7 keys to evaluating zero trust security frameworks

Zero trust as a framework for securing modern enterprises has been around for years, but is drawing renewed attention with the increase in cyberattacks. The United States government is pushing for zero trust implementations across all its agencies, and more vendors are jumping on board the already rolling zero trust product bandwagon.

The mix of user need and vendor hype makes zero trust frameworks especially difficult to evaluate. Can a given zero trust solution stand up to close scrutiny? Buyers need to define and test an impartial, balanced set of complex criteria before making their purchase decisions.

Factors to consider include scalability, advanced patch management, and least-privileged access, and that is just the beginning. As automated AI-based network and application discovery gains traction, buyers must be prepared to assess the effectiveness of AI software, which is no small task.

Zero trust meets mega hype

According to a recent ThycoticCentrify survey, 77% of organizations already use a zero trust approach in their cybersecurity strategy. For 42% of respondents, “reducing cyber threats” was the top motivator for adoption, followed by better compliance (30%), reducing privileged access abuse (14%), and inspecting and logging traffic/access requests (also 14%).

Interest in zero trust grew more than 230% in 2020 over 2019, according to Gartner. Twenty to thirty new vendors claim to have zero trust-native products or services every quarter, with at least a dozen or more entirely new solutions announced at the RSA Conference. In fact, over 160 vendors are offering zero trust solutions today. But, as organizations ramp up their spending on zero trust, it’s important to separate hype from results.

On May 12, President Biden released the Executive Order on Improving the Nation’s Cybersecurity. The Order defines zero trust as the architectural standard for the federal government, calling on the Cybersecurity and Infrastructure Security Agency (CISA) to modernize its current and future cloud computing-based cybersecurity capabilities, programs, and services to support the zero trust architecture.

Adopting multi-factor authentication (MFA), employing micro-segmentation, and enforcing least privileged access are table stakes for zero trust architectures. The techniques will see greater adoption in enterprises because they’re mentioned in that Executive Order.

Zero trust is not just about an architecture, and not just about a platform and technology implementation, according to Nayaki Nayyar, chief product officer and president of Ivanti’s Service Management Solutions business.

“It’s really a mindset and a culture that every organization needs not only to start but accelerate given some of the recent challenges that everyone has experienced,” she said recently during a presentation on zero trust at Ivanti Solutions Summit 2021.

Clearly, an in-depth framework evaluation is an essential part of the mindset users must assume as they build their cybersecurity strategies and architectures. The following seven factors help to isolate those cybersecurity vendors capable of providing a solid zero trust architecture today.

Factor 1: Scalability

How well a given zero trust solution can scale from protecting small and medium businesses (SMBs) to large-scale enterprises defines how well its architecture is designed to adapt and flex to an organizations’ changing needs. Track-tested zero trust solutions can just as quickly protect a remote office, regional center of offices, or an entire organization. However, securing SMBs that often act as independent partners to larger enterprises is often overlooked.

Interested in learning more about how SMBs and midsize enterprises can implement a zero trust architecture, I spoke with Chase Cunningham, chief strategy officer at Ericom Software and a retired Navy cryptologist. Cunningham explained that there are significant gaps in SMB and mid-tier enterprise networked workspaces today — gaps that are difficult to close due to reliance on obsolete perimeter-based technologies.

Cunningham says for any zero trust solution to scale and protect SMBs with the same level of security that enterprises achieve, security policy enforcement must occur at the edge, where users, devices, apps, and workloads interact. Scalability also means the system must be transparent to users, so that users can focus on their jobs instead of trying to figure out security. Moreover, the system must be simple to activate, set policy, scale, and modify as an organization’s needs adapt to new circumstances. On top of that, scalability requires a fully integrated, no-cost identity access management (IAM) tool that works with any authentication provider.

Factor 2: A proven track record

To excel at delivering a zero trust solution, a cybersecurity vendor needs to provide one or more ways to gain real-time insights and visibility across all endpoint assets, devices, and data stores. Identifying and isolating rogue devices is also essential for protecting every endpoint. Evaluating potential zero trust vendors on this attribute will quickly separate those who have active R&D programs going on today and push the limits of their machine learning, AI, and related advanced analytics functions.

Another reason this is a helpful benchmark because it’s impossible to fake this functionality on a legacy cybersecurity platform or app that relies on interdomain or group-based controls.

Zero trust vendors who double down on R&D spending around automating network discovery and optimizing workflows are setting a quick pace of innovation. Look for AI-based zero trust apps and platforms with customer references as a good evaluation criterion. Leaders in this area include Akamai, Forescout, Fortinet, and Ivanti. Automated network discovery workflows are an essential element of network access control platforms.

The most advanced zero trust solutions in this area include user and entity behavior analytics (UEBA) anomaly detection, alert-based integration with third-party networks for OT threat detection and response, agentless profiling, and support for hosting on public cloud platforms, including Amazon AWS and Microsoft Azure. Of the many competitors in this area of the zero trust market, the Ivanti Neurons hyperautomation platform shows the potential to deliver value for IT and operations technology (OT) reporting and deterrence.

Factor 3: Protection of human and machine identities

Machine identities (including bots, robots, and IoT) are growing twice as fast as human identities on organizational networks, according to Forrester’s recent Webinar, How To Secure And Govern Non-Human Identities. According to a Venafi study, machine identity attacks grew 400% between 2018 and 2019, increasing by over 700% between 2014 and 2019. These studies and the rapid rise in machine-to-machine breaches over the past 18 months make securing machine identities using a least-privileged-access approach a must for any organization.

