10 Big Things To Know About Zero Trust Security In 2023
It’s complicated and confusing, and the potential pitfalls are rampant. But many experts believe zero trust is also the key to fixing cybersecurity.
The Zero Trust Shift
It’s one of the biggest trends in cybersecurity, and also one of the hardest to define. Regardless, zero trust continues to grow as a priority for many organizations amid intensifying cyberthreats. What’s happened in 2023, however, is that zero trust has started to get real — with many organizations now actually starting to implement a new cybersecurity strategy based on zero trust principles. And that has revealed a lot.
For instance, nearly a fourth of security and IT leaders reported struggling to get buy-in from other departments around zero trust, according to a CyberRisk Alliance survey. Gartner research, meanwhile, found that just 10 percent of large enterprises are on track to have a “mature and measurable zero-trust program” in place by 2026.
In other words, zero trust is not going to happen overnight.
Still, a wide array of organizations are on the path. When it comes to zero trust, “we’re moving from marketing hype into reality,” said John Watts, vice president and analyst at Gartner, in an interview. Among other things, that means that businesses are starting to encounter some of the inevitable pitfalls.
As part of CRN’s Cybersecurity Week 2023, we’re diving into some of those stumbling blocks, while also highlighting where some of the opportunities are for solution and service providers. We’re also looking at some of the areas of debate — including around what counts as zero trust, whether public cloud can support zero trust and whether that’s even still the best term. We’ve included insights from executives at key industry players in the space including Netskope, Zscaler, CrowdStrike, Illumio and Cloudflare, as well as from security solution providers such as Optiv.
While a brief definition of zero trust can prove challenging, as mentioned, its ultimate goal is less so: Zero trust, according to many experts, is the ideal architecture for thwarting hackers in today’s threat environment. Following the principles of zero trust means implementing more ways to verify users really are who they claim to be, and adding measures to ensure malicious actors won’t get far even if they get past initial defenses.
A variety of security tools have come to embody the idea. Those include identity authentication and authorization tools, especially those that ensure users can’t access more than they need to for their role, a principle known as “least-privileged access.”
Another piece of the puzzle is deploying a modern remote access platform—known as ZTNA (zero trust network access)—which is considered a more secure replacement for VPN. A third element that’s useful for zero trust, micro-segmentation, can prevent a breach from spreading across an organization’s environment.
Trust No One
If there is a snappy definition of zero trust, it’s probably this often-repeated phrase: “Never trust, always verify.” That motto derives from the original 2010 paper on zero trust by John Kindervag, then a Forrester analyst, who coined the term “zero trust” and described the key principles of the concept. Kindervag, who is now chief evangelist at zero-trust segmentation vendor Illumio, continues to advocate for the core principles of zero trust that he outlined more than a decade ago. But in an interview with CRN, Kindervag said he has no illusions about how serious an undertaking zero trust can be.
“Every zero trust environment has to be tailor-made for the [resource] you’re protecting. So you can’t just say, ‘I’m going to roll out this technology or roll out that technology, the way we used to, and maybe hope that I’m going to [achieve zero trust],’” he said. “I know that a lot of people want to do that, because it feels like that’s the ‘easy button.’ But there’s no easy button.”
What follows are 10 big things to know about zero trust security in 2023.