A Look Back At Zero Trust: Never Trust, Always Verify
What exactly is Zero Trust? For those of you who’ve been hiding away in a cave for the past decade, Zero Trust (ZT) is a concept founded by Forrester alum John Kindervag in 2009 that centers on the belief that trust is a vulnerability, and security must be designed with the strategy, “Never trust, always verify.”
Forrester has continued its research and support of this security concept for over 10 years, and it doesn’t look like we will be drifting from the herd anytime soon. Why? Because old-school approaches to security aren’t cutting it. Many organizations feel that ZT is too hard, time-consuming, or costly to implement, but it will save your organization in the long run. The strategy reduces the risk of falling victim to a ransomware attack, paying hefty fines, or suffering loss of customer trust following a breach. Frankly, we’re still not quite sure what else the security industry needs to see to grasp that Zero Trust is both real and a necessity.
In the first half of 2020, the Forrester security and risk (S&R) team wrote reports focusing on how to implement ZT within your organization. For those who’ve implemented the strategy already and are looking to expand, there’s also new research on how to use ZT to improve your security posture.
Implement ZT
- ZT is rapidly becoming the security model of choice for enterprises and governments alike. However, security leaders often don’t know where to begin to implement it, or they feel daunted by the fundamental shifts in strategy and architecture that ZT demands. But ZT doesn’t require that you rip out all your current security controls to start fresh, and with the right approach, you can realize benefits right away. Security leaders should read this report to understand the practical building blocks of a successful Zero Trust implementation roadmap: A Practical Guide To A Zero Trust Implementation.
- Large technology companies and the US federal government have adopted ZT as their next-generation security model. 2019 saw Zero Trust enter the European security market. In 2020, European security executives are beginning to craft their strategies for Zero Trust adoption. S&R pros should read this report to understand how to apply the ZT framework to international organizations with European operations: How To Implement Zero Trust Security In Europe.
- S&R pros often struggle to obtain buy-in or support from the many stakeholders that will be affected by ZT implementations. This report shows S&R leaders how to promote ZT in their organization by building a coalition and an internal marketing strategy. It also details how to lead and communicate this significant business and technology change with an ethics, integrity, and business focus: Sell Your Zero Trust Strategy Internally.
- ZT is prone to misconceptions. IT and business leaders often think that ZT is too hard and too expensive or that it requires them to restructure everything they’ve built or deploy next-generation firewalls everywhere. Because “trust everything” is easier to grasp than the ZT principle of “never trust, always verify,” ZT myths abound. S&R leaders should read this report to understand the concerns of their stakeholders and learn how to bust these myths so they can successfully fulfill their Zero Trust aspirations: Bust The Zero Trust Myths.
Use ZT
- Passwords are easy pickings for cybercriminals and the culprit behind many cyberattacks. Administrative costs and user productivity losses add insult to injury. So, why are so many organizations still password-centric? Both business and technical obstacles, such as legacy systems and partner requirements, conspire to keep organizations hooked on passwords. This report compares authentication methods in use in today’s organizations and offers steps to help S&R pros ditch the password for good and adopt a Zero Trust approach to authentication: Using Zero Trust To Kill The Employee Password.
- Organizations across the globe are embracing ZT. This report provides a methodology that S&R pros can use to move beyond merely adopting the idea of ZT and actually make progress toward the end state, Zero Trust infrastructure: Throw DARTS To Hit Your Zero Trust Targets.
- Fundamentally, ZT is about moving away from traditional perimeter-based security approaches and embracing a workload-first, data-driven, and identity-aware security model. While ZT improves security, there’s also a hidden benefit: It’s a critical lever to improve employee experience (EX). Read this report to learn more: Enhance EX With Zero Trust.
- Ransomware and malware continue to plague organizations across the globe. Entire industries have been affected and, in some cases, ground to a halt thanks to the scourge of ransomware attacks. While endpoint-focused security solutions have evolved, ransomware continues to impact enterprises. This report includes post-attack analysis of two potent strains of ransomware, WannaCry and NotPetya. It also demonstrates how the application of ZT strategies combined with ZT technologies would have mitigated the threat from these campaigns: Mitigating Ransomware With Zero Trust.
- S&R pros concerned about 5G security will find that the security narrative was hijacked — rightfully — by geopolitical and national security concerns. For enterprise security leaders, 5G is arriving globally, and with that comes new enterprise use cases that security leaders will need to address sooner rather than later, regardless of the geopolitical tug-of-war’s outcome. Read this report to learn more: Zero Trust Primer For 5G Security Use Cases.
- ZT demands that security teams eliminate the dangerous trust assumptions underpinning perimeter-based security architectures. When you embrace a ZT mindset, you assume that malicious actors have already infiltrated your environment and are stealing your valuable data. ZT metrics answer two questions for business and S&R leaders: 1) Do we have a breach? and 2) What sensitive data have criminals exfiltrated? This report reviews the ZT metrics that help answer these critical questions: Craft Zero Trust Security Metrics That Matter.
- You can use ZT solution providers to eliminate easy targets, take back the initiative, and clarify technology benefits for stakeholders. But to realize these benefits, you’ll first have to select from a diverse set of vendors that vary by size, functionality, geography, and vertical market focus. S&R pros should use this report to understand the value they can expect from a ZT solution provider and to select one based on size and functionality: Now Tech: Zero Trust Solution Providers, Q2 2020.
If you’re looking for more, check out our site. We’ve published over a decade of ZT research. You may also be interested in reviewing our playbook: The Zero Trust Security Playbook For 2020.
We’re also in the middle of a new research stream focused around demos on Zero Trust. Head over to my page on the Forrester website to see new videos when they publish.
(written with Alexis Bouffard, research associate at Forrester)