A roadmap to zero-trust maturity: 6 key insights from Forrester
From data discovery to microsegmentation, Forrester offers guidance for achieving the next stage of zero trust maturity. …

Once an enterprise decides to go all-in on zero trust, it usually starts strong, only to hit barriers no one saw coming. This makes a roadmap essential.
Seeing that its clients pursuing zero trust were struggling to reach the next level of maturity, Forrester invested a year of its zero trust team's time in creating the roadmap they need.
Forrester's recent report, Chart Your Course to Zero Trust Intermediate, offers clients direction for achieving an intermediate level of zero-trust maturity. It features nearly 40 tasks and technologies across the seven zero-trust domains (data, people, devices, workloads, visibility and analytics, automation and orchestration, and networks) that every organization pursuing a zero-trust strategy can use.
Why a detailed zero-trust roadmap now?
Senior research analyst David Holmes, one of the report's authors, writes in the blog post All Aboard: Chart Your Course to Zero Trust Intermediate that "we chose an intermediate rather than the advanced target of maturity for this report because the majority of Forrester clients and other organizations that we talk to are at the beginning stage of zero trust."
The report, Holmes writes, "is a foundational piece of research from the zero trust analyst team at Forrester, representing a year of collation, collaboration, creation, and review. It builds on one of our most widely read reports, A Practical Guide to a Zero Trust Implementation [client access required] but goes much deeper into what needs to be done. The 'Chart Your Course' report centers around 37 tasks, grouped into five phases."
Forrester organized the roadmap by assigning four parameters to each task: difficulty, impact, priority, and dependency resolution.
Leading zero-trust experts and risk professionals peer-reviewed the report.
Key insights CISOs need to know
Forrester divides its roadmap into domains that provide context for specific zero-trust initiatives. The domains start with Discovery, and progress through Users, Devices, Workloads, Visibility, Automation and Networks.
Getting data categorized and classified sets a solid foundation for future phases and for taking on the challenge of identifying critical applications. Also core to the Discovery phase is initiating service discovery via microsegmentation.
The following two images lay out Forrester's Zero Trust Intermediate Roadmap.

CISOs tell VentureBeat that 2023 is turning into a more challenging year than expected because of increased pressure to consolidate tech stacks to reduce costs and improve visibility. The roadmap's Visibility domain is seeing significant vendor consolidation in the market as more cybersecurity platform providers expand the breadth and depth of network traffic analytics.

