Zero Trust was a key theme during RSA Conference 2019. There were at least 10 sessions on the subject and it seemed you couldn’t walk an aisle in the expo hall without seeing “Zero Trust” in a vendor tagline.
In a sure sign that the “buzz” around Zero Trust security is getting louder, I also noted a couple of social media posts and videos that highlight the hype. For example, Forrester’s Chase Cunningham recounted an encounter with an RSAC attendee who dared to call Zero Trust a buzzword to his face. MobileIron released a video where attendees were asked to define Zero Trust, resulting in a couple of very cheeky descriptions.
I attended several RSA sessions on Zero Trust to get a better sense of the industry’s understanding of the concept (beyond the buzz) and the ways end users are executing their Zero Trust strategy. Here are my key takeaways:
End-user organizations are in the early stages of executing their Zero Trust strategy. A representative from MITRE/NIST facilitated a well-attended birds-of-a-feather (BOAF) session to discuss how organizations are implementing Zero Trust. A couple of things stood out:
- Approximately 90 percent of the attendees were from the three-letter agencies of the federal government.
- The federal government has an ongoing Zero Trust initiative. There are several Zero Trust pilots underway and the first phase will address end-user and device access to cloud applications. These pilots are part of the planned updates to the Trusted Internet Connections (TIC) initiative.
Public cloud and cloud native technology adoption underpins customers' interest in Zero Trust. In customer meetings and at Forrester’s Zero Trust networking reception, the message from end-user organizations was very clear. As they migrate on-premises applications to the public cloud, adopt cloud-first strategies, and deploy cloud native technologies, they are cognizant of the need to have Zero Trust baked into their applications and workloads rather than bolted on at the network edge. These organizations have also expressed their desire to avoid “death by virtual firewalls,” that is, recreating the perimeter appliance model one virtual firewall at a time.
Vendors are repositioning products for Zero Trust, but remain focused on the edge. Vendors are pushing the mobile- and identity-centric view of Zero Trust at the expense of the network. Several are repositioning their current products to align with the Zero Trust framework, but remain focused on the edge—the endpoints and mobile access to data center and cloud applications. For example:
- Microsoft named its sold-out session, "No More Firewalls! How Zero-Trust Networks Are Reshaping Cybersecurity." According to the vendor, Zero Trust consists of identity context, device context, a policy evaluation service, an access proxy, and anomaly detection and machine learning.
- Symantec’s point of view was more closely aligned with Google’s BeyondCorp-centric approach. During its session, “How to Apply a Zero-Trust Model to Cloud, Data and Identity”, the vendor showcased its portfolio of endpoint, CASB and SDP (via newly acquired Luminate), and mirror proxy capabilities.
- MobileIron offered a mobile-centric framework focusing on the intersection of user identity, authentication, device posture, mobile threat detection, and policy analysis and enforcement in "Security for a Zero Trust World." Access to the organization’s cloud applications is based on attributes beyond user and device identity.
"Your perimeter is gone! So, focus your Zero Trust strategy on the user" – this was the key message from the identity- and mobile-centric POV that dominated the expo hall and Zero Trust sessions. However, users can be socially engineered, credentials can be phished or stolen, and eventually your organization will get breached.
What are you doing to constrain your adversary from reaching your crown jewel applications once they breach your protections at the edge? A user-centric access proxy decides who gets in; it says nothing about where an attacker can move once a legitimate session or workload has been compromised.
What can you do to filter out all the noise and get started on Zero Trust?
- Evaluate if your organization’s security program is ready for Zero Trust. Do you have policies and processes along the five domains of the Zero Trust eXtended Ecosystem? Read the Forrester Wave™: Zero Trust eXtended Ecosystem Providers report to learn more.
- Enable real-time visibility into your applications and their dependencies: which workloads talk to which, on what ports, and on whose behalf.
- Understand your vulnerabilities and your existing security controls.
- Understand your potential adversaries' profiles, your attack vectors, and the assets most likely to be targeted. This will help you prioritize the Zero Trust eXtended Ecosystem domain that gives you the most risk reduction for your effort.
- Use that visibility to design your Zero Trust strategy and create your microperimeters. Micro-segmentation is a key enabler of a Zero Trust strategy; the observed, legitimate flows become the allow-list, everything else is denied by default, and the granularity of the segments should follow business need and your organization’s threat model rather than the other way around.
- Evaluate your current and future data center against the various micro-segmentation architectures to select the optimal model for your environment. For example, if you know that your future data center will have a cloud-first strategy, will require secure connections between legacy applications and containerized applications, and also use VDI terminals, you will want to ensure that your Zero Trust technology solution is able to support these use cases.
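The following is an added illustration of the "use visibility to create your microperimeters" step above, and of the "constrain the adversary after the edge is breached" question raised earlier. It is not code from the original post or from any vendor mentioned in it. It takes a constructed workload inventory (hostnames, applications and tiers are hypothetical) and a constructed sample of flow-log records, learns a tier-to-tier allow-list from the flows, flags hosts that appear in the logs but not in the inventory (a visibility gap), and answers access questions with default deny. Rules are keyed on application tier rather than individual host, so a new node in an existing tier inherits that tier's permissions without a new rule.

```python
"""Derive a default-deny microperimeter policy from observed application flows.

Added example, not from the original post or any vendor product. All names,
tiers, ports and flow records below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed inventory: workload -> (application, tier). Hypothetical names.
INVENTORY = {
    "web-01": ("payroll", "web"),
    "web-02": ("payroll", "web"),
    "app-01": ("payroll", "app"),
    "db-01": ("payroll", "db"),
    "jump-01": ("it", "bastion"),
    "vdi-07": ("it", "vdi"),
}

# Constructed flow-log sample: (src workload, dst workload, dst port, protocol).
# The last record comes from a host missing from the inventory (a visibility gap).
FLOWS = [
    ("web-01", "app-01", 8443, "tcp"),
    ("web-02", "app-01", 8443, "tcp"),
    ("app-01", "db-01", 5432, "tcp"),
    ("vdi-07", "web-01", 443, "tcp"),
    ("jump-01", "db-01", 22, "tcp"),
    ("unknown-9", "db-01", 5432, "tcp"),
]


@dataclass(frozen=True)
class Rule:
    """One allowed tier-to-tier flow. Keyed on application/tier, not on hosts."""
    src_app: str
    src_tier: str
    dst_app: str
    dst_tier: str
    port: int
    proto: str


def _label(inventory, host):
    """(application, tier) for a known workload, None for an unknown one."""
    return inventory.get(host)


def build_policy(inventory, flows):
    """Learn the allow-list from observed flows between inventoried workloads.
    Flows involving an unidentified host are never turned into rules."""
    rules = set()
    for src, dst, port, proto in flows:
        s, d = _label(inventory, src), _label(inventory, dst)
        if s is None or d is None:
            continue
        rules.add(Rule(s[0], s[1], d[0], d[1], port, proto))
    return frozenset(rules)


def visibility_gaps(inventory, flows):
    """Hosts seen in the flow logs but absent from the inventory. Close these
    before trusting the policy: their traffic is invisible to it."""
    seen = {h for src, dst, _, _ in flows for h in (src, dst)}
    return sorted(seen - set(inventory))


def is_allowed(policy, inventory, src, dst, port, proto):
    """Default deny: only a flow matching a learned tier rule is permitted."""
    s, d = _label(inventory, src), _label(inventory, dst)
    if s is None or d is None:
        return False
    return Rule(s[0], s[1], d[0], d[1], port, proto) in policy


def render(policy):
    """Vendor-neutral text form of the policy, ending with the implicit deny."""
    ordered = sorted(
        policy, key=lambda r: (r.src_app, r.src_tier, r.dst_app, r.dst_tier, r.port)
    )
    lines = [
        f"allow {r.src_app}/{r.src_tier} -> {r.dst_app}/{r.dst_tier} {r.proto}/{r.port}"
        for r in ordered
    ]
    lines.append("deny any -> any")
    return lines


if __name__ == "__main__":
    policy = build_policy(INVENTORY, FLOWS)
    print("\n".join(render(policy)))
    print("visibility gaps:", visibility_gaps(INVENTORY, FLOWS))
    # A compromised web node trying to reach the database directly is denied,
    # even though the web tier is legitimately allowed to reach the app tier.
    print("web-01 -> db-01:5432 allowed?",
          is_allowed(policy, INVENTORY, "web-01", "db-01", 5432, "tcp"))
```

Two things worth noting in the output: `vdi-07 -> web-02` is allowed even though only `vdi-07 -> web-01` was ever observed, because the rule generalizes over the web tier; and `web-01 -> db-01` is denied although both hosts belong to the same application, which is exactly the lateral move an attacker with a foothold on the web tier would attempt. The `unknown-9` entry shows why visibility comes before policy: a host you cannot classify cannot be placed inside any microperimeter.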