Federal agencies implementing zero trust frameworks must grapple with a broad range of factors that can influence plans and initiatives. Your application portfolio is a significant aspect of successfully implementing zero trust, and many agencies are at the starting line for analyzing and rationalizing applications. Applications and workloads form one of the five pillars of zero trust in CISA's Zero Trust Maturity Model. Applications proliferate so rapidly across organizations that getting a full picture of your application ecosystem is rarely simple. Still, for success with zero trust, it's essential to do so.

A quick refresher 

Zero trust provides the foundation for strong cybersecurity, and any organization with critical assets should consider implementing it. Built on the premise that threats can originate from both outside and within the network, zero trust demands explicit verification of every user, device and workload on each access request, regardless of where on the network the request comes from.

As its name implies, zero trust is a framework that removes implicit trust: no user, device or workload is trusted by virtue of its network location, and access to critical systems and data is granted on a least-privilege basis. Implemented correctly, it ensures that only authorized individuals or systems have access to specific assets, and only to those they truly need.

How zero trust and IT modernization intersect 

An IT modernization initiative often provides an opportunity to implement a zero trust framework. Zero trust reinforces many of the goals of modernization, and the necessary business process reengineering and organizational change management that come with modernization can ease the transition to new security practices. 

The goals of IT modernization typically include improving efficiency, agility and scalability, reducing costs, enhancing security and enabling digital transformation. Zero trust provides a robust security framework that supports each of these goals.

Application portfolio rationalization 

Identifying and removing duplicative, outdated or unused applications reduces the organization’s potential attack surface while increasing efficiency and reducing software costs. 

Evaluate each application in your ecosystem using both qualitative judgments and quantitative metrics. Consider the entire lifecycle of each application, from development to retirement. Where possible, leverage investments in existing technologies such as Application Discovery and Dependency Mapping (ADDM) and Application Portfolio Management (APM) solutions. At the end of the analysis, you should have each application categorized as retain, retire, replace or consolidate.

To begin the rationalization process, consider these steps:

Catalog applications

  • Inventory: Include details such as application name, functionality, users, and associated costs (licensing, maintenance, etc.). 
  • Ownership: Identify and document both the business owner and the technical owner for each application.

Assess usage and performance

  • Metrics analysis: Collect usage metrics to determine which applications are widely used and which are underutilized. 
  • Performance evaluation: Assess the technical performance of each application, including response time, reliability and scalability. 

Categorize applications

  • Platform dependency: Categorize applications based on their platforms, such as legacy systems, cloud-based solutions, or hybrid environments. 
  • Compatibility: Identify applications that are incompatible with the current or future IT environment.

Identify redundancies and duplicates

  • Duplicative applications: Identify applications that perform similar functions and determine whether all are necessary. 
  • Nested applications: Be alert to applications embedded within larger systems that may not be immediately visible.

Evaluate business value 

  • Business impact: Consider each application’s contribution to business outcomes, customer satisfaction and strategic goals. 
  • Total cost of ownership (TCO): Calculate each application’s TCO, including direct and indirect costs. 

Research and plan for modernization

  • Legacy replacement: Research suitable replacements or modernization options for legacy applications.
  • Modernization roadmap: Develop a roadmap to modernize the application portfolio, prioritizing high impact applications. 

Identity and access management (IAM) analysis 

  • Current state assessment: Evaluate the IAM capabilities of each application, focusing on legacy systems that may have outdated or insufficient IAM controls.
  • Compliance and security: Ensure each application's IAM practices meet current security standards and federal requirements, including phishing-resistant multi-factor authentication (required for federal staff and contractors under OMB Memorandum M-22-09), single sign-on and role-based access control. 
  • Integration challenges: Identify legacy applications that cannot integrate with modern security solutions (for example, those limited to local accounts or without support for standard federation protocols such as SAML or OpenID Connect) and plan for necessary upgrades or replacements. 
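To make the rationalization and IAM-analysis steps above concrete, the following is an added example, not code from the original article or a CGI or agency tool. It applies the catalog, usage, redundancy, TCO and IAM checks to a constructed inventory and assigns each application one of the four outcomes (retain, retire, replace, consolidate). The field names, the 25-user utilization floor, the list of required IAM controls and every inventory row are assumptions chosen for illustration.

```python
"""Triage an application inventory into retain / retire / replace / consolidate.

Added example for the rationalization and IAM-analysis steps; the inventory
rows, field names and thresholds below are assumptions, not agency data.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

MIN_ACTIVE_USERS = 25                  # assumed utilization floor for a sole provider
REQUIRED_IAM = ("sso", "mfa", "rbac")  # controls a zero trust policy point relies on


@dataclass(frozen=True)
class App:
    name: str
    function: str                   # business capability delivered; duplicates share one
    business_owner: str | None
    technical_owner: str | None
    active_users_90d: int           # usage metric collected over the last 90 days
    annual_cost: float              # licensing plus maintenance, a TCO proxy
    platform: str                   # "legacy", "cloud" or "hybrid"
    iam: frozenset[str]             # controls the application supports, from REQUIRED_IAM
    embedded_in: str | None = None  # parent system for a nested application


def iam_gaps(app: App) -> list[str]:
    """Required IAM controls the application cannot provide."""
    return [control for control in REQUIRED_IAM if control not in app.iam]


def fitness(app: App) -> tuple[int, int, float]:
    """Rank applications delivering the same function: fewer IAM gaps,
    then more active users, then lower annual cost wins."""
    return (-len(iam_gaps(app)), app.active_users_90d, -app.annual_cost)


def triage(inventory: list[App]) -> dict[str, tuple[str, list[str]]]:
    """Map each application name to a (decision, reasons) pair."""
    by_function: dict[str, list[App]] = defaultdict(list)
    for app in inventory:
        by_function[app.function].append(app)
    # The best-ranked application for each function is the consolidation target.
    target = {func: max(apps, key=fitness) for func, apps in by_function.items()}

    decisions: dict[str, tuple[str, list[str]]] = {}
    for app in inventory:
        reasons: list[str] = []
        if app.business_owner is None or app.technical_owner is None:
            reasons.append("no accountable business and technical owner recorded")
        if app.embedded_in:
            reasons.append(f"nested inside {app.embedded_in}; easy to miss in discovery")
        gaps = iam_gaps(app)
        if gaps:
            reasons.append("missing IAM controls: " + ", ".join(gaps))

        if app.active_users_90d == 0:
            decision = "retire"
            reasons.append("no active users in the last 90 days")
        elif target[app.function] is not app:
            decision = "consolidate"
            reasons.append(f"duplicates {target[app.function].name} for '{app.function}'")
        elif app.platform == "legacy" and gaps:
            decision = "replace"
            reasons.append("legacy platform cannot be integrated with modern IAM")
        elif app.active_users_90d < MIN_ACTIVE_USERS:
            decision = "retire"
            reasons.append(f"below {MIN_ACTIVE_USERS} active users; confirm with the business owner")
        else:
            decision = "retain"
        decisions[app.name] = (decision, reasons)
    return decisions


def estimated_annual_savings(inventory: list[App]) -> float:
    """Direct licensing and maintenance cost of applications marked retire or consolidate."""
    decisions = triage(inventory)
    return sum(app.annual_cost for app in inventory
               if decisions[app.name][0] in ("retire", "consolidate"))


# Constructed sample inventory (not real agency data).
INVENTORY = [
    App("TimeTrack", "timekeeping", "HR", "Platform team", 1200, 90_000.0, "cloud",
        frozenset({"sso", "mfa", "rbac"})),
    App("LegacyTime", "timekeeping", "HR", None, 40, 150_000.0, "legacy",
        frozenset({"rbac"})),
    App("GrantsPortal", "grants management", "Grants office", "App team", 300,
        400_000.0, "legacy", frozenset({"rbac"})),
    App("SurveyTool", "surveys", "Comms", "App team", 0, 12_000.0, "cloud",
        frozenset({"sso", "mfa", "rbac"})),
    App("ReportBuilder", "reporting", "Grants office", "App team", 10, 20_000.0,
        "hybrid", frozenset({"sso", "mfa", "rbac"}), embedded_in="GrantsPortal"),
]

if __name__ == "__main__":
    for name, (decision, reasons) in triage(INVENTORY).items():
        print(f"{name:14} {decision:12} {'; '.join(reasons)}")
    print(f"estimated annual savings: ${estimated_annual_savings(INVENTORY):,.0f}")
```

Run as a script, the example marks LegacyTime for consolidation into TimeTrack (same function, two missing IAM controls, no technical owner), GrantsPortal for replacement (legacy platform that cannot meet the IAM requirements), SurveyTool for retirement (no users) and ReportBuilder as a retire candidate to confirm with its owner, and it reports the direct cost of the retire and consolidate set. The ranking in `fitness` deliberately puts IAM capability ahead of popularity: for zero trust, the application that can be placed behind a policy enforcement point is the one worth keeping, and replacement costs are excluded from the savings figure because they are unknown until the modernization roadmap is built.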

Appreciating the big picture 

Understand there is no defined end state for zero trust—you never truly reach a final destination. It is an information security model that organizations must continuously refine and adapt as new technologies emerge. 

Application rationalization, as a subset of the larger zero trust paradigm, is also an ongoing effort. With every new application introduced, existing applications may become outdated or redundant. Managing application proliferation is an ongoing challenge, but it is essential to ensure your zero trust framework remains effective. 

Zero trust is a critical component of IT modernization efforts, and John Kindervag, who coined the term while at Forrester Research in 2010, emphasizes that it is intended to be simple. However, as straightforward as it can be, it does require care and attention to detail.

A well-structured approach to all zero trust pillars will lead to a more successful implementation, allowing you to expand and refine your strategy as your organization evolves. For more insight into zero trust, visit www.cgi.com/zero-trust. 

This article was originally featured in the 2025 spring edition of Professional Services Council's Service Contractor Magazine.