What is Zero Trust?

Terms You Might Also Hear

• Microsegmentation

• Zero Trust Security

• Zero Trust Architecture

• Zero Trust Network

• Zero Trust Network Access

• Zero Trust Principles

• Zero Trust Execution

• Secure Access Service Edge (SASE pronounced “sassy”)

• Application Perimeter

• Cloud Workload Protection

Problem Statement

• Traditional company networks are built like an M&M - hard shell on the outside, smooth on the inside. Networks have a firewall perimeter for security to keep bad guys out, but fewer security controls inside the network.

• Everyone inside is “trusted” by default. If an attacker breaches the network in this model, they can easily exploit other systems and steal data because of fewer restrictions.

• With companies doing more with mobile and cloud services via Digital Transformation, the concept of a perimeter you can protect yourself disappears, and trust becomes even more important.

Market Solution

Enter Zero Trust.

• “Zero trust” means that no one “entity” is trusted by default from inside or outside the network.

• It’s an alternative network and application design with a security model that isolates computer networks, systems, and users from one another.

• Zero trust is a collection of security processes, technologies, and approaches. No one vendor can solve this for you.

• No users, no systems, no applications, and no workloads are to be trusted, internally or externally, to the business environment.

• Isolation stops bad guys who get at one system or one piece of sensitive data from getting at others because all systems and resources are locked down by default.

Players in the Space

• Banyan Security

• Odo

• Palo Alto

• Cisco

• Illumio

• Symantec / Broadcom

Product Space Predictions

• Cybersecurity professionals will continue to push for zero-trust principles. This will, in turn, drive demand up for professionals with experience in this space. Where there is a demand for professionals in a specific discipline, product companies will follow quickly behind to either enhance or subvert the talent needed.

• Digital Transformation initiatives at companies are changing cybersecurity landscapes and associated threats and are creating more desire for zero-trust solutions.

• High-tech companies like Google, Netflix, etc., will implement versions of zero trust principles that the product industry will mimic.

• The cybersecurity product industry will set zero trust as a base expectation - experts and vendors alike will cite that future breaches can be avoided by implementing zero trust principles.

• Regulators will catch on to zero trust and start asking questions. Soon they will cite deficiencies for not having zero trust principles implemented. Internal Audit teams will do the same.

• Cybersecurity budgets at large companies will continue to surge, and this will be a significant portion of spending.

• Differentiation among product players will become more of a challenge.

Challenges for Products Buyers

• Zero Trust is Not Important Yet - Cybersecurity spending is dominated by regulatory and compliance drivers. Zero trust isn’t important to regulators yet.

• Zero Trust is Really Hard - Zero trust is a high effort for very little visible reward. Implementations take a really long time and require deep knowledge of how applications and infrastructure integrate into upstream and downstream systems. Technical Debt only makes this worse.

• Zero Trust Requires Homework - Zero trust requires a company to know much more about its IT applications than most companies ever do.

How Players Will Be Successful in this Market

• Make zero trust implementation less complex.

• Products that create an easy path to implementing “zero trust principles” onto existing technology stacks with limited management overhead will win.

• Enable the zero trust way of operating. Offer complementary products that enable the zero trust principles or that ease the path into zero trust.

How Will Product Buyers Get What They Need?

• Scale. Corporate buyers rarely have the financial latitude to buy the “best of” anything, so scale and interoperability matter. Use your limited capital to buy products in this space with the most integrations for your environment.

• Plan for Now. Buy what can work now on-premises and in cloud-hosted environments.

References

• Why Zero Trust is an Unrealistic Security Model - why zero trust is really hard to do

• Forrester’s Five Steps to a Zero Trust Network - a simple framework that is all but simple to execute. Most companies never get those five steps completed, but it’s good to have something to shoot for.

• Microsegmentation - a core component of zero-trust architecture

• Technical Debt - the coding you must do tomorrow because you took a shortcut in order to deliver the software today.

• NIST SP 800-207 Zero Trust Architecture - want to get really, really deep? Start here. For the hardcore techies only.

Thanks for reading this far!

This post is not meant to be a particular endorsement for any one player or company in this product category but is instead intended to be an industry-level primer. At the time of writing this post, I have no active investments in any of the companies mentioned above.

If I missed something (or am just wrong), let me know!

If your company is looking to get in front of a highly curated, hard-to-reach, and sought-after audience, consider sponsoring Return on Security.