Zero-trust-washing: why zero-trust architecture is the framework to follow

Have we gotten to the point where the term “zero trust” is being misused or misrepresented by some vendors as they seek to capitalize on its market momentum?

This is a tricky question for vendors because it’s not possible to label a single product or service as a complete zero-trust solution. It is perhaps best to consider the term Zero Trust Architecture (ZTA) – a framework that compels an organization to take action based on business priorities and its current security infrastructure.

So while it’s important for organizations to start moving to a zero-trust architecture, it’s not as simple as adopting a single vendor’s capabilities as a complete solution. But with the marketing and hype that quickly muddy the waters around any new technology, will we see widespread zero-trust-washing? After all, do all legacy products really fit the zero-trust bill?

We have emphasized that ZTA is a methodology or approach and not a single, off-the-shelf product or solution. Similarly, there is no “one size fits all” answer and different organizations will need to prioritize based on their needs.

But can we take steps to describe an “ideal” zero trust model? There are certainly good definitions of what should at least be included. For example, in the United States, the National Institute of Standards and Technology (NIST) has published a set of seven principles of what should be included in a ZTA. More importantly, it does not imply that existing security protections are excluded.

Additionally, we recently saw President Biden issue an Executive Order to improve the country’s cybersecurity, which includes the adoption of ZTA. There are many references to ZTA in the Order, including this one: “The federal government must adopt security best practices; moving towards a zero-trust architecture; accelerating the movement towards secure cloud services, including software as a service (SaaS), infrastructure as a service (IaaS) and platform as a service (PaaS); centralize and streamline access to cybersecurity data to generate analytics to identify and manage cybersecurity risks; and invest in technology and personnel to achieve these modernization goals”.

As with any other new technology or approach, we await an “official” practical ZTA certification or standard. We have already mentioned NIST, which creates standards for cybersecurity communications, technology and practices. NIST has not yet created standards or a certification for zero trust; its special publication discusses the goals of ZTA. Perhaps the lack of relevant certification or standards is partly responsible for the lack of cohesion in how ZTA is marketed and sold? With these in place, vendors would at least have solid guidance, and organizations looking to invest in ZTA would have better definition and clarity.

Certification or standards notwithstanding, there is certainly confusion in the marketplace regarding ZTA – confusion that can provide fertile ground that some vendors can take advantage of.

It is possible to build ZTA using a combination of legacy systems and new products – companies don’t have to worry about having to start from scratch.

Asking your supplier a few simple questions will usually help reveal their understanding of ZTA. For example, ask them how their proposed solution fits into your ZTA – if they can’t visualize that, they probably still believe the ZTA is something you buy off the shelf. When vendors can present their solutions as part of an overall customer journey, which is likely very different for each customer, success is the most likely outcome.

Resellers and managed service providers are in an ideal position to help their customers adopt ZTA – there are a variety of technologies from multiple vendors that need to be adopted, along with the associated integration into existing infrastructure. And on the basis that such journeys are likely to take years, not months, there is an ideal opportunity to take a consultative approach to long-term sales. Zero trust is a strategic IT initiative, and most CIOs have certainly moved on to strategy and planning.

Wherever you are in your ZTA journey, you can’t just pull products off the shelf to produce instant security. Your business needs and security requirements will differ from those of other organizations, as will the state of your legacy systems. A partner who understands all of this is ideally placed to help you continue this journey successfully.