Marrying New and Existing Technologies With the Zero Trust Approach
Adopting Zero Trust doesn’t mean throwing away existing technologies.
Adding new technology is easier said than done. When planning new strategies, IT leaders are often faced with the modern-day version of the old idiom, “don’t throw the baby out with the bathwater.” Only the “baby” in this scenario can sometimes be mega-dollar investments that would require weeks (or months) of backend work from IT teams to rip out, along with more long, painful work to train users on yet another new piece of software.
As companies put Zero Trust strategies into place, nearly everyone hits this crossroad: can ‘old’ tools work inside this new framework, and also, will new technologies increase complexity for users even if they improve security? These are tough questions, and the right answer usually lies inside a complex calculus. The most important factor, though, is the simplest one: does the chosen strategy adhere to Zero Trust principles? (check out those pillars here: verify every user, validate every device, and intelligently limit access)
How does an organization go about evaluating its existing technologies to determine what can be used within a Zero Trust framework? Should older, legacy systems be ripped out and replaced now, or can they stay online and be phased out over time? Baby, meet bathwater.
Out with the Old … Or Not?
The most obvious issue with older technologies is figuring out whether their limitations render them incompatible with a Zero Trust framework. The answer isn’t always cut and dry – many existing solutions can be augmented with newer tools to plug security holes and then, over time, retired to make way for newer technology.
For example, an older identity solution might be central to an organization’s security stack – too complex or expensive to get rid of and it might still work for that company – so scrapping it might even be counterproductive. Even though that solution may not fit into the company’s long-term plans, it can still work in the short term by using newer technologies to help it function within a Zero Trust framework.
However, once an organization starts adopting more modern apps and devices (that older identity and access systems don’t usually understand as well) you begin to stretch the capability gap more and develop holes. That becomes the actual nexus of where you make these decisions, rather than the starting point. The advantage of doing it over time – retiring older technologies as you go – is that an organization also gains some efficiencies they didn’t previously have when running those solutions.
The ABCs of Zero Trust
We talk a lot about how Zero Trust provides a collective lens for companies to evaluate and understand the full scope of their security capabilities. From there, they can figure out where to take the biggest steps forward – be they in security, cost, or burden on IT and users – and start making changes. Those can be focused not only on improving a Zero Trust stance, but also reducing friction for users and driving down costs and complexity for IT.
Security is, of course, the most urgent concern. Where are there biggest gaps in the company’s armor? Are they using an adaptive MFA solution that’s more intelligent than simple two-factor authentication? Are users automatically provisioned to be productive from day one and deprovisioned when they leave the company? Is every resource, network, system, person, and device in the company secured? Security everywhere is often where the real work actually begins.
Finally, working to remove friction and inefficiencies both for IT and end users is an incredibly important final piece of the puzzle. When the friction around identity is reduced for end users, and they can log in faster, more easily, and more securely, there’s more buy-in from everyone across an organization. A groundswell of demand for these improvements by employees can accelerate the transition to a new architecture or approach, but it doesn’t need to happen overnight. Any step towards Zero Trust is a step in the right direction, and even incremental adjustments greatly improve security posture and reduce the attack surface.
Protecting against breaches is the key focus of today’s technologies, but in the future, identity and access management will become more about the user experience. Once protection against security vulnerabilities become table stakes, the future of identity will be about delivering the best of new digital experiences that are both seamless and secure. That’s the end goal.
In our next blog, we’ll talk about the advantages of Zero Trust and how to supercharge this strategy by using Next-Gen Access technology.
Corey Williams
Corey Williams is the Vice President of Marketing & Strategy and lead evangelist for Idaptive, leading all marketing functions, as well as market development and strategy. Corey served as the Senior Director of Products and Marketing for more than a decade at Centrify where he was the visionary behind, and the first product manager of, the set of products that were ultimately spun out of Centrify to become Idaptive, including leading SaaS services for Single Sign-on (SSO), Adaptive Multi-factor Authentication (MFA), endpoint and mobile context, and User Behavior and Risk Analytics (UBA).
While at Centrify, Corey defined and brought to market seven net-new product offerings directly contributing to the growth of the existing customer base from less than 400 customers to over 5000 customers. He also led efforts with major industry analysts that directly resulted in Centrify being named as a leader in all of the major analyst reports including the Gartner Magic Quadrant and Critical Capabilities reports for Access Management, Worldwide; Forrester IDaaS Wave; KuppingerCole Cloud MFA Leadership Compass; and Network World Clear Choice Winner for Single Sign-on Solutions.
Corey is a frequent speaker and commentator on IT Security and IT Management. He has authored several publications, including “Zero Trust Security for Dummies”, a leading guide for enterprise managers.
Prior to Centrify, Corey led products and marketing for SpikeSource (acquired by Black Duck Software), Syndera (acquired by Tibco), and Journee Software (acquired by Initiate Systems). Earlier in his career, he managed pre- and post-sales consulting for Active Software (acquired by webMethods).
Corey holds degrees in Mathematics (BS) and Computer Science (BS) from New Mexico State University, as well as an MS in Engineering and an MBA from San Jose State University.
CHAMELEON-LIKE SUPERPOWER
If Corey could have any chameleon-like superpower, it would be the chameleon's tongue, which is ridiculously fast. Some of the world's smallest chameleons have the world's fastest tongues. In automotive terms, the tongue could go from 0 to 60 miles per hour in a hundredth of a second! “I would be able to complete webinars in 4.5 seconds instead of 45 minutes!”