Navigating the Great Zero Trust Debate
With Dozens of Vendors Offering Zero Trust, Which Bandwagon Should You Jump On?
There's no greater testimony to zero trust's grip on the cybersecurity industry than a stroll through last month's RSA Conference, where nearly 400 vendors hawked their wares. Nearly every company had its own brand of zero trust. Among them: "Zero Trust Accelerator," "Just in Time Zero Trust" and "ZTNA 2.0," to name just a few.
Introduced in 2010, the "never trust, always verify" approach has grown from concept to top strategic priority for the public and private sectors. A wide range of network, firewall, identity management, cloud services and endpoint firms are jockeying for position. Not to mention consultants and systems integrators. Ironically, not too many years ago, zero trust was regarded by many as good theory, but lacking in practical examples.
How times have changed. "Zero trust has become a buzzword and, I would say, an abused word," says Upendra Singh, head of global IT security at HCL. "Every vendor's claiming that they have a zero trust product."
A major accelerator for zero trust was President Joe Biden's 2021 executive order for U.S. federal government agencies to meet 19 zero trust architecture requirements by 2024. Today, the debate is not about whether to do zero trust but rather how to implement it. Experts advise following a multistep implementation plan, starting with smaller projects and workflows, and call for caution about big claims from big vendors.
"If you have a vendor saying 'Zero trust is X because that's the product I sell,' then you want to run away," says John Kindervag, the former Forrester analyst who first wrote about zero trust in his 2010 paper, "No More Chewy Centers: Introducing the Zero Trust Model of Information Security."
Disrupting the Cybersecurity Software Market
Traditional perimeter firewall and VPN controls belong to the old "trust model" that allowed threat actors to move laterally through systems once they had broken through network authentication. In contrast, zero trust emphasizes multifactor authentication, least privilege and the need for each user, device, application and transaction to be continually verified.
"Unfortunately, every firewall and every VPN company is calling themselves Zero Trust, and some of them call themselves Zero Trust 2.0 and Zero Trust 3.0."
– Jay Chaudhry, founder, chairman and CEO, Zscaler
Paul Martini, CEO of iboss, which offers a SaaS cloud platform that provides access to both public and private resources, says zero trust isn't more of the same.
"There are some vendors that are misinterpreting zero trust, and what they're doing is authorizing users to connect to network ports, and that's a network concept," Martini says.
"The worst-case scenario is connecting to a network, which is better than allowing someone to connect to a server. Even better might be connecting to a port, but they're all actually bad concepts because they're all network constructs. There might be five applications running on the same port number. You should think of it as connected to applications or resources," he says.
One company going all-in on zero trust is Palo Alto Networks, the $4.3 billion industry heavyweight that repositioned its product suite under the brand Zero Trust Network Access 2.0.
Introduced at RSA Conference, ZTNA 2.0 is a "fine-grained, least-privileged access with continuous trust verification and deep, ongoing security inspection to protect all users, devices, apps and data everywhere." The company contends the first-generation ZTNA software sold throughout the industry included too many exceptions to zero trust principles.
"We've made it our business to make sure we deliver the best-of-breed solutions as part of the entire zero trust stack," says Nikesh Arora, chairman and CEO of Palo Alto Networks. "People would call us legacy in the past. Now it's our turn to call them legacy because we've built it."
Rivals such as Zscaler, which offers a SaaS-based security service edge platform in the cloud, are quick to point out the incongruity of "next-gen" marketing for a brand-new technology.
"Every firewall and every VPN company is calling themselves zero trust, and some of them call themselves zero trust 2.0 and 3.0," says Jay Chaudhry, founder, chairman and CEO at Zscaler.
"In zero trust architecture, you don't connect users to the network, but to applications. If you connect to applications, not the network, there's no lateral threat movement. That means bad guys can't get on the network and find all kinds of stuff."
He describes zero trust as a "fairly straightforward architecture" that "has to be built from a clean slate."
"It starts with identity: Who are you?" Chaudhry says. "So the identity vendor plays a big role. You also often need to check the posture of the device. Are you coming from a compromised device? The endpoint vendors play a role, and the third piece is the switchboard, which actually connects the right party to right party, almost like a smart switchboard."
How Many Vendors in the Stack?
The great debate over zero trust comes at a time when CISOs and CIOs are looking to consolidate and converge IT, creating opportunities for IT system integrators and managed services companies to implement enterprise security as part of broader IT modernization initiatives.
