Stand down, marketers: Zero Trust is not a product
Zero trust has been hyped out of all rational proportions. All the buzz side-steps a key point: Zero trust is not a product.
Published August 8, 2022
Thanks to relentless marketing, Zero Trust is quickly turning into another buzzword. It’s time security professionals reclaimed the term. Once and for all: Zero Trust is not a product, it’s a security strategy. While a product or service can indeed be part of a Zero Trust security strategy, no single product can satisfy all Zero Trust requirements and transform your organization.
It’s surprising what marketing has been able to do with such an off-putting term. In almost any context outside of security, zero trust has few, if any, positive connotations. “There is zero, I repeat, zero trust between us” is not really something most people want to hear. It’s abrasive, even aggressive.
We don’t trust anyone, and that’s that. And when we start talking about Zero Trust in a workplace context, employees feel targeted, like they’re under observation. Privacy advocates surface as if by magic. Since trust is an integral part of the workplace ecosystem (a botanical term hijacked by corporate speak, by the way) the confusion is understandable.
Why? Most people, including IT leaders, see trust as important. And we like to broadcast where we place that trust — even to the point that American founding fathers declared it on their currency: “In God we trust.” We trust our spouses, partners, family, and close friends. It’s a part of being human that anyone who’s ever tried to persuade money out of your pocket knows well. So small wonder marketers are bending over backward to spin out enough hype to capture non-technical audiences with a term like “Zero Trust.”
All industries have terms and jargon that are unique to a specific area of expertise. These are often hijacked by Big Picture thinkers fresh from the weekend management seminar — think Michael Scott (or David Brent). They talk about bandwidth, pinging contacts, working in silos, crossed lines (telephone wires?), open doors, and running it up the flagpole. Then there’s the person who promises to circle back, even when their path is linear and very much in the opposite direction.
So, next time you get a visit from someone promoting a Zero Trust solution, grill them on what it means and how it fits into your IT infrastructure. If they start with “our Zero Trust product…” they have nothing worth adding to your security strategy. Show them the door. (And by the way, any door will do, as long as it leads to other, more “low-hanging fruit.”) In addition, tell them to think outside the box, consult in the idea shower before descending the thought staircase, and circle or pivot back at a later date, after their thoughts percolate.
As mentioned earlier, Zero Trust is a security term. It’s an approach to protecting digital assets from attack. And it’s not about becoming jaded with literally zero trust for anyone, but about zero assumptions of automatic trust based on factors like location (inside or outside the network perimeter), user, or device. Zero Implicit Trust didn’t have the same ring, not to mention an unfortunate acronym. So Zero Trust was born. It’s a strategy, a mindset, a belief system — however you wish to classify it, as long as you understand that the primary aim is to prevent security threats. It is an evolving strategy to combat evolving threats.
The IT industry is undergoing seismic shifts. The shifts to the cloud, remote work, bring your own device (BYOD) policies and the Internet of Things (IoT) mean it’s no longer effective to simply secure a network perimeter and assume that any activity within is trusted. The Zero Trust mantra of “never trust, always verify” has clear appeal to IT security professionals. Zero Trust can reduce organizational risk from hacking, human error and shadow IT, to name a few.
Since 100% security is a known fallacy, IT teams that implement Zero Trust correctly keep their existing security controls, such as those that enforce least-privilege access and role-based access control. Zero Trust supplements these “traditional” controls with automated solutions that recognize deviations from normal activity, even when users, devices, networks and workloads (in terms of data traffic) have been properly verified.
Let’s imagine a verified user connects to the network on a company-owned laptop that has unknowingly been compromised with malware by a third party. The user has no problem with access, but volumes of data are outgoing when they shouldn’t be. The IT system then automatically revokes access, preventing damage from being done, and giving IT the chance to check the device before allowing it back on the network.
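The scenario above, as an added illustration that is not from the article or any vendor's product: a session that passed authentication is re-evaluated on every telemetry window, access is revoked when outbound volume deviates from the user's baseline, and the device stays quarantined until IT clears it. The baseline figures, multiplier and device names are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed values, constructed for this example (not from the article):
# per-user hourly egress baseline in bytes, learned from past activity.
EGRESS_BASELINE = {"alice": 20_000_000}
EGRESS_MULTIPLIER = 5          # revoke when egress exceeds 5x the baseline
QUARANTINED_DEVICES = set()    # devices IT must inspect before they reconnect

@dataclass
class Session:
    user: str
    device: str
    user_verified: bool
    device_verified: bool
    active: bool = True
    reason: str = ""

def _revoke(session: Session, reason: str) -> None:
    session.active = False
    session.reason = reason

def evaluate(session: Session, egress_bytes: int) -> Session:
    """Re-evaluate an already-authenticated session against the latest
    telemetry window. Passing authentication at connect time grants nothing
    permanent: verification is repeated, and behaviour is checked too."""
    if not (session.user_verified and session.device_verified):
        _revoke(session, "identity or device not verified")
    elif session.device in QUARANTINED_DEVICES:
        _revoke(session, "device awaiting IT inspection")
    else:
        baseline = EGRESS_BASELINE.get(session.user, 0)
        if baseline and egress_bytes > EGRESS_MULTIPLIER * baseline:
            _revoke(session, f"egress {egress_bytes} B exceeds "
                             f"{EGRESS_MULTIPLIER}x baseline {baseline} B")
            QUARANTINED_DEVICES.add(session.device)   # hold the laptop for IT
    return session

def run_telemetry(session: Session, egress_windows: list[int]):
    """Feed successive egress measurements; return the index of the window
    that triggered revocation, or None if the session stayed active."""
    for i, egress in enumerate(egress_windows):
        if not evaluate(session, egress).active:
            return i
    return None

def clear_device(device: str) -> None:
    """IT has inspected the device; allow it back on the network."""
    QUARANTINED_DEVICES.discard(device)
```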
Zero Trust can also help prevent insider threats, especially against malicious employees. The dark horse of the cyber world, they’re notoriously difficult to identify and protect against using the old “trust, then verify” approach from perimeter-based security.
To recap, we can’t emphasize enough what Zero Trust is not, so let’s put these questions to bed:
Zero Trust is not a product. It is not a single solution that decides whether users or devices can access a network. Implementing Zero Trust does, however, mean requiring authentication and authorization of every user session.
Zero Trust is not an off-the-shelf proposition. Implementation will vary by organization, based on IT infrastructure and specific data protection challenges.
Zero Trust is not based on perimeter security. Organizations no longer have an easily defined security perimeter, given the rise in cloud computing, BYOD and remote work mentioned above.
Zero Trust is not an underhanded way to spy on employees. Instead, it’s an evolving strategy to prevent hackers and malicious insiders from taking advantage of earlier security strategies that relied on the trust given to devices and users inside the network.
Zero Trust is not just for large enterprises. Organizations of all sizes can benefit from this security strategy.
While Forrester (thank one of their former senior analysts for the term Zero Trust, coined in 2009), Gartner and many tech companies have different visions of what Zero Trust is, that’s not important as long as your organization implements the overall security strategy in a way that complements your IT infrastructure. Data is valuable, and companies must take all available steps to protect it.
So don’t be put off by the cold, heartless term “Zero Trust.” Instead, take it onboard, run it up the flagpole and encourage a new sweet spot for your organization. Imagine your results-driven future as a thought leader, pushing super mission-critical solutions for the next generation of risk-averse solutions and services.
Most of all, and don’t lose this in the weeds, not leveraging Zero Trust can lead to negative growth and significant downsizing from the damage of a data breach. Got all that? Any questions? Our doors, windows, and skylights are always open as we trust our neighbors implicitly. Oops!