Although the agency created identity at some point and paired it with the appropriate access level, it went through “access because there is no governance, and when people leave the organization, it delays getting people out of the identity management system.”
But to begin addressing the agency’s security posture, Carmichael must first provide stakeholders with a common definition of zero trust, and a persuasive reason to invest in the work required. Only then can she educate the institution on the technical work needed to build zero trust, such as network segmentation, PAM and MFA, and the process changes required to enable it.
Nick Puetz, managing director of the strategic practice of Consultancy Protiviti network, said Carmichael’s journey reflects the journey of most organizations that often have various components of zero trust before formally adopting the approach but not having a concert. Using a zero trust framework can help.
