What to Look for (And Avoid) with Zero Trust Solutions

Originally published by CXO REvolutionaries.

Written by Sanjit Ganguli, VP & CTO in Residence; Nathan HoweVP, Emerging Technology & 5G; and Daniel Ballmer, Senior Transformation Analyst, Zscaler.

Zero trust architecture is part of a transformation journey that involves both technology and non-technology factors. The technology aspect of the zero trust journey requires the careful selection of a solution that accomplishes the goals of network and security transformation.

When selecting a solution to embrace a zero trust architecture, there are several pitfalls to avoid.

To begin with, organizations should focus on vendors who excel in seven key areas of successful digital transformation. Each of these seven factors is described in its own section below.

Fully address the specific needs of the enterprise

A successful zero trust solution scales for business needs today and, more importantly, for its future goals. Scalability is not simply the mechanism to build out, but to address enterprise needs without sacrificing the function, stability, and protection of the business.

The zero trust solution should:

• provide evidence and transparency of its global cloud deployment
• have documented and validated SLAs for its zero trust services
• have a history of deploying several customer organizations of relevant size and complexity
• deliver all critical functions to all sites without backhauling or hairpinning traffic
• provide inline and out-of-band protection
• offer solutions designed for operational and functional resilience

Core zero trust tenants

Protecting an enterprise and its users must be approached in a way that delivers access on a need-to-know, least-privileged basis. It is imperative to separate the jargon and marketing hype of “zero trust” from the core functionality that defines the term.

To this end, a true zero trust foundation should:

• protect all enterprise services by validating the identity of the entities before allowing conditional access; everything else must be blocked
• check various contexts such as device posture, user risk, etc.
• connect users to specific applications, not the network
• be network-agnostic and eliminate routable networks
• eliminate the attack surface for internal application

Cloud-native infrastructure

Recent industry reports indicate that 85% of cyberattacks come through encrypted channels. This makes the ability to inspect encrypted traffic critical for organizations. Inspecting this traffic at scale, with minimal latency, requires leveraging the power of the cloud.

Only zero trust solutions with properly optimized cloud-native architecture can deliver:

• inspection of all traffic at production scale with minimal impact on performance, based on a proxy architecture
• a single memory scan architecture for decryption at scale
• the experience to guide customers through the steps and challenges of performing SSL/TLS inspection

Flexible, diverse, and scalable

Flexible, diverse, and scalable zero trust deployment options provide organizations all the benefits of zero trust, regardless of geographic location. In other words, security must extend to every user, app, and resource no matter where they are.

Look for vendors offering solutions that:

• can be managed from a central control plane with corporate policies applied evenly and dynamically across all users/devices or IoT/OT communications
• extend the same protections to managed and unmanaged/ BYOD devices, facilitating third-party access for contractors and remote employees without increasing the attack surface
• provide workload-to-workload security that affords DevOps and CloudOps engineers the same zero trust protections for their applications when accessing other workloads, other clouds, or the internet

Optimal end-user experience

The success of any transformation, be it digital, network, or security, is driven by the end-user experience. The ultimate goal of any zero trust project is to improve end-user experience while reducing threat exposure and increasing security.

Therefore, look for:

• a zero trust solution that optimizes the user experience and uses a proactive approach to measure and diagnose problems
• a zero trust solution that collects metrics from applications, endpoints, and network layers to find anomalies and provide root cause analysis
• A zero trust vendor who provides minimal hops between their cloud and popular destinations like Microsoft 365 to minimize latency

Strong ecosystem integrations

Vendors that cobble together a zero trust solution portfolio through acquisitions tend to fall behind in product innovation and often lack interoperability with third parties. Look for zero trust vendors that integrate with leading ecosystem players (like CSPs, SD-WAN, IAM, SOAR/SIEM, EDR, etc.), future-proof their technology, and reduce technical debt. Zero trust vendors who offer rich, API-based, third-party integrations provide operational efficiencies by allowing organizations to orchestrate best-of-breed solutions and avoid vendor lock-in.

Easy to pilot and deploy

Performing a pilot will determine whether a zero trust solution is easy to deploy, performs well in the production environment, and achieves business objectives.

Look for:

• zero trust vendors that can demonstrate a low TCO, a single unified agent, access to a global set of service edges, and a centralized and easy-to-use UI, indicating that maintaining the solution will be straightforward and cost-efficient
• zero trust architecture and design that makes it easy to add on features with minimal additional deployment requirements (like adding more agents or VMs), allowing organizations to take a phased approach to zero trust knowing that moving between phases will not require heavy lifts
• zero trust vendors with a positive track record of being customer-focused, and demonstrate this quality during the pilot