How cybersecurity vendors are misrepresenting zero trust
The zero-trust vision that cybersecurity vendors are selling isn’t the reality enterprises are experiencing. The disconnect begins during initial sales cycles, where the promises of ease of use, streamlined API integration and responsive service lead to enterprises buying solutions that don’t work. Unfortunately, enterprises are getting more challenges than the vision vendors sold.
Vendors have a well-meaning, but bad habit, of trying to frame whatever they’ve been selling for years as ‘zero trust, we’ve seen this time and again. There are precious few ZT-specific technologies: zero-trust network access (ZTNA), micro segmentation and PIM/PAM [privileged identity management/privileged access management]. Many other techs, like identity and access management [IAM], network automation and endpoint encryption can be used in support of zero trust, but they aren’t ZT, by themselves. A good rule of thumb is that if the vendor didn’t design the product to be ZT, it isn’t.” David Holmes, senior analyst at Forrester.
CISOs’ zero-trust priorities
To keep funding in place and convince senior management to invest more in zero trust, CISOs like to go after quick, visible wins that show value. IAM and PAM are often the first major zero-trust projects undertaken. CISOs also want zero trust across their apps, tech stacks and transaction paths. They’re after more efficient approaches to hardening their tech stacks as part of a ZTNA framework. Many find that integration and securing tech stacks is far more complex and costly than expected.
Also, high on CISOs’ priority lists are how they can leverage current tools to protect off-network assets using zero trust. Given the SolarWinds breach, there are concerns over integrating zero trust into devops cycles. Enabling more secured, efficient collaboration across zero trust-enabled networks is also a priority.
Another CISO frustration is vendors’ claims that their solutions can provide complete zero-trust coverage for tech stacks and infrastructures. Zero trust-in-a-box claims must be met with skepticism and due diligence to see what’s being delivered.
Everyone is trying to solve the same problem, which is how do you help the customer defend against breaches.”
To be fair, every vendor is trying to do that, the misrepresentation, if you will, is that zero trust is a set of capabilities, especially the maturity and the technology stack. You realistically really can’t go to a vendor and say, ‘Sell me a zero trust, a product, a SKU.’ I’m not going to Walmart and saying, ‘Hey, give me a zero-trust box and I’m ready to go.” Kapil Raina, VP of zero trust, identity, and data security marketing at CrowdStrike.
High market-growth rates are a hype magnet
Zero trust is one of the fastest-growing cybersecurity sectors today, and its soaring double-digit growth rates and market valuation are a magnet attracting vendor hype. Vendors need to eradicate implicit trust from all solutions they sell if they’re going to assist enterprises in achieving their zero-trust initiatives.
While eradicating implicit trust from a tech stack is very difficult, vendors need to be committed to modifying their systems and platforms to reflect zero-trust principles. “Implicit trust is rampant throughout IT infrastructure. So, where are you going to start? How are you going to do this? That’s what they’re asking. And so ultimately, you’re going to translate that into your set of initiatives as an organization,” Neil MacDonald, a Gartner VP analyst, during a recent webinar, Cut Through Zero Trust Hype and Get Real Security Strategy Advice.
Zero-trust market estimates all show solid, multiyear growth. Gartner’s latest forecast [subscription required] predicts end-user spending on zero trust will soar from $891.9 million this year to over $2 billion by 2026. Gartner’s latest market estimates also predict that end-user spending for the information security and risk management market will grow to $172.5 billion this year, with a constant currency growth of 12.2%. The market is predicted to reach $267.3 billion in 2026, with a CAGR of 11% between 2022 and 2026
Benchmarking zero-trust vendors
Enterprise IT and security teams realize that zero trust will evolve as their IT infrastructure adapts to changing risk requirements. Proliferating machine identities, new off-network endpoints and consolidating IT systems make ZTNA initiatives a continual work in progress. Removing implicit trust from tech stacks, getting least-privileged access adopted across users, and replacing VPNs is a slow process, defying one-and-done claims of vendors misrepresenting zero trust.
One wishes that zero-trust misrepresentation were limited to just a handful of technologies, but sadly the practice is quite ubiquitous, and it seems that no vendor is immune from the temptation of ZT-washing all the products on their truck.”
Therefore, benchmarks are needed to evaluate vendors’ claims of zero trust from a customer perspective. A series of them are provided here:
Benchmark 1: Are human and machine IAM and PAM core to the vendor’s platform?
IAM and PAM are table stakes for enabling ZTNA in any organization. Organizations who start their ZTNA frameworks with IAM and PAM often have the highest probability of success because it’s a quick, visible win across the organization. Identifying which vendors have customers running IAM and PAM for machine and human identities is a good truth test.
The best ZTNA platforms protect machine, human and identity stores (Active Directory) from cyberattackers looking to breach IAM and PAM systems and take control of infrastructure and servers. “This is what happened with SolarWinds. They [cyberattackers] attack the identity systems, and it’s hard to find the bad guy’s minting credentials.”
