Demystifying Zero Trust

Zero trust is everyone’s favourite topic at the moment. But underneath its appealing phrasing lies a significant amount of market confusion over exactly what it is. Allow me to bust some myths:

Myth 1: Zero trust is a technology

Zero trust is not a technology that you can buy. Security vendors can’t sell you a zero trust appliance or service. It is a principle that informs security policies and architectures. If zero trust is your principle, Secure Access Service Edge (SASE) is the logical architecture, and Security Service Edge (SSE) is the thing you can buy today to deliver it.

So what is the principle of zero trust? When making data access decisions, you start from an assumption of—literally—zero trust (I like to say “assume breach as a starting point”). Access is granted based on continuous, adaptive and context-aware decisions. This approach started with very basic scopes (identity/device and destination credentials of a private app) and binary “allow/deny” policy options, but with advances in the granular insights that can be derived from security systems, it has been further developed. As standard, it should now use insights into: user behaviour, identity, application risk, data, device, and threat.

Myth 2: Zero-trust network access is the endgame

Zero-trust network access (ZTNA) is an excellent starter project, and an important building block on the way to a secure zero trust architecture. But there are five obvious phases I see in a zero trust strategy. 

• Phase 1: Establish the zero-trust access baseline (i.e. start with zero-trust access)
• Phase 2: Enrich the trust benchmark for authorisation within application activities (i.e. move to “adaptive application access”)
• Phase 3: Apply explicit trust controls to risky destinations (for example, make use of on-demand isolation technologies)
• Phase 4: Continuously investigate and remove excess trust. Adopt and enforce a least-privilege model everywhere (this is continuous data protection)
• Phase 5: Strengthen security and trust posture with a closed-loop refinement of policies (real-time analytics are indispensable here)

To put it simply, network access is just the start of where a zero trust approach can play, but there’s much more benefit to be found when you extend the principle to become data-centric, rather than attempt to align with traditional perimeter security models.

Myth 3: Zero trust is purely a security issue

While it is often initiated by security teams, and the main driver at the beginning may be improving the security posture of an organisation, the principle of zero trust is relevant way beyond the security team, when you acknowledge that security is an enabler to business agility and goals. In practical terms, if architected and implemented correctly, zero trust initiatives aid CIOs with the consolidation of vendors, improved transparency across service integration, and the delivery of operational efficiencies. And since those initiatives span across security, cloud, and networking teams, they can be used as catalysts to foster cross-functional collaboration. 

A robust security posture, informed by zero trust principles, means that:

1. User and data location are no longer limiting factors, so businesses can make geographical adjustments in an agile manner
2. Business teams have the flexibility to onboard new partners, change locations, and explore new business models without their actions increasing the organisation’s risk profile
3. Organisations can pilot new digital solutions and find productivity gains without always wading through time-intensive security authorisations that can take months before an application is allowed to be useful. 

In conclusion, while there *is* a lot of talk about zero trust, it is not just a buzzword. Recent research by TechValidate found that 91% of Netskope customers actively commented on the improvement that Netskope SSE brought to their zero trust posture. A well-executed zero trust approach leads to tangible enhancement of a security posture. Read more about how organisations can embrace zero trust in our whitepaper on the topic.