Between August 2020 and February 2021, “the agencies”, National Institute of Standards and Technology (NIST), National Security Agency (NSA) and National Cyber Security Centre (NCSC) had all published final or preliminary (beta) guidance for Zero Trust (ZT) that is applicable to all sizes of organisations. I would suggest to you that the agencies are experts in the field of cybersecurity. So why are these being ignored by vendors, analysts and consultancies to promote products and services?
Nowhere in the agencies’ guidance could I find where they infer that organisations’ existing security products are inadequate or that ZT requires you to implement new products in order to adopt, embrace or migrate to their ZT principles.
John Kindervag first coined the phrase “Zero Trust” and published his first blogs on the subject in 2010. Anyone that follows me, will know that I have never been a fan of the term. I feel it only adds fuel to the [existing] fire of security fear, uncertainty and doubt, implying that ZT promotes negativity. But this doesn’t mean I don’t wholeheartedly believe in the principals behind the term.
If you’ve read my papers on User Isolation Protection, I challenge businesses to review their existing identity and access products and policies. Personally, I don’t know why John didn’t simply call it ‘Always Verify’ from the outset, or others change its name? Maybe it wasn’t catchy enough, impactful or marketable?
ZT has value now
The agencies’ ZT principles should have been a no brainer for SolarWinds. The latest blame is pointed at a company intern for a critical lapse in password policy that apparently went undiagnosed for years. As Robin Oldham remarked in his weekly infosec newsletter “If true —then the company’s culture, practices, technical solutions, or assure activities must also have therefore been pretty spectacularly lax. This wasn’t about the product being used, but the processes and policies.
The Research
Driven to help security leaders and vendors, I wanted to know why vendors and influencers ignore the agencies’ guidance of ZT? Approaching this in the manner of a security leader I allocated [a rare] 30 minutes to search for the agencies key phrase ‘Zero Trust’.
Findings
The mildly encouraging statements from 5 of the 26 security related providers was the high point of the research.
- The agencies didn’t show up in the 4 pages of 49 results that I reviewed, not surprising as they don’t have the volume of search traffic as commercial vendors or invest in paid advertising.
- 22 results were from security vendors, 2 research groups and 2 consultancies.
- I came across a security vendor that nailed the agencies’ basis of ZT principles.
- “Zero trust isn’t something you can buy or implement. It’s a philosophy and a strategy. And to be frank, at [redacted], we wouldn’t even characterize zero trust as a security strategy. It’s an IT strategy done securely.”
- 2 security vendors directly referenced NIST ZT and 1 promoted the NSA ZT model.
Everything was about the how product aligned to an interpretation of ZT, rather than revealing ZT value and acting as an advisor to the security leader.
- All 26 ZT providers exploited ZT positioning for a unique product or service recognised by research group reports.
- Modified terminology (ZTS, ZTNA, ZTXEP, ZTVDC, ZTDP) from the agencies’ principles of ZT is believed to reap greater vendor acceptance. These alternatives didn’t provide anything new and failed to fully explain how their framework.
- All providers immediately hit the sales cycle and started on the feeds and speeds and why “they are a leader in ZT”.
- Emphasis was about how they could replace what may already be in situ to resolve their targets ZT environment, none approached this from an advisory perspective for security leader value.
Everyone loves a report, but not the ones from “the agencies”
- Four providers required something in return – data, money, registration.
- When you consider the earlier comment “Zero trust isn’t something you can buy or implement…”, why was 60%+ of the report scoring against the product and minimal against advisory capability and agencies’ alignment?
SynergySix Guidance
[As a security leader] I would always listen and be guided by the agencies above all others. Why? They are independent, have no commercial interest, use diverse panels of experts and are trusted in their opinions by peer security leaders.
If alternatives reports were compelling enough, let me read them and then I will contact you. If not, it means that you [author] missed the point, not the me. I don’t have time or wish to pay for a report that could be of no use.
Security Leaders
ZT is a journey of competency from basic to advanced capability whose policies and processes will be evolving continuously. Resist approaching this from a product perspective, they are there to support your guiding principles. Any lack of alignment to the agencies’ recommendations may hinder your guiding principles and design concepts. So, ensure that you lead with a secure IT strategy mindset and then ensure your product(s) of choice can ride the journey to advanced capability.
Security Vendors
Whatever your belief, trust in the agencies’ ZT principles and models that have been developed that as evolved help your clients’ IT strategy embrace a ‘security-first’ mentality. Relating to the agencies’ guiding principles and design concepts triggers the recognition of terminology/workflow/process/policy by the security leader. Your engagement is advisory led (service/consultancy) not product led, identifying how your offering advances successful processes, policies and the availability of data for the benefit of the client. Only once the advisory engagement is underway should you suggest that the client revert to challenging the security product(s) installed.
Tilt the advantage to the business
A ZT architecture model as defined by the agencies is to help tilt the advantage of security authorisation, access and policy protection in favour of the business rather than the cyber adversary. Raising awareness and helping security leaders protect access, authentication and privacy of their business is a challenge, but NIST, NSA and the NCSC have provided the guidelines and design principles to evolve every size of business to achieve this aim.
Wouldn’t it be beneficial to have the security leader reaching out to you [vendor] so they could learn how you can assist with their objective of aligning to the Zero Trust guiding principles and design concepts.
Contributed by Kevin Bailey – Director & Founder, Synergy Six Degrees
Kevin Bailey is the Principal Analyst & Director for Synergy Six Degrees, a cybersecurity go-to-market consultancy. A GTM specialist for over 20 years in the research, evaluation and integration of technology and processes across data, cyber security, SaaS and emerging technologies.
Kevin holds a MSc Marketing (Distinction) and Postgraduate Diploma in Marketing (PDipM), is a member of The Chartered Institute of Marketing (MCIM), an active STEM ambassador and contributor to the UK government All Party Parliamentary Groups (APPG) for Blockchain and Artificial Intelligence.
Kevin is a judge for the 2021 GSMA Global Mobile Awards (GloMo’s) for Authentication & Security.
You can follow Kevin on LinkedIn and Twitter at @baileyk62