Cloud, devops, security, infrastructure and operations teams also have unique machine identity management application requirements. Unfortunately, vendors have misrepresented how practical their machine identity management approaches are in a hybrid cloud environment. Two sessions at Black Hat 2022 explained why machine identities are the most vulnerable.
Leading vendors delivering IAM and PAM systems for human and machine identity management include Amazon Web Services (AWS), CrowdStrike, Delinea, Ivanti, Keyfactor, Microsoft, Venafi and others.
Benchmark 2: How well does their zero-trust platform support existing cybersecurity investments?
The more advanced zero-trust platforms can integrate with security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platforms at the API level. Therefore, it’s a valuable benchmark to see which vendors have APIs and pre-integrations to the leading SIEM vendors, including Splunk Phantom and Palo Alto Network’s Demisto.
Another factor to consider is how well a zero-trust platform supports Microsoft ADFS, Azure Active Directory, Okta, Ping Identity and Single Sign-On (SSO). There also needs to be integration available for CASB (cloud access security broker) vendors for SaaS (software-as-a-service) protection, including Netskope and Zscaler.
Benchmark 3: Do they support a risk-based policy approach to zero trust?
The most advanced zero-trust vendors have designed architectures and platforms with dynamic risk models. They only challenge user logins and transactions when risk changes at the user and machine identity level. The goal is to ensure continuous validation without sacrificing users’ experiences.
Best-in-class risk-based vulnerability management systems have integrated threat intelligence, can produce comprehensive risk scores, and rely heavily on artificial intelligence (AI) and machine learning-based automation to streamline risk assessments. For example, Falcon Spotlight, part of the CrowdStrike Falcon platform, is noteworthy as the only platform that integrates threat intelligence data from the company’s threat hunters, researchers, and intelligence experts.
Expert threat hunters connect insights and knowledge they create to specific CVEs, providing enterprises with the data they need to protect their infrastructure from attack. Delinea, IBM, Microsoft, Palo Alto Networks, and others take a risk-based approach to zero trust.
Benchmark 4: Are their architectures and platforms NIST 800 compliant?
Vendors who have successfully developed and deployed zero-trust applications and platforms will be able to show how they comply with the NIST framework. NIST SP 800-207 compliance is a kind of insurance to any organization adopting a zero-trust solution, which means the architecture doesn’t need to change if a CIO or CISO decides to switch vendors. It’s best to ask for customer references from those who migrated on and off their ZTNA platforms to gain further insights.
To your point with NIST being table stakes, that’s right, That’s the foundation for so many other following-on steps. For example, CrowdStrike is a founder of the Cloud Security Alliances’ ZTAC, the Zero-Trust Advancement Center. The idea was to take something like a NIST and then build it into [more of a] practitioners’ guide.”
Benchmark 5: Do they integrate zero trust into devops and SDLC cycles?
Another useful benchmark is how well a vendor claiming to offer zero trust is integrated into devops and systems development lifecycles (SDLCs). Security is often added to the end of a devops project when it needs to be integrated from the start. Zero-trust platforms are essential for securing devops and SDLC at the human and machine identity levels. Vendors claiming to provide zero trust to the SDLC, and CI/CD progress level need to demonstrate how their APIs can scale and adapt to rapidly changing configuration, devops and SDLC requirements. Leading zero-trust vendors in this market include Checkmarx, Qualys, Rapid7, Synopsys and Veracode.
ZTNA frameworks’ security relies on endpoints
Endpoints are only a small part of a ZTNA framework, yet the most volatile and challenging to manage. CISOs know endpoints are in constant flux, and enterprises are not tracking up to 40% of them at any point in time. According to IBM’s 2022 Data Breach Report, breaches where remote work was a factor in causing the breach cost nearly $1 million more than average. The challenge is to secure BYOD devices and company laptops, desktops, tablets, mobile devices and IoT, including endpoints to which the organization doesn’t have physical access.
CISOs and their security teams are designing their endpoint security to meet three core criteria of persistence, resilience, and always-on visibility for improving asset management.
In addition, these enterprise requirements have been extended to include self-healing endpoints that can be tracked even when they’re not on a corporate network. One of the more innovative providers of endpoint solutions is Absolute Software, which recently introduced the industry’s first self-healing Zero Trust Network Access solution. Their Absolute Resilience platform provides endpoint asset management data, real-time visibility, and control if the device is on a corporate network.
In addition, they’re partnering with 28 device manufacturers who have embedded Absolute firmware in their devices, providing an undeletable digital tether to every device to help ensure a high level of resiliency.
Additional endpoint solutions include Microsoft’s Defender Vulnerability Management Preview, now available to the public, providing advanced assessment tools for discovering unmanaged and managed devices, CrowdStrike Falcon, Ivanti Endpoint Manager, Sophos, Trend Micro, ESET and others.
Don’t forget that you can look at Forrester Wave reports. In the last year, we’ve published evaluative, comparative research on 30+ vendors across ZTNA and micro segmentation, and we pick the winners and almost winners. That’s what we’re here for, beyond that, you have to determine if the vendor tech functions like, or depends on, a VPN, or allows one host on a network to attack another; then it’s not zero trust.”