I spoke at a conference some time ago and used one of my favourite analogies, which compares zero trust to a Tesla EV and legacy networking to gas-powered cars. It’s a new way of thinking about things, I emphasized.
I had just finished presenting how great zero trust is as a framework – how it reduces complexity and cost while promising better security and more agile operations – when a hand shot up.
“If zero trust is so great,” the audience member asked, “why isn’t everyone already doing it?”
It’s a good question. I once asked it myself. Zscaler research suggests that most organizations (90 percent) have begun some type of zero trust initiative, yet only 22 percent are confident they are using the cloud to its full potential. What’s the holdup?
At the time, I replied with what I thought was a satisfying answer: “Inertia, basically.”
Some see the network as a security blanket. Box huggers feel better protected by extensive solution sets. The spell of “this is how we’ve always done it” is hard to break.
In the time since that day, though, I’ve realized there’s another factor at play: money. Cloud-first security solutions mean legacy vendors miss out on selling rows and rows of boxes. Legacy vendors are finding corner cases, like old telephony systems, to justify holding onto the legacy approach and new boxes. But even one instance of legacy technology preserves the associated operational, maintenance, and management costs. Again, someone continues to profit from complexity.
Better to embrace the transformation wholesale.
An even scarier proposition for entrenched players is losing recurring revenue streams from support, maintenance, upgrades, and add-ons. With complexity comes the promise of profit, so legacy vendors aren’t obliged to innovate in ways that may mean fewer solutions to sell and maintain. When the cash keeps flowing in, there’s little need to push the envelope.
Take telcos, for example
Telcos know they’ll generate more revenue selling multi-protocol label switching (MPLS) WAN services enabled by their proprietary software than through software-defined wide area networks (SD-WAN), so they prioritize selling the former over the latter. Security and efficiency rarely factor into the conversation. The old way pays.
Traditional networks focus on castle-and-moat security and all of the associated appliances that lock down that perimeter. The need for firewalls, proxies, load balancers, etc., has created an entrenched vendor class that abolishing perimeter-focused security threatens with irrelevance or, at best, significant transformation.
But complexity and the stack of appliances often introduce latency, because traffic must pass through additional processing hops before it reaches its destination. Every hop is also a potential point of failure and a place where configuration drift can hide. In addition to threatening reliability, this complicates root cause analysis: when an incident spans half a dozen boxes from as many vendors, finger-pointing is likely and the true source may never be addressed. If a simple model achieves the same end as a complicated one, it’s best to opt for simplicity, all else being equal.
Established interests simply have no motivation to innovate. On the contrary, stymying “revolutionary” change is in their best interests. Fossil fuel producers for a long time sought to undermine the push for renewables. Traditional car companies stalled advances in the electric vehicle market. Smartphones sent entire categories of single-use devices into obsolescence.
The creators of pocket calculators, camcorders, and small digital cameras probably weren’t happy to see their product categories go extinct. We shouldn’t expect the creators of legacy castle-and-moat security appliances or hub-and-spoke networking solutions to be happy either.
Don’t retrofit the engine. Trade in the car
Today, many point-product vendors also see the writing on the wall regarding zero trust and their futures. Of the 90 percent of organizations with zero trust transitions in progress, the top priority is implementing a zero trust network architecture.
But as my colleagues have argued, zero trust means different things to different people. Absent a true zero trust approach – one based on the principles of verifying identity and context, controlling content and access, and finally enforcing policy – vendors have resorted to adding additional functionality to existing solutions and calling them “zero trust.”
Buying more routable firewalls simply because they are cloud-based does not qualify as a zero trust transformation. A firewall hosted in the cloud still places the user on a routable network alongside the resource; once through it, a compromised device can reach whatever else shares that network. Zero trust instead brokers a verified user and device to one application, and nothing more. Buying cloud firewalls is like trying to have it both ways by investing in a hybrid car. Ongoing upkeep, fuel costs, and repairs are still required to maintain an overly complex engine. You have one foot in the future with one stuck in obsolescence. True zero trust architecture, on the other hand, is like the cleaner and simpler future promised by electric vehicles; complexity and maintenance costs are reduced.
Still, inertia is a powerful force. Each petrol station is a reminder of the way we cling to sunk costs. It’s much the same in networking and security. Even in the face of benefits like a reduced attack surface, far less room for lateral movement, and a vastly simplified architecture, some stubbornly stick to the old concepts they’ve always known.
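To make the difference between a routable firewall rule and a per-application zero trust policy concrete, here is an added example that is not part of the original post and not Zscaler’s code. Both evaluators are toy models: the subnet, users, groups, application names and the “compromised laptop” scenario are all constructed for illustration, and the user’s identity is assumed to have been verified upstream (for example by an identity provider) before the policy is consulted.

```python
"""Toy comparison of a perimeter (IP-based) decision and a zero trust
(identity + context, per-application) decision.

Constructed example: networks, users, groups and apps are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Request:
    user: str            # identity, assumed already verified upstream (IdP)
    device_managed: bool # device posture signal (context)
    src_ip: str          # where the packet came from
    app: str             # the application being requested


# Perimeter model: a routable firewall permits a source network to reach an app.
# Anything that gets onto 10.0.0.0/8 inherits access to every allowed app.
PERIMETER_RULES = [
    (ip_network("10.0.0.0/8"), "payroll"),
    (ip_network("10.0.0.0/8"), "wiki"),
]


def perimeter_decision(req: Request) -> bool:
    """Allow if the source address sits inside a permitted network."""
    src = ip_address(req.src_ip)
    return any(src in net and app == req.app for net, app in PERIMETER_RULES)


# Zero trust model: policy is keyed on who is asking and in what context,
# evaluated separately for each application. Location is not a factor.
ZT_POLICY = {
    "payroll": {"groups": {"hr"}, "managed_device": True},
    "wiki": {"groups": {"hr", "eng"}, "managed_device": False},
}
USER_GROUPS = {"alice": {"hr"}, "bob": {"eng"}}  # constructed directory data


def zero_trust_decision(req: Request) -> bool:
    """Verify identity and context, then enforce the per-app policy."""
    rule = ZT_POLICY.get(req.app)
    if rule is None:
        return False  # default deny: unknown app, no path to it
    if not USER_GROUPS.get(req.user, set()) & rule["groups"]:
        return False  # identity is not entitled to this app
    if rule["managed_device"] and not req.device_managed:
        return False  # context check: posture requirement not met
    return True


def reachable_apps(evaluate, req: Request) -> list[str]:
    """Which apps could this request reach under a given model?"""
    return [app for app in ("payroll", "wiki") if evaluate(Request(req.user, req.device_managed, req.src_ip, app))]


# Constructed scenario: bob's unmanaged laptop on the corporate subnet is compromised.
COMPROMISED = Request(user="bob", device_managed=False, src_ip="10.20.30.40", app="payroll")

if __name__ == "__main__":
    print("perimeter reach:", reachable_apps(perimeter_decision, COMPROMISED))   # both apps
    print("zero trust reach:", reachable_apps(zero_trust_decision, COMPROMISED)) # wiki only
```

Under the perimeter model the compromised laptop reaches payroll purely because of the subnet it is on, while a legitimate HR user working from a coffee shop is blocked until she joins that network; under the per-application model the laptop gets only what bob is entitled to on an unmanaged device, and alice is admitted from anywhere once identity and posture check out.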
But there is a way that is simpler, reduces overall cost, and is more secure in the end. You just need to embrace it.