If Zero Trust is so critical why are you ignoring NIST, NSA and the NCSC?


Between August 2020 and February 2021, “the agencies”, National Institute of Standards and Technology (NIST), National Security Agency (NSA) and National Cyber Security Centre (NCSC) have all published final or preliminary (beta) guidance for Zero Trust (ZT) that is applicable to all sizes of organisations. I would suggest to you that the agencies are experts in the field of cybersecurity. So, why are vendors and influencers ignoring the agencies’ guidance when proposing to be an advocate of ZT?

Desk research that I undertook of 26 security vendors (products and services) shows that the majority are exploiting ZT positioning in the belief that they have a unique product or service, recognised by alternative research group reports, but only three vendors (11%) referenced one or more of the agencies. Rather than sticking to [the agencies’] ZT guiding principles and design concepts, it appears there is a belief that deriving new terminology for ZT (I found five) will reap greater vendor ZT acceptance than simply aligning to what the agencies have provided, which [possibly] risks being seen as just another outlier.

Security Leaders

Acknowledge that ZT is a journey of competency from basic to advanced capability and that you will be evolving your identity, access and authentication policies and processes every year.

  • Immediately recognise that the security product(s) you have or will implement are there to support your business’s ZT guiding principles and design concepts.
  • Resist approaching this from a product mindset; a lack of alignment to the agencies’ recommendations may hinder your guiding principles and design concepts.

So, ensure that you lead with a secure IT strategy mindset and then ensure your product(s) of choice can ride the journey to advanced capability with you.

Security Vendors

Whatever your belief, ZT has been developed as a philosophy and a strategy that, when evolved, helps your clients’ IT strategy embrace a ‘security-first’ mentality.

  • Lead your engagement by acknowledging that ZT is advisory led (service/consultancy), not a product-led engagement.
  • Identify how your offering advances successful processes, policies, and data availability for the client’s benefit.
  • Immediately relate to the agencies’ guiding principles and design concepts to trigger recognition of terminology/workflow/process/policy by the security leader, rather than forcing them to find alternative definitions and material from across the industry.
  • Trust in using the agencies’ guidance on ZT, as it clearly articulates all the use cases subsequently deemed to be valued differentiation in other vendor/research group adaptations (ZTS, ZTNA, ZTXEP, ZTVDC, ZTDP).

Only once the advisory engagement is underway should you suggest that the client revert to challenging the installed security product(s).

Establish a Baseline

A Zero Trust architecture (ZTA) uses zero trust principles to plan industrial and enterprise infrastructure and workflows – (NIST). Zero trust migration is a journey, and we think you can start yours by knowing your architecture, including users, devices, and services – (NCSC). Embracing a Zero Trust security model and the mindset necessary to deploy and operate a system engineered according to Zero Trust principles can better position them [organisations] to secure sensitive data, systems, and services – (NSA).

Nowhere in the statements above do the agencies imply that organisations’ existing security products are inadequate or that ZT requires you to implement new products in order to adopt, embrace or migrate to ZT principles.

Everything evolves

I totally understand that architectures and frameworks evolve over time. Since John Kindervag first coined the phrase “Zero Trust” and published his first articles on the subject in 2010, it didn’t take long for those who believe they should be heard to throw in their opinions. The issue with the vast majority of these opinions over the last 5 years is that they have been taking ZT’s original essence out of context. Communicators of ZT believe it to be the next headline-grabbing market positioning sensation, instilling doubt about the functionality and capability of security leaders’ previous product decisions.

Zero Trust yes or no?

Anyone that follows my blogs, posts or comments probably knows that I have never liked the term ‘Zero Trust’. In an industry full of fear, uncertainty and doubt, I feel it only adds fuel to the [existing] fire. The term could imply that everyone and every ZT engagement is out to bring destruction and negativity. But this doesn’t mean I don’t wholeheartedly believe in the premise behind the term. If you have read my papers on User Isolation Protection, I continually encourage businesses to challenge and review their existing access, authentication and identity products and policies. I don’t know why John didn’t simply call it ‘Always Verify’ from the outset, or why others haven’t changed its name since. Maybe it wasn’t catchy, impactful or marketable enough?

