“Zero Trust” is the cybersecurity industry’s latest buzzword. In his recent piece, “Zero Trust Is an Initial Step on the Roadmap to CARTA,” Gartner analyst Neil MacDonald explains the zero trust approach with amazing clarity about trust itself.
MacDonald explains that neither trust, nor lack of trust, can be absolute or static. In fact, zero trust is just a starting point, as trust is required in order for work to actually take place. But this means that trust should never be implied; it should be established. Once this is done, trust must be assessed continually, with mandatory visibility into interactions to validate expected behavior.
As MacDonald notes, “Zero-Trust Networking” is probably the more accurate way to state what most customers are trying to achieve. A user or a server being on a specific network cannot be a factor in establishing trust. An IP address is not a "label" that can represent trust. Any access elements that use an IP address to grant or deny access should be considered antiquated.
I see Neil’s thoughts aligned with those of many industry leaders who are driving their businesses to adopt a digital world. A digital business is required to run identically regardless of users' location or network connection. As long as they have access to the internet, business must run. Tying trust to a network invariably stops an organization from adopting digitalization. In the worst case, entire VPCs get added to internal "trusted" flat networks and expose the business to way too much lateral risk. As organizations move to software-defined architectures and cloud-based DCs, it is critical that they don’t use legacy controls to connect networks to networks.
MacDonald calls out several key points for organizations creating a more secure environment:
To improve an organization's security posture, MacDonald recommends implementing two zero trust networking initiatives in 2019: microsegmentation and software-defined perimeter (SDP). In the coming weeks, look for more perspectives from me on this and related topics, including continuous trust assessment, the role of identity managers, SOC, inline enforcement engines, and more.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dr. Manoj Apte is Chief Strategy Officer at Zscaler.