Organizations close to achieving an intermediate level of zero-trust maturity need to keep the following six insights in mind as they continue pursuing their initiatives:
1) Focus on getting data discovery right
"Data discovery and classification is hard, but your organization can't afford to wait until this project is completed to start making progress in the phases," writes Forrester's zero-trust team. Data discovery and classification will quickly identify the most critical applications that need multifactor authentication (MFA) and single sign-on (SSO).
Focusing on this phase first will make simplifying the data classification program easier. It will also create more support for discovering and inventorying devices.
Apply the same intensity to automating discovery so as to find data continuously. According to the report: "You may have Varonis deployed for managing entitlements, or tools like Broadcom, Forcepoint or Proofpoint deployed for DLP, and these may know the location and classification of your data. You may elect to deploy ZTNA and microsegmentation solutions early in this phase to take advantage of their extensive application discovery technology."
2) Focus on identities, because SSO and MFA are quick wins
Forrester has often advised its enterprise clients to pursue SSO and MFA first, as they are quick, easily quantified wins. "Both capabilities have a high probability of success and are highly visible. They will boost confidence in your ZT program early and unlock further budget," says the report.
3) Go all-in on endpoint security smart and resilient enough to support zero trust
CISOs tell VentureBeat that endpoint security platforms (EPP) and identity and access management (IAM) platforms are converging, with cloud-based integrations becoming more commonplace thanks in part to a greater variety of APIs and integration points.
Endpoints and identities are converging faster than many CISOs realize, because every endpoint takes on an increasingly diverse set of identities assigned by apps, platforms and internal systems. There's also the exponential rise in machine identities, which pushes identity and access management to converge with endpoint security faster than many enterprises expect.
"The access solutions can pull signals like device health and patch status from Microsoft and SentinelOne, but you must ensure that your endpoint security software will integrate with your zero trust access solution. Superior integrations like Appgate and CrowdStrike support both pushing and pulling signals and configurations (e.g., quarantining the endpoint remotely)," advises the report.
Self-healing endpoints are, by definition, resilient. ITSM leaders tell VentureBeat that self-healing endpoints are worth it because they no longer have to waste valuable IT specialists' time rebuilding endpoints remotely.
Absolute Software, Akamai, Cisco, CrowdStrike, ESET, Cybereason Defense Platform, Ivanti, Malwarebytes, Microsoft, SentinelOne, Tanium, Trend Micro and many other vendors offer autonomously self-healing endpoints.
Absolute's approach, being embedded in the firmware of every PC endpoint, enables the Absolute Resilience platform to automatically repair or reinstall mission-critical applications, remotely query devices, and remediate them at scale. The platform can also discover sensitive data on endpoints and investigate and recover stolen devices.
Absolute also turned its self-healing endpoint expertise into the industry's first self-healing zero-trust platform. The platform provides real-time asset management, device and application control, endpoint intelligence, incident reporting, resilience and compliance.
4) Automate vulnerability and patch management across your endpoints
"Many organizations already have a vulnerability management and patch management program but need to improve the automation," advises the Forrester report. "Failing to automate will result in more denied access, poor user experience, and, most vexing of all, service tickets."
"Automation and self-healing improve employee productivity, simplify device management and improve security posture by providing complete visibility into an organization's entire asset estate and delivering automation across a broad range of devices," Srinivas Mukkamala, chief product officer at Ivanti, told VentureBeat in a recent interview.
Leading vendors in automated patch management that are planning to deliver or are currently delivering solutions using AI and machine learning (ML) include Broadcom, CrowdStrike, Cybereason, SentinelOne, McAfee, Sophos, Trend Micro, VMware Carbon Black and ZENworks Patch Management.
Ivanti has a consistently strong track record of integrating acquired technologies into its platforms and fast-tracking new AI- and ML-based patch management solutions. Ivanti's Neurons platform relies on AI-based bots to seek out, identify and update every patch across endpoints that needs to be applied.
Ivanti's Risk-Based Cloud Patch Management integrates the company's vulnerability risk rating (VRR) to help security operations center (SOC) analysts take prioritized action based on risk while integrating service-level agreement (SLA) tracking.
5) Analyze and report all user activity, monitoring every endpoint's real-time requests and transactions
Forrester urges organizations to go beyond the corporate network, and analyze and report all user activity across the internet. Expanding monitoring beyond the endpoint gathers the telemetry needed to validate and track every endpoint's real-time data transactions, so threats can be identified and responded to in real time.
Vendors providing continuous monitoring for integration into their customers' zero-trust initiatives include Cisco, with SecureX, Duo and its Identity Services Engine (ISE); Microsoft, with Azure Active Directory and Microsoft Defender; CrowdStrike, with its Falcon platform; Okta's Identity Cloud; Palo Alto Networks' Prisma Access; BitSight; and Totem, which focuses on monitoring to ensure NIST 800-171 and CMMC compliance.
6) Deploy microsegmentation in the data center
"Don't DIY microsegmentation, and don't look for infrastructure solutions from your network or virtualization vendors — those projects easily flounder due to analysis paralysis, improper scoping, and enforcement anxiety, leaving you holding the bag," advises Forrester's zero-trust team in the report.
Microsegmentation is a crucial component of zero trust, as outlined in NIST's zero-trust framework.
Look for microsegmentation vendors with a solid track record of delivering results at scale. These include AirGap Networks, Akamai Guardicore, ColorTokens, Illumio, Onclave Networks, Palo Alto Networks, Zero Networks and Zscaler.
Guardrails for getting started
Forrester's zero-trust team "encourages adopters of zero trust to be realistic in their expectations and set their sights on achieving an intermediate level of zero-trust maturity." The report provides guardrails to help CISOs and their teams manage expectations while overcoming barriers to progress. The three guardrails Forrester prefaces its roadmap with are:
1) One size doesn't fit all
Forresterâs assessment reflects what CISOs often tell VentureBeat: that getting zero trust right is a business decision first. Protecting identities and automating core security processes, as Pella Corporation does as part of its zero-trust roadmap, is table stakes.
Forrester urges organizations to stay cognizant of the need to course-correct their zero-trust strategies over time. CISOs, too, tell VentureBeat about the value of an adaptive implementation that flexes as their business models shift.
Forrester recommends a time horizon of two years to reach intermediate zero-trust maturity, though CISOs and CIOs tell VentureBeat the speed of progress depends in part on board-level financial support and enthusiasm.
2) Reaching intermediate maturity is not easy, but you're already part of the way there
The report notes "that many organizations have previously completed some of the first required phases with initiatives around identity and device security."
At the same time, it cautions organizations that the difficulty of reaching intermediate maturity will depend on an enterprise's environment.
3) This isn't DIY
Finally, Forrester advises getting help from trained professionals in IAM, MFA, SSO, ZTNA, conditional access, microsegmentation and NAV technologies early. Technologies like SOAR, EDR, behavioral analytics, RBI, process ringfencing, machine identities and machine learning are considered part of advanced maturity.
"Hyperscalers can afford to build everything from the ground up; you can't," cautions the report.