Pretty spectacularly lax

A strong example where the agencies’ ZT principles would have helped mitigate the effect of a cyber-incident was the [well publicised] SolarWinds incident: [unfortunately] a great example of where the principles behind ZT should have been a no-brainer. Amongst all the commentary about the incident’s effects, it is now being blamed by current and former execs on a company intern, for a critical lapse in password policy that apparently went undiagnosed for years. As Robin Oldham remarked in his weekly infosec newsletter, “If true — and, hey, we have no reason to doubt [Kevin] Thompson’s testimony — then the company’s culture, practices, technical solutions, or assure activities must also have therefore been pretty spectacularly lax: because nothing says ‘good corporate governance’ like getting the intern to set up the build process for a ~$1Bn software company, and then not checking what or how they did it”. Keep in mind this wasn’t about the product being used, but the processes and policies.

Security leader first

In the first instance, if I were a security leader, I would always listen and be guided by the clear ZT guiding principles and design concepts developed by the agencies above all others. Why? They are independent, have no commercial interest, use diverse panels of cybersecurity experts to formulate their deliverables and are trusted in their opinions by peer security leaders. As a security leader and following initial research into ZT, I would then look at my existing security processes, policies, and solutions to align with the guiding principles and design concepts, reaching out to my [ZT aligned] product supplier for further capability knowledge. Only after this would I then seek alternative offerings that align with the agencies’ guidance.

Delving into my research

Embracing the agencies

As part of my work, I engage (talk) regularly with security leaders to understand their concerns, issues and challenges. So, I decided to review how the vendors align their ZT positioning with the agencies to benefit security and IT leaders.

So, I approached this in the manner that I understand a security leader would, and allocated [a rare] 30 minutes to search for the agencies’ key phrase ‘Zero Trust’.

An IT strategy done securely

The agencies didn’t show up in the 4 pages of 49 results that I managed to review. But as these organisations do not have the same volume of search traffic as commercial vendors, nor do they invest in paid advertising, this was not a surprise.

From the 49 results presented to me, 22 were from security vendors, 2 from research groups and 2 from consultancies. Although there was a lack of coverage from the agencies, this was a strong result for this key phrase.

Diving into the results, I came across two security vendors that nailed the basis of ZT as it aligns with the agencies’ principles.

  • “Zero Trust isn’t something you can buy or implement. It’s a philosophy and a strategy. And to be frank, at [redacted], we wouldn’t even characterize zero trust as a security strategy. It’s an IT strategy done securely.” In-house CISO.
  • “There are no Zero Trust products. There are products that work well in Zero Trust environments and those that don’t.” Vendor blog (Zero Trust Architecture overview).

In addition, I managed to find two security vendors that directly referenced NIST ZT and another that promoted the NSA ZT model. These three vendors were not those that provided the quotes above.

These mildly encouraging statements from five of the 26 security-related providers were the high point of the research.

We know best

Very quickly, it became clear that the majority of organisations presented in the search results believe that, to highlight their expertise and leadership in ZT, they need to spin the guiding principles and design concepts and create new frameworks and terminology to sell their products and services.

I was confronted with new terms: Zero Trust Network Access, Zero Trust eXtended Ecosystem Platform, Zero Trust Security, Zero Trust Virtual Data Center and Zero Trust Data Protection. What was wrong with maintaining a common baseline by just using ZT? The alternatives didn’t provide anything new and failed to explain how their product, service or framework aligned to those already provided by the agencies.

We know how to say ZT

The agencies provide a comprehensive overview of the guiding principles and design concepts behind “Never Trust, Always Verify” (ZT). The security providers were obviously hampered by collateral or webpage constraints and the need to quickly get across what they believe is important (the sell). I found only four examples that aligned to at least one of the agencies’ baselines. The remainder provided no real detailed understanding apart from the notional use of “Never trust, always verify”.

