Zero Trust: the Proof is in the Demo
Richard Stiennon
Research Analyst, Author of Security Yearbook 2024 stiennon.substack.com
There are 2,615 vendors tracked and categorized in Security Yearbook 2021. Not one is in a Zero Trust category because ZT is a philosophy, not a product. Just as Defense in Depth and the Identity Perimeter are overarching concepts that help us design our security architectures, so is Zero Trust. Read to the bottom for a special incentive to get educated.
There are over 40 demos of ZT solutions available now at the ZT Demo Forum. I am learning so much from watching each vendor’s expert walk me through their product. I love having them all in one place, instead of asking each one to schedule a briefing and demo with me.
Zero Trust, put simply, is the idea that you should seek to eliminate the trust interstices between your bubbles of security. Here are examples:
Employees: you lock down your database server by hardening it and putting it behind a firewall. But DBAs log in with a common set of credentials. You trust them because they are your employees and their contracts stipulate that they will not misbehave or steal your data.
IT suppliers: You use a SaaS platform for backup that is protected by military grade encryption. Yet, all of your data is encrypted with the same keys as everybody else on the platform. The first time I ever heard the term “zero trust” was for this use case—encrypt your data with your keys so the SaaS platform (and its employees) cannot steal your data. Think Gmail vs. Proton.
Credentials: You put all of your trust in username/password pairs or even 2FA. You trust that the person logging in is not malicious because they have some data or a token you provided. Trusted users, even customers, abuse their access rights all the time.
Under the Zero Trust umbrella are three major use cases. Here are the vendors whose demos are available in the ZT Demo Forum, separated into their categories.
Micro-segmentation. These solutions enroll every device into a private network. Communications are encrypted, and devices, apps, and servers are stealthed. If you are not enrolled, you cannot even see the asset. A great use case for this is IoT. Think ships, manufacturing, security cameras.
ZTNA. Zero Trust Network Access. This is the replacement for VPNs we hear so much about. Instead of a gateway VPN concentrator in your datacenter, users, endpoints, even VPCs, are accessed directly. Credentials, device fingerprints, and user behavior are all used to grant access at a granular level. Policy management is simple and handled from the cloud. Policies are not based on IP addresses.
Application Access is the biggest category of ZT solutions. It is a natural evolution of what used to be called Web Single Sign-on. A user authenticates once and can access only the applications they are authorized to use. The application, whether it sits on a cloud platform or in the datacenter, can only be seen by authorized users. Attackers cannot even find the application.
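To make the ZTNA and Application Access descriptions above concrete, here is an added example of a per-application policy decision written for this article (not code from any vendor in the Demo Forum). It assumes a broker that receives identity, MFA, device posture and a behaviour risk score with each request; the source IP is carried along only for logging and plays no part in the verdict, and an application with no published policy is simply denied, so it is never visible.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Context:
    # Signals a ZTNA broker sees on one request (field names are assumptions).
    user: str
    groups: frozenset
    mfa: bool              # did this session pass a second factor?
    device_managed: bool   # device is enrolled and fingerprinted by the agent
    device_patched: bool   # posture check reported by the endpoint agent
    risk_score: int        # 0-100 from behaviour analytics (assumed scale)
    app: str
    source_ip: str         # logged for forensics, never consulted by the policy

@dataclass(frozen=True)
class AppPolicy:  # per-application rule: who may reach it and under what conditions
    allowed_groups: frozenset
    require_mfa: bool = True
    require_managed_device: bool = True
    max_risk: int = 50

# Constructed sample policies: payroll is stricter than the internal wiki.
POLICIES = {
    "payroll": AppPolicy(frozenset({"finance"}), max_risk=20),
    "wiki": AppPolicy(frozenset({"staff", "finance"}), require_managed_device=False),
}

def decide(ctx: Context, policies=POLICIES):
    """Return (allowed, reason). Unpublished apps stay invisible: default deny."""
    pol = policies.get(ctx.app)
    if pol is None:
        return False, "no policy for application: deny"
    if not (ctx.groups & pol.allowed_groups):
        return False, "user not entitled to application"
    if pol.require_mfa and not ctx.mfa:
        return False, "MFA required"
    if pol.require_managed_device and not (ctx.device_managed and ctx.device_patched):
        return False, "device posture check failed"
    if ctx.risk_score > pol.max_risk:
        return False, f"risk score {ctx.risk_score} exceeds limit {pol.max_risk}"
    return True, "allowed"

def demo():
    # Same person on a managed laptop from the office and from a cafe: identical verdicts.
    base = dict(user="ann", groups=frozenset({"finance"}), mfa=True, device_managed=True,
                device_patched=True, risk_score=10, app="payroll", source_ip="10.1.2.3")
    office = decide(Context(**base))
    cafe = decide(Context(**{**base, "source_ip": "203.0.113.7"}))
    byod = decide(Context(**{**base, "device_managed": False, "source_ip": "203.0.113.7"}))
    byod_wiki = decide(Context(**{**base, "device_managed": False, "app": "wiki"}))
    return office, cafe, byod, byod_wiki
```

Note that the office and cafe verdicts are identical because location never enters the decision; only the unmanaged device changes the outcome, and only for the stricter application.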
SASE. Secure Access Service Edge is the replacement for the datacenter security stack. It obviates the need for a secure web gateway, firewall, IPS, rate limiting, even DLP. Users are protected by a globally distributed Service Edge (custom servers in colocation sites) that filters their access to online resources. In my mind it is like a virtual ISP that provides “clean pipes.”
Watching all of these should earn you a Master's degree in Zero Trust. But in the meantime, we will send a free copy of Security Yearbook 2020 to anybody who watches ten demos!
3 years ago: Trust No One.
3 years ago: Great demos. Beyond slide decks.