{"id":53404,"date":"2025-05-14T08:37:38","date_gmt":"2025-05-14T12:37:38","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=53404"},"modified":"2025-07-14T01:12:44","modified_gmt":"2025-07-14T05:12:44","slug":"zero-trust-transition-practical-advice","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/zero-trust-transition-practical-advice\/53404\/","title":{"rendered":"Migration to zero trust in practice \u2013 including the pitfalls"},"content":{"rendered":"<p>This year marks the 15<sup>th<\/sup> anniversary of the <a href=\"https:\/\/www.virtualstarmedia.com\/downloads\/Forrester_zero_trust_DNA.pdf\" target=\"_blank\" rel=\"nofollow noopener\">first guide<\/a> to implementing the <a href=\"https:\/\/www.kaspersky.com\/blog\/zero-trust-security\/36423\/\" target=\"_blank\" rel=\"noopener nofollow\">zero trust<\/a> security concept, which, according to a <a href=\"https:\/\/www.gartner.com\/en\/newsroom\/press-releases\/2024-04-22-gartner-survey-reveals-63-percent-of-organizations-worldwide-have-implemented-a-zero-trust-strategy\" target=\"_blank\" rel=\"nofollow noopener\">Gartner survey<\/a>, almost two-thirds of surveyed organizations have adopted to some extent. Admittedly (in the same Gartner survey), for 58% of them this transition is far from complete, with zero trust covering less than half of infrastructure. Most organizations are still at the stage of piloting solutions and building the necessary infrastructure. To join the vanguard, you need to plan the transition to zero trust with eyes wide open to the obstacles that lie ahead, and to understand how to overcome them.<\/p>\n<h2>Zero trust best practices<\/h2>\n<p>Zero trust is a security architecture that views all connections, devices, and applications as untrusted and potentially compromised \u2014 even if they\u2019re part of the organization\u2019s internal infrastructure. 
Zero trust solutions deliver continuous adaptive protection by re-verifying every connection and transaction based on a potentially changed security context. This way, companies can mold their information security to the real-world conditions of hybrid cloud infrastructures and remote working.<\/p>\n<p>In addition to the oldest and best-known guidelines, such as <a href=\"https:\/\/www.virtualstarmedia.com\/downloads\/Forrester_zero_trust_DNA.pdf\" target=\"_blank\" rel=\"nofollow noopener\">Forrester\u2019s first report<\/a> and <a href=\"https:\/\/research.google\/pubs\/beyondcorp-a-new-approach-to-enterprise-security\/\" target=\"_blank\" rel=\"nofollow noopener\">Google\u2019s BeyondCorp<\/a>, the components of zero trust are detailed in <a href=\"https:\/\/csrc.nist.gov\/pubs\/sp\/800\/207\/final\" target=\"_blank\" rel=\"nofollow noopener\">NIST SP 800-207<\/a> (Zero Trust Architecture), while the separate <a href=\"https:\/\/www.nccoe.nist.gov\/publications\/practice-guide\/implementing-zero-trust-architecture-nist-sp-1800-35-practice-guide\" target=\"_blank\" rel=\"nofollow noopener\">NIST SP 1800-35B<\/a> offers implementation recommendations. There are also guidelines that map specific infosec measures and tools to the zero trust methodology, such as <a href=\"https:\/\/www.cisecurity.org\/insights\/blog\/prioritizing-a-zero-trust-journey-using-cis-controls-v8\" target=\"_blank\" rel=\"nofollow noopener\">CIS Controls v8<\/a>. 
CISA offers a handy <a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/2023-04\/zero_trust_maturity_model_v2_508.pdf\" target=\"_blank\" rel=\"nofollow noopener\">maturity model<\/a>, though it\u2019s primarily optimized for government agencies.<\/p>\n<p>In practice, zero trust implementation rarely follows the rule book, and many CISOs end up having to mix and match recommendations from these guidance documents with the guidelines of their key IT suppliers (for example, Microsoft), prioritizing and selecting measures based on their specific situation.<\/p>\n<p>What\u2019s more, all these guides are less than forthcoming in describing the complexities of implementation.<\/p>\n<h2>Executive buy-in<\/h2>\n<p>Zero trust migration isn\u2019t purely a technical project, and therefore requires substantial support on the administrative and executive levels. In addition to investing in software, hardware, and user training, it demands significant effort from various departments, including HR. Company leadership needs to understand why the changes are needed and what they\u2019ll bring to the business.<\/p>\n<p>To get across the value and importance of a project, the \u201cincident cost\u201d or \u201cvalue at risk\u201d needs to be clearly communicated on the one hand, as do the new business opportunities on the other. For example, zero trust protection can enable broader use of SaaS services, employee-owned devices, and cost-effective network organization solutions.<\/p>\n<p>Alongside on-topic meetings, this idea should be reinforced through specialized cybersecurity training for executives. 
