Zero Trust Part 1: Demystifying the Concept

Although Zero Trust has been around for a decade, misconceptions about it persist in the marketplace.


Zero Trust technologies top the list for “most researched” solutions, according to the most recent IDG Security Priorities study.

That’s likely because CSOs and CISOs are trying to wrap their arms around how best to protect their enterprises, considering how much their environments have changed. Over the past decade, enterprises have seen: migration to cloud; considerable multiplication of endpoints and devices; massive growth in data; and a proliferation of applications.

All of this is difficult to secure. The Cisco 2020 CISO Benchmark Study found:

  • 52% say it’s very or extremely challenging to secure data stored in the public cloud
  • 41% say data centers are very or extremely difficult to defend
  • 39% are struggling to secure applications

“Meanwhile, all the traditional technology hasn’t gone away,” says Wolfgang Goerlich, CISO Advisor with Cisco. “So we’ve had to rethink where we place our security controls to address both the old reality of equipment, and the new reality of this very flexible, very quickly changing service-oriented architecture.”

The Zero Trust model can holistically address these issues. But first, here is what it is not.

Myth #1: “Zero Trust is a product that runs on top of my firewall.”

Zero Trust is not one product or solution. Better to think of it as an approach, says Goerlich.

“Zero Trust is trusting someone to access something from somewhere,” he says. “Is it an employee, an application, a device? What is it accessing? What way can we determine if we trust this request? At the end of the day, Zero Trust means providing a consistent set of controls and policies for strong authentication and contextual access.”

Myth #2: “Zero Trust is the latest marketing hype.”

Technically, the term was coined by Forrester Research in 2010. It was established as an information security concept based on the principle of “never trust, always verify.” Since then, the National Institute of Standards and Technology (NIST) has produced comprehensive explanations and guidelines for implementing a Zero Trust architecture.

“NIST has a draft standard that dictates their view of Zero Trust — what the principles are, and what an architecture looks like,” Goerlich says. “The U.K. NCSC has done the same. Zero Trust has matured, and the need for it is now in sharp relief due to changes in the market and the way we use technology.”

Myth #3: “Zero Trust is all or nothing.”

“There’s this misconception that if I don’t do Zero Trust everywhere, then I’m not really getting any benefits from it,” Goerlich says. “The reality is: You can apply the principles to very specific use cases to address very specific risks.”

And the good news: A Zero Trust strategy can be achieved by leveraging commonly accepted technologies. More on this in the next blog.

Myth #4: “Zero Trust means starting over with new protocols.”

“Why would you want to adopt a new way of thinking about security that requires you to rip-and-replace your technology stack and adopt a brand new set of protocols?” Goerlich says.

“One of the beautiful things about Zero Trust,” he continues, “is Zero Trust is a lens through which to organize and get value from a core set of technologies — like multifactor authentication — that we’ve had for a while. We can use these common, standard technologies and protocols to effectively establish a security capability that addresses the trends that have happened in the past decade.”

Next Steps

Keep reading! Check out the NIST framework as well as Cisco’s take on Zero Trust.

Also, watch for Part 2 of this blog series, which examines the technologies that get companies on the Zero Trust journey.


Copyright © 2020 IDG Communications, Inc.