Oh, how time flies! It seems that the whole story of Zero Trust as a revolutionary concept for designing computer networks began just yesterday, but it’s been over a decade already. In fact, the very idea that was later somewhat awkwardly named “de-perimeterization” was being discussed nearly 20 years ago. Back then, in the early 2000s, years before the era of the cloud and ubiquitous presence of smart mobile devices, organizations were already feeling the pressure to reorganize their networks for the digital transformation – establishing communications to their partners, contractors, and even customers, building API-based public interfaces to their data siloes and embracing the early ideas of Internet-scale computing.

In 2009, John Kindervag, back then with the analyst firm Forrester, has come up with the idea that networks should be designed without implicit trust, enforcing strict identity verification and least-privilege access policies for every user, device, or application, regardless of whether they are located in the former local area network or somewhere on the Internet. The deceptive simplicity of the idea and the catchy name appealed to both industry experts and the public, and for over a decade Zero Trust has been one of the hottest buzzwords in IT.

Zero Trust: so close and yet so elusive

Alas, it seems that Zero Trust has been also one of the most elusive buzzwords as well. Back in the same 2009, Google has introduced BeyondCorp, a security framework created as a result of a sophisticated cyberattack on their internal infrastructure and aimed to prevent similar breaches in the future. BeyondCorp shifted access controls from the perimeter to individual devices and users. In a sense, it was a reference implementation of Zero Trust that the company has deployed internally. Now everyone wanted to be like Google!

Unfortunately, being like Google turned out to be somewhat complicated to achieve. Most organizations were looking for off-the-shelf solutions that would completely replace their existing network infrastructures: they were planning on “buying Zero Trust”. Turned out, Zero Trust doesn’t work this way. The very foundational principles of the concept show that Zero Trust is not a product or even a technology – first and foremost it requires a major paradigm shift in many aspects of IT and even core business processes of an organization. The only sensible way to achieve Zero Trust is a long journey where every step solves a specific problem and also strategically brings you a bit closer to the “holy grail”.

The gift that keeps on giving

On the bright side, however, even if the concept itself turned out to be quite hard to get hold of, it has created entirely new markets for innovative security, compliance, and IAM solutions. Without Zero Trust, we would not have software-defined networking and microsegmentation, no cloud access security brokers (CASB), and definitely no Secure Access Service Edge (SASE) platforms. And when the COVID pandemic radically changed our society, the solutions that evolved from the original concept have made our lives a bit easier and safer.

Almost exactly a hundred years before Zero Trust, Vladimir Lenin once said: “The electron is just as inexhaustible as the atom, nature is infinite…”. Well, it seems that this idea is just as applicable to the notion of Zero Trust: over a decade after its conception, it keeps on giving…

But why am I writing this post anyway? Well, two things. First, last week Google has announced BeyondCorp Enterprise, the direct descendant of their original Zero Trust solution. Some of the new features include agentless design (in fact, Google Chrome will be the platform’s agent, but you probably have it already), integrated threat and data protection, and simplified deployment. It seems that after 12 years in development, Google believes that Zero Trust has finally reached the product stage. Is it too ambitious a claim?

Come to the Zero Trust side

Hopefully, we’ll find out soon how BeyondCorp Enterprise fares against competitors – after all, the Zero Trust market is already pretty crowded, with both large companies like Microsoft, Cisco, or Akamai and more specialized vendors like Okta or Pulse Secure already have their own solutions to all your Zero Trust needs. When it comes to the potential ease of deployment and agentless operations, one could, for example, argue that Microsoft's ubiquitous presence on desktops (with Windows), in data centers (with Active Directory), and in the cloud (with Azure AD and Office 365) would make it an even more enticing choice for customers.

After all, the key obstacle to adopting Zero Trust beyond just standalone “quick win” deployments is the need to make the model work in every layer of your IT, from devices and networks to applications and data. Without a carefully planned strategy, it may end up wasting enormous efforts and resources. But how to avoid a Zero Trust disappointment?

Well, here comes a great opportunity to find it out yourself! KuppingerCole is planning an online event on Zero Trust on February 17th, with a focus on “Making Zero Trust a Reality”. We’ll be discussing a broad range of topics and technologies that enable or are enabled by Zero Trust and show how they can solve the very tangible challenges your company is facing during these difficult times.

See also