How Cybersecurity Providers Misrepresent the Zero Trust Concept



The zero-trust vision that cybersecurity vendors are selling isn’t the reality enterprises are experiencing.

The disconnect first appears during initial sales cycles, when the promises of simplicity, streamlined API integration, and responsive service encourage businesses to purchase ineffective solutions.

Unfortunately, businesses face more difficulties than the vision vendors promised.

Zero-trust network access (ZTNA), micro-segmentation, and PIM/PAM [privileged identity management/privileged access management] are the only ZT-specific technologies widely used. Numerous other technologies, such as identity and access management (IAM), network automation, and endpoint encryption, can be used to support zero trust, but, by themselves, they do not constitute ZT. A good rule of thumb is that if the vendor didn’t design the product to be ZT, it isn’t.

Zero-trust priorities for CISOs

CISOs prefer to pursue quick, obvious wins that demonstrate value, both to maintain funding and to persuade senior management to invest more in zero trust. Frequently, the first significant zero-trust projects are IAM and PAM. CISOs also want zero trust in their apps, tech stacks, and transaction paths. They are looking for more effective ways to fortify their tech stacks as a part of the ZTNA framework. Many people discover that integrating and securing tech stacks is much more complicated – and expensive – than anticipated. Using current tools to protect off-network assets with zero trust is another top priority. Concerns have also been raised about incorporating zero trust into DevOps cycles in light of the SolarWinds breach. Another top priority is to enable safer, more effective collaboration with zero-trust networks.

Vendors’ assertions that their products can completely cover infrastructures and tech stacks with zero trust are another source of CISO annoyance. Claims of zero-trust-in-a-box must be viewed with skepticism to determine what is being delivered. The misconception is that zero trust is a collection of skills, particularly regarding maturity and technology stack.


High market-growth rates are a hype magnet

Zero trust is one of today’s most rapidly expanding cybersecurity sectors, and its sky-high double-digit growth rates and market valuation attract vendor hype. Vendors who want to help businesses implement their zero-trust initiatives must remove implicit trust from every solution they sell.

Although eliminating implicit trust from a tech stack is extremely challenging, vendors must be dedicated to changing their platforms and systems to adhere to zero-trust principles. The IT infrastructure is rife with implicit trust.

Benchmarking zero-trust vendors

As their IT infrastructure changes to meet shifting risk requirements, enterprise IT and security teams know that zero trust will change. ZTNA initiatives are a never-ending work in progress due to the proliferation of machine identities, new off-network endpoints, and the consolidation of IT systems. It takes time to eliminate implicit trust from tech stacks, implement least-privileged access among users, and replace VPNs, which refutes vendor claims that zero trust can be achieved in a one-and-done fashion.

Zero-trust misrepresentation is sadly quite common, and it appears that no vendor is immune from the temptation to ZT-wash all the products on their truck. One might wish that the practice were restricted to a small number of technologies. As a result, benchmarks are required to assess vendors’ assertions of total customer trust.

ZTNA frameworks’ security relies on endpoints

Even though they make up a small portion of a ZTNA framework, endpoints are the most unstable and difficult to manage. Endpoints are constantly changing, and up to 40% of them are not being tracked at any given time, according to CISOs. According to IBM’s 2022 Data Breach Report, breaches where remote work was a factor in causing the breach cost nearly $1 million more than average. The difficulty is securing endpoints to which the company lacks physical access, as well as company laptops, desktops, tablets, mobile devices, and IoT.


CISOs and their security teams are designing their endpoint security to meet three core criteria of persistence, resilience, and always-on visibility for improving asset management. These enterprise specifications have also been expanded to cover self-healing endpoints that can be monitored even when they are not connected to a corporate network.
