A comprehensive framework for migrating to zero trust architecture

Abstract

Migrating to Zero Trust Architecture (ZTA) is a strategic approach to strengthen the security postures within the organization. Moving to Zero Trust (ZT) involves changes across the organization and it can be challenging to achieve. Utilizing effective and reliable frameworks for migrating from the old security architecture to ZTA can help ensure a smooth transition and risk mitigation to the Zero Trust journey. This study aimed (1) to develop a comprehensive framework for migrating to ZTA and (2) to create a guideline that aligns with a proposed framework for supporting the ZT migration plan. This study was conducted by using a meta-analysis by following a PRISMA guideline to analyze and synthesize the published studies relating to ZT migration. Online databases for data extraction included IEEE Xplore, ScienceDirect, ACM Digital Library, Web of Science, JSTOR, SpringerLink, and Google Search Engine. In this research, 635 academic publications and practice-oriented publications, including white papers and reports from ZT vendors, published during 2015-2022 were retrieved. Finally, 28 academic literature and high-quality reports regarding ZT migration were obtained. Using the extracted, categorized, and consolidated ZT migration knowledge from these literatures, a comprehensive framework for ZTA migration was created. Furthermore, the proposed framework was completed by incorporating DevOps concepts that concern the entire migration lifecycle. Ultimately, the proposed framework was evaluated for its usability and effectiveness by assessing with generic and ZTA-specific criteria of the framework evaluation. The results of meta-analysis revealed that ZT migration started with developing strategies, evaluating the current security state and setting the desired security state before deploying ZTA. Later, the organization implemented ZT components and migrated users to ZTA. Finally, the organization monitored and optimized the security performance of ZTA. Thus, based on the meta-analysis results, a comprehensive framework for migrating to ZTA should be composed of six main processes: (1) strategize zero trust, (2) context assessment, (3) architect ZTA, (4) zero trust transformation, (5) monitoring and maintenance, and (6) optimize ZTA security. In addition, the proposed guidelines provided practical checklists that specified important activities for ZT migration and technological requirements to implement ZTA in the organization. IMPLICATION OF THESIS: The results of this study can assist organizations wishing to migrate from the traditional security architecture to ZTA. The proposed framework provides an efficient and consistent model for organizations to establish migration strategies. Moreover, the proposed framework is applicable for IT managers to have practical and effective processes for supporting the ZT migration. Thus, IT managers can use the proposed framework and the guideline of this study to implement the ZT migration projects and continue to optimize ZTA’s security capabilities.