ESG's John Grady and Mark Peters discuss trends around Zero Trust. This excerpt was taken from ESG's 2020 Black Hat Breakfast Event.
Mark: Many of the high-level tenets of zero trust intuitively make sense. Don't implicitly trust something just because it's on the network, assume threats, not just already, but will continue to exist on the network, and utilizing a least-privilege approach to ensure that users have access to only those resources required to do their jobs.
Let's start with adoption rates. Perhaps more than just, you know, talk a bit about where we are with adoption, but also, if you could discuss what is either driving or holding people back in terms of adoption?
John: Sure. Yeah, we've done some research recently on this, and I think we've talked about it a few times, but awareness is kind of ubiquitous at this point. We've found somewhere around 90% of IT security, and IT folks generally that have some kind of influence over security, are at least, you know, vaguely aware of zero trust, and have some thoughts on the issue. As we start to kind of ask for, you know, their perspective of zero trust, and kind of what it entails, and then kind of get into the adoption, you know, we get some kind of conflicting data points, so, you know, a third of organizations say that they had rolled out zero trust across their organization, which really does not match with, you know, the anecdotal use cases that we've heard and conversations we've had.
And this is where I think some of the confusion around exactly what it is and what it entails starts to take place. So, you know, we have a lot of products being positioned as zero trust, and as organizations kind of see that and maybe roll that out across the org, maybe they think they're doing zero trust ubiquitously, but they're not necessarily. So as far as the drivers, you know, you mentioned two of the big ones.
I mean, if you step back and think about ZT, it was, it's been around for a while, but in many ways, it was kind of created for a cloud-centric world. So, we've seen this explosion of cloud over the last five years, eight years, so over the last three, zero trust has become much more front and center. And then more recently, and this isn't driving adoption yet, but I think it certainly will, but the surge in remote work due to the pandemic is absolutely going to have an impact on this.
All that said, I think that, you know, the inhibitors really remain complexity and confusion. So, you can do this kind of in stages, and you should. And I think we'll kind of talk about this as we go, but if you think about kind of a full-scale rollout, and fundamentally changing the way, you know, the organization thinks about security, and kind of the tenets that kind of back it up across the enterprise, it can be hard.
And so, you kind of couple that with the confusion around "What is it?" Is it user access? Is it segmentation? Is it limiting permissions on an entity, the entity and machine-to-machine, application-to-application basis? And the waters get muddy. And so that's where kind of on the surface, we can agree on those tenets that you talked about, but as you kind of roll back the layers, it can get confusing.
Mark: How does data security fit with ZT?
John: You know, I think when ZT first rolled out, data security was a central part of it, so kind of mapping flows, understanding, you know, inventory and classifying, you know, all the pieces that go with kind of holistic data security was front and center. I think that's backed off over the last couple of years, and primarily because it's really hard. Which is fine, but I think if you take it to its, ZT to kind of its logical conclusion, I think, you know, data has to be part of the risk assessment and kind of understanding what the sensitivity of the data the user might be accessing.
If we think about all the context that goes into authentication, and even, you know, authorization to some extent, as part of zero trust, you know, not having visibility into, you know, is the data extremely sensitive, mission critical, things like that, I think it's a little bit of a gap. That said, I think it's kind of further down the list, but I think at the end of the day, it is part of the approach.
Mark: How should end users be thinking about actually implementing ZT in their environment?
John: It really comes down to the business drivers in this case. What are the ultimate goals of the project? Is it improving threat prevention and kind of improving SOC efficiency by limiting lateral movement, kind of a pure security point of view? Is it better embracing IoT, proving compliance, things like that? So, having a view of those goals, and then kind of driving cross-functional collaboration within IT, and even outside of IT, into the lines of business, you know, building that up front, you know, makes a big difference.
And then lastly, and I think relevant to the vendor audience, is advising end users to work with vendors that, even if they're only providing a solution that fits into a very specific part of the ZT equation, advising how it does, right, and not positioning it as a silver bullet zero trust solution, but, "Hey, you know, this is a broader view. I think, you know, then this paper can be a reference point for this. This is how it fits into that architecture," and kind of acting as a trusted advisor.