Benchmarking vendors claiming to offer zero trust for machine identities need to be validated with customers currently running centralized IAM  across all machines. Ideally, each customer needs to have IAM and privileged access management (PAM) operational at the machine level.

Financial services, logistics, supply chain, and manufacturing companies that rely on real-time monitoring as a core part of how they operate daily need to prioritize this product feature of zero trust vendors. In financial services, machine identities and machine-to-machine interactions are growing faster than IT, and cybersecurity teams struggle to keep up. Leading zero trust security providers for machine identities, including bots, robots, and IoT, are BeyondTrust, ThycoticCentrify, CyberArk, and Ivanti. HashiCorp has proven its ability to protect DevOps cycles that are primarily machine-to-machine based.

Factor 4: Simultaneous endpoint security and IT asset tracking

Benchmarking zero trust vendors’ innovations — their ability to go beyond the basics of endpoint security and deliver more resilient, persistent, and self-healing endpoints — is an area to address. Venture capital, early-stage investors, and private equity investors are all paying attention to self-healing endpoints, as their sales have the potential to outgrow the broader cybersecurity market.

Absolute Software’s recent announcement of its intent to acquire NetMotion is one of several transactions in process. Absolute is one of the few companies publicly disclosing their acquisition plans this year.

Organizations need more automated approaches to identifying endpoints that need self-healing apps, security clients or agents, firmware, and operating systems. Every organization could use greater visibility and control across IT and OT systems. Leading zero trust vendors will have references proving they can deliver IT and OT insights.

In addition, endpoint detection and response (EDR) vendors continue to prioritize integrations with as diverse a base of IAM systems, log systems, zero trust mobile platforms, and anti-phishing email systems as possible. What’s fascinating about this aspect of cybersecurity product development is how varied the approaches are for solving this challenge, as reflected in the recent VentureBeat story on addressing endpoint security hype.

Evaluation in this case is far from simple. As Absolute CTO Nicko van Someren, who has designed, developed, and implemented self-healing endpoints, noted, there is a wide gap between what’s not known about zero trust on endpoint devices and what is known.

His advice: “When evaluating zero trust endpoint solutions, focus on the questions that force vendors to think through where their gaps are what they’re doing to close them.” Moreover, van Someren said, anyone evaluating endpoint solutions can help drive more innovation by using a more Socratic approach — one that constantly questions what one doesn’t know.

Factor 5: Enforcement of zero trust across DevOps, SDLC

Zero trust vendors vary significantly on how effective they are in protecting privileged access credentials across an entire software development life cycle (SDLC). This has become more evident in the wake of the SolarWinds breach, which  showed how vulnerable DevOps teams are to sophisticated, patiently executed hack attempts by bad actors. Ensuring security and DevOps are on the same development platform is itself a challenge. Closing those gaps is one of the most effective approaches to streamlining product development times and delivering a higher quality code base that meets periodic security audit requirements.

Vendors claiming to support zero trust to the SDLC and CI/CD progress level need to show how their APIs can scale and adapt to rapidly changing software, configuration, and DevOps requirements. Leading zero trust vendors in this market area include Checkmarx, Qualys, Rapid7, Synopsys, and Veracode.

Factor 6: Deep expertise in baseline requirements

Leading zero trust vendors continue to invest R&D resources that span a broad spectrum of core authentication technologies. They range from those technologies focused entirely on alleviating passwords or streamlining authentication with greater context and intelligence.

Vendors should go beyond MFA and microsegmentation, as these are the baseline requirements to compete in zero trust opportunities. Look for deep expertise in adaptive authentication and support for context and user role as verification factors in the most advanced zero trust vendors in this area.

The rapid growth of virtual teams is accelerating this requirement. To secure remote workers’ identities and endpoints requires zero trust, automating as many tasks related to authentication as possible to streamline the experience. Of the many zero trust-based innovations in authentication today, Ivanti’s Zero Sign-On (ZSO), now a core part of the platform following the acquisition of MobileIron, relies on proven biometrics, including Apple’s Face ID, as a secondary authentication factor to gain access to work email, unified communications and collaboration tools, and corporate-shared databases and resources. An acid test for whether a password alternative is effective is testing to see how well it can act as a mobile threat defense to the network, device, and identity level.

Among innovative approaches to authentication is the Ericom Software Automated Policy Builder that learns how a policy for zero trust needs to be applied to a user or an application or both, with no input from administrators required.

Factor 7: Encryption algorithms to protect data throughout all processes

Evaluating zero trust vendors on if — and how much — they can enable native OS encryption mechanisms is also a practical approach to separate vendors selling hype versus results.

Just as Zoom upgraded its security to 256-bit AES with GCM (Galois/Counter Mode) in 2020, evaluating zero trust vendors on their support for this standard will help prioritize the most experienced zero trust vendors under consideration. GCM is designed for high-performance data streaming over block transfers, which scales well across virtual teams that rely primarily on web conference calling apps to communicate. GCM also can authenticate encryptions, further supporting a zero trust security architecture.

The more advanced zero trust vendors will also support Transport Layer Security (TLS) 1.2 cipher suites for protecting data-in-transit across the open internet.

Trust is major key

Overall, the seven factors provided here are meant as a roadmap to help guide organizations in selecting zero trust vendors that can scale and support rapidly changing business initiatives.

In evaluating frameworks, it is key to understand how competitive a given vendor is in the fastest-changing areas of zero trust. These include IAM and PAM to the machine identity level, as well as new machine-to-machine zero trust implementations.

A track record of continual innovation in passwordless and advanced authentication technologies and the constant development of encryption algorithms are good benchmarks to apply to any zero trust vendor that an organization might look to confidently engage.