Garrett Bekker, August 17, 2022
Challenges in zero trust – the philosophy vs. the product
Part one of a two-part guest blog series from Garrett, Principal Research Analyst in the Information Security Channel at 451 Research, a part of S&P Global Market Intelligence
Understanding zero trust
Zero trust is not a new concept, but understanding it can be difficult due to wide variations in the standard definitions. Ambiguity – both from overly aggressive vendors engaging in "zero-trust-washing" and from analysts keen on expanding an addressable market segment – effectively prohibits a single common definition of the term.
Zero trust, the philosophy
The earliest usage of the term posits "zero trust" as a philosophy or framework. It is a set of guiding principles on which an organization should base its security model. This definition of zero trust relies heavily on identity, context and risk as the primary means for evaluating and granting user access, versus the historical perimeter-based model, which is founded on location (e.g., network segments, VLANs or country of residence).
Zero trust is also oriented around the principle of least privilege (limit access to only what is needed to perform a job or task, and nothing more) and device trust (i.e., verifying a device and determining whether the device can be trusted and if it is secure). To sum it up, zero trust, the philosophy, should be viewed as a way of thinking about security – similar to one's personal health, it is a continual process with no clear end state.
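The contrast between the location-based model and an identity, context and risk evaluation can be sketched in a few lines. This is an added example, not code from the original post or from 451 Research; the network range, entitlement table, risk threshold and all field names are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumptions for this sketch (not from the article): the office range,
# the entitlement table and the risk threshold are all made up.
CORPORATE_NET = ip_network("10.0.0.0/8")
ENTITLEMENTS = {                      # least privilege: principal -> resources
    "alice@example.test": {"payroll-app"},
    "svc-backup": {"file-share"},     # non-human principal (service account)
}
MAX_RISK = 50                         # risk scores above this are denied


@dataclass(frozen=True)
class Request:
    principal: str        # human user or non-human identity
    authenticated: bool   # identity has been verified
    device_trusted: bool  # device verified and judged secure
    risk: int             # 0-100 contextual risk score for this request
    source_ip: str
    resource: str


def perimeter_decision(req: Request) -> bool:
    """Historical model: being on the internal network is implicit trust."""
    return ip_address(req.source_ip) in CORPORATE_NET


def zero_trust_decision(req: Request):
    """Evaluate identity, device trust, risk and entitlement; ignore location."""
    if not req.authenticated:
        return False, "identity not verified"
    if not req.device_trusted:
        return False, "device not trusted"
    if req.risk > MAX_RISK:
        return False, "risk too high"
    if req.resource not in ENTITLEMENTS.get(req.principal, set()):
        return False, "not entitled (least privilege)"
    return True, "allowed"


# Constructed sample requests.
IN_OFFICE_UNMANAGED = Request("alice@example.test", True, False, 10, "10.1.2.3", "payroll-app")
REMOTE_MANAGED = Request("alice@example.test", True, True, 10, "203.0.113.7", "payroll-app")
SERVICE_OVERREACH = Request("svc-backup", True, True, 5, "10.9.9.9", "payroll-app")

if __name__ == "__main__":
    for r in (IN_OFFICE_UNMANAGED, REMOTE_MANAGED, SERVICE_OVERREACH):
        print(r.principal, r.source_ip, perimeter_decision(r), zero_trust_decision(r))
```

The perimeter check admits the unmanaged in-office device and the over-reaching service account purely because of their addresses, while the attribute-based check gives the same user the same answer whether the request comes from the office or from home.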
Zero trust network access, the product
Zero Trust Network Access (ZTNA), on the other hand, is the term most closely associated with an actual product. ZTNA applies the principles of zero trust in a very specific manner, and has (so far) mainly been seen as a remote access solution and as an alternative to VPNs (spoiler alert: ZTNA is not limited to remote access). ZTNA has also been used somewhat synonymously with the concept of software-defined perimeter (SDP), and unlike "zero trust," it is something you can buy – albeit with multiple variations in technical capabilities and architecture.
Zero "implicit" trust
Zero trust is actually a bit of a misnomer; perhaps a more accurate descriptor would have been "zero implicit trust," since it is practically impossible to remove all notions of trust in a corporate IT setting. However, every piece of implicit trust that is removed can be considered a win for businesses if it helps further the principle of least privilege and remove potential attack vectors.
It is still early days for zero trust, but adoption is accelerating
Survey data from 451 Research (part of S&P Global Market Intelligence) shows the industry is still in the early stages with respect to understanding and implementing zero trust. The most recent 451 Voice of the Enterprise (VotE) survey data shows that 29% of enterprises have ZTNA currently in use, up from 23% and 13% in our two prior annual surveys, respectively.
Zero trust also tops the list of planned spending on security projects: 34% of survey respondents expect a "significant increase" in spending on ZTNA – higher than any other security category, including cloud security, container security and software composition analysis. 451 Research VotE data also shows that ZTNA is one of the top five security projects for 2022 (with more than 40% of respondents planning to deploy during the year), alongside identity as a service (IDaaS) and extended detection and response (XDR).
Moving ZTNA beyond remote access
ZTNA is not just about remote access; it's about secure access and supporting a variety of access scenarios. The historical work model had most employees either in-office or fully remote. That structure was simpler to manage from a security perspective, since there were few employees who were categorized as both on-premises and remote. Now, many organizations have either contemplated or already implemented a hybrid, flex model, having employees balance their weeks with some days in-office and some remote.
Although this hybrid model is great for employee balance, it's not ideal from a security standpoint. For example, the cloud comes with many benefits, but unless you're a cloud-only organization, you now have to support both legacy and cloud IT environments. The same thing applies with remote access – supporting employees both at home and in the office is a new challenge for many firms that typically had less than 20% of their workforces remote in the past. In fact, supporting remote work from anywhere at any time is now largely expected.
Increasing the number of employees categorized as both remote and on-premises expands the surface area they interact with, subsequently increasing the risks and, in turn, increasing complexity for security staff. ZTNA can be used to extend secure access to all users, devices and workloads as workers return to the office. The range of users has expanded greatly as well. Users can be IT administrators, remote workers, contractors, consultants, etc., and even non-human users such as bots, apps, services and devices. So organizations should aim to remove implicit trust from not only users, but also devices – and "devices" can include Internet of Things (IoT) endpoints, VOIP phones, network printers, camera systems, card entry systems and more.
- Copyright © 2022 S&P Global Market Intelligence.
- The content of this artifact is for educational purposes only. 451 Research, S&P Global Market Intelligence does not endorse any companies, technologies, products, services, or solutions. Permission to reprint or distribute any content from this artifact requires the prior written approval of S&P Global Market Intelligence