If Zero Trust is so critical

Why are you ignoring NIST, NSA and the NCSC?

Between August 2020 and February 2021, “the agencies”, National Institute of Standards and Technology (NIST), National Security Agency (NSA) and National Cyber Security Centre (NCSC) have all published final or preliminary (beta) guidance for Zero Trust (ZT) that is applicable to all sizes of organisations. I would suggest to you that the agencies are experts in the field of cybersecurity. So why are vendors and influencers ignoring the agencies’ guidance when proposing to be an advocate of ZT?

Desk research of 26 security vendors (products & services) that I undertook shows that the majority are exploiting ZT positioning in the belief that they have a unique product or service recognised by alternative research group reports but only three (11%) vendors referenced one or more of the agencies. Rather than sticking to [the agencies’] ZT guiding principles and design concepts, it appears there is a belief that deriving new terminology for ZT (I found five) and simply aligning to what the agencies have provided will reap greater vendor ZT acceptance, rather than [possibly] being seen as just another outlier.

SynergySix Suggests

Security Leaders

Acknowledge that ZT is a journey of competency from basic to advanced capability and that you will be evolving your identity, access and authentication policies and processes every year.

• Immediately recognise that the security product(s) you have or will implement are there to support your businesses ZT guiding principles and design concepts.
• Resist approaching this from a product or lack of alignment to the agencies’ recommendations mind-set may hinder your guiding principles and design concepts.

So, ensure that you lead with a secure IT strategy mindset and then ensure your product(s) of choice can ride the journey to advanced capability with you.

Security Vendors

Whatever your belief, ZT has been developed as philosophy and a strategy that when evolved helps your clients’ IT strategy embrace a ‘security-first’ mentality.

• Lead your engagement by acknowledging that ZT is advisory led (service/consultancy) not a product led engagement.
• Identify how your offering advances successful processes, policies and the availability of data for the benefit of the client. 
• Immediately relate to the agencies’ guiding principles and design concepts so they will trigger the recognition of terminology/workflow/process/policy by the security leader, rather than having them having to find alternative definitions and material from across the industry.
• Trust in the use of the agencies’ guidance of ZT as it clearly articulates all the use cases subsequently deemed of valued differentiation in other vendor/research group adaptations (ZTS, ZTNA, ZTXEP, ZTVDC, ZTDP). 

Only once the advisory engagement is underway should you suggest that the client revert to challenging the security product(s) installed. 

Establish a Baseline 

A Zero Trust architecture (ZTA) uses zero trust principles to plan industrial and enterprise infrastructure and workflows - (NIST). Zero trust migration is a journey, and we think you can start yours by knowing your architecture, including users, devices, and services - (NCSC). Embracing a Zero Trust security model and the mindset necessary to deploy and operate a system engineered according to Zero Trust principles can better position them [organisations] to secure sensitive data, systems, and services - (NSA).

Nowhere in the statements above do the agencies infer that organisations’ existing security products are inadequate or that ZT requires you to implement new products in order to adopt, embrace or migrate to ZT principles.

Everything evolves

I totally understand that architectures and frameworks evolve over time. Since John Kindervag first coined the phrase “Zero Trust” and published his first articles on the subject in 2010, it didn’t take long for those who believe they should be heard to throw in their opinions. The issue with the vast majority of these opinions over the last 5 years is that they have been taking the original essence of ZT out of context. Communicators of ZT believe it to be the next headline grabbing market positioning sensation, instilling doubt of functionality and capability of security leader’s previous product decisions.

Zero Trust yes or no?

Anyone that follows my blogs, posts or comments probably knows that I have never liked the term ‘Zero Trust’. In an industry full of fear, uncertainty and doubt, I feel it only adds fuel to the [existing] fire, as the term could imply that everyone and every ZT engagement is out to bring destruction and negativity. But this doesn’t mean I don’t wholeheartedly believe in the premise behind the term. If you have read my papers on User Isolation Protection, I continually encourage businesses to challenge and review their existing access, authentication and identity products and policies. I don’t know why John didn’t simply call it ‘Always Verify’ from the outset, or others change its name? Maybe it wasn’t catchy enough, impactful or marketable?

