Zero-trust-washing: Why zero trust architecture is the framework to follow
Have we got to the point where the term “zero trust” is being misused or misrepresented by some vendors as they look to capitalize on its momentum in the market?
It is a tricky one for vendors, as it isn’t possible to label any single product or service as a comprehensive zero trust solution. It is perhaps better to consider the term zero trust architecture (ZTA) – a framework that requires an organization to take steps depending on the priorities of the business and the state of its current security infrastructure.
So, whilst it’s important for organizations to start making the move to zero trust architecture, it is not as simple as adopting a single vendor’s capabilities as a comprehensive solution. But with all the marketing and hype that can quickly muddy the waters when any new technology solution arrives, will we see widespread “zero-trust-washing”? After all, do all legacy products fit the zero trust bill?
We have pointed out that ZTA is a methodology or approach and not a single product or solution that comes off the shelf. In a similar vein, there is no “one-size-fits-all” answer and different organizations will need to prioritize according to their needs.
But can we take steps to describe an “ideal” zero trust model? There are certainly some good definitions of what, at a minimum, should be included. For example, in the US the National Institute of Standards and Technology (NIST) has published a set of seven tenets describing what a ZTA should include. Very importantly, this does not imply that any existing security protections be excluded.
Furthermore, we recently saw President Biden issue an Executive Order to improve the country’s cybersecurity, which includes the adoption of ZTA. There are lots of references to ZTA within the Order, including this one: “The Federal Government must adopt security best practices; advance toward zero trust architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals”.
As with any other new technology or approach, we await an “official” ZTA certification or practical standards. We have already mentioned NIST, which creates standards for communications, technology, and cybersecurity practices. NIST has not yet created any standards or certification for zero trust; its Special Publication discusses goals for ZTA. Perhaps the absence of relevant certification or standards is partially to blame for the lack of cohesion in how ZTA is marketed and sold? With these in place, vendors would at least have solid guidance, and organizations looking to invest in ZTA would have better definition and clarity.
Notwithstanding certification or standards, there is certainly confusion in the marketplace when it comes to ZTA – confusion that can provide fertile conditions for some vendors to take advantage of.
It is possible to build ZTA using a combination of legacy systems and new products – businesses needn’t be worried about having to start completely afresh.
Asking your vendor some straightforward questions will usually help to reveal their understanding of ZTA. For example, ask them how their proposed solution fits within your ZTA – if they can’t visualize this, then they probably still believe that ZTA is something you buy off the shelf. When vendors can pitch their solutions as part of an overall journey for the customer, one that is probably very different for every customer, then success is the more likely outcome.
Resellers and managed service providers are in an ideal position to help their customers adopt ZTA – there is a variety of technology from multiple vendors that needs to be adopted, along with the associated integration into existing infrastructure. And on the basis that such journeys are likely to take years and not months, there is an ideal opportunity to adopt a consultative approach to long-term sales. Zero trust is a strategic IT initiative, and most CIOs are certainly switched on to strategy and planning.
Wherever you are in your ZTA journey, you can’t simply pluck products off the shelf and expect an instant security win. Your business needs and security requirements will differ from those of other organizations, as will the state of your legacy systems. A partner who understands all of this is ideally placed to help you continue that journey fruitfully.