Exploring the Myths of Zero Trust

Zero Trust is not a technology. It’s a state of mind, or perhaps a philosophical stance. So believes Rik Turner, Principal Analyst, Emerging Technologies with consulting firm Omdia: “It’s a mindset, and as such it involves as much of a cultural change in a company as it does any actual technology that you’re going to use to enable it,” he says.

Step one of this culture change, he believes, is to move away from previous security paradigms, such as ‘trust but verify’. “You used to log on at the gate, and they would check who you were, verify you, and once you were in, that’s it,” recalls Turner. “That no longer holds. It’s faulty and extremely vulnerable. The Zero Trust mentality is summed up as ‘never trust, always verify’.”

Zero Trust, he says, means no trust for any employee, partner, partner’s employee or contractor, at any time: “It’s across the board, from your internal employees all the way through to the third parties that you let interact with your system. No more trust for any of them.”

The future of getting on to a network lies in authenticating all parties, their identity and the security posture of their device every time they request access to any individual asset within your infrastructure: “It’s about asking for access to a particular application, to a specific asset, to a particular database, and even then only if they meet all the criteria,” notes Turner. “There may be criteria such as time of day. We don’t want just anybody dialling in at two o’clock in the morning, because that’s a bit strange. Equally we don’t want people who normally log in from the UK to suddenly dial in from China. There will be geographic limits here and there that you yourself can choose and set in order to frame the authentication and authorization of that individual.”

It is also important, says Turner, to continuously monitor what a person does once admitted to a network in case another individual hijacks their account: “Suddenly there’s somebody else who appears to have been authenticated at the entry point. So you have to keep an eye on them effectively throughout a session looking for anomalous behavior. Then you can either block them altogether, kill the session, or if you have some level of confidence that it is still them, you’d like to reaffirm that confidence.”
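The per-request criteria and in-session checks described above can be sketched as follows. This is an added example, not code from the article or from any panelist's product; the policy, the user and device names, and the rule that geography or time-of-day anomalies trigger re-authentication while other failures end the session are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Request:
    user: str
    device_id: str
    device_compliant: bool  # outcome of a device posture check
    resource: str
    country: str
    at: time                # local time of the request

# Constructed policy: who may reach which asset, from where, and when.
POLICY = {
    "payroll-db": {"users": {"alice"}, "countries": {"GB"},
                   "hours": (time(7, 0), time(20, 0))},
}
# Assumption: these anomalies justify a re-check rather than an outright block.
SOFT = {"geography", "time-of-day"}

def authorize(req, policy=POLICY):
    """Evaluate a single request; returns (allowed, failed_criteria)."""
    rule = policy.get(req.resource)
    if rule is None:                        # default deny for unknown assets
        return False, ["no-policy"]
    failed = []
    if req.user not in rule["users"]:
        failed.append("identity")
    if not req.device_compliant:
        failed.append("device-posture")
    if req.country not in rule["countries"]:
        failed.append("geography")
    start, end = rule["hours"]
    if not start <= req.at <= end:
        failed.append("time-of-day")
    return not failed, failed               # access only if every criterion holds

def review_session(first, later):
    """Re-evaluate each later request of a session against the first one."""
    for req in later:
        if req.device_id != first.device_id:
            return "terminate"              # session moved to another device
        allowed, failed = authorize(req)
        if not allowed:
            # Re-affirm identity for soft anomalies, kill the session otherwise.
            return "reauthenticate" if set(failed) <= SOFT else "terminate"
    return "continue"
```
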

Turner talks of Zero Trust as sometimes seeming akin to ‘institutionalized paranoia’: “It would certainly be seen as paranoia in your social life,” he notes. “But we are talking about your corporate existence, and the need to defend your corporate assets, your data, your infrastructure, even your people, and sometimes Zero Trust is going to meet resistance. There will be people within your organization who say ‘this is a bit extreme isn’t it?’”

To broaden the conversation, Turner talks to a select panel of security experts from around the tech sector to find out what they are doing to help customers embrace Zero Trust.

“We tell them it’s about trying to give every device, user, anything that enters your network, the absolute lowest level of privilege that you can possibly give to them,” says Jordan LaRose, Director of Consulting and Incident Response, Americas with F-Secure. “But it’s not like you have to throw the baby out with the bathwater. You don’t have to completely strip out everything in terms of privilege. You really need to carefully consider how every single piece of your environment is put together.”

“The first thing we do to help our customers is enable them to do what’s now being called ‘shift left’, in other words build Zero Trust technology into the development and delivery lifecycle, rather than bolting it on later,” explains Galeal Zino, Founder and CEO with NetFoundry. “We’re enabling developers and DevOps and NetOps to do that, which makes life much easier for end users down the line. And then the second thing is what I call ‘journey plus destination’ where we want to give customers the ability to get their organization where they need to go, not just from a security perspective but a business perspective. We need to enable them to take an iterative approach to produce tangible business benefits.”

Chris Kent, Senior Director, Product Marketing with HashiCorp, sees companies moving on from an on-prem world where trust was implied to more of a distributed world where there are multiple clouds and hybrid models: “We really believe that Zero Trust is predicated on the idea of authenticating and authorizing everything based on identity, the identity of the person, the identity of the machine, and that every action that is taken, everything has to be verified,” he says.

Gone are those days of the hardened perimeter, points out Vivek Bhandari, Senior Director of Product Marketing, Networking & Security with VMware. “Back then everything inside was good and anybody could access anything. Now there’s the mindset of the unwelcome guest within our environment. At VMware we’ve been talking to a lot of customers and realised that the environment has become very complex, and so what we are focusing on are some key areas where we have an intrinsic advantage with our platforms to help customers simplify and accelerate their journey to Zero Trust.”

Ian Farquhar is Field CTO (Global), Director, Security Architecture Team with Gigamon, which he says has been involved in a lot of Zero Trust pilots: “It’s important to talk about practical, achievable outcomes because lots of people are asking how to make it work in the real world,” he says. “It’s a difficult transition and you need to troubleshoot and to diagnose and to verify the function of all the controls.”

Bhandari of VMware invites the analogy of somebody breaking into your house and then staying for weeks or months, going from room to room and listening in to conversations: “It’s untenable,” he says. “We can’t imagine somebody doing that in our homes, but yet that is what is happening within our networks today, and that’s why there is all this need for Zero Trust. That’s why we have built in capabilities, leveraging our Carbon Black endpoint solution that is now integrated into the hypervisor for customers. Then you have an agentless experience where you can ubiquitously deploy best of breed EDR technology for server workloads.”

Kent of HashiCorp believes micro segmentation to be interesting and important: “Because one of the ways that we’re seeing the world change is this idea of stepping outside of the realm of the VPNs, the SD-WANs and going more on to the service level,” he says. “That’s why we have a product called Consul, both in an open source and enterprise version, which allows for service networking while securing the access between two services. Database A can talk to application B, and any other request that comes in is just blocked. You’re also encrypting traffic between them.”

Farquhar says that Gigamon has also done a lot of work with micro segmentation, not only in the cloud environment but in the physical environment: “When we are doing Zero Trust, we need to look at the whole network,” he notes. “A lot of people view Zero Trust only through the lens of managed devices. Real networks don’t look like that. I’m sure many people heard the story of the casino in Las Vegas that got hacked through an IoT temperature thermometer in an aquarium in the foyer. The attacker got through and into the casino’s network. So how do we manage this? By looking at the network behavior of every device.”

So how to achieve more widespread Zero Trust adoption in the face of all this complexity and danger? LaRose of F-Secure doesn’t see security as a problem that you can solve but only mitigate: “It’s a problem that you can strategize around, but it’s not something where you’re going to find a silver bullet solution for. It’s something that plays into a wider security strategy that supports a Zero Trust methodology and gives you a chance against these attackers that are coming in through your microwave or through maybe even a microchip in the back of your mainframe.”

Zino of NetFoundry adds that the objective of any company is not Zero Trust, or even security: “It’s delivering an awesome experience to their customers,” he says. “It’s innovating. Those are the actual business goals. Modern companies with modern architectures are multi-cloud. The compute is all over the place; it will increasingly be at the edge as well. We are moving to a distributed compute world where it’s all about the application, not the network. Obviously, no network should be trusted. That’s not the job of the network. The job of the network is to deliver packets. When we make it about the application and we identify, authenticate and authorize based on a number of factors that have nothing to do with the network, then we can properly enable application access not just from a security perspective, but also from a business velocity, agility, extensibility perspective.”

 

  • Editor’s viewpoint: Many people feel somewhat confused about exactly what is meant by ‘Zero Trust’, writes Guy Matthews, Editor of NetReporter. At NetReporter we call it a security framework that demands that all users of a network, and all devices that wish to attach to that network, be authenticated, authorized, and validated on an ongoing basis before being given access to applications and data. Initially coined in 2010 by an analyst from Forrester Research, it is a model that moves beyond the idea of a traditional network edge, acknowledging that networks can be local, based in the cloud, or a hybrid of the two, with resources and users that might be located anywhere. It is increasingly being seen as the basis for securing infrastructure and data in an era of digital transformation, addressing modern cloud-related challenges such as securing remote workers, managing complex cloud environments, and seeing off ransomware threats.

 

Featured Speakers:

Analyst Chair: Rik Turner, Principal Analyst, Emerging Technologies, Omdia

https://omdia.tech.informa.com/

 

Jordan LaRose, Director of Consulting and Incident Response, Americas, F-Secure

https://www.f-secure.com/gb-en

 

Ian Farquhar, Field CTO (Global), Director, Security Architecture Team, Gigamon

https://www.gigamon.com/

 

Chris Kent, Senior Director, Product Marketing, HashiCorp

https://www.hashicorp.com/

 

Galeal Zino, Founder & CEO, NetFoundry

https://netfoundry.io/

 

Vivek Bhandari, Senior Director of Product Marketing, Networking & Security, VMware

www.vmware.com

© Copyright 2021. Business Innovation Leaders Forum. All Rights Reserved. | Privacy Policy
