And while the agency at one point had created identities and paired them with appropriate levels of access, it had experienced “access creep, because there was no governance and, when people left organization, there was a delay in getting people out of the identity management system,” Carmichael explains.
But to begin tackling the agency’s security posture, Carmichael first had to provide stakeholders a shared definition of zero trust and a persuasive reason for investing in the required work. Only then could she educate the agency on the technological pieces necessary to create zero trust, such as network segmentation, PAM, and MFA, and the process changes that would be needed to enable it.
Nick Puetz, managing director in charge of the cyber strategy practice at consultancy Protiviti, says Carmichael’s journey mirrors that of most organizations, which often have various components of zero trust in place before they formally adopt the approach but not working in concert. Using a zero-trust framework can help.