Many organizations have resources sitting in multi-cloud environments, and others operate hybrid environments with on-premises data centers. This has left many large enterprises with a combination of security tools from multiple vendors.
"In my opinion, you need to take a hybrid approach," says HCL's Singh. "Identity is important. The network piece is also important. So you should have a balanced approach when you are building a zero trust architecture, and the main challenge I see is building up a quality decision engine for continuous monitoring in real time."
John Maddison, CMO and EVP at Fortinet, says that in the operational technology space, companies must secure IoT devices, clouds and traditional IT systems. Doing so with multiple vendors makes it "very hard to link the threat intelligence together to make sure that the policies are the same across everything."
"I'm not saying it's one vendor, but it can't be eight or 10 vendors trying to work together," Maddison says. "Cybersecurity companies are not very good at working together."
Palo Alto Networks' Arora plugs a streamlined approach. The problem with the multi-vendor approach, he says, is that too many vendors have products with exceptions and won't work together to ensure zero trust.
"I personally believe it's impossible to deliver zero trust with multiple vendors and the network security stack," Arora says. "You need a consistent approach. You need to know what the left hand is saying and the right hand is doing."
Chase Cunningham, CSO at Ericom Software and a former colleague of Kindervag in Forrester's zero trust practice, predicts CISOs will continue to look for best-of-breed components to meet certain strategic needs. "The majority of buyers don't want one ring to rule them all," he says.
While a number of vendors are pitching zero trust platforms, in reality they’re offering portfolios of products integrated by APIs and middleware, he says. What most zero trust products lack, he adds, is a good data security solution.
"We need more investment or partnerships in the data security sector," he says. "Buyers are becoming aware that there is a gap in these offerings."
Avoiding an 'Incomplete Experiment'
The private sector can learn a lot from an approach to zero trust implementation recommended by the National Security Telecommunications Advisory Committee. Both Kindervag and Cunningham served on the committee and worked with the U.S. Cybersecurity and Infrastructure Security Agency to transfer zero trust principles into the NSTAC document, which was presented in February to the White House.
The implementation strategy, designed to be "flexible, repeatable and technology-agnostic," consists of five steps:
- Define your attack surfaces.
- Map the transaction flows.
- Build a zero trust architecture.
- Create a zero trust policy.
- Monitor and maintain the network.
"You define the protect surface. What do you need to protect?" Kindervag says. "Map the transaction flows. How does that work as a system? Then you architect the environment based upon the thing you're protecting. Then you create the policy. Then you monitor and maintain very simple building blocks. It's the Lego blocks of cybersecurity."
The NSTAC report warned that zero trust requires long-term dedication and that, unless implemented in a thoughtful manner, it could turn out to be an "incomplete experiment - a collection of disjointed technical security projects measured in years rather than the foundation of an enduring, coherent and transformative strategy measured in decades."
Following Kindervag's principles, the National Institute of Standards and Technology was the first to define a zero trust strategy for the government in 2020. NIST identified three major strategies for building a zero trust architecture, focused on identity governance; micro-segmentation; and network infrastructure and software-defined perimeters. Key components include:
- Continuous diagnostics and mitigation system;
- Industry compliance system;
- Threat intelligence feeds;
- Network and system activity logs;
- Data access policies;
- Enterprise public key infrastructure;
- Identity management (assurance) system; and
- Security information and event management system.
NIST described zero trust implementation as a journey, not a wholesale replacement. Most organizations implement it incrementally as part of the regular tempo of tech upgrades. That means the typical cybersecurity shop should expect to operate in a hybrid of zero trust and traditional perimeter cybersecurity for "an indefinite period," NIST says.
Kindervag cautions against overemphasizing tooling. Focus on planning, he says.
"Our friend, former Forrester analyst Rick Holland, always talks about 'expense in depth,'" Kindervag says. "Defense in depth is really 'expense in depth.' You spend money you don't have on things you don't need because you don't know what you're supposed to protect in the first place. So if you have one of those 'no vendor left behind' approaches to cybersecurity, you're going to fail."
The key, he says, is to get started. Organizations can easily spend more time arguing over how to implement zero trust than actually building it.
"You just need to do it. Start small. Start anywhere," Kindervag says. "It just doesn't matter. You just take the first step."