Pretty spectacularly lax

A strong example where the agencies’ ZT principles would have helped mitigate the effect of a cyber-incident was the [well publicised] SolarWinds incident. [Unfortunately] a great example where the principles behind ZT should have been a no brainer. Amongst all the commentary about the incident’s effects, it is now being blamed on a company intern by current and former execs for a critical lapse in password policy that apparently went undiagnosed for years. As Robin Oldham remarked in his weekly infosec newsletter “If true — and, hey, we have no reason to doubt [Kevin] Thompson’s testimony — then the company’s culture, practices, technical solutions, or assure activities must also have therefore been pretty spectacularly lax: because nothing says ‘good corporate governance’ like getting the intern to set up the build process for a ~$1Bn software company, and then not checking what or how they did it". Keep in mind this wasn’t about the product being used, but the processes and policies.

Security leader first

In the first instance, if I was a security leader I would always listen and be guided by the clear ZT guiding principles and design concepts developed by the agencies above all others. Why? They are independent, have no commercial interest, use diverse panels of cybersecurity experts to formulate their deliverables and are trusted in their opinions by peer security leaders. As a security leader and following initial research into ZT, I would then look at my existing security processes, policies and solutions for alignment to the guiding principles and design concepts, reaching out to my [ZT aligned] product supplier for further capability knowledge. Only after this would I then seek alternative offerings that align to the agencies’ guidance.

Delving into my research

Embracing the agencies

As part of my work, I engage (talk) regularly with security leaders to understand their concerns, issues and challenges. So, I decided to spend some time reviewing how the vendors align their ZT positioning with the agencies to benefit security and IT leaders.

So, I approached this in the manner that I understand a security leader  would and allocated [a rare] 30 minutes to search for the agencies key phrase ‘Zero Trust’. 

An IT strategy done securely

The agencies didn’t show up in the 4 pages of 49 results that I managed to review. But as these organisations do not have the volume of search traffic as commercial vendors or invest in paid advertising this was not a surprise.

From the 49 results presented to me, 22 were from security vendors, 2 research groups and 2 consultancies. Although there was a lack of coverage from the agencies, this was a strong result for this key ‘phrase’. 

Diving into the results, I came across two security vendors that nailed the basis of ZT as it aligns to the agencies’ principles.

• “Zero trust isn’t something you can buy or implement. It’s a philosophy and a strategy. And to be frank, at [redacted], we wouldn’t even characterize zero trust as a security strategy. It’s an IT strategy done securely.” In-house CISO
• "There are no Zero Trust products. There are products that work well in Zero Trust environments and those that don't." Vendor blog (Zero Trust Architecture overview)

In addition, I managed to find two security vendors that directly referenced NIST ZT and another that promoted the NSA ZT model. These three vendors were not those that provided the quotes above.

These mildly encouraging statements from five of the 26 security related providers was the high point of the research.

We know best

Very quickly it became clear that the majority of organisations presented in the search results believe that to highlight their expertise and leadership in ZT they needed to spin the guiding principles and design concepts and create new frameworks and terminology to sell their products and services. 

I was confronted with new terms; Zero Trust Network Access, Zero Trust eXtended Ecosystem Platform, Zero Trust Security, Zero Trust Virtual Data Center, Zero Trust Data Protection. What was wrong with maintaining a common baseline by just using ZT? The alternatives didn’t provide anything new and failed to explain how their product, service or framework aligned to those already provided by the agencies.

We know how to say ZT

The agencies provide a comprehensive overview of the guiding principles and design concepts behind “Never Trust, Always Verify” (ZT). The security providers were obviously hampered by collateral or webpage constraints and the need to get quickly to what they believe is important (the sell). I found only four examples that aligned to at least one of the agencies’ baselines. The remainder provided no real detailed understanding apart from the notional use of “Never trust, always verify”. 

