January 23, 2018
I am a huge fan of Zero Trust—the simplicity of the concept resonates with clients who read the research authored previously by John Kindervag and more recently by me.
The framework’s intrinsic value to security and business processes is readily evident to those who explore how it benefits their security needs. If we’re honest about Zero Trust, though, then we should admit that, to date, the framework has existed mainly in the realm of research, ideas, and discussions. Most organizations aren’t actually implementing the Zero Trust framework in effective ways, in part, because they’re not sure of the concrete technology purchases and organizational changes needed to do so. Zero Trust needs a refresh to convey the specific steps enterprises must take to realize the framework’s benefits.
This is where Zero Trust eXtended (ZTX) comes in. ZTX is the application of the Zero Trust framework to your enterprise; it is a data-focused version of Zero Trust that more easily enables direct mapping of technology purchases and strategic decisions to the execution of your Zero Trust strategy. The ZTX framework maps technologies and solutions to the framework’s pillars:
- Network – What does the technology do to enable the principles of network isolation, segmentation, and ultimately security?
- Data – What does the technology do that enables data categorization, schemas, isolation, encryption, and control?
- Workforce – How does the solution work to secure the humans that are using the network and business infrastructure, and does the solution reduce the threat that users create?
- Workload – Does the solution or technology secure areas such as cloud networks, apps, and anything else that a business or organization uses to make the business operate technically?
- Automation and Orchestration – How does the technology or solution automate and orchestrate Zero Trust principles and empower the business to have more powerful control of disparate systems?
- Visibility and Analytics – Does the technology or solution provide useful analytics and data points and eliminate dark corners of systems and infrastructure?
A system, tool, or technology must have considerable and specific technical capabilities in at least 3 pillars of this framework AND a powerful API integration capability to be considered a ZTX platform.
If a tool has the technical capability to aid in automation and orchestration and also does micro-segmentation, then it meets a few of the criteria, but not enough to be a platform. However, if a tool or technology enables micro-segmentation and encryption, integrates automation and orchestration, AND has a well-built API through which developers can build in additional Zero Trust features, then it would be considered a platform. This first ZTX report is by no means a final determination for vendor technologies—it is a first stake in the ground in what will be an iterative and evolving concept.
Additionally, there are a variety of technologies and capabilities that are part of a Zero Trust network or system that are also considered (though not necessarily overtly in this first report). Technologies and capabilities such as authentication, identity management, asset control, encryption, and a variety of others are all part of the larger Zero Trust and ZTX plan; it would be impossible to include everything explicitly in a single report. Over time, those items will be explored in great depth. In other words, have patience. Anything new and worthwhile takes time.
I look forward to developing this implementation framework over the course of 2018. Eventually a user will be able to reference this architecture and framework to specifically and succinctly determine which technical solutions from which vendors will enable their Zero Trust strategic goals and power their strategic decisions around implementing Zero Trust. Those same users will use ZTX as a lens through which to focus their integration efforts as they work towards achieving a Zero Trust business infrastructure.