Understanding the Zero-Trust Landscape

Lots of vendors claim to offer zero-trust solutions. But is that framework even applicable to some product categories?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap, CISO, LinkedIn. Joining us is our guest, Richard Stiennon, chief research analyst, IT-Harvest.

Frameworks over buzzwords

Part of the issue with zero-trust is a lack of agreement on terms. As Nathanael Coffing of Servant points out, this can lead to confusion, saying, "Start by defining both what you mean by zero-trust and what the security vendors define it as. Perimeter-based solutions don't even register as ZT if we're using a strict definition." Understanding zero-trust as a framework is key to getting through all the vendor bluster. "The product industry still tries to work off of buzzwords and checkboxes. Having a framework with discipline to implement around people, processes, and technology is the only way to sustain a true security posture," said David S. Jones of DeepSeas.

Zero-trust isn’t just an identity play

Identity and access are pillars of zero-trust, but not the totality of it. Organizations need to implement layers that can support such a trusted service. "The IAM guys think this whole strategy was written for them. The industry needs to apply a strategy and methodology to ZT for workload, identity, access, and transaction. The cloud won't solve the workload issue, it needs to incorporate integrity and trust just as if it were on-prem," said Mark Allers of Cimcor, Inc. This bears out in the vendor landscape, where we still see key categories not leaning as hard into zero-trust, as Simon Moffatt of The Cyber Hut noted, saying, "The majority of IAM vendors leverage the ‘identity at the centric’ narrative. Certainly authorization and policy based controls are booming too. But we don’t see network providers pivoting as much."

Not everything fits into the zero-trust mold

When anything becomes as buzzy as zero-trust, everyone rushes to fit into the category. But there are some categories that are mutually exclusive. "Either you do VPN/Firewall or you do Zero Trust. ZT architecture is the opposite of network security. You don’t build a routable network with firewalls. You connect the right entity to another based on identity and context," said Amit C. of Cloudflare. Being a framework, it means it’s part of an ecosystem of solutions, as Elliot V. of Drata said, "If someone says they have a full ZT solution they are selling vaporware. It’s absolutely about architecture and strategy, but not all tools align."

Are partnerships the solution?

If any kind of comprehensive zero-trust vendor solution can ever exist, it won’t be an off-the-shelf solution. Rather, this would require a deep commitment from both sides to realize. "Can any of us trust any one vendor to provide a complete zero trust solution that uses their own products? Some vendors are headed in that direction and I’m wondering if that warrants a long-term partnership," said Saul Garcia of Mass Data Defense Corporation.

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Thanks to our other unwitting contributor, Stephen Martin Rajan, CISSP, Deloitte. And SquareX.

Huge thanks to our sponsor, SquareX


Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Sasha Pereira, CISO, WASH. Thanks Vanta.

Thanks to our Cyber Security Headlines sponsor, Vanta


Capture the CISO, Season 2 Finals

Season 2 of Capture the CISO is not over. We still have the finals!

And it's going to be LIVE on Friday, May 17th, 2024 at 1 PM ET/10 AM PT! This is the normal time we do Super Cyber Friday.

See our finalists Omer Singer, VP of Strategy for Anvilogic, Russell Spitler, CEO of Nudge Security, and Attila Szász, founder and CEO of BugProve, go head to head to see which company captures our CISO judges' attention.

Our judges will be Edward Contreras, CISO for Frost and Alexandra Landegger, CISO for Collins Aerospace. The show will be hosted by Richard Stroffolino.

Register for the Capture the CISO, Season 2 Finals


Jump in on these conversations

"I’m beyond burnt out" (More here)

"What DLP did you choose and why?" (More here)

"Veterans that work in Tech" (More here)


Coming up in the weeks ahead on Super Cyber Friday we have:

  • [05-10-24] NO SHOW
  • [05-17-24] "Capture the CISO Finale"
  • [05-24-24] NO SHOW
  • [05-31-24] Hacking Microsoft Copilot
  • [06-07-24] Hacking SOC 2 vs. ISO 27001

Save your spot and register for them all now!


Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship, contact me, David Spark.




Mark Allers

Vice President of Business Development at Cimcor with a focus on System Integrity Assurance, Zero Trust, Closed-Loop Change Control, DevSecOps and Compliance

10 months

In the absence of prescriptive controls that can be auditable, everyone is going to interpret ZTA to align with their current technology offerings, which can and will discourage/stifle innovation (square pegs and round holes). Everyone at RSA this year seemed to have a solution, but when asked where and how they align with ZTA and any one of the seven tenets of 800-207…almost all were deer in the headlights. This is NOT a marketing exercise…we need real products/solutions to solve real-world problems. David…please continue to push the envelope of knowledge and be diligent in highlighting 1) ZT isn’t just about authentication and authorization, albeit it is a major component as defined in Tenets 3, 4, and 6, 2) security isn’t a product…it’s a process and requires a workflow to accompany the tenets, 3) buyers of ZT solutions can’t be enamored by bright shiny objects or we will continue this vicious cycle of not solving the problem.
