April showers bring May flowers … and this year’s RSA Conference. Usually there’s one topic at RSA that everyone is talking about, but this year there will likely be 3: secure access service edge (SASE), eXtended Detection and Response (XDR), and zero trust. In my last blog, I described 8 things security executives want to hear about XDR. This one focuses on zero trust (ZT).
Since my old buddy John Kindervag first came up with the concept, ZT has been bastardized to mean just about anything associated with authentication, access control, network segmentation, and nearly everything else associated with cybersecurity. Given this expected industry confusion, let me start by grounding this blog with a mashup definition of zero trust. According to NIST:
“Zero-trust (ZT) is a term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location. A zero trust architecture (ZTA) is based on zero trust principles and designed to prevent data breaches and limit internal lateral movement.”
In simple terms, zero trust policies and controls determine who (users, devices, etc.) can access what (applications, data, services), under what circumstances. When you fly, you are asked to provide a valid ID and boarding pass and to have your luggage checked before you are given permission to enter the boarding area. A zero trust airport would go even further, only permitting you access to a specific gate, airplane, and seat. Oh, and only if you kept your jacket on throughout the boarding process. If you removed it for any reason, zero trust would detect an environmental change and reevaluate the whole process from soup to nuts.
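The who/what/circumstances decision and the re-evaluation after a changed condition described above, sketched as an added Python example that is not from the original post. The roles, resource names, and context signals are constructed assumptions, not any product's policy model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    """Circumstances of a request; every field is a constructed signal."""
    mfa_passed: bool
    device_compliant: bool
    network: str  # recorded only; location never grants trust by itself

@dataclass(frozen=True)
class Rule:
    """Who (role) may reach what (resource), under what circumstances."""
    role: str
    resource: str
    require_mfa: bool = True
    require_compliant_device: bool = True

# Constructed sample policy; anything not listed here is denied.
POLICY = [
    Rule("finance", "payroll-app"),
    Rule("contractor", "ticketing-app", require_compliant_device=False),
]

def decide(role: str, resource: str, ctx: Context) -> bool:
    """Default deny: allow only if a rule matches and its conditions hold."""
    for rule in POLICY:
        if (rule.role, rule.resource) != (role, resource):
            continue
        if rule.require_mfa and not ctx.mfa_passed:
            continue
        if rule.require_compliant_device and not ctx.device_compliant:
            continue
        return True
    return False

class Session:
    """Access to one resource, re-decided whenever the context changes."""
    def __init__(self, role: str, resource: str, ctx: Context):
        self.role, self.resource, self.ctx = role, resource, ctx
        self.active = decide(role, resource, ctx)

    def update_context(self, new_ctx: Context) -> bool:
        # Any change in circumstances triggers a full re-evaluation,
        # the equivalent of taking the jacket off at the gate.
        if new_ctx != self.ctx:
            self.ctx = new_ctx
            self.active = decide(self.role, self.resource, new_ctx)
        return self.active
```

Access is scoped to one role and one resource per rule, and a session that was allowed at login is revoked as soon as an updated context no longer satisfies the rule.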
Unlike XDR, which is still forming as a market, zero trust has been around for years. In fact, ESG research indicates that 33% of organizations have already implemented some type of zero trust project across the enterprise while 30% are implementing zero trust for a specific use case. What type of use case? Third-party access to particular applications/services, VPN replacement, network segmentation, etc. Additionally, more than one-third (36%) of organizations claim that COVID-19/WFH has accelerated their adoption/expansion of zero trust.