Understanding Zero Trust

ZERO TRUST (ZT) is a concept that sounds remarkably straightforward. By trusting no one, it’s possible to protect everything, right? Not so fast. Like almost everything else in the world of cybersecurity, it’s complicated. For channel pros, sorting through zero trust and putting a zero-trust framework into motion for customers can be daunting. But with the right tools and solutions, it’s possible to turn zero trust from concept to reality for your customers.

Today the term “zero trust” is much hyped, carries a variety of definitions, and comprises a remarkable array of moving parts and pieces that intersect IT systems and departmental lines. “The complexity of zero trust makes it difficult to understand,” states Robert Boles, president of cybersecurity firm BLOKWORX.

For channel pros, a starting point for navigating zero trust is to understand what it is—and what it isn’t. Zero trust is not a product or technology; it’s a framework. It does not revolve around any single vendor or approach. Although many vendors promote their hardware and software as “zero trust”—and their products address key elements of cybersecurity—they are simply a piece of a very large and complex ecosystem.

Zero trust revolves around a key concept: An organization trusts only the people, devices, and data it must trust, and it constantly verifies everything that must be trusted. The framework discards the idea that it’s critical to protect a perimeter, and instead focuses on establishing fine-grained user and data controls. It incorporates continuous risk assessment, the ability to understand network and data in context, and the provision of legitimate access to assets from any place and at any time.

Developing a zero-trust model requires a long-term perspective. “Zero trust is not a destination. It’s a journey that involves constantly reviewing and analyzing an IT framework for appropriate protections and segmentation,” explains Bruce McCully, chief security officer at cybersecurity firm Galactic Advisors. “There are vendors with great tools and technologies for tackling zero trust, but it’s ultimately about people, processes, and continuous monitoring.”

What ZT Looks Like

The origins of zero trust date back to 2009. That’s when former Forrester analyst John Kindervag, now senior vice president at zero-trust managed security provider ON2IT, introduced the idea that all network traffic should fall into the category of “untrusted.” His original model focused on three key components: accessing all resources securely regardless of geography, providing access only as it’s needed, and inspecting and logging all traffic to verify that users are doing what they are supposed to be doing.

Not surprisingly, zero trust has evolved considerably—partly in response to the cloud, mobility, and the Internet of Things. In 2017, Gartner introduced the Continuous Adaptive Risk and Trust Assessment (CARTA) framework, which builds upon the original Forrester zero-trust model. It shifts the focus away from singular security gates to a comprehensive fabric of protection that’s adaptive and depends heavily on context. It relies on analytics to match risks and risk-tolerance to real-world protection and the everyday needs of users.

While ZT is now a mainstream concept, implementation lags. A January 2022 report from Forrester and security firm Illumio, Trusting Zero Trust, found that while more than three-quarters of business leaders recognize the value of ZT, only 6% say their firm’s plan is complete. In fact, only 36% of respondents’ organizations have started to deploy their solutions and 67% face challenges in getting stakeholders to understand and accept ZT.