Key metrics for monitoring and improving ZTNA implementations

In this Help Net Security interview, Dean Hamilton, CTO at Wilson Perumal & Company, discusses the complexities of zero trust network access (ZTNA) implementation, focusing on balancing security with operational efficiency.

Hamilton highlights strategic planning, collaboration between IT and business leaders, adapting to emerging challenges, continuous improvement, and using metrics to assess ZTNA success and manage risks.

ZTNA implementation is associated with increased IT spending and operational complexity. How can businesses strike a balance between security and maintaining operational efficiency?

First, let’s zero in on why achieving this balance is hard. ZTNA implementation is indeed associated with increased operational complexity that then requires significant increases in IT budgets. While some of that spending is associated with licenses for enablement technologies that provide granular network segmentation, policy management, policy enforcement, device assessment, etc., the majority of the increased cost comes from the operational overhead required to define and maintain granular network and application access policies that are calibrated to the specific needs of each business.

The more granular the zero trust policies, the more protected your networked assets and resources. However, the more granular those policies are, the more likely they are to create unwelcome friction for business users—necessitating constant refinement and adaptation as the needs of the business evolves and increasing the need for IT interactions with business users.

Finding the right balance can only be done through iterative evolution. Careful up-front investment in three key areas is critical to finding balance for IT and avoiding adverse impacts on the business:

Enterprise Architecture (EA) management is the practice of documenting and understanding how IT resources (infrastructure, services, applications, and data) align with business objectives, organizational elements, and business processes. This understanding is crucial to accurately assess both cybersecurity risk and the risks associated with increased business process friction. These risk assessments must be done to appropriately calibrate ZTNA policies. Many organizations fail to make the investment needed to understand how their IT resources map to the realities of business execution and pay a heavy price in terms of IT and business process inefficiency.

Business process reengineering (BPR)—Often, modest changes to business processes enable the implementation of more robust ZTNA policies and improved efficiency for the IT organization. But IT organizations are usually not empowered to negotiate with other business functions to drive optimizations of business processes. This is unfortunate because optimizing processes is not a zero-sum effort. When BPR is done correctly, with ZTNA in mind, both the IT organization and business functions can experience significant efficiency gains.

Operating Model design to support both strategic business and cybersecurity objectives. A company’s Operating Model defines how parts of the organization work together to deliver value to the market. It is common for the operating model to focus just on value creation aspects and omit the key organizational design principles, processes, and tools which are needed to achieve the cybersecurity goals. When the operating model is designed to achieve both business operations and cybersecurity objectives, the overall organizational alignment leads to more rapid, efficient, and effective ZTNA implementation.

How does ZTNA address human error, and what role does human performance play in the success or failure of ZTNA implementations?

In any complex, socio-technical system (like IT ecosystems), human error is going to occur. Even the most diligent and well-trained employees have bad days and make occasional mistakes. ZTNA, as an implementation of zero trust security, implicitly acknowledges this reality. The underlying concepts of network micro-segmentation, IP address obfuscation, and least-privilege access are all designed to limit the impact of a cybersecurity intrusion that may result from human error. But ZTNA, as a network security model, is not self-realizing. It requires careful and continuous attention to managing complex and potentially conflicting policies.

This adds significant complexity to IT operations and increases the potential for human error in a manner that has the potential to, paradoxically, increase cybersecurity risk. This increased operational complexity, and the load it places on IT organizations is one of the key reasons that so many ZTNA implementations fail or are abandoned. In these cases, cybersecurity risk can be much higher after the failed ZTNA implementation attempt than if no implementation was ever attempted.

The key to avoiding this is careful up-front planning in all three areas previously mentioned. It is also important to ensure that ZTNA policy administration processes are designed to use the practices and principles of High Reliability Organizations (HRO). HROs are organizations the operate in complex, high-risk, high consequence of failure environments, but experience far fewer adverse incidents than their peers. They apply a set of principles and practices that make organizations very resilient to human errors, process breakdowns, and direct attacks.

Successful ZTNA implementation requires close collaboration between IT and business leaders. Can you share some best practices for fostering this collaboration, especially in environments where cybersecurity is often viewed as solely an IT concern?

The close collaboration needed for ZTNA to be successful can only be enabled by a culture that is driven from the very top of the business. The Board of Directors and the executive leadership team develops the business strategy and measures progress in its execution, and cybersecurity objectives must be wholly integrated into the business strategy. Failure to do this will drastically limit the potential for success of ZTNA implementations.
Boards and leadership teams also need a shift in mindset, so they do not see cybersecurity as just an ever-growing cost and burden on the business.

When done well, cybersecurity investments like ZTNA are strategic business enablers that provide a meaningful competitive advantage. This is especially true in highly regulated industries and industries where the adverse reputational impact of a cybersecurity breach can destroy customer trust and shareholder value. In such businesses, well executed cybersecurity strategies (like ZTNA and IT HROs) can allow an organization to operate and innovate with confidence.

What metrics should organizations use to assess the success of their ZTNA implementations? How can these metrics help in continuous improvement and risk management?

Having the right metrics is essential to know if your ZTNA implementation is making the progress you think it is.

Given the complexity involved with ZTNA, it is very possible to make little meaningful progress despite your team doing a lot of work and your organization spending a lot of money. To understand how the implementation is going, the metrics should show:

• Level of visibility into IT assets (systems, applications, and related data and business processes) that need to be protected
• Progress against required ZTNA policy updates and the time required to define and approve a new policy (in support of business evolution)
• Level of policy specificity associated with protected assets (the more specific/granular, the better from a security perspective)
• Rate of valid business user trouble tickets requiring policy modification
• Time to resolve business user policy-related tickets
• Time to detect policy misconfiguration
• Time to resolve policy misconfiguration
• Engagement of non-IT end-users in policy updates
• Cybersecurity literacy of executives and business leaders

What new challenges and opportunities should organizations anticipate as they refine their ZTNA strategies?

The biggest new challenge that cybersecurity executives will face is the rapid evolution of artificial intelligence (AI) employed by cyber criminals. AI makes it more likely that endpoint device security posture and the cybersecurity threat environment will become increasingly difficult to characterize—which will make static ZTNA policies ever-less effective at preventing intrusions. However, the architectural benefits of ZTNA (that limit lateral movement after intrusion) combined with cybersecurity teams that are able to react to new, novel attacks should together prove more durable in the face of AI attacks.

Another major risk is the rise of software supply chain attacks and breaches against the major cybersecurity enablement technology vendors themselves. Organizations should implement a formal Cybersecurity Supply Chain Risk Management (C-SCRM) strategy and require cybersecurity vendors to attest to the implementation of the same.