
Whether or not you’ve been following our blog series, by now you’ve probably heard of the Zero Trust Architecture (ZTA). And while most security practitioners have already embraced the notion of continuous user and device validation, Executive Order 14028 made ZTA a mandate for the federal government’s civilian agencies and their IT vendors.

Previously, we outlined an organizational approach to Zero Trust implementation and testing that’s geared toward validating compliance and ensuring continuity of critical services. In this issue, we’ll show you how to create a “soft landing” for your Zero Trust solution so you can keep business operations running smoothly, maintain an optimal customer experience and limit friction between security and business leaders.

Preparing stakeholders (end users, business managers and executives)

Change is hard, especially when you’re the one implementing it. When it comes to new security deployments, enterprise stakeholders often feel blindsided by new looks and processes, unfamiliar prompts and altered credentials. And even with extensive preparation, getting everyone on board and up to speed is no small task.

The best strategy to guide your ZTA rollout is to engage with each stakeholder group well before the transition begins to address their fundamental concerns, ask for feedback and keep communication channels open. It’s important to build a compelling business case for why Zero Trust is important to the organization. Don’t leave stakeholders with the impression that ZTA is just another compliance box to check, or the latest security fad. Some common concerns for different stakeholder groups are provided below to help you start a dialogue.

Common end-user concerns:

  • Changes to the look, feel or process for accessing the network, applications or data
  • Changes to the look, feel or process for customer/public access to data and services
  • Compatibility or requirement changes for company-owned, personal and public endpoint devices
  • Processes for new or changed endpoint devices, including seamless migration

Common business manager concerns:

  • Effect on critical IT services following transition, including availability, reliability and latency
  • Continued flexibility to support new applications, modifications and upgrades
  • Ability to handle planned and unplanned surges in customer and/or employee usage
  • Impact on employee retention or customer satisfaction scoring

Common executive concerns:

  • New or increased resource requirements
  • Compatibility with cost-saving initiatives, such as the use of public cloud or third-party shared resources/infrastructure
  • Scaling for employee and customer growth
  • IT infrastructure considerations associated with merger and acquisition plans
  • Evidence of effective loss prevention for specific threats of highest board-level concern
  • Facilitation of compliance auditing or certification

Structure transitions using phased installation and passive implementation

In our previous blog, we recommended validating your Zero Trust solution in a virtual environment to help build a sense of confidence that the full solution is viable—without affecting production systems. But to ensure a soft landing, there should still be a deliberate and phased approach to production installation. Throughout the transition, be attentive to any new or unaccounted-for workflows as well as incompatibilities with legacy applications or assets. In every instance possible, additional Zero Trust enforcement mechanisms should be implemented with passive controls until business routines are well exercised. The best way to phase the process varies by organization, but the outline below can provide some guidelines to apply to your own program.

Phase 1 – Establish governance:

  • Identity federations
  • Multi-factor methods
  • Endpoint management/certificates
  • Server and application identities
  • Management of virtual/container environments

Phase 2 – Risk-adaptive access controls (RAdAC):

  • Remote and SaaS applications
  • Device posture controls
  • Federated identity integration

Phase 3 – Front-end network access management:

  • User-application segmentation
    • Employees
    • Third parties
  • VPN transition
  • DMZ app/server transition

Phase 4 – Back-end network access management:

  • Workflow (identity-based) segmentation
    • High-level segmentation of physical and server networks
    • Expanding to greater fidelity subdomains
  • Virtual, cloud, container and blended workflows
  • Complex workflows requiring network or API-based orchestration
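As an added illustration (not part of the original post) of the "passive controls first" advice above, the sketch below evaluates a Phase 2-style risk-adaptive rule set against constructed access requests in passive mode and reports what enforcement would have blocked, so unaccounted-for workflows (such as a legacy app with no MFA hook) surface before anything is denied; the rules, field names and sample traffic are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed example: a minimal risk-adaptive access check that runs in
# "passive" mode (denials only recorded) or "enforce" mode (denials block).
# Rules and fields are assumptions for illustration, not any product's policy.

@dataclass
class AccessRequest:
    user: str
    app: str
    mfa: bool
    device_managed: bool   # endpoint enrolled in device management
    os_patched: bool       # device posture: current patch level

@dataclass
class Decision:
    allowed: bool          # what the caller should do right now
    would_deny: bool       # what enforcement would have done
    reasons: list[str] = field(default_factory=list)

UNMANAGED_OK = {"public-portal"}   # apps reachable from unmanaged devices (assumed)

def evaluate(req: AccessRequest, passive: bool) -> Decision:
    reasons = []
    if not req.mfa:
        reasons.append("mfa-required")
    if not req.device_managed and req.app not in UNMANAGED_OK:
        reasons.append("unmanaged-device")
    if req.device_managed and not req.os_patched:
        reasons.append("posture-unpatched")
    would_deny = bool(reasons)
    # In passive mode every request proceeds; the would-be denial is only logged.
    return Decision(allowed=(not would_deny) or passive, would_deny=would_deny, reasons=reasons)

def rollout_report(requests, passive=True):
    """Return would-deny findings grouped by app, for review before switching to enforce."""
    findings = {}
    for r in requests:
        d = evaluate(r, passive)
        if d.would_deny:
            findings.setdefault(r.app, []).append((r.user, d.reasons))
    return findings

SAMPLE = [  # constructed traffic from a dry run
    AccessRequest("alice", "crm", True, True, True),
    AccessRequest("bob", "legacy-erp", False, True, True),     # legacy app has no MFA hook
    AccessRequest("carol", "public-portal", True, False, False),
    AccessRequest("dave", "crm", True, False, True),
]
```

Running `rollout_report(SAMPLE)` lists the legacy ERP and the unmanaged CRM access as the workflows to fix or exempt before flipping `passive` to `False`.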

Finding corporate resolve

Embarking on a fundamental paradigm shift like implementing a ZTA requires a great deal of resolve within an organization. Time and resource commitments, overcoming the inertia of “the way we’ve always done it” and persisting through unforeseen hurdles can only be successful when supported by broad consensus and strong advocacy.

We began this blog series by pointing out that the world of IT has already changed: 

  • Increase in the number of remote connections
  • Expanded use of virtual, cloud and containerized storage and processing resources
  • Automation of processes
  • Reliance on partners, third parties and contractors
  • Value of large data ingestion and analysis

If your company is thriving, it’s because you are already taking advantage of these innovations. But has your security stack and strategy been adjusted to keep pace? If your approach to security hasn’t changed with your business processes, your company has likely assumed unknown risks. Ideally, your enterprise risk management (ERM) team has already identified any gaps, but if not, they may need prompting. An ERM team that is committed to the cause can help build a business case to gain buy-in from executive leadership and instill a risk-aware culture among end users.

Partnering on your journey

You will almost certainly need external partners to help you along your Zero Trust journey. While there is no single solution, there are cybersecurity vendors and technology integrators who can help you define your Zero Trust architecture. Having access to a robust virtual simulation of your networks provides an essential proving ground to explore and validate architectures and implementations that suit your unique situation.

At SimSpace, we’re happy to discuss how such a testing environment can be built and deployed as part of your Zero Trust journey—or any other security transitions you may be undergoing.

Did you know that SimSpace can help you validate your ZTA implementation and compliance posture? To find out more and request a demo of our ZTA validation capabilities, contact us at info@simspace.com

Blog by Bud Whiteman
Bud Whiteman serves as Lead Cyber Analyst at SimSpace, applying over 20 years of experience in risk management, cybersecurity risk assessment, business analysis and workforce development. Prior to his civilian career, Bud spent 20 years as a US Navy officer, attached to nuclear submarine operations and US Strategic Command. He holds a MS in Operations Research from the Naval Postgraduate School, and is a Certified FAIR™ practitioner for quantifying cyber risk.