At the beginning of 2022, Zero Trust faces a bizarre dichotomy: It’s on the verge of becoming the de facto cybersecurity approach while simultaneously having many security practitioners decry it as “just a marketing ploy.” How did we, as the security community, arrive at such a precarious perch?
Part of the problem, according to John Kindervag, former Forrester analyst and author of the original Zero Trust research, was that the trilogy of Zero Trust papers remained largely behind the Forrester paywall. For over a decade, only Forrester clients and every security vendor in the world had access. The hype train left the station, with those vendors shaping the Zero Trust narrative from their highly subjective perspective. Nonclients and the greater cybersecurity community only saw Zero Trust through the stained-glass windows of vendor marketing.
Forrester’s research advanced the Zero Trust concept from network-focused to an integrated, dynamic ecosystem of security capabilities and technologies with the introduction of Zero Trust Extended (ZTX). But analysts are not necessarily marketers, and the research lacked a clear, concise, shareable definition our clients and the larger community could use as a stake in the ground.
Today, we correct both of these issues with the release of a report titled “The Definition Of Modern Zero Trust.” Yes, that report is behind the paywall, but we’re including its definition here, on the outside, for everyone.
Zero Trust defined
Zero Trust is an information security model that denies access to applications and data by default. Threat prevention is achieved by only granting access to networks and workloads utilizing policy informed by continuous, contextual, risk-based verification across users and their associated devices. Zero Trust advocates these three core principles: All entities are untrusted by default, least privilege access is enforced, and comprehensive security monitoring is implemented.
Notice that the last sentence is the three original Zero Trust principles stated together. Here are the salient points in bullet form:
- Default deny
- Access by policy only
- For data, workloads, users, devices
- Least privilege access
- Security monitoring
- Risk-based verification
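To make the bullets concrete, here is a small policy evaluator (an added illustration, not code from Forrester, NIST, or this post) that exercises each point on constructed data: no rule means deny, grants come only from a policy table, a rule grants specific actions on a specific resource, a risk score built from user and device context gates each request, and every decision is written to an audit log. The field names, weights, thresholds, roles and resources are assumptions chosen for the example.

```python
"""Toy Zero Trust policy evaluator (added example; assumed names and weights)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Subject:
    user_id: str
    roles: Tuple[str, ...]
    mfa_verified: bool
    session_age_min: int


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool
    disk_encrypted: bool
    os_patched: bool
    posture_age_min: int  # minutes since the last posture check


@dataclass(frozen=True)
class Request:
    subject: Subject
    device: Device
    resource: str  # e.g. "payroll-db" (constructed name)
    action: str    # e.g. "read"
    network: str   # "corp", "vpn" or "internet"


@dataclass(frozen=True)
class Rule:
    role: str
    resource: str
    actions: Tuple[str, ...]
    max_risk: int  # deny when the contextual risk score exceeds this


# Access by policy only: this table is the sole source of grants.
# Least privilege: each rule names specific actions on a specific resource.
POLICY: List[Rule] = [
    Rule("hr-analyst", "payroll-db", ("read",), max_risk=30),
    Rule("hr-admin", "payroll-db", ("read", "write"), max_risk=20),
    Rule("engineer", "build-farm", ("read", "execute"), max_risk=50),
]

# Security monitoring: every decision, allow or deny, lands here.
AUDIT_LOG: List[Dict] = []


def risk_score(req: Request) -> int:
    """Contextual, risk-based verification across the user and the device.
    Computed per request, so verification is continuous rather than once per login."""
    score = 0
    d, s = req.device, req.subject
    if not d.managed:
        score += 40
    if not d.disk_encrypted:
        score += 20
    if not d.os_patched:
        score += 15
    if d.posture_age_min > 60:   # stale posture data counts against the device
        score += 10
    if not s.mfa_verified:
        score += 30
    if s.session_age_min > 480:  # long-lived session: re-verify
        score += 10
    if req.network == "internet":
        score += 10
    return score


def evaluate(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Default deny: only a matching rule can flip it."""
    score = risk_score(req)
    allowed, reason = False, "no policy grants this action on this resource"
    for rule in POLICY:
        if rule.role not in req.subject.roles or rule.resource != req.resource:
            continue
        if req.action not in rule.actions:
            reason = f"role {rule.role} may only {rule.actions} on {rule.resource}"
            continue
        if score > rule.max_risk:
            reason = f"risk {score} exceeds {rule.max_risk} for role {rule.role}"
            continue
        allowed, reason = True, f"granted by rule {rule.role}/{rule.resource}"
        break
    AUDIT_LOG.append({
        "user": req.subject.user_id, "device": req.device.device_id,
        "resource": req.resource, "action": req.action, "network": req.network,
        "risk": score, "allowed": allowed, "reason": reason,
    })
    return allowed, reason


# Constructed sample identities and devices.
ANALYST = Subject("alice", ("hr-analyst",), mfa_verified=True, session_age_min=30)
GOOD_LAPTOP = Device("lt-001", True, True, True, posture_age_min=5)
BYOD_PHONE = Device("ph-777", False, False, True, posture_age_min=5)


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run four constructed requests that each hit one principle."""
    return {
        # compliant device, in-policy action: allowed
        "read_ok": evaluate(Request(ANALYST, GOOD_LAPTOP, "payroll-db", "read", "corp")),
        # same user asks for write: least privilege denies
        "write_denied": evaluate(Request(ANALYST, GOOD_LAPTOP, "payroll-db", "write", "corp")),
        # same user from an unmanaged phone on the internet: risk exceeds threshold
        "byod_denied": evaluate(Request(ANALYST, BYOD_PHONE, "payroll-db", "read", "internet")),
        # resource no rule mentions at all: default deny
        "unknown_denied": evaluate(Request(ANALYST, GOOD_LAPTOP, "crown-jewels", "read", "corp")),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:15} allowed={ok!s:5} {why}")
    print(f"{len(AUDIT_LOG)} decisions recorded")
```

The design point worth noticing is that `evaluate` never consults a "trusted network" or "logged-in user" flag; the only way to an allow is a rule whose role, resource, action and risk ceiling all match the request, and the same check runs on every request rather than once at session start.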
The good news for everyone is that this definition is not divergent from NIST’s definition in SP 800-207. The two definitions explain the same concept, using the same principles and often the same words.
What about Zero Trust Architecture or Zero Trust Strategy?
The broad theme of Zero Trust is the reduction of implicit trust. As a model for information security, Zero Trust translates to network and security architecture. See NIST SP 800-207, Zero Trust Architecture, as the most relevant example.
Some advocates of Zero Trust say that it should also work as a strategy; if that is how you use the term, consider replacing the phrase “Zero Trust strategy” with “a strategy to reduce implicit trust throughout our enterprise” in your mind.
So, what isn’t Zero Trust?
To better help security leaders and pros communicate the benefits of Zero Trust adoption, our report provides more clarity on what it isn’t. One key point is that it isn’t a security awareness and training strategy. In fact, there’s no need for the vast majority of end users in an organization to have any familiarity with this concept at all. Pushing Zero Trust concepts to end users will likely backfire from an awareness and training perspective as the perception of having “zero trust” implies a lack of trust in employees. Organizations that have adopted the Zero Trust model see trust as fundamental to creating a positive, low-friction work culture for employees and invest in initiatives to empower the firm at all levels to differentiate with trust.
Go Forth And Convert The Deniers
One more time for those in the back: Zero Trust is an information security model, one that can be worked toward but without an ultimate end state.
This post was written by Senior Research Analyst David Holmes and it originally appeared here.