero Trust Maturity
June 30, 2023
In today’s new hybrid normal, employees want the same experience working from anywhere, anytime, on any device while enterprise IT landscapes are becoming more complex with a hybrid mix of multi-cloud environments, SaaS and on-premises infrastructures. Adding to the complexity is the increasing sophistication, frequency and cost of security incidents. These reasons compelled most CISOs to accelerate their transition towards a Zero Trust Architecture driven by the core principle of never trust, always (continuously) verify. Zero Trust is based on a set of guiding principles to enable least-privilege per-request access to all enterprise IT assets. Since this isn’t a one-size-fits-all commoditized solution, a successful Zero Trust implementation won't be the same across enterprises but will be driven by their business and technology needs and ambitions.
Defining the right next level on your Zero Trust journey
It's critical that Chief Information Security Officers (CISOs) and their security teams assess the maturity of their current Zero Trust posture in the context of their IT landscape and business requirements. The IT landscape includes, for example, the mix of legacy infrastructure, custom applications, IaaS/PaaS/SaaS on public/private cloud, private and public APIs, existing ticketing systems, unresolved IT integration from past M&As, automation, data quality and accessibility, and other technology considerations. Business requirements will depend on go-to-market models like B2B, B2C, supplier and logistics networks, regional and industry regulations, government cybersecurity standards, competitive landscape, customer and employee expectations, cost of cyber insurance, and other requirements and constraints.
Of course, the prime focus of a Zero Trust assessment will be to evaluate existing cybersecurity infrastructure and its operations. We recommend that our clients closely align with the Cybersecurity & Infrastructure Security Agency’s (CISA) maturity model that evaluates maturity across these five foundational pillars of Zero Trust:
- Identity
- Devices
- Networks
- Applications and Workloads
- Data
As important as it is to enhance your capabilities in each of these pillars and support them with mature automation, governance and analytics, it’s also important to understand how everything comes together as an integrated Zero Trust architecture to enable least-privilege access and other Zero Trust principles.
As a general approach, enterprises can start with a network-first or an identity-first approach to Zero Trust. For most of our clients, we have seen an identity-first approach as the preferred path towards a Zero Trust posture. This is primarily because everything starts with an identity, and hence clients have some level of maturity and expertise in identity-based access management of enterprise assets. Also, it can enable more granular control for the policy engine, which makes it more dependable. It is no surprise, then, that the Everest Group estimates about 65% of clients are opting for identity-based Zero Trust implementations. It’s important to note that we aren’t excluding any of the foundational pillars of Zero Trust, but only discussing how to approach implementation.
As mentioned earlier, Zero Trust isn’t a one-size-fits-all commoditized solution but one that needs to be contextualized to business needs, IT complexities, current maturity level, budgets and timelines. Although it’s good to take inspiration from the Zero Trust maturity frameworks on the market today, we recommend partnering with a cybersecurity services vendor who has the experience and expertise to tailor the journey. This helps enterprises plan for a realistic next level in their Zero Trust maturity journey and create a strong business case for it. I've seen how the key to success is in finding the right balance between compliance and risk management needs and the need to support business enablement and improve the employee experience.
Transition to the next level on your Zero Trust journey
Once you have defined the next level on your Zero Trust journey, we recommend a phased approach to implementation as described below.
1. Actors: Evaluate and create a complete list of actors in the enterprise (employees, clients, suppliers, vendors, etc.).
2. IT Assets: Evaluate and create a complete list of IT assets in the enterprise (data, applications, devices, networks, etc.).
3. Processes: Evaluate and create a complete list of processes, automation and the associated risks (joiner/leaver/mover process, threat response orchestration process, etc.).
4. Policies: Update the policy engine to accommodate least-privilege, per-request access to all enterprise IT assets.
5. Solutions: Evaluate current solutions and propose new solutions, such as MFA, IGA, PKI/KMS, ITDR, MDR, etc.
6. Deployments: Refresh the architecture, create a phased implementation roadmap and shape the managed services model to reach the next level in your Zero Trust journey.
Ideally, large enterprises with hybrid multi-cloud infrastructures should have a team with expertise in leading security software products and experience in deploying cybersecurity solutions and managing operations in a complex environment. Also, in a fast-changing threat landscape, enterprises need threat intelligence capabilities and the ability to respond in real time to mitigate risks. This is where NTT DATA’s experienced cybersecurity consultants and certified technology experts can deliver our end-to-end cybersecurity services, driven by our Zero Trust approach, to guide your journey from assessment to implementation and managed services. Our global operations, strategic alliances, local expertise, tools, accelerators and automation make us the trusted global innovator to our clients.
Now is the time for you to level up your Zero Trust maturity and protect your enterprise against evolving threat actors. Contact us or explore our end-to-end cybersecurity services to see how we can help accelerate your Zero Trust journey.