Zero Trust Is Not A Security Solution; It’s A Strategy
One of the top challenges and misunderstandings that I continue to see here at Forrester is about what the definition of Zero Trust actually is. Zero Trust is not one product or platform; it’s a security framework built around the concept of “never trust, always verify” and “assuming breach.” Attempting to buy Zero Trust as a product sets organizations up for failure.
Vendors (especially ones that want to sell you everything, including the kitchen sink, a.k.a. portfolio vendors) would have you believe that the security solution, platform, or widget they are selling is Zero Trust and that you can just purchase their solution to address your needs. This is false. Vendors enable Zero Trust; they are not Zero Trust itself. My colleague Jinan Budge wrote a report that dispels Zero Trust myths like this.
There Is No Easy Button To Zero Trust
Starting down the path of Zero Trust is complicated. It’s difficult to figure out where to start (and if you haven’t started yet, this section will appeal to you!), so we’ve built a handy guide on how to practically enable Zero Trust from an implementation standpoint. Don’t buy into the vendor hype that you can purchase something and immediately be Zero Trust. That’s not the reality of the situation.
Organizations need to build a strategy to get to a Zero Trust architecture that encompasses more than technology and buzzwords. The Zero Trust eXtended (ZTX) ecosystem can help greatly with this and at a bare minimum requires:
- Assessing your existing security program’s Zero Trust maturity (people, skills, technology, capabilities, etc.). This includes understanding how people are doing their jobs and how existing business processes are done today, mapping existing technology capabilities, and understanding gaps.
- Mapping the output of this maturity assessment to the ZTX framework to understand what pillars you are strong in and which ones are lacking, specifically the capabilities in which you need to improve.
- Considering tools and technology to address the areas where you’re lacking and integrating Zero Trust implementation into existing business, IT, and security projects.
Zero Trust Is A Security Framework, Not An Individual Tool Or Platform
ZTX is an ecosystem with both technology and non-technology pieces. We’ve written an extensive playbook that takes into account both sides of this story and addresses each pillar in detail.
Protecting the perimeter and other prior security strategies didn’t easily adapt to change because they were designed around monolithic point solutions that didn’t integrate with each other. Zero Trust, however, is designed to be in a state of continuous review and optimization.
The fluid, integrated nature of Zero Trust is designed to easily adapt to business changes. Organizations need to be cautious about vendor messaging, dive into the details about vendor offerings, and call them out when the technology they’re pitching seems too good to be true.
Ask the vendor you’re considering where the capability they’re describing fits in the ZTX ecosystem. If they can’t describe it, it’s a very clear sign that they don’t understand Zero Trust. Security vendors need to update their messaging to reflect the reality that Zero Trust is a journey that’s different for every organization and stop advertising Zero Trust as a product that can be bought. By selling their solutions as Zero Trust easy buttons, they continue to set their customers up for failure by perpetuating this false paradigm.
Zero Trust Isn’t A Race; It’s A Continuous Journey
While Zero Trust continues to be marketed as the sexy, cool, hot new thing, at the end of the day we need to ground ourselves. Zero Trust is the new normal. COVID-19 has significantly changed the way we work and forced a lot of organizations to accelerate their digital transformation and security strategies. Take a second to see if these security solutions are the real deal by scrutinizing how they fit into the different pillars of the ZTX ecosystem and, most importantly, your organization’s overall Zero Trust strategy. They should help organizations reach Zero Trust while improving the employee experience, and they should not be just another security tool that gets in the way of doing business.
Look out for my research that will help practitioners navigate the maze that is Zero Trust and finally realize their dreams of a modern, future-ready security posture.