In the debut post of our series on how to simplify the adoption of a Zero Trust security model, we presented the planning steps needed before the implementation begins.
One of the most complex steps listed in that article is the Zero Trust journey, which consists of four phases (preparation, planning, access control, and implementation) and encompasses several processes.
Similarly to the other parts of this process, the Zero Trust journey can be simplified at many points, starting with the preparation phase, which will be covered in this blog post.
What Is the Preparation Phase in the Zero Trust Journey?
Complete, accurate, and timely visibility is the foundation of the Zero Trust architecture, and it all starts with preparation. The preparation phase consists of creating missions that include tasks to establish objectives and involve stakeholders in the process.
The preparation phase is divided into four stages: strategy, infrastructure, budget, and roadmap. Let’s take a closer look at each one of them.
The strategy stage defines the objectives, actions, and plans that together provide a complete view of how the implementation of Zero Trust should be conducted within the company. In addition to making the journey transparent for those involved, the strategy elaboration brings to light perceptions that can create opportunities to reduce costs and prevent possible bottlenecks.
According to Forrester, assessing the maturity of the company’s current Zero Trust status is one of the best practices in developing a strategy. This allows the company to:
- understand current business projects and security initiatives;
- document where current IT capabilities can be reused;
- establish goals for the desired state of maturity and the time needed to reach it.
As we will see, the strategy will pave the way for the construction of a roadmap that will guide all those involved.
The organization’s entire IT infrastructure needs to be documented for the Zero Trust principles to be effectively applied. This includes the architecture of systems and assets and their characteristics, such as the environment in which they run (cloud, on-premise, or hybrid, for example), and whether the technology is operational or integrated into the business.
In the previous topic, we mentioned the reuse of IT capabilities. Infrastructure documentation offers the possibility of discovering how an ongoing process or one that was already in the company’s plans, such as migrating to an edge computing platform, can contribute to accelerate the Zero Trust journey and make it more efficient.
Adopting a Zero Trust model means transforming the organization’s culture and posture towards security. Therefore, it’s not just a question of the set of solutions to be used, but of all human resources and efforts in the global application of the Zero Trust security policy.
Ideally, the budget for Zero Trust implementation should be based on a macro view of the journey, taking into consideration the processes and requirements of each stage. For instance, the implementation of efficient micro-segmentation requires various components, such as an architecture that facilitates working with multiple infrastructures and API gateway, which adds other requirements.
Once all the necessary information and definitions have been gathered, the next step is to make them visible by creating a roadmap. The roadmap is a highly detailed plan that includes the mission, activities, areas, technology suppliers, and other key elements necessary to achieve the Zero Trust architecture.
From the visibility brought by the roadmap, the dependencies and requirements for the Zero Trust journey can be analyzed by the stakeholders in order to identify gaps and unlock key actions and initiatives, promote necessary improvements, and deal with the financial aspects of the project, as well as with how to set the roles that each stakeholder will play.
Who are the stakeholders?
Some common examples of stakeholders in implementing Zero Trust are: Chief Executive Officer, Chief Information Officer, Chief Data Officer, Chief Human Resource Officer, Mission Owner, and leaders in the area of IT operations.
In addition to C-level executives and leaders of different departments within the company, clients and consumers are also critical stakeholders in the Zero Trust journey, as a significant amount of data covered by the Zero Trust architecture belongs to them. The management of these stakeholders is related to the principle of Customer Relationship Management.
Regardless of the organizational structure of your company, people are the most important elements of the process. The main reason for this is that, as we’ll see in the following section, stakeholders provide all the necessary support for the journey’s success.
The Importance of Taking Security Maturity into Account
After reviewing each stage of the preparation phase in the Zero Trust journey, it is important to highlight what is emphasized by Forrester: this is a marathon, not a sprint. The implementation is a gradual process that may take longer to complete, depending on the company’s level of security maturity.
Soon, we’ll be publishing the next post of the series, in which we’ll present tips and best practices for the next phase of the journey: planning. So stay tuned for the upcoming posts on the Blog or subscribe to our newsletter to stay updated.