Jason Garbis, December 14, 2022
Q&A with Webinar Guest Forrester: Zero Trust Maturity and the Role of ZTNA
What are the logical phases of achieving Zero Trust maturity, and what is the role of Zero Trust Network Access (ZTNA) throughout the journey? Guest speaker David Holmes, Senior Analyst at Forrester, and I recently tackled the topic on a live webinar. In this deep-dive follow-up Q&A, David gives additional guidance for those who have started, or are thinking about starting, their Zero Trust security journey.
Just like Neapolitan ice cream, the webinar had a little something for everyone interested in Zero Trust regardless of where you are on your journey. Vanilla for those thinking about starting, chocolate for those who have already started, and strawberry for anyone who is well down the path of implementing Zero Trust security and wants to reach a deeper level of maturity. David and I discussed:
- Being prepared with discovery, classification and inventory
- Controlling identity for users and devices
- Providing Zero Trust access to applications
- Improving visibility, automation and orchestration
- Applying Zero Trust security to the network
Follow-up Q&A with David Holmes
Q: What are key characteristics of a mature Zero Trust security program?
A: If your organization is going to get serious-serious about Zero Trust, you’ll be investing time into processes that help you gather and maintain information, and then into automation to respond to threats in an automated fashion. The information that you’ll need to gather, review and maintain includes tracking down your company’s data and maintaining a data classification program. Similarly, you’ll build and maintain a device inventory that includes not just user desktops, laptops and mobiles, but also network infrastructure appliances and IoT and OT devices. None of the above is easy.
A mature Zero Trust security program will include collecting and maintaining leading, lagging and coincident metrics. These metrics will include how many data sources and applications have achieved isolation out of the total, and how many of the ones that aren’t isolated are under a disciplined vulnerability management program. The program will also collect and maintain metrics associated with user privileges and how they change as personnel’s roles change.
Automating threat response is the holy grail of cybersecurity but most organizations struggle with even the most rudimentary automation, which is unfortunate because the cybersecurity skills shortage is not letting up, and the shaky world economy will only create more attackers.
Q: Why is Zero Trust access critical to maturing an overall Zero Trust security architecture?
A: Zero Trust access is the first and most effective way that organizations can really start to sink their teeth into building a mature Zero Trust security strategy. Zero Trust access solutions provide both security benefits (better security, replace user VPN) and business benefits (better remote work solutions). They can also be deployed app-by-app so organizations can bite off only what they can chew. Ultimately, a comprehensive Zero Trust access solution will reduce attack surfaces by replacing open ports; enforce the principle of least privilege by only granting access to microsegmented resources; simplify access with a unified policy engine and offer API-driven integrations that work with existing enterprise architectures.
Q: What are the most common misconceptions when building a Zero Trust strategy?
A: The number one common misconception that well-meaning CIOs often have is that because they entered into an agreement with an 800-pound gorilla vendor, they are now “Zero Trust compliant.” This is a fallacy for a couple of reasons. The first is that there is no sanctioned compliance regime for Zero Trust (yet). The second is that no single vendor, not even the trillion-dollar ones, offers all the technology to do Zero Trust. And even if they did, there is still the main work of collecting information like data sources, classifying and categorizing that data, and matching it up to the roles within the organization.
Q: What are the operational benefits of Zero Trust access?
A: While improved cybersecurity is the main value proposition for Zero Trust access, there are secondary operational benefits, too, such as:
- Replacing a VPN for the day-to-day, normal user can result in an improved remote work experience.
- Third parties and contractors can be given Zero Trust access to specific applications that they require (and only those applications), without requiring a software download. During the pandemic, organizations like universities used Zero Trust access in exactly this way. With Zero Trust access, they could give their students (who are third parties) access to the testing apparatus without exposing those applications to the internet or giving the students access to the entire internal network via VPN.
- Zero Trust access has an interesting use case in acquisitions. Instead of merging two networks together and thereby exposing both to the possible APTs and vulnerabilities of the other, the buyer can simply use Zero Trust access policy enforcement points and proxies to get access to the target’s applications. This is a much safer case, and organizations that grow primarily through frequent acquisition would be wise to copy their competitors who already do this.
Q: What tips or suggestions do you have to help enterprises avoid common mistakes in their Zero Trust journey?
A: One gotcha to watch for ... many vendor marketing machines overreach and attempt to frame their existing, sometimes ancient tech as Zero Trust. If you know the vendor and they have been selling the well-known tech for decades, you can bet it’s not Zero Trust. Because if it worked in that way, we wouldn’t even have Zero Trust as a concept today, because it wouldn’t have been necessary. When it comes to deploying technology to implement Zero Trust directly, you should be looking for tech designed and built after about 2012 at the earliest. Sure, there are many foundational technologies that support Zero Trust security, but for direct Zero Trust itself you’ll be looking for Zero Trust access solutions, microsegmentation and privilege management solutions.
Thanks again, David ... talking with you is always a pleasure!