Zero Trust

On the way to Zero Trust

The CBA Lab has created a "Zero Trust Guide" that derives recommendations for action, pitfalls and implications for enterprise architecture management from the practical experience of the participating member companies. Thus, this guide serves as an aid for companies that want to introduce Zero Trust in order to get there without stumbling blocks.

Essentially, the following four questions were addressed:

  • 1. should a company introduce Zero Trust?
  • 2. what are the motivations and goals for introducing Zero Trust?
  • 3. what influence does Zero Trust have on architectural work?
  • 4. what hurdles arise when Zero Trust is introduced?

Zero Trust is important to the majority of the companies surveyed; implementation has already begun or will begin in 2023 in more than half of the companies. One of the most common reasons for introducing Zero Trust is to intensify the level of security. In addition, other motives mentioned confirm a generally accepted finding and provide clear indications of how companies have changed in terms of their vulnerability to cyberattacks: adapting to new infrastructures (e.g., introducing new cloud technologies) and working models (e.g., location-independent working).

New infrastructures are being shaped in particular by the adoption of cloud technologies. For example, software-as-a-service applications and the use of public cloud platforms instead of in-house data centers are now established practices in many companies. In the wake of the recent pandemic, alternative forms of workplace design outside of traditional offices have become established and continue to persist as equivalent models today. Meanwhile, these developments favor cyberattacks by expanding the potentially vulnerable space and increasing the diversity of access points.

This is precisely where the principles of Zero Trust come in: The more the areas to be protected are divided up and spread out, the more complex it becomes to build a "protective wall" around one's own terrain. When examining the intended goals, another development becomes apparent that is more concerned with security culture, or at least cybersecurity awareness.

Respondents agreed that the main goal of Zero Trust is to ensure that, in the event of a successful cyberattack, the affected area is kept to a minimum. This represents a shift in mindset from just defending against cyberattacks to mitigating their impact.

In other words, companies now assume that they can fall victim to successful cyberattacks, where previously they had long assumed that they could prevent such attacks altogether.  This illustrated that Zero Trust is seen as a means of isolating "corrupted" components of the IT landscape and preventing the spread of damage. The following are the five most commonly cited goals for Zero Trust adoption.

Infographic "The five most frequently cited goals for Zero Trust adoption": Increase security levels, reduce attack surfaces, adapt to new infrastructures (e.g. cloud) & ways of working (e.g. remote working), comply with data protection rules and regulations, improve user experience.

Enterprise Architecture (EA) serves as the logical organizational unit for Zero Trust implementation. Despite the common association of Zero Trust with security teams, the link between EA and Zero Trust should be highlighted based on this research. A survey revealed advice to strongly integrate Zero Trust into EA work and adapt it into different domains. Several organizations also emphasized that collaboration between security and EA is very important to provide transparency for Zero Trust adoption.

In summary, it was possible to deduce from the data collected that the introduction of Zero Trust has an influence on both the architecture and the collaboration between security and EA.

Furthermore, based on the results of the experiences of the participating CBA Lab member companies, which were collected in various formats,

 concrete best and worst practices could be derived for the areas of governance, stakeholder management, control of the implementation and the implementation itself.

Finally, these were supplemented by further notes covering a colorful mix of topics such as identity and access management, vendor lock-in, networks, capabilities or user experience.