How ZT value helps

The four providers that could explain ‘What is ZT?’, were joined by another two [additional] providers that were able to convey a narrative about the true value of ZT to a business (security leader). The remaining providers diverted away from any alignment to the agencies and immediately hit the sales cycle and started on the feeds and speeds and why “they are a leader in ZT”. Emphasis was more about how they could replace what may already be in situ to resolve their [target organisation] establishment of a ZT environment, rather than approaching this from a ‘customer-first’ purpose and providing advisory recommendations that the security leader would find helpful. 

The power of a report

It appears everyone loves a report. Four providers afforded me links to reports I could access - one authored by the vendor and the other three to industry analyst content that would enlighten me about their [assumed] better proposition and terminology on ZT. Unfortunately, all required me to register my details, sign up for a contract or pay up to $3,000. Everyone is entitled to an opinion but whilst I was acting as a security leader whose time is limited and budgets tight, this is very unhelpful to convince me of your value. If your report is compelling enough, just let me read it and then I will contact you. Being hammered with continuous unwanted emails and phone calls or paying for a report that ends up being of no use, means that you [author] missed the point, not the reader.

But it appears that the mere mention of alignment or inclusion within an ZT industry report (not authored by the agencies) that ranks one provider against others (assuming you meet the inclusion criteria) has a greater value than clearly articulating how you align to the guiding principles and design concepts from the agencies. I conducted a recent qualitative CISO research study for a client, and the CISO's clearly value peer insights and solutions directly aligned to threats over [presumed] leaders referenced in reports when considering security offerings.

What interests me about these industry reports, especially when you consider the earlier comment “Zero trust isn’t something you can buy or implement. It’s a philosophy and a strategy”, is at least 60% of the scoring criteria is on product functionality, not the vendors ability to be considered a valued advisor for ZT. At what point does a mature security product (already measured in another report) turn into a ZT product? Does that mean that these [newly classed] ZT products will no longer be measured in prior industry reports? I’m also concerned that no where in these [leadership] reports do the authoring analysts score the vendor against their alignment to the agencies’ guidelines and design principles. Wouldn’t this help promote a more services or consultancy approach and negate the promotion of a product-first attitude?

Tilt the advantage to the business

When it gets down to the detail of why vendors, analysts and consultancies are referencing ZT, it’s clear. For commercial value. There is nothing wrong in this as the products and services being offered all assist in establishing the appropriate end game, a ZT architecture model that the agencies are encouraging for each unique business.

What is misplaced is the approach that is being taken. A ZT architecture model as defined by the agencies is to help tilt the advantage of security authorisation, access and policy protection in favour of the business rather than the cyber adversary. Wouldn’t it be helpful for the security leaders that consume this information to be presented with content that explicitly emphasises the vendor, analyst or influencers capability to meet these challenges, front and centre?

Recognise real value

Finally, it appears that the emotional commercial attitudes are overruling the agencies’ ZT principles. Product, marketing and sales leaders in the business believe that they need to be vocal in the [ZT] game as an alternative sales and marketing play, allowing them to stand out in the crowd. Ask yourself, how many times did the security leader accept your invitation for a Zoom/Teams/Skype call and open by saying “So tell me all about your Zero Trust products”, rather than the security leader reaching out to you so they could learn how you can assist with their objective of aligning to the Zero Trust guiding principles and design concepts.

Every security vendor or services provider should always believe that their offerings have a value. The litmus paper test to determine ZT value is to present clear and tangible value that drives the ZT principles as outlined by the agencies. As referenced previously “There are products that work well in Zero Trust environments and those that don't”. You don’t need to use speculative beliefs, alternative frameworks or perceptions to be appreciated as adding value in ZT. 

Raising awareness and helping security leaders protect access, authentication and privacy of their business is a challenge, but NIST, NSA and the NCSC have provided the guidelines and design principles to evolve every size of business to achieve this aim. Don’t ignore them.