Ten years on, tech buyers still find zero trust bewildering. Consultants aim to help them get a handle on -- and deploy -- this multifaceted security model.
Organizations are paying more attention to zero trust, but struggle with the basic questions of what it is and how they can adopt it.
That's the view of executives offering zero trust consulting and implementation services to clients looking for guidance in this confusing field. Professional services firms, managed service providers (MSPs) and systems integrators are pursuing the market, which seems a made-to-measure opportunity for organizations providing technology and business advice.
Despite, or because of, the confusion, zero trust opportunities are poised to expand. TechTarget's 2023 IT Priorities Survey pointed to zero trust as the No. 2 area for planned deployment within the identity discipline over the next 12 months. Only multifactor authentication, often part of a zero-trust initiative, emerged higher on the list of agenda items. TechTarget polled more than 800 IT professionals in North America.
Growing interest in zero trust
"The concept of zero trust has been there for nearly a decade, but the interest has gone up in the last two years due to work from anywhere," said Mushtaq Ahmad, senior vice president and CIO at Movate, a digital technology and customer experience company with headquarters in Plano, Texas.
The principles of security have shifted from implicit trust or trust, but verify to never trust and always verify, he said, noting the former concept doesn't work well in securing enterprise networks in the post-pandemic world. Indeed, user identities and devices emerged as the weakest link amid COVID-19, operating outside of the corporate security zone and within traditional security frameworks. With cloud adoption and work from anywhere the only way forward, corporate security architectures began pivoting to zero trust, according to Ahmad.
I think all the previous, very public hacks in the past couple of years have really driven the motivation to adopt zero trust.
David ChouDirector of cloud capabilities, Leidos
David Chou, director of cloud capabilities at Leidos, a technology, engineering, and science solutions and services provider based in Reston, Va., pointed to the continuing rise in cybercrime and government directives as raising zero trust's profile.
"I think all the previous, very public hacks in the past couple of years have really driven the motivation to adopt zero trust," he said.
As for directives, the federal government's zero trust architecture strategy, launched in 2022, and the White House's cybersecurity executive order, which stipulates zero trust, are fueling interest. "Those are the two mandates that are really driving the bulk of our customers to make sure they're compliant with the zero-trust model," Chou said.
Starting with the essentials of zero trust
Misunderstandings of zero trust abound, which means customer engagements frequently begin with a grounding in the essentials.
"There's a lot of confusion still about zero trust," said Jay Martin, security practice lead at GreenPages, an MSP based in Portsmouth, N.H. "When customers say, 'We're doing zero trust,' the question always is, 'What do you mean by that?' If I asked 10 people, I'm going to get 10 different answers."
Introducing customers to a zero-trust model helps establish a baseline for understanding.
GreenPages has put together such a model, based on the U.S. federal government's Cybersecurity and Information Security Agency's zero-trust model. It also aligns with Microsoft's model. Martin identified the core principles: Apply least-privilege access, verify explicitly and assume breach.
Consulting firm PwC, meanwhile, offers a common framework that helps customers reconcile diverse approaches to zero trust. "Everyone has a different understanding," said Prakash Venkata, principal, Cyber, Risk and Regulatory, PwC US. "We bring them to a baseline."
A multi-cloud customer, for example, might want to use Microsoft's zero-trust framework for Azure and BeyondCorp's approach for Google, he said. Such customers tend to build their own custom frameworks. PwC's framework, he added, makes those custom frameworks more holistic and secure, facilitating the task of incorporating disparate cloud-specific approaches to zero trust.
Pointing customers to a model, or framework, also clears up the misconception that zero trust comes from a vendor as a unified product -- "zero trust in a box," as Martin put it. Instead, a zero-trust model serves as a guide as customers create policies and procedures for deploying security controls.
Movate's Ahmad said he considers zero trust a journey, one in which customers incrementally adopt zero-trust principles across people, process and technology. That journey typically starts with a survey of assets, identities, networks, data and workflow -- and a risk assessment of the client's security posture. Design and deployment of a zero-trust architecture follows.
Leidos, meanwhile, offers customers its Zero Trust Readiness Level service to get customers started on a framework. The service assesses a client's existing architecture, identifies priorities and creates a roadmap for adopting zero trust, Chou said.
"Zero trust is definitely a multi-year sort of effort," he said. "It's not set it and forget it."
Ahmad said the length of the journey depends on a customer's security posture and maturity, noting an initiative could take a few months to as long as five or six years.
Including the business in zero trust
Chalk it up as another zero-trust misconception.
Many customers treat zero trust as a security paradigm, which misses the point, according to GreenPage's Martin. "It's a business model," he said.
Zero trust's organizationally invasive nature means it can block legitimate business activities. The cyber and business sides must plan ahead and decide where they can safely make exceptions to tenets such as the least-privilege principle.
"IT and security teams risk blowback and possibly downtime if decisions are made in a vacuum," Martin said. "Business executives, compliance, legal, IT and cybersecurity, at a minimum, should be included in the strategy and policy development."
Deploying incrementally
Customers who have gone through the education phase, selected a framework and set up a roadmap can move on to implementation. This multifaceted stage involves numerous components including identify and access management (IAM), endpoint security and, at the network level, microsegmentation. With microsegmentation, an organization cordons off networks into segments and sets policies for accessing the IT resources within each zone.
Venkata said he advises customers to slowly implement zero trust versus attempting to do everything at once. Most PwC customers select IAM as their first project along the zero-trust path, although some start with network segmentation, he noted.
Zero trust is among the interrelated security initiatives service providers expect to pursue this year.
At this stage, zero-trust consulting providers may suggest specific products. When presenting options to clients, Movate looks for products that are cost effective, involve the least amount of disruption and assure businesses outcomes, Ahmad said.
"A single solution or OEM product cannot provide zero-trust architecture," he said, noting the task involves "multiple products and solutions."
Leidos provides a Zero Trust Proving Ground to let customers test commercial and open source tools and experiment with policies. This virtual, typically cloud-based, environment replicates scenarios government agencies would encounter in their daily operations, Chou said.
"They get a very realistic experience on what zero trust would be for them," he said.
The simulation lets agencies assess the effects of zero trust from the user perspective. "A lot of times, when we do these proving ground experiments with our customers, the end users will say, 'The application seems to be running really slow.' Performance is terrible, or the lag is really bad."
Such feedback is critical when an agency's mission requires immediate response and can't tolerate delays, Chou noted. Leidos can reset the proving ground to help customers find a balance that meets federal cybersecurity requirements but lets agencies pursue their missions unimpeded.
Managing zero trust as an ongoing process
The building, testing and incremental deployment of a zero-trust architecture isn't the final step, however. The environment requires ongoing oversight and maintenance. An organization's threat landscape, security posture and IT resources evolve and so too must its zero-trust approach.
Ahmad cited the need for continuous monitoring, assessment, iteration and improvement. Movate offers ongoing zero-trust operations and management as a service.
Chou suggested a zero-trust initiative is never quite done -- and it must involve customer and partner teams, from cyber to finance.
"Inherently, you have to do a continuous process to be successful," he said. "It requires a lot of access to teams -- get that feedback -- and iterate on what's working and what's not."
