April showers bring May flowers, and this year’s RSA Conference. Usually there’s one topic at RSA that everyone is talking about, but this year there will likely be three: secure access service edge (SASE), extended detection and response (XDR), and zero trust. In my last blog, I described eight things security executives want to hear about XDR. This one focuses on zero trust.
Since my old buddy John Kindervag first came up with the concept, it’s been bastardized to mean just about anything associated with authentication, access control, network segmentation, or cybersecurity in general. Given this expected industry confusion, let me start by grounding this blog with a mashup definition of zero trust drawn from NIST (SP 800-207):
“Zero-trust (ZT) is a term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location. A zero trust architecture (ZTA) is based on zero trust principles and designed to prevent data breaches and limit internal lateral movement.”
In simple terms, zero trust policies and controls determine who (users, devices, etc.) can access what (applications, data, services), and under what circumstances. When you fly, you are asked to provide a valid ID and boarding pass and have your luggage checked before being given permission to enter the boarding area. A zero trust airport would go even further, permitting you access only to a specific gate, airplane, and seat rather than to the whole concourse. Oh, and only if you kept your jacket on throughout the boarding process. If you removed it for any reason, zero trust would detect an environmental change and reevaluate the whole process from soup to nuts.
Unlike XDR, which is still forming as a market, zero trust has been around for years. In fact, ESG research indicates that 33% of organizations have already implemented some type of zero trust project across the enterprise while 30% are implementing zero trust for a specific use case. What type of use case? Third-party access to particular applications/services, VPN replacement, network segmentation, etc. Additionally, more than one-third (36%) of organizations claim that COVID-19/WFH has accelerated their adoption/expansion of zero trust.
As an architecture, zero trust strategies can include a multitude of different technologies – security controls, networking devices, IAM software, and so on. This makes ZT a bit of a yin to the RSA conference’s yang, where vendors tend to trumpet discrete security tools. Given this dichotomy, security managers won’t want to hear much about individual security product feature/functionality. Based on some recent conversations, CISOs will be looking for zero trust discussions centering on:
- Zero trust strategy evolution. Despite the security technology industry’s enthusiasm for products, zero trust is really a strategy that should support security, IT, and most importantly, business objectives. That said, ESG research indicates that while 88% of organizations have a zero trust strategy, more than half (57%) start the journey with a specific use case like giving business partners secure access to a single application, or securing cloud adoption. CISOs need help crafting the roadmap from tactical IT/security project to something embedded into the organizational mission, and it will take more than security widgets to get there. CISOs want to hear details about how they should proceed with multi-phased zero trust projects, how to engage cross-functional stakeholders throughout the project, and how to measure success at each stop along the way.
- Technology integration. As previously mentioned, zero trust demands participation from a potpourri of IT and security technologies including endpoint security software, VPNs, network encryption, micro-segmentation, CASB, etc. And since many organizations have already started zero trust projects, any new initiatives will have to interoperate with existing technologies. These are treacherous waters that will be difficult to navigate, so CISOs want to understand all possible options. Security vendors at RSA should be ready to describe their multi-product zero trust platforms and integration support while doing so in the context of tactical use cases and longer-term business strategies.
- Risk assessment criteria and capabilities. Theoretically, zero trust access decisions are continuously reassessed based on changing risk factors such as device health, user location, software vulnerabilities, emerging cyber-threats, etc. Okay, but how are these changing conditions collected, scored, and acted upon? NIST SP 800-207 puts this job in a policy engine fed by the organization’s identity management, endpoint posture (CDM), threat intelligence, and logging/SIEM systems, which sounds like a complex decision support system to me. Since zero trust ultimately enforces business policies, CISOs won’t settle for "black box" solutions. Rather, they will push vendors for the underlying details around how zero trust technologies measure and act upon changing risk factors – in real time, of course.
- The security/IT operations conundrum. The RSA conference may be a security event, but zero trust strategies depend upon strong cooperative efforts between security and IT operations professionals. CISOs must work with CIOs to ensure strong relationships, common goals, and collaborative processes, but they will also need their ZT technologies to interoperate with IT devices, networking equipment, cloud infrastructure, and operations tools. Zero trust vendors need a similar collective strategy with integration kits, broad support, and partners in areas across the IT spectrum. The more use cases and customer references, the better.
- Industry knowledge and experience. I’ve been saying for years that cybersecurity is transitioning from a horizontal service to a vertical application, and this is especially true in business-driven initiatives like zero trust. For example, healthcare CISOs will want to work with zero trust vendors that understand clinical care devices, physician work habits, state/federal regulations, and electronic health record (EHR) systems. To bridge this gap, pure-play security technology vendors may want to partner with system integrators with stables of consultants and industry expertise.
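To make the risk-assessment bullet (and the "jacket comes off" re-evaluation from the airport analogy) concrete, here is a small policy engine in Python. It is an added example, not ESG’s, NIST’s, or any vendor’s code: the signal fields, the score weights, the thresholds, the ehr-app resource, and the sample user are all invented for illustration. Entitlement is checked before risk so that a low risk score never grants data the user is not entitled to, and a live session is re-decided every time a signal changes.

```python
"""Toy zero trust policy engine.

Added example: a policy decision point that turns risk signals into an
allow / step-up / deny decision and re-evaluates a live session every time
a signal changes. Signal names, weights, thresholds and the sample resource
are invented for illustration, not taken from any product or standard.
"""
from dataclasses import dataclass, replace
from enum import Enum

# Countries from which the business normally expects users (assumption).
ALLOWED_COUNTRIES = frozenset({"US", "CA"})


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # allowed only after a fresh strong authentication
    DENY = "deny"


@dataclass(frozen=True)
class Context:
    """Signals the engine would pull from IAM, endpoint posture, vulnerability
    management and threat intelligence feeds (field names are invented)."""
    user: str
    group: str
    device_managed: bool
    device_compliant: bool   # e.g. EDR running, disk encrypted, OS patched
    country: str
    mfa_age_s: int           # seconds since the last strong authentication
    critical_vulns: int      # unpatched critical vulnerabilities on the device
    threat_level: int        # 0 (quiet) to 3 (active campaign), from the SOC


@dataclass(frozen=True)
class Resource:
    name: str
    allowed_groups: frozenset
    step_up_risk: int        # above this score, require fresh MFA
    max_risk: int            # above this score, deny outright


def risk_score(ctx: Context) -> int:
    """Weighted sum of the risk signals; the weights are illustrative."""
    score = 0
    if not ctx.device_managed:
        score += 40
    if not ctx.device_compliant:
        score += 30
    if ctx.country not in ALLOWED_COUNTRIES:
        score += 25
    if ctx.mfa_age_s > 8 * 3600:
        score += 15
    score += 10 * min(ctx.critical_vulns, 3)
    score += 10 * ctx.threat_level
    return score


def decide(ctx: Context, res: Resource) -> Decision:
    """Entitlement first, then risk: no low score grants data the user is
    not entitled to, and no entitlement survives a high score."""
    if ctx.group not in res.allowed_groups:
        return Decision.DENY
    score = risk_score(ctx)
    if score > res.max_risk:
        return Decision.DENY
    if score > res.step_up_risk:
        return Decision.STEP_UP
    return Decision.ALLOW


class Session:
    """Access to one resource (the gate, plane and seat, not the whole
    airport), re-decided whenever a signal changes."""

    def __init__(self, ctx: Context, res: Resource) -> None:
        self.ctx, self.res = ctx, res
        self.decision = decide(ctx, res)
        self.history = [self.decision]

    def update(self, **changed_signals) -> Decision:
        """A feed reports a change (the jacket comes off); re-run the whole
        decision so the enforcement point can act on the new answer."""
        self.ctx = replace(self.ctx, **changed_signals)
        self.decision = decide(self.ctx, self.res)
        self.history.append(self.decision)
        return self.decision


# Constructed sample data: a clinician on a healthy, managed laptop.
EHR = Resource("ehr-app", frozenset({"clinicians"}), step_up_risk=20, max_risk=50)
BASELINE = Context(user="dr.lee", group="clinicians", device_managed=True,
                   device_compliant=True, country="US", mfa_age_s=600,
                   critical_vulns=0, threat_level=0)


def demo() -> list:
    """Walk one session through two signal changes and return the decisions."""
    session = Session(BASELINE, EHR)           # score 0  -> allow
    session.update(country="RO")               # score 25 -> step-up
    session.update(device_compliant=False)     # score 55 -> deny
    return session.history


if __name__ == "__main__":
    steps = ["initial", "country=RO", "device_compliant=False"]
    for step, d in zip(steps, demo()):
        print(f"{step:24s} -> {d.value}")
```

The point a CISO would press on is visible in `risk_score` and `decide`: every weight and threshold is an explicit, auditable business policy rather than a hidden model, and the same evaluation runs on the initial request and on every subsequent signal change, which is what "continuous reassessment" has to mean in practice.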
Security sage Bruce Schneier once said, “security is a process, not a product,” and this is especially true with zero trust. CISOs see zero trust as a means for embedding security into business processes, so product feature/functionality and vendor tchotchkes won’t get much attention at the RSA Conference. Rather CISOs want to start zero trust conversations with business process details and then delve into a realistic implementation strategy and project phases. In essence, zero trust discussions should really focus on the “why,” not the “how.”
My colleague and zero trust guru John Grady and I will be looking to elbow our way into these dialogues at RSA. Business conversations, rather than technical “speeds and feeds” briefings, will be a refreshing change at RSA – that is if security vendors can pull this off.