“The most dangerous phrase in the language is: ‘we’ve always done it this way.’” Grace Hopper, Computer Scientist
Business has changed dramatically over the last several years. To remain agile and competitive, organizations must embrace digital transformation. But, doing so securely means stepping outside of the old ways of establishing a network perimeter, protecting it, and trusting everything inside. Doing things the way they have always been done doesn’t work in the hybrid workplace where the perimeter is everywhere. Business leaders must ensure they have the flexibility and capability to support evolving business needs today and for the foreseeable future.
Ensuring employees can continue to work from anywhere while the business remains agile and secure requires a fundamental shift in networking and security to an architecture based on zero trust. Executive leadership relies upon their networking, security, and infrastructure architects and IT leaders to understand and lead this transformation journey from a technical standpoint. Yet, digital transformation requires more than technical expertise. Transformation touches all aspects of an organization and requires a shift in culture and mindset that can only be driven from the top down.
To nurture the organization on its transformation journey, it is essential that the executive team—from the CEO and CFO to CTOs, CIOs, and CISOs—seek to understand zero trust. Without asking questions and clarifying any confusion that may exist, the journey will be arduous and fraught with challenges.
"Nothing in life is to be feared; it is only to be understood." Marie Curie, Physicist and Chemist
Zero trust has moved from a nebulous idea to a transformation enabler for organizations over the last several years. Yet, its growing popularity has created much confusion around zero trust, what it is (or isn’t), how it works (or doesn’t), and why it's important. Sanjit Ganguli, Nathan Howe, and Daniel Ballmer have sought to help CXOs clarify the confusion around zero trust in their new book, “Seven Questions Every CXO Must Ask About Zero Trust.” Let’s take a peek into what you’ll find in their executive’s guide to secure digital transformation.
What is zero trust and why is it critical for secure digital transformation?
Organizations are turning to zero trust to secure themselves and enable the hybrid workplace. Yet, if you listen to all the marketing hype, you’re likely still confused about exactly what zero trust means and why you need it in the first place.
Zero trust is a strategy—a foundation for your security ecosystem—based upon the principle of least-privileged access combined with the idea that nothing should be inherently trusted. But how does that serve as an enabler of digital transformation? And why do we need to transform in the first place?
You’ll explore how a zero trust architecture differs from the old model of a flat network with defined segments, where everything inside the perimeter is trusted. The authors show how the unique zero trust architecture provides the ability to securely connect entities, whether they are users, apps, machines, or IoT devices, to resources in a fast, seamless, and secure manner.
What are the main use cases for zero trust?
What are the drivers for zero trust adoption? In most organizations it is one, or a combination, of three main use cases. The book explores the three main zero trust use cases in detail:
- Secure work from anywhere - Ensuring your employees can be productive—whether they work from corporate headquarters, a home office, in a coffee shop, or on the road—requires providing fast and secure access to applications on any device, from any location. Instead of leveraging VPNs to connect users to a corporate network, a true zero trust architecture uses policy to determine what they can access and how they can access it, and then securely provides fast, seamless, direct connectivity to those resources.
- WAN transformation - The old ways of extending the flat, routable, hub-and-spoke network to every branch, home office, and user on the road leave organizations exposed and vulnerable to attack. A zero trust architecture enables organizations to transform the network from a hub-and-spoke architecture to a direct-to-cloud approach that reduces MPLS and backhauling of traffic to the data center and improves user experience.
- Secure cloud migration - Zero trust not only applies to users and devices, it also ensures that workloads can securely communicate with the internet and other workloads. Implementing a true zero trust architecture also provides secure workload configuration and strong posture control capabilities.
What are the business benefits of moving to zero trust?
Top of any CXO’s mind is understanding the justification of a zero trust transformation and the business benefits it delivers. The book dives into this topic in detail and explores several key business benefits of a zero trust architecture.
- Optimizing technology costs - A zero trust architecture securely connects users, devices, workloads, and applications, without connecting to the corporate network. It delivers fast, secure, direct-to-app connectivity that eliminates the need to backhaul traffic and minimizes spending on MPLS. The authors discuss how a cloud-delivered zero trust platform can consolidate point-product hardware and eliminate the need for CapEx investments in firewalls, VPNs, VDI, and more. This ultimately drives network and security product savings and increases ROI.
- Operational savings - Organizations not only reduce technology costs through zero trust, they also reduce the time, cost, and complexity of managing a hub-and-spoke network and broad portfolio of point product solutions required to secure it. A true, cloud-delivered zero trust architecture also centralizes security policy management, handles change implementation like patches and updates in its cloud, and automates repeatable tasks. Simplifying operations frees up time for admins to focus on more strategic projects that drive value to the organization.
- Risk reduction - Shifting from a perimeter-based model to direct-to-cloud, a zero trust architecture provides greater protection for users, data, and applications. When implemented correctly, a zero trust approach eliminates the attack surface and reduces risk by connecting users directly to apps rather than the corporate network. Sensitive data is protected by preventing passthrough connections and inspecting all traffic. Using the principles of zero trust, organizations can securely connect any entity to any application or service from any location.
