By Jerry Hoff

Given the continuing changes in the enterprise security landscape since early 2020, such as massively increased remote workforces and the ongoing push toward cloud-based services and infrastructure, many enterprise executives are rethinking and rearchitecting their enterprises to meet these challenges. Remote work is now generally accepted as a permanent fixture; therefore, 2022 will require very different cybersecurity defenses to match the nature of new threats and what needs to be protected. That said, many enterprises are asking themselves how to move to the next level of security and how to prepare their environments for so many major changes. A major part of the answer for many organizations is Zero Trust.

Implementing Zero Trust is no simple task. The best way to start preparing is to decide what capabilities you want or need to add, what capabilities you merely need to enhance, and how to make sure that this data is accessible to everyone with privileges as effortlessly and securely as is practical.

Here are five things to consider as preparatory steps in this journey.

1—Standardize on Zero Trust, define Zero Trust, select Zero Trust

Embracing Zero Trust is quite popular today, but Zero Trust is closer to a philosophy, or a mindset, than anything else. Different enterprises will implement a Zero Trust approach differently, given their particular threat landscapes, the nature of their business, geographies, verticals, where they expect to be in 18 months, compliance obligations, customers and dozens of other variables.

But all enterprise Zero Trust deployments will have very strong authentication as the centerpiece security control. Strong authentication goes far beyond past security advice such as long passwords; it should be an ongoing process involving behavioral analytics, biometrics, location and more secure MFA, ultimately evolving into an entirely password-less and PIN-less world.
It means watching all users all the time throughout all sessions, so hello continuous authentication and, ultimately, machine learning to figure out when a new behavior is likely malicious.

Once enterprise CISOs figure out the best high-level Zero Trust definition for their enterprise, senior management, LOB management and IT must be on board, along with a group commitment to implementation. Ideally, all participants must internalize the implications of this new security reality. Zero Trust will change the way systems are budgeted, designed and deployed, and all levels of the business must coordinate to achieve the desired results.

Zero Trust is truly a fundamental component of secure by design, key to reducing risk in the area of authentication and access control. Eventually, it will likely reduce the complexity of manual security operations by automating much of authentication and access control, and deliver far better security. That in turn will make compliance easier, especially if the same approach to Zero Trust is executed consistently across the global enterprise environment.

Realistically, though, let's not minimize the fact that Zero Trust is going to require big changes in how applications and systems are scoped, architected, built, operated and maintained. This includes on-prem, legacy apps and homegrown apps (including those inherited from a myriad of acquisitions over the life of the enterprise). For some enterprises, it delivers a nice bonus in the form of reduced licensing fees, as redundant apps are discovered and eliminated.

Zero Trust will also likely force new strategies for how data is handled by mobile devices, IoT and IIoT, as well as data exchanged with partners and customers globally.

2—Identify and leverage existing Zero Trust capabilities

Consider some good news. There are almost certainly some Zero Trust capabilities already baked into the security and IT infrastructure of most enterprises.
The trick is identifying these existing security capabilities that Zero Trust requires and determining whether they are accounted for and added to your planned Zero Trust deployment.

Zero Trust doesn't typically require a complete change of security controls, given that you may already have some of the key elements in place. For example, many modern cloud environments, such as Microsoft Azure, were built with Zero Trust in mind. But it will almost certainly need a rebalancing of security controls. Identity/IAM, for instance, typically takes on a vastly larger importance with a Zero Trust approach. Tasks and responsibilities may have to be rebalanced between Security and IT.

Although a gap assessment is common in these situations, a better approach might be to conduct a reverse gap assessment, meaning that the CISO's team will identify all existing Zero Trust functionalities.

3—Stop "lift and shift" of legacy applications and servers into the cloud

Enterprises have for decades been shifting more to the cloud every year, a pattern that sharply accelerated with the onset of COVID around March 2020. For many companies, a serious move to Zero Trust could accelerate that shift even more.

Fact: cloud environments are almost always very different from an enterprise's on-prem environment, which means the wholesale movement of apps from the traditional data center to a cloud environment, without a review to see if they can or should be rearchitected to be more "cloud native," can delay or stymie Zero Trust implementation. Taking data center server images and simply moving them to the cloud, sometimes called "lift-and-shift," misses an opportunity to take advantage of the inherent security controls integrated into the major cloud platforms.
This is particularly problematic for legacy apps and homegrown apps, as they were never designed to exist in a different environment.

If possible, take the time to review systems and determine if they can be reconfigured to take advantage of cloud-native security architecture and security controls. That's why Zero Trust may require a redesign of the authentication mechanism for existing applications. By simply moving traditional servers to the cloud seeking cost savings, you may be losing out on an opportunity to redesign, reevaluate and perhaps rearchitect for a Zero Trust environment.

4—Evaluate interconnectivity of tools, instead of individual functionality

This is a key area and it's an excellent example of how existing security control design needs to be explored in a Zero Trust environment. Individual point solutions that operate independently of one another are usually no longer sufficient. Authentication controls and processes, for example, need to take advantage of device information, anti-malware information, and so on. Authentication may be allowed only in conjunction with this data, and correspondingly may be revoked or limited based on data from these security controls after authentication has originally been granted.

The new goal is to allow the secure and effortless (we should emphasize effortless, as in a lack of friction) flow of all data through all devices and data assets and between all users, partners, consultants, and customers. In short, the strategy needs to protect, track, analyze, store, and watch every dataflow from and to anyone or anything with access privileges.

The ability for all security tools to communicate with each other becomes essential, as opposed to today when it's often considered a nice-to-have. Identity and Access Management (IdAM) may need to communicate with SASE, etc.
The interconnectivity of tools now needs to become a top-level buying criterion.

If you don't want security tools lacking recognition and awareness of other tools, communication between them all has to be a priority. If you don't want a rash of false negatives and false positives as a result of this lack of communication, this needs to be a factor.

5—Don't try to buy your way to Zero Trust

There are plenty of vendors that are more than willing to sell all manner of products with the implicit or (sometimes) explicit promise that these purchases will automagically deliver a Zero Trust environment. Sadly, as we all know, it's simply not that easy.

Buying tools as an initial action without a review of existing controls, infrastructure and needs, and without a coherent plan, is almost guaranteed to fail, and usually results in shelf-ware and lost time. Focus on fully understanding how IdAM is currently used, understand how IdAM is used in a Zero Trust environment, and use that as a starting point.

Start by understanding what you already have and move to leverage those resources. Finally, figure out what you don't have, and what is truly needed. Evaluate various cloud vendors and figure out what they have. Conduct a reverse gap assessment and figure out what's still missing. Then, and only then, are you ready to talk with those vendors.

Embracing a true Zero Trust approach is going to deliver a much more secure and efficient enterprise landscape. But it won't happen until the proper preparations are made. The benefits that lie ahead are more than worth the effort.

To learn more about NTT Ltd.'s security capabilities, please visit us here.
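
Point 4 says authentication should depend on data from other tools and may be limited or revoked after it was first granted. The sketch below is an added example, not code from the article or from any product: the signal names, the three outcomes and the rule that a revoked session needs fresh authentication are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    LIMIT = "limit"    # reduced access, e.g. low-sensitivity resources only
    REVOKE = "revoke"  # end the session and require re-authentication

@dataclass
class Signals:
    # Latest state reported by other tools; all field names are hypothetical.
    mfa_verified: bool = False    # from the identity provider
    device_managed: bool = False  # from device management
    malware_alert: str = "none"   # from anti-malware: none | suspicious | confirmed

@dataclass
class Session:
    user: str
    signals: Signals = field(default_factory=Signals)
    decision: Decision = Decision.REVOKE  # nothing is trusted by default

def evaluate(sig: Signals) -> Decision:
    # Fail closed: an unrecognised alert value is treated like a confirmed one.
    if not sig.mfa_verified or sig.malware_alert not in ("none", "suspicious"):
        return Decision.REVOKE
    if sig.malware_alert == "suspicious" or not sig.device_managed:
        return Decision.LIMIT
    return Decision.ALLOW

def on_signal(session: Session, **changes) -> Decision:
    # Called whenever a tool reports a change, at login and during the session.
    for name, value in changes.items():
        if name not in Signals.__dataclass_fields__:
            raise KeyError(f"unknown signal: {name}")
        setattr(session.signals, name, value)
    session.decision = evaluate(session.signals)
    if session.decision is Decision.REVOKE:
        # Design choice of this example: a cleared alert alone does not restore access.
        session.signals.mfa_verified = False
    return session.decision

def demo() -> list:
    # Constructed sequence of events for one session (sample data, not real logs).
    s = Session(user="alice")
    events = [{"mfa_verified": True, "device_managed": True},
              {"malware_alert": "suspicious"},
              {"malware_alert": "confirmed"},
              {"malware_alert": "none"},
              {"mfa_verified": True}]
    return [on_signal(s, **e).value for e in events]
```

Each tool only has to report its own signal; the access decision is recomputed from the combined state every time, which is what makes interconnectivity a prerequisite rather than a nice-to-have.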