The annual RSA Conference is a good barometer of where we are in the cybersecurity market. It’s an opportunity to see what everyone’s talking about, as you walk the show floor with approximately 530 exhibitors and 45,000 attendees. It’s a chance to meet up with old friends and colleagues, make new connections and, let’s face it, look for new opportunities. I know I had my fair share of people approaching me asking about openings at Ingram-Micro!
So, I thought it would be good to take a moment and reflect on what I took away from this year’s show. Most of the time I was meeting with partners and end-customers, but I did have a chance to attend a few talks and got an overall sense of some of the conference’s key themes. I think one word was at the center of it all – zero-trust. (Actually, that probably counts as two words?)
The term zero-trust was first coined by my friend, John Kindervag, back in 2012, during his tenure as a Vice President and Principal Analyst at Forrester Research. (Note: he is now Field CTO at Palo Alto Networks.) He described a breakdown in the traditional “Trust but Verify” model that was typically used in cybersecurity. He noted that as soon as someone or something was declared trusted, verification was rarely done, which left organizations open to compromise and misuse.
But, if you eliminate the concept of trust within the network and agree there are no more trusted interfaces, users, packets or applications, then it’s clear everything must be scrutinized, everything must be verified. John laid out three concepts for zero-trust:
- All resources need to be accessed in a secure manner, regardless of location.
- Access control follows a “need-to-know” basis and is strictly enforced.
- All traffic is inspected and logged.
As a result, a zero-trust model makes it a lot harder for employees to misuse their access or for attackers to steal credentials and siphon off sensitive data. A zero-trust model changes your approach to cybersecurity, forcing you to focus efforts on what you really want to achieve – stopping attackers from eavesdropping, stealing data or disrupting your operations.
It’s no wonder it was all over RSA. However, I think it’s interesting that it was such a presence this year, considering the concept has been around for six+ years now. I think it’s because CSOs are still confused about how to make it a reality. There are a lot of products out there that help you achieve a zero-trust model, but not a lot of cohesive policy guidelines that make it a reality, everywhere.
With so many different solutions – network, applications, endpoints, clouds, IoT, etc. – customers are struggling with how to manage everything clearly. Which is why visibility was also all over the show. Everyone claims to provide visibility, but if an organization doesn’t know what it’s looking at or how it all fits together, it’s hard to extract as much value as possible from those insights.
There seem to be links missing that can bring all the people, products and processes together. And, if not addressed, it’s only going to get worse, as the Internet of Things (IoT) and new distributed, cloud-native applications add to the complexity. The hope, I believe, lies in the continuous integration of machine learning, artificial intelligence, automation and orchestration technologies.
These technologies are probably not stand-alone solutions. Most likely they will manifest as capability enhancements or overlay solutions that ultimately make security more intuitive and predictive in its defense. These capabilities will also reduce the time and effort required to create and manage security policies that enforce zero-trust models, which is of paramount importance given the well-documented talent shortage within cybersecurity. They will also enable security to more seamlessly integrate with DevOps, mirroring the continuous deployment models to ensure security can be incorporated into everything.
Despite a lack of buzzwords on the show floor, probably because these capabilities aren’t stand-alone, I have seen a lot of advancements in ML/AI/automation/orchestration capabilities. Ultimately, I think it is these capabilities that will enable organizations to better utilize the security they have deployed and actually realize the zero-trust environment that can keep their business safe.