How ZT value helps

The four providers that could explain ‘What is ZT?’ were joined by two additional providers that were able to convey a narrative about the true value of ZT to a business (security leader). The remaining providers diverted away from any alignment to the agencies, immediately hit the sales cycle and started on the feeds and speeds and why “they are a leader in ZT”. The emphasis was more on how they could replace what may already be in situ in the [target] organisation in order to establish a ZT environment, rather than approaching this from a ‘customer-first’ purpose and providing advisory recommendations the security leader would find helpful.

The power of a report

It appears everyone loves a report. Four providers afforded me links to reports I could access – one authored by the vendor and the other three to industry analyst content that would enlighten me about their [assumed] better proposition and terminology on ZT. Unfortunately, all required me to register my details, sign up for a contract or pay up to $3,000. Everyone is entitled to an opinion, but whilst I was acting as a security leader whose time is limited and budgets tight, this is very unhelpful to convince me of your value. If your report is compelling enough, just let me read it and then I will contact you. Being hammered with continuous unwanted emails and phone calls or paying for a report that ends up being of no use means that you [author] missed the point, not the reader.

But it appears that the mere mention of alignment or inclusion within a ZT industry report (not authored by the agencies) that ranks one provider against others (assuming you meet the inclusion criteria) has greater value than clearly articulating how you align to the guiding principles and design concepts from the agencies. I conducted a recent qualitative CISO research study for a client, and the CISOs clearly valued peer insights and solutions directly aligned to threats over [presumed] leaders referenced in reports when considering security offerings.

What interests me about these industry reports, especially when you consider the earlier comment “Zero trust isn’t something you can buy or implement. It’s a philosophy and a strategy”, is that at least 60% of the scoring criteria is on product functionality, not the vendor’s ability to be considered a valued advisor for ZT. At what point does a mature security product (already measured in another report) turn into a ZT product? Does that mean that these [newly classed] ZT products will no longer be measured in prior industry reports? I’m also concerned that nowhere in these [leadership] reports do the authoring analysts score the vendor against their alignment to the agencies’ guidelines and design principles. Wouldn’t this help promote a more services- or consultancy-led approach and negate the promotion of a product-first attitude?

Tilt the advantage to the business

When it gets down to the detail of why vendors, analysts and consultancies are referencing ZT, it’s clear. For commercial value. There is nothing wrong with this. The products and services being offered all help establish the appropriate end game, a ZT architecture model that the agencies are encouraging for each unique business.

What is misplaced is the approach that is being taken. As defined by the agencies, a ZT architecture model is there to help tilt the advantage of security authorisation, access and policy protection in favour of the business rather than the cyber adversary. Wouldn’t it help the security leaders that consume this information to be presented with content that explicitly emphasises the vendor’s, analyst’s or influencer’s capability to meet these challenges, front and centre?

Recognise real value

Finally, it appears that emotional commercial attitudes are overruling the agencies’ ZT principles. Product, marketing and sales leaders believe that they need to be vocal in the [ZT] game as an alternative sales and marketing play, allowing them to stand out in the crowd. Ask yourself: how many times did the security leader accept your invitation for a Zoom/Teams/Skype call and open by saying, “So tell me all about your Zero Trust products”, rather than reaching out to you so they could learn how you can assist with their objective of aligning to the Zero Trust guiding principles and design concepts?

Every security vendor or services provider should always believe that their offerings have value. The litmus test to determine ZT value is to present clear and tangible value that drives the ZT principles as outlined by the agencies. As referenced previously, “There are products that work well in Zero Trust environments and those that don’t”. You don’t need to use speculative beliefs, alternative frameworks, or perceptions to be appreciated as adding value in ZT.

Raising awareness and helping security leaders protect access, authentication and privacy of their business is a challenge, but NIST, NSA and the NCSC have provided the guidelines and design principles to evolve every business size to achieve this aim. Please don’t ignore them.

Written by Kevin Bailey, principal analyst and director, Synergy Six Degrees