- Improved agility and productivity - Zero trust serves as an invisible enabler for your business to enhance collaboration, improve agility and productivity, and deliver a great user experience. Zero trust allows employees to securely work from anywhere on any device. And because users are connected directly to applications (based on identity, context, and business policy), latency is reduced, frustrations are lessened, and users can be more productive. And it’s not just end users who benefit. M&A integrations can be streamlined. Through a zero trust approach, organizations can simplify operational complexities, reduce risk, and reduce one-time and recurring costs to ultimately accelerate time-to-value.
How does zero trust drive success for an organization?
It may be tempting to adopt the mantra, “If it ain’t broke, don’t fix it,” or the phrase that opened this blog, “We’ve always done it this way.” But, supporting the status quo is often the position taken by individuals and teams who either have a vested interest in protecting the current infrastructure, or perhaps more likely, are simply unsure of how to proceed without having the whole system come crashing down. Examining the pain points faced by organizations like yours on their zero trust journey, how they overcame them, and the benefits they attained, makes it possible to illuminate a path to navigating your journey as well.
How is zero trust deployed and adopted? What are some common obstacles?
You’re on board with the idea of implementing a zero trust architecture, but how can your organization actually deliver upon that commitment? Like any significant journey, it is helpful to break your endeavor into smaller, more tangible pieces. The authors divide zero trust transformation into four phases and provide guidance to help the entire journey go more smoothly:
- Empowering the secure workforce - Many organizations find that starting here can deliver immediate benefits to the organization and serve as a catalyst to fuel the remainder of the journey. By replacing legacy networking and security technology with a cloud native zero trust architecture, organizations can enable employees to seamlessly and securely access the internet, SaaS, and private applications from anywhere–without connecting to the corporate network. This prevents lateral movement and protects against advanced threats and data loss. By monitoring end user digital experiences, IT teams can optimize performance and enhance productivity for the organization.
- Protect data in the cloud - Given the volume of data residing in SaaS applications, like M365, Salesforce, or ServiceNow, and private applications, it makes sense that the next phase would be ensuring data in the cloud is protected. This includes securing internet and SaaS access for workloads, ensuring secure workload-to-workload communications in the cloud, plus enabling posture control for home-grown and cloud native workloads running in any cloud–ultimately simplifying cloud workload security and making it easier to manage.
- Enable customers and suppliers - Much like your employees, third-party partners and contractors need seamless and secure access to authorized enterprise applications. Decoupling application access from the network and applying zero trust principles enables organizations to tightly control partner access–connecting users to private applications from any device, any location, and at any time–without ever providing access to the network. Partners no longer need to jump through hoops to connect to applications, and the organization increases security posture and reduces the risks posed by VPNs and other traditional third-party access approaches.
- Modernize IoT and OT security - The last phase is to provide zero trust connectivity for IoT devices and secure remote access to OT systems. Providing fast, secure, and seamless access to equipment–without a VPN–enables quick and secure maintenance operations. And because OT networks and systems are no longer visible to the internet, attackers can no longer leverage cyberattacks to disrupt production. The result is increased uptime and improved safety for employees and plant operations.
What are the non-technology considerations for successful adoption of zero trust?
Zero trust is not simply a technology swap-out handled by IT. Zero trust transformation is a foundational shift that touches all aspects of the business. The authors examine how successful implementation requires reshaping organizational culture and mindset. It requires communication and collaboration across teams, developing new skills, simplifying and realigning processes, and adjusting organizational structure to support implementation and operation. To produce the desired outcomes, zero trust transformation must be led from the top-down and must include everyone from the most senior leaders, to IT practitioners, to your internal end users and beyond.
What do I look for (and not look for) in a zero trust solution?
Most business leaders will tell you that digital transformation is a journey, not a destination. A single project or product cannot get you there. But, knowing what to look for in a solution makes a world of difference and helps organizations avoid potential pitfalls. The authors discuss seven key areas solutions should address for digital transformation success.
- Proven track record and fully addresses the specific needs of your enterprise
- Built on core zero trust tenets
- Cloud-native infrastructure that inspects all traffic, including SSL/TLS, at scale
- Flexible, diverse, and scalable to every user, app, and resource, regardless of location
- Delivers an optimal end-user experience
- Strong ecosystem integrations
- Easy to pilot and deploy, giving you confidence in ability to deliver in production
"If you attack the problem right, you'll get the answer." Katherine Johnson, Mathematician
Digital transformation makes business more agile and productive. But to succeed in your transformation, you must begin by establishing a solid foundation based on zero trust. The brief introduction provided above barely scratches the surface of the essentials every CXO must understand to successfully guide their organization’s zero trust journey.
Tackle transformation challenges head-on with Sanjit, Nathan, and Daniel by examining zero trust, its benefits, implementation, and obstacles. Gain insight into best practices learned from CXOs on their zero trust journeys. Download the complimentary ebook, “Seven Questions Every CXO Must Ask About Zero Trust” today. To discover how Zscaler can help your business along your zero trust transformation, read our white paper, “Accelerate Secure Digital Transformation with Zero Trust Exchange: The One True Zero Trust Platform.”