The Tao Of Zero Trust
I get asked two questions at least weekly, in some cases almost daily:
- Where do we start for Zero Trust? — Fix your IAM and user side of the equation.
- What is the difference between other frameworks and Zero Trust? — OK, now we can get down to the nuts and bolts on this one.
Zero Trust turned 10 years old this year. John Kindervag’s research and analysis of enterprises uncovered that dangerous assumptions of “trust” had become an essential part of the network. He realized that the human emotion, trust, was more than a simple flaw; it represented a major liability for enterprises’ networks that would lead to failure over and over again in the years to come.
Since 2010, attackers have breached thousands of companies, stealing billions of records. Some companies went out of business, some governments suffered geopolitical setbacks that would take years to unravel, and many citizens have lost faith in the integrity of their countries’ electoral procedures. And none of those exploits or breaches ever required attackers to use their most sophisticated skills or techniques. Most of them began with the failure of a few basic security controls and the inevitable lateral movement of attackers.
Zero Trust wasn’t born out of a need to sell another security control or solution. It was born from a desire to solve a real enterprise issue. And just as the threat landscape and the challenges have evolved over the last 10 years, Forrester has worked to build out the original concept into a simple framework we call ZTX, or Zero Trust eXtended.
Our framework solves the architectural and operational issues with Zero Trust — namely, how to get started and how to sustain a Zero Trust approach. ZTX covers how to “build” Zero Trust into the technology stack of your enterprise. It helps organizations understand how they can choose solutions that deliver on Zero Trust principles and enable their strategy over time. Forrester also rolled out a series (two so far) of virtual infrastructures to showcase what Zero Trust implementations look like — we ate our own dog food.
Zero Trust works, but that doesn’t make it easy. Forrester has clients engaged in rolling out ZTX technologies and approaches, and we continue to revise and update our research as we work with more enterprises. Our virtual architectures further cement the validity of our approach.
You might have noticed an explosion of Zero Trust recently. We think this adoption is based on two factors:
- First, the cybersecurity industry has hit an inflection point wherein the massive spend to prove the negative of “good security” is drying up.
- Second, CEOs and board leadership for enterprises are tired of the technical talk and miscommunication around cybersecurity operations. Zero Trust is simple in name, comprehensive in its approach, and realistic in the acceptance of the inherent failures that plague enterprises from the second they start sending electrons.
Now for the other frameworks question.
There are a multitude of other methods, frameworks, builds, and approaches that can be part of a security strategy. If you really do the deep dive on these other approaches, you will understand that, in truth, they are in some way different sides of similar coins. Every framework looks at endpoint security, every framework pushes for user controls and optimal firewall rules, and every method is aimed at discerning where vendor technologies can be employed to solve those problems. Each has its own flavor of approach, and in all honesty, any of them could be employed as part of a long-term strategy.
OK — but wait a minute.
Sitting in the analyst chair and talking daily to Fortune 50 organizations that can’t even deal with things as simple as enabling MFA, eliminating bad passwords, fixing failed firewall configurations, and patching decade-old servers speaks to a bigger issue: complex frameworks and complicated strategies focused on chasing compliance checklists. If most enterprises can’t even do those basic things (read our research and note the numbers on how often basic security controls are abject failures if you doubt this), then it stands to reason that employing something as difficult as continuous adaptation, or 15,000-word checklist documents, is light years away. Add to that the difficulty of deciphering frameworks with five-letter-long acronyms, mile-long checklists, and variable inputs, and the complexity increases further.
Zero Trust is focused on simplicity and the reality of how things are now. We push organizations to start from Zero Trust and work from that position, continually, programmatically, outwardly. And we tell them this is a process, possibly a multiyear-long one, and that this process never ends — ever.
The reality in cybersecurity is that everyone must stop sucking at the basics before we can ever even consider moving to something as advanced as continually basing security controls and decisions on analytic contextual inputs. That type of advanced capability is a nuclear-reactor level of complexity, when most organizations are lucky if they can even plug a light bulb in.
Couple simplicity and clarity with a decade of research, real-world use cases, an industry lining up to be evaluated for inclusion, and actual functional deployments of the strategy, and suddenly one of these approaches seems a bit more pragmatic.