Mythbusters: Three Misconceptions About Zero Trust

Trust no one - it sounds like the opening of a box-office action flick, but the meaning is far less sinister. First coined in 2010 by Forrester analyst John Kindervag, “Zero Trust” is based on the premise that the current trust model in security is broken and that the only solution is to trust no one, not even your end users.

The Zero Trust approach requires a shift from implicit trust (e.g., “if you’re on the network, you must be trustworthy”) to one where trust is constantly questioned. With Zero Trust, we make no assumptions and verify the claims made by every device, every user and every application.

Over the years this definition of Zero Trust has shifted, with vendors overusing the phrase and muddying the waters. So, what’s the key to achieving perfect Zero Trust? The first step is putting to rest common misconceptions that have come to light over the years.

It’s time to bust some myths and explore three common mix-ups when it comes to Zero Trust:

  1. There’s One Definition of Zero Trust - Gartner uses zero trust as an adjective to classify specific implementations, such as Zero Trust Network Access, or ZTNA, which describes client-to-application transactions without the need for inherently trusted networks. For some, ZTNA is a modern, sophisticated VPN replacement, while to others it's a cloud-friendly modern access control model that includes software-as-a-service (SaaS) and on-premises access capabilities. Given that it is used as both a noun and an adjective, it’s clear Zero Trust is a spectrum rather than a single definition. While it's good to establish clear-cut, agreed-upon industry definitions, it's up to each vendor, and then each end user, to further define and build on what Zero Trust means to them. Zero Trust offers a strong blueprint for organizations to look to for guidance, but it’s simply not a "one size fits all" approach.
  2. Zero Trust Isn't Just About Identity - Though it acknowledges the reality that the traditional security perimeter no longer exists, the idea that identity is the new perimeter is a reductionist and insufficient approach to security. Verifying identity is a start, but it’s not enough to simply verify who is accessing data or the network; context is equally important. Identity is just a toe dipped in the Zero Trust waters, but a thorough approach will take into account contextual data - time of day, type of device, posture checks, risk assessments, etc. The bottom line is that context cannot be left on the floor when you’re talking about access control. Start with identity, then layer on more advanced contextual markers to ensure secure access. Identity as the new perimeter is a great rallying cry, but technology has advanced, and so too must we advance our approach to access management.
  3. You Can Buy a Zero Trust Silver Bullet - In a perfect world, achieving true Zero Trust would be as simple as deploying a single solution to solve all your security woes, but there is no magic wand you can wave for a simple fix. Rather, Zero Trust is only achieved when a number of elements fit together in just the right way. Organizations often fall into the dangerous trap of buying from a security vendor that markets itself as a Zero Trust provider and then missing other key components. Just as you can’t see the full picture without all the pieces of a puzzle, you can’t implement a Zero Trust security approach without the right tools and policies in place. Think of it this way - Zero Trust isn’t a destination, but rather a journey to improved access management.
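The second point above, identity first with contextual markers layered on top, is easiest to see as an access-policy evaluation. The following is an added illustration, not code from the article or from any vendor it mentions; the request fields, the deny and step-up thresholds and the business-hours window are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import time

@dataclass
class AccessRequest:
    user: str
    identity_verified: bool   # credential / MFA check passed
    device_managed: bool      # device is enrolled and managed by the organization
    disk_encrypted: bool      # posture check: full-disk encryption enabled
    os_patched: bool          # posture check: OS at the approved patch level
    request_time: time        # local time of the request
    risk_score: int           # 0-100 from a risk engine, higher is riskier

BUSINESS_HOURS = (time(7, 0), time(20, 0))  # assumed policy window

def identity_only_decision(req):
    """The reductionist model: a verified identity is all that is checked."""
    if req.identity_verified:
        return "allow", ["identity verified"]
    return "deny", ["identity not verified"]

def contextual_decision(req):
    """Identity first, then contextual markers; hard failures deny, soft signals step up."""
    if not req.identity_verified:
        return "deny", ["identity not verified"]
    hard, soft = [], []
    if not req.device_managed:
        hard.append("unmanaged device")
    if not req.disk_encrypted:
        hard.append("disk not encrypted")
    if req.risk_score >= 80:
        hard.append(f"risk score {req.risk_score} at or above deny threshold")
    if not req.os_patched:
        soft.append("OS behind approved patch level")
    if not BUSINESS_HOURS[0] <= req.request_time <= BUSINESS_HOURS[1]:
        soft.append("request outside business hours")
    if 50 <= req.risk_score < 80:
        soft.append(f"elevated risk score {req.risk_score}")
    if hard:
        return "deny", hard
    if soft:
        return "step_up", soft       # require a stronger factor before granting access
    return "allow", ["identity verified", "all contextual checks passed"]

# Constructed sample: valid credentials, but an unmanaged laptop at 02:00 local time
SAMPLE = AccessRequest("alice", True, False, True, True, time(2, 0), 30)
```

The identity-only model grants SAMPLE access outright, while the contextual model denies it because the device is unmanaged; the same engine escalates a patched-but-risky session to step-up authentication rather than denying it.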

The world doesn’t live behind a campus firewall anymore, and the security perimeter of years past is no longer sufficient. The reality is that zero trust is part of the solution, but not the entire answer. To prepare for tomorrow’s threats, enterprises need to assess what it is they’re trying to protect - identify their assets, understand what they are, and determine the risk if they were exposed.
Zero Trust is a maturity model that’s meant to provide organizations with a single set of policies for users and applications, so you don’t have to worry about where your assets are. If you think a VPN is sufficient - think again. Applications have moved, and organizations must respond in kind, enacting a cohesive Zero Trust strategy and a consistent policy across all their data sets.
