One of the top challenges and misunderstandings that I continue to see is what the definition of Zero Trust actually is. Zero Trust is not one product or platform; it's a security framework built around the concept of "never trust, always verify" and "assuming breach." Attempting to buy Zero Trust as a product sets organizations up for failure.
Vendors would have you believe that the security solution, platform, or widget they are selling is Zero Trust and that you can just purchase their solution to address your needs. This is false. Vendors enable Zero Trust; they are not Zero Trust itself.
Starting down the path of Zero Trust is complicated. It's difficult to figure out where to start, so we've established a handy guide on how to practically enable Zero Trust from an implementation standpoint. Don't buy into vendor hype that you can purchase something and immediately be Zero Trust. That's not the reality of the situation.
Organizations need to build a strategy to get to a Zero Trust architecture that encompasses more than technology and buzzwords. One example is the Zero Trust eXtended (ZTX) ecosystem which, at a bare minimum, requires:
Assessing your existing security program's Zero Trust maturity (people, skills, technology, capabilities, etc.). This includes understanding how people are doing their jobs and how existing business processes are done today, mapping existing technology capabilities, and understanding gaps.
Mapping the output of this maturity assessment to the ZTX framework to understand what pillars you are strong in and which ones are lacking, specifically the capabilities in which you need to improve.
Considering tools and technology to address the areas where you're lacking and integrating Zero Trust implementation into existing business, IT, and security projects.
ZTX is an ecosystem with both technology and non-technology pieces. Protecting the perimeter and other prior security strategies didn't easily adapt to change because they were designed around monolithic point solutions that didn't integrate with each other. Zero Trust, however, is designed to be in a state of continuous review and optimization.
The fluid, integrated nature of Zero Trust is designed to easily adapt to business changes. Organizations need to be cautious about vendor messaging, dive into details about vendor offerings, and call them out when the technology they're pitching seems too good to be true.
Ask the vendor you're considering where the capability they're describing fits in the ZTX ecosystem. If they can't describe it, it's a very clear sign that they don't understand Zero Trust. Security vendors need to update their messaging to reflect the reality that Zero Trust is a journey that's different for every organization and stop advertising Zero Trust as a product that can be bought. By selling their solutions as Zero Trust easy buttons, they continue to set their customers up for failure by perpetuating this false paradigm.
While Zero Trust continues to be marketed as the cool new thing, at the end of the day we need to ground ourselves. Zero Trust is the new normal. COVID-19 has significantly changed the way we work and forced a lot of organizations to accelerate their digital transformation and security strategies. Take a second to see if these security solutions are the real deal by scrutinizing how they fit into the different pillars of the ZTX ecosystem and, most importantly, your organization's overall Zero Trust strategy. They should be helping to enable organizations reach Zero Trust while improving the employee experience and should not be just another security tool that gets in the way of doing business.
To understand the business and technology trends critical to 2021, download Forrester's complimentary 2021 Predictions Guide here.
This post was written by Analyst Steve Turner, and it originally appeared here.