The Current and Future State of Zero Trust With Forrester’s David Holmes
Catch this episode on YouTube, Apple, Spotify, Amazon, or Google. You can read the show notes here.
Zero Trust is a concept, a strategy, a philosophy, and, for some poor souls, a solution you can buy (it’s not). Through our three seasons, we have heard about MVPs, learned from the godfather of Zero Trust, been aided by Dr. Zero Trust, and even heard from current and former federal officials about their stance on the concept. However, we have yet to touch on the current and future state of Zero Trust, and for that, we look to Forrester Principal Research Analyst on Zero Trust, David Holmes.
Prior to joining Forrester, David spent a decade researching, writing, and speaking about cybersecurity topics for network and application security vendors. Before entering the cybersecurity space, he was a C/C++ software developer specializing in authentication and authorization, network protocols, and cryptography. So you could say he knows a thing or two about the subject at hand.
TL;DR
Editor’s Note
Headed to RSA? So am I. I’ll be floating around with a camera or hanging out at the Drata booth (or antagonizing past guests). If you track me down, I have a few AZT hats to give out and some Zero Trust stickers. Also, Chase Cunningham has a charitable effort in motion for the conference, so let’s give the guy some love (it’ll be worth it).
Will I be doing interviews for the show? Maybe in a light format, but that is mostly because Neal was able to avoid going this year. Lastly, and we really don’t like sharing numbers because this series is about you and the stories being shared, we hit a new milestone. Across all channels, we now have 10K subscribers, which is frankly crazy. And no, we are still not going to offer paid subscriptions and limit information. This is still way cheaper than our ultra marathon and my Ironman habits.
As an aside, we can now confidently say after having chatted with three flavors of Forrester analysts on Zero Trust, that if there was a mapping of analyst organizations, they are the most chill group around. Meanwhile, a certain other group is still nearly impossible to get in front of a camera. And this comes from someone who has handled analyst relations in the past.
Current State of Zero Trust
The concept of Zero Trust has been around for more than a decade. During that time, it has passed from John Kindervag to Chase Cunningham, and found itself in the hands of federal agencies, non-profits, and countless vendors. When asked how he saw Zero Trust evolving over that time, David astutely pointed out that at its core it has not changed and will not change. That is one of the beautiful parts of the concept: it is designed to be broad, flexible, and philosophical.
Those three core elements are:
Holmes stated that these elements remain constant; what has changed most is how organizations operationalize them across different domains, such as the network, access, controls, and people.
“One of the biggest developments was Covid and forcing everyone to go work remotely. So I mentioned I had a network security background, right? So who do you think was the analyst that every company in the world who's a Forrester client called when their VPN stopped working? That was me. All day for months, people would call and say, ‘Hey, man, look, all of our VPNs land in the same zone, and there's an IPS there, and now it's totally overloaded. Should we rezone or get more IPS or what?’ And so I would tell them, ‘No, no, no, no, no, no.’ The way out of this is not more VPN. The way out of this is Zero Trust. Zero Trust is the way out.”
Looking Towards the Future of Zero Trust
Over the past few years, there has been a significant focus on solutions for two crucial aspects of a Zero Trust strategy: microsegmentation and access. However, according to Holmes, these two don’t yet play well together; the technology comes from disparate vendors and platforms and lacks strong integration points.
“They're not the same vendors. They're different teams that deploy them. They come out of different budgets. They're doing very, very little working together. I think in the short term, I would like to see these two things become much more integrated, because then it can actually start to build these, quote, micro-perimeters that Kindervag talked about earlier on,” said Holmes.
But here’s the sticking point: David has not seen evidence of these two elements moving closer together. While he would like to see a point of intersection, if a Forrester analyst hasn’t seen it, that doesn’t seem promising in the near term.
The next element David sees coming, and one with strong support behind it, is bringing Zero Trust principles earlier into development cycles and the networks that support them: specifically, into CI/CD pipelines and a DevOps or DevSecOps mentality. Organizations David works with have found that DevOps templates with specific guardrails baked in, deployed through tools like Terraform, have been a successful approach, though he acknowledges that some vendors try to solve for this as well.
“Even if you architect everything perfectly and put out a good policy that's very zero trust, there will be changes to the network configuration over time; there just always are. Let's say it's once a month. That's 12 opportunities in the year for something to go wrong and permissions to fall off,” said Holmes. “Now, if permissions got too tight, you would know, because things would stop working. But if they get too loose, you won't know, because everything will still keep working. You just won't know that the hacker could walk into the back. So I think there's a gap there where people will need to have some kind of process or tool or whatever to go figure out: is my zero trust environment still zero trust?”
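The asymmetry Holmes describes is exactly what a drift check in the pipeline should encode: tightened rules announce themselves by breaking things, loosened rules stay silent. The following is an added example (not code from the episode, from Forrester, or from any vendor) showing the shape of such a check. It compares a reviewed baseline allow-list against the currently deployed one and fails the gate on any rule that reaches further than before, while merely reporting rules that got tighter. The rule format, the rule names, and the two policies are constructed for the illustration; a real implementation would load them from a Terraform state file or the firewall's API instead.

```python
"""Zero Trust policy drift check: is the environment still zero trust?

Classifies each deployed allow rule against a reviewed baseline. Rules that
permit flows the baseline did not (wider CIDR, wider port range, 'any' proto,
or a brand-new rule) fail the gate; tightened rules are only reported.
Added illustration; the rule model and sample policies are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowRule:
    name: str       # stable identifier, e.g. the Terraform resource name
    src: str        # source CIDR
    proto: str      # "tcp", "udp" or "any"
    port_lo: int    # inclusive destination port range
    port_hi: int


def _covers(outer: AllowRule, inner: AllowRule) -> bool:
    """True if every flow permitted by `inner` is also permitted by `outer`."""
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    net_ok = ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
    port_ok = outer.port_lo <= inner.port_lo and inner.port_hi <= outer.port_hi
    return proto_ok and net_ok and port_ok


def diff_policy(baseline, current):
    """Bucket current rules as loosened / tightened / new / removed / unchanged."""
    base = {r.name: r for r in baseline}
    cur = {r.name: r for r in current}
    report = {k: [] for k in ("loosened", "tightened", "new", "removed", "unchanged")}
    for name, rule in cur.items():
        old = base.get(name)
        if old is None:
            report["new"].append(name)            # any new allow expands reach
        elif old == rule:
            report["unchanged"].append(name)
        elif _covers(rule, old) and not _covers(old, rule):
            report["loosened"].append(name)       # strictly wider than reviewed
        elif _covers(old, rule) and not _covers(rule, old):
            report["tightened"].append(name)      # strictly narrower: self-announcing
        else:
            report["loosened"].append(name)       # moved sideways: permits unreviewed flows
    report["removed"] = [name for name in base if name not in cur]
    return report


def still_zero_trust(baseline, current):
    """The gate a pipeline or nightly job enforces: (passed, report)."""
    report = diff_policy(baseline, current)
    return not report["loosened"] and not report["new"], report


# Constructed sample: the policy as reviewed when the design was signed off.
BASELINE = [
    AllowRule("web-to-app", "10.10.0.0/24", "tcp", 8443, 8443),
    AllowRule("app-to-db", "10.20.0.0/24", "tcp", 5432, 5432),
    AllowRule("bastion-ssh", "10.0.0.5/32", "tcp", 22, 22),
    AllowRule("legacy-ftp", "10.30.0.0/24", "tcp", 21, 21),
]

# Constructed sample: the same policy after a month of "temporary" changes.
CURRENT = [
    AllowRule("web-to-app", "10.10.0.0/16", "tcp", 8443, 8443),   # CIDR widened
    AllowRule("app-to-db", "10.20.0.0/25", "tcp", 5432, 5432),    # CIDR narrowed
    AllowRule("bastion-ssh", "10.0.0.5/32", "tcp", 22, 22),       # untouched
    AllowRule("debug-redis", "0.0.0.0/0", "tcp", 6379, 6379),     # someone's debug hole
]

if __name__ == "__main__":
    passed, rep = still_zero_trust(BASELINE, CURRENT)
    for bucket, names in rep.items():
        if names:
            print(f"{bucket:>9}: {', '.join(names)}")
    raise SystemExit(0 if passed else 1)
```

Run as-is, the check exits non-zero and names the widened `web-to-app` rule and the new `debug-redis` rule; `app-to-db` appears only under `tightened`, which is the case that would already have surfaced as a broken connection. A rule whose source moved to a different, non-overlapping subnet is deliberately treated as loosened, since it permits flows nobody reviewed.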
Next episode drops tomorrow where we dig into Cyber Insurance!