Not only does such training instill specific infosec skills, it also allows your company to run through crisis management and other scenarios in a cyberattack situation \u2014 often using specially designed business games.<\/p>\n<h2>Defining priorities<\/h2>\n<p>To understand where and what zero trust measures to apply in your infrastructure, you\u2019ll need a detailed analysis of the network, applications, accounts, identities, and workloads. It\u2019s also crucial to identify critical IT assets. Typically making up just a tiny part of the overall IT fleet, these \u201ccrown jewels\u201d either contain sensitive and highly valuable information, or support critical business processes. Consolidating information about IT assets and their value will make it easier to decide which components are most in need of zero trust migration, and which infosec measures will facilitate it. This inventory will also unearth outdated segments of the infrastructure for which migration to zero trust would be impractical or technically infeasible.<\/p>\n<p>You need to plan in advance for the interaction of diverse infrastructure elements, and the coexistence of different infosec measures to protect them. A typical problem goes as follows: a company has already implemented some zero trust components (for example, MFA and network segmentation), but these operate completely independently, and no processes and technologies are planned to enable these components to work together within a unified security scenario.<\/p>\n<h2>Phased implementation<\/h2>\n<p>Although planning for zero trust architecture is done holistically, its practical implementation should begin with small, specific steps. To win managerial support and to test processes and technologies in a controlled environment, start with measures and processes that are easier to implement and monitor. For example, introduce multi-factor authentication and conditional access just for office computers and the office Wi-Fi. 
Roll out tools starting with specific departments and their unique IT systems, testing both user scenarios and the performance of infosec tools, all while adjusting settings and policies accordingly.<\/p>\n<p>Which zero trust architecture components are easier to implement, and what will help you achieve the first quick wins depends on your specific organization. But each of these quick wins should be scalable to new departments and infrastructure segments; and where zero trust has already been implemented, additional elements of the zero trust architecture can be piloted.<\/p>\n<p>While a phased implementation may seem to increase the risk of getting stuck at the migration stage and never completing the transition, experience shows that a \u201cbig bang\u201d approach \u2014 a simultaneous shift of the entire infrastructure and all processes to zero trust \u2014 fails in most cases. It creates too many points of failure in IT processes, snowballs the load on IT, alienates users, and makes it impossible to correct any planning and implementation errors in a timely and minimally disruptive manner.<\/p>\n<p>Phased implementation isn\u2019t limited to first steps and pilots. Many companies align the transition to zero trust with adopting new IT projects and opening new offices; they divide the migration of infrastructure into stages \u2014 essentially implementing zero trust in short sprints while constantly monitoring performance and process complexity.<\/p>\n<h2>Managing identities\u2026 and personnel<\/h2>\n<p>The cornerstone of zero trust is a mature <a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-benefit-from-identity-security\/48399\/\" target=\"_blank\" rel=\"noopener nofollow\">Identity Access Management (IAM)<\/a> system, which needs to be not only technically sound but also supported administratively at all times. 
Data on employees, their positions, roles, and resources available to them must be kept constantly up-to-date, requiring significant support from HR, IT, and the leadership of other key departments. It\u2019s imperative to involve them in building formal processes around identity management, taking care to ensure that they feel personally responsible for these processes. It must be stressed that this isn\u2019t a one-off job \u2014 the data needs to be checked and updated frequently to prevent situations such as access creep (when permissions issued to an employee for a one-time project are never revoked).<\/p>\n<p>To improve information security and make zero trust implementation a truly team effort, sometimes it\u2019s even necessary to change the organizational structure and areas of responsibility of employees \u2014 breaking down silos that confine people within narrow job descriptions. For example, one large construction company shifted from job titles such as \u201cNetwork Engineer\u201d and \u201cServer Administrator\u201d to the more generic \u201cProcess Engineer\u201d to underscore the interconnectivity of the roles.<\/p>\n<h2>Training and feedback<\/h2>\n<p>Zero trust migration doesn\u2019t pass unnoticed by employees. They have to adapt to new authentication procedures and MFA tools, learn how to request access to systems that don\u2019t grant it by default, be aware that they might occasionally need to re-authenticate to a system they logged in to just an hour ago, and that previously unseen tools like ZTNA, MDM, or <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/endpoint-detection-response-edr?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener nofollow\">EDR<\/a> (often bundled in a single agent, but sometimes separate), may suddenly appear on their computers. 
All this requires training and practice.<\/p>\n<p>For each phase of implementation, it\u2019s worth forming a \u201cfocus group\u201d of business users. These users will be the first to undergo training and can help refine training materials in terms of language and content, as well as provide feedback on how the new processes and tools are working. Communication with users should be a two-way street: it\u2019s important to convey the value of the new approach, while actively listening to complaints and recommendations to adjust policies (both technical and administrative), address shortcomings, and improve the user experience.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>How organizations implement zero-trust principles, and what CISOs advise for project success.<\/p>\n","protected":false},"author":2722,"featured_media":53405,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3051],"tags":[2672,359,2141,2431,2967,2857,4471,187,4246,4228,131,709,3884],"class_list":{"0":"post-53404","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-accounts","10":"tag-authentication","11":"tag-business","12":"tag-ciso","13":"tag-economics","14":"tag-identity","15":"tag-identity-security","16":"tag-passwords","17":"tag-sase","18":"tag-strategy","19":"tag-tips","20":"tag-vpn","21":"tag-zero-trust"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/zero-trust-transition-practical-advice\/53404\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/zero-trust-transition-practical-advice\/28844\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/zero-trust
-transition-practical-advice\/24071\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/zero-trust-transition-practical-advice\/28950\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/zero-trust-transition-practical-advice\/39484\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/zero-trust-transition-practical-advice\/29101\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/zero-trust-transition-practical-advice\/34892\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/zero-trust-transition-practical-advice\/34525\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/zero-trust\/","name":"Zero Trust"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53404","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2722"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=53404"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53404\/revisions"}],"predecessor-version":[{"id":53818,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53404\/revisions\/53818"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/53405"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=53404"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=53404"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=53404"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}
","templated":true}]}}