Even though the concept of zero-trust security was first defined more than 10 years ago, it is still shrouded in confusion as enterprise decision-makers continue to ask what it is, where to buy it, and how to implement and manage it.
The good news, however, is that many organizations have already implemented one or more components of zero trust, according to Forrester analyst Steve Turner, and may be further along in their zero-trust journey than they realize.
Why zero trust now?
Former Forrester analyst John Kindervag coined the theoretical term in 2010 with the tagline "never trust, always verify." Yet, it has taken until recently for the idea to gain traction.
"John was ahead of his time," Turner said, adding that, when the idea was conceived, it wasn't easy to implement. At its inception, network-centric security was still the norm. Most employees worked in offices with networks protected by traditional tools, such as firewalls and antimalware.
Today's heightened interest in deploying zero trust can be attributed to the growing prevalence of cloud combined with more employees working on the go from multiple devices, said Doug Cahill, analyst at Enterprise Strategy Group, a division of TechTarget.
Partially driven by the pandemic, enterprises' realization of the importance of remote employees is also creating more interest in zero trust. To obtain and retain the best talent, more companies are enabling remote work.
"People want to work the way they want to," Turner said. "Old security models don't match up to that. They don't protect and align with the business objectives many organizations have."
Zero trust's promise of securing an enterprise perimeter composed of cloud and remote work locations puts a spotlight on the concept, but the decade-old question remains: What exactly is it?
What does zero trust really mean?
"Zero trust is eliminating the mindset that says, 'Inside equals trusted,'" said Johna Till Johnson, CEO and founder of Nemertes Research. Enterprise networks were traditionally set up to assume that, once someone was inside the confines of office walls, they were trusted. Remote work and the cloud have eliminated that construct.
In zero trust's case, "never trust" means not letting users in without authenticating and authorizing them. Taking a default-deny approach, zero trust only grants access once trust is established through attributes such as username and password, location, device profile and time of day.
Zero trust's nomenclature likely adds to its confusion, Cahill said. "It's a rather draconian term. If you don't trust anybody or anything, how can any of us ever get our jobs done?" The real catch of zero trust is where the "always verify" component comes in. "I'm going to verify that you're trustworthy, but then I'm going to continue to assume that you're potentially malicious," Cahill explained.
Zero trust is all about protecting the data and controlling how people access it, Turner said. "It's verifying every step of the way how people access data, whether it's through an application or device."
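The default-deny decision described above can be sketched as a small policy check. This is an added example, not code from the article or from any vendor it mentions; the attribute names, allowed countries and working hours are assumptions made up for illustration. It evaluates every request on its own, so an earlier "allow" never carries over, and a missing attribute is treated as a failure.

```python
from datetime import time

# Constructed policy values (assumptions for this example, not from the article).
ALLOWED_COUNTRIES = {"US", "CA"}
WORK_START, WORK_END = time(7, 0), time(19, 0)

# Each check receives the request's attributes and returns True only on a
# positive match. A missing attribute must never count as a pass.
CHECKS = {
    "credentials": lambda a: a.get("password_ok") is True,
    "location": lambda a: a.get("country") in ALLOWED_COUNTRIES,
    "device_profile": lambda a: a.get("device_managed") is True
                                and a.get("device_patched") is True,
    "time_of_day": lambda a: isinstance(a.get("local_time"), time)
                             and WORK_START <= a["local_time"] <= WORK_END,
}

def evaluate(attrs):
    """Return (allowed, failed_checks). Default deny: every check must pass."""
    failed = []
    for name, check in CHECKS.items():
        try:
            ok = check(attrs)
        except Exception:
            ok = False  # an attribute that cannot be evaluated is a denial
        if not ok:
            failed.append(name)
    return (not failed, failed)

def handle_requests(stream):
    """Evaluate every request on its own; no earlier 'allow' is remembered."""
    return [(attrs.get("user"), *evaluate(attrs)) for attrs in stream]

# Constructed sample: one user whose context changes during the day.
BASE = {"user": "alice", "password_ok": True, "country": "US",
        "device_managed": True, "device_patched": True,
        "local_time": time(9, 30)}
SAMPLE = [
    BASE,
    {**BASE, "device_patched": False},                  # device drifts out of compliance
    {**BASE, "local_time": time(23, 15)},               # outside working hours
    {k: v for k, v in BASE.items() if k != "country"},  # location unknown
]

if __name__ == "__main__":
    for user, allowed, failed in handle_requests(SAMPLE):
        print(user, "ALLOW" if allowed else "DENY", failed)
```

The list of failed checks is worth logging alongside each decision, since it tells the operations team which attribute caused a denial.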
How do you zero trust?
Zero trust is super-simplistic at its core, Turner said. Add one part segmentation and one part verification and, voila, zero trust.
But it's a little more complex than that, he explained. Zero trust has two main components: an identity component and a network component. The identity piece includes identity and access management, along with other identity technologies, such as multifactor authentication (MFA) and identity governance. Provisioning is tied in, for example, by using automated processes to change employees' access rights when their roles change within an organization. The network component includes network segmentation and microsegmentation, which help restrict access based on what employees need for their specific roles.
Despite this simple explanation, zero trust has seen resistance because many organizations think they have to rip and replace their security tools with new zero-trust tools.
"I want to put a line in the sand. Zero trust is not a product. It's not one particular vendor. It's not something you can buy," Turner said. Rather, it is a strategy to be followed.
It's a fallacy that companies need to buy all new technologies to get to a zero-trust state, Turner added. Instead, they can use a variety of technologies in a variety of ways and may have deployed many of them already.
"You do not need to rip and replace to get there," Turner said. "A lot of the vendor ecosystem that understands this has built up a robust integration framework within their products to plug and play with each other because they know that's going to be their competitive advantage."
Many of the tools enterprises already have in place can be used to start down their zero-trust journeys, Turner added. These include MFA, identity governance, endpoint detection and response (EDR), orchestration, encryption and analytics.
Much of the confusion comes from vendors, Turner said, explaining that many slap the zero-trust phrase on their products without any explanation of how exactly they enable zero trust.
Nemertes' Johnson said the vendor confusion is exacerbated by the fact that zero trust can be achieved in so many different ways -- there's not one clear path to it. "Lots of combinations of products give you zero trust," she said. "It's just a matter of which combinations you've picked and how long they work."
The current state of zero-trust journeys
The pandemic inadvertently fueled zero-trust adoption. During shutdowns, many companies were forced into a remote work mode. VPN failures drove many organizations into adopting software-defined perimeters, software-defined WAN and Secure Access Service Edge, which put them on the path to zero trust without many even knowing it.
Multiple clients asked Turner's advice on how to start zero trust, and after investigating which technologies they had in place, he was able to tell them they had already started.
"Many companies thought they were starting from zero, but they were actually starting from 30%," Turner said.
He recalled talking to one client who was bullish about the possibility of achieving zero trust. After asking questions, Turner found the company had already implemented MFA and deployed EDR, as well as integrated its identity system with its security systems.
"You just hit on two principles in the zero-trust ecosystem," Turner told the client. "You could see his head explode." The proof was showing the client how the technologies already in place mapped to zero trust -- and that he didn't have to buy something brand-new to make it happen.
Yet, this isn't always the case. While the interest is there, zero trust has a long way to go before becoming mainstream.
"Out of 100 different inquiries, I'd say probably five to 10 of them are organizations that understand what they're doing," Turner said.
To help clients understand zero trust, Forrester defined its seven pillars: workforce security, device security, workload security, network security, data security, visibility and analytics, and automation and orchestration. The last one, Turner said, is one that can definitely not be ignored because it is key to connecting and benefiting from all the other pillars and their associated technologies.
Turner noted that many zero-trust failures are due to companies focusing on the technologies and not the business or human changes that must be addressed for zero trust to be successful.
"Some companies try to slam in the technology like security has always done," he said. "They just want to check the box and say, 'We're zero trust now.' But that's not how zero trust works."
On a promising note, Turner said many companies are eager to learn how zero trust can help them.
"We're seeing an explosion of organizations finally getting that they need to modernize what they've been doing," Turner said. "And zero trust is the avenue they can take to get there."