Today, zero trust is the hot new trend everyone wants to be attached to. It is one of the top three “most exciting” trends identified by our State of Application Strategy 2022 report and has consistently scored high in interest per Google Trends over the past twelve months.
The result is that zero trust is one of the most talked-about—and misunderstood—approaches to security since “shift left” entered the room. Too often, zero trust is equated with a specific technology, like software-defined perimeter (SDP), or a market segment, like identity and access management (IDAM).
This is not really surprising. We saw the same rush to equate specific technologies or products with the “hot new trend” when cloud computing was introduced. Cloud washing was a thing that happened regularly and was often used as a derogatory observation on the actual “cloudiness” of some new product.
So, it behooves me to start with a definition of zero trust. I’m going to do that by quoting my colleagues, Ken Arora and Mudit Tyagi, who already published a great guide on this topic:
This is an important point, and so I will repeat it again: zero trust security is, at its core, a mindset.
That mindset embraces a set of assumptions, and the uses of technologies are consequences of those assumptions.
That means implementing a technology like SDP or API security does not mean you’ve adopted zero trust. There’s no single product you put in place that suddenly means you’re “zero trust compliant” and therefore immune to attacks, breaches, or exploits.
What is true is that SDP and API security may, in fact, be an appropriate tactical response to adopting a zero trust approach. But to get there you need to start with some core assumptions and then decide what the best tools and technologies are that logically flow from them.
To flesh this out, let’s walk through a few examples that, as the title says, lead us to conclude that bot protection and web and API security are part of the “zero trust” toolbox.
Now, this approach also leads to other tools and technologies, like SDP and identity and access control, network firewalls and CASB, and a host of other solutions that mitigate known risks that flow naturally from those assumptions. But you can’t implement just one of them and call your zero trust initiative done. That’s like taking a Tylenol to treat a broken leg instead of visiting a doctor. Yeah, it helps the pain, but it does nothing to actually address the rest of the problem.
Adopting zero trust as a shift in mindset that leads to mitigation isn’t perfect—no method is—but it will get you further down the road of being more adaptable and able to address new and emerging attacks faster and with greater success.
Be safe out there.
You can learn more about modernizing security with a zero trust approach in Chapter 5 of our book, Enterprise Architecture for Digital Business.