Adopting Zero Trust doesn’t mean throwing away existing technologies.
Adding new technology is easier said than done. When planning new strategies, IT leaders are often faced with the modern-day version of the old idiom, “don’t throw the baby out with the bathwater.” Only the “baby” in this scenario can sometimes be mega-dollar investments that would require weeks (or months) of backend work from IT teams to rip out, along with more long, painful work to train users on yet another new piece of software.
As companies put Zero Trust strategies into place, nearly everyone hits this crossroad: can ‘old’ tools work inside this new framework, and also, will new technologies increase complexity for users even if they improve security? These are tough questions, and the right answer usually lies inside a complex calculus. The most important factor, though, is the simplest one: does the chosen strategy adhere to Zero Trust principles? (check out those pillars here: verify every user, validate every device, and intelligently limit access)
How does an organization go about evaluating its existing technologies to determine what can be used within a Zero Trust framework? Should older, legacy systems be ripped out and replaced now, or can they stay online and be phased out over time? Baby, meet bathwater.
Out with the Old … Or Not?
The most obvious issue with older technologies is figuring out whether their limitations render them incompatible with a Zero Trust framework. The answer isn’t always cut and dry – many existing solutions can be augmented with newer tools to plug security holes and then, over time, retired to make way for newer technology.
For example, an older identity solution might be central to an organization’s security stack – too complex or expensive to get rid of and it might still work for that company – so scrapping it might even be counterproductive. Even though that solution may not fit into the company’s long-term plans, it can still work in the short term by using newer technologies to help it function within a Zero Trust framework.
However, once an organization starts adopting more modern apps and devices (that older identity and access systems don’t usually understand as well) you begin to stretch the capability gap more and develop holes. That becomes the actual nexus of where you make these decisions, rather than the starting point. The advantage of doing it over time – retiring older technologies as you go – is that an organization also gains some efficiencies they didn’t previously have when running those solutions.
The ABCs of Zero Trust
We talk a lot about how Zero Trust provides a collective lens for companies to evaluate and understand the full scope of their security capabilities. From there, they can figure out where to take the biggest steps forward – be they in security, cost, or burden on IT and users – and start making changes. Those can be focused not only on improving a Zero Trust stance, but also reducing friction for users and driving down costs and complexity for IT.
Security is, of course, the most urgent concern. Where are there biggest gaps in the company’s armor? Are they using an adaptive MFA solution that’s more intelligent than simple two-factor authentication? Are users automatically provisioned to be productive from day one and deprovisioned when they leave the company? Is every resource, network, system, person, and device in the company secured? Security everywhere is often where the real work actually begins.
Finally, working to remove friction and inefficiencies both for IT and end users is an incredibly important final piece of the puzzle. When the friction around identity is reduced for end users, and they can log in faster, more easily, and more securely, there’s more buy-in from everyone across an organization. A groundswell of demand for these improvements by employees can accelerate the transition to a new architecture or approach, but it doesn’t need to happen overnight. Any step towards Zero Trust is a step in the right direction, and even incremental adjustments greatly improve security posture and reduce the attack surface.
Protecting against breaches is the key focus of today’s technologies, but in the future, identity and access management will become more about the user experience. Once protection against security vulnerabilities become table stakes, the future of identity will be about delivering the best of new digital experiences that are both seamless and secure. That’s the end goal.
In our next blog, we’ll talk about the advantages of Zero Trust and how to supercharge this strategy by using Next-Gen Access technology.
*** This is a Security Bloggers Network syndicated blog from Articles authored by Corey Williams. Read the original post at: https://www.idaptive.com/blog/Marrying-Technologies-Zero-Trust/