Zero-trust market shows signs of maturity at RSA 2022

Zero trust needed a crucible to burn away the hype and leave the essence of what every cybersecurity vendor has to offer, and the pandemic did that. Akamai, Appgate, Cisco, CrowdStrike, Delinea, Ivanti, Palo Alto Networks, Zscaler and many others either announced their next generation of zero-trust solutions or demonstrated their latest releases at RSA 2022. 

Where zero trust is maturing 

While many in the cybersecurity vendor community still treat zero trust as a series of product features, not an architecture or framework, this year’s RSA proves vendors are maturing their platforms by choosing to solve more challenging problems. CrowdStrike taking on the challenge of providing real-time telemetry data and long-term data archiving with Humio for Falcon and their launch of Asset Graph, which shows the vendors understand zero trust is about architectures and frameworks first. Real-time telemetry data is invaluable in building a zero-trust architecture.

Cisco is introducing the Cisco Security Cloud, demonstrating Cisco Secure Access by Duo and Box, as well as their unified Secure Access Service Edge (SASE) solution Cisco+ Secure Connect Now, which reflects how rapidly zero-trust vendors are maturing. 

In addition, Ericom’s partnership with Cyber Guards to deliver Zero Trust Network Access (ZTNA) to midsize businesses and SMBs brings SASE to businesses who need ZTNA support the most but are often the most budget-constrained.

Ericom’s ZTEdge SASE platform reflects how quickly zero-trust solutions are maturing in the mid-market and for SMBs. Its many innovations in Remote Browser Isolation (RBI) extend to Web Application Isolation (WAI), which enables organizations to allow third party unmanaged device and bring your own devices (BYOD) access to corporate apps, while protecting their data and apps using web-based RBI-based technologies, is another proof point. 

ZTEdge Web Application Isolation (WAI) air gaps public and private web and cloud apps in an isolated, secure cloud environment, where organizations can enforce granular app access and data use policies. Ericom’s been able to deliver this without requiring contractors to install apps or browser extensions, make configuration changes to third-party devices, or use special “corporate” browsers.

John Kingervag created zero trust while at Forrester and currently serves as senior vice president of Cybersecurity Strategyat ON2IT Cybersecurity. An interview he gave during RSA provides guardrails for getting zero trust right. 

“So, the most important thing to know is, what do I need to protect? And so I’m often on calls with people that said, ‘Well, I bought widget X. Where do I put it?’ Well, what are you protecting? “Well, I haven’t thought about that.” Well, then you’re going to fail,” Kingervag said during the interview. 

Signs avendor understand zero trust

Separating the vendors who understand zero trust is becoming easier, given how quickly the landscape is maturing. The vendors who get it realize their systems and solutions are part of an integrated zero-trust architecture. Enterprises don’t “buy” zero trust; it’s an architecture integrated into a given business’s unique workflows. 

During RSA, two standards were released that provide vendors with the guardrails and guidance needed to help serve enterprises. First, the National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) published Implementing a Zero Trust Architecture. The NCCoE is planning to release two additional guides in July and August. 

Kindervag and Chase Cunningham, chief strategy officer at Ericom Software, were among several industry leaders who wrote The President’s National Security Telecommunications Advisory Committee (NSTAC) draft on Zero Trust and Trusted Identity Management. The report defines zero-trust architecture as “an architecture that treats all users as potential threats and prevents access to data and resources until the users can be properly authenticated, and their access authorized.”  

The NSTAC Draft on Zero Trust and Identity Management and the new NCCoE guidelines can help enterprises plan their zero-trust initiatives while helping vendors move away from feature sprawl and deliver streamlined, effective solutions. The NTSAC document provides a five-step process that = Kindervag briefly discussed in his interview at RSA.  

A few key aspects that show a cybersecurity vendor understands zero trust solutions with value and minimal feature sprawl include: 

• Multirole and multicloud support in Identity Access Management (IAM). RSA 2022’s watermark for zero trust maturity is delivering and implementing IAM support for multiple roles, personas and hybrid cloud configurations. IAM vendors doubling down on how to get this right are advancing zero-trust adoption across enterprises today because their customers can use their solutions in more use cases. Zero-trust vendors are innovating rapidly in this area, making it one of the best-kept secrets at RSA 2022. CISOs went to RSA looking to understand how to control multicloud access across AWS, Google Cloud Platform, Microsoft Azure and others on the same IAM platform. Organizations need cloud-based multifactor authentication (MFA) platforms that can support multiple roles or personas at the same time. AWS Identity and Access Management, BeyondTrust, Ivanti, Microsoft, SailPoint and others all support multirole IAM.

• Resilience improves in every release. One of the main messages of Gartner’s top cybersecurity predictions for 2022–23 is that enterprises need to focus more on building resilient tech stacks than attempting to shut down the most prevalent threat of the day. Cybersecurity vendors delivering the most value with their zero-trust solutions already have a track record of delivering resilience in their platforms and systems. Vendors showing maturity in this area include Absolute Software with its continual improvements to Absolute Resilience, Absolute Ransomware Response and a new series of partnerships announced during RSA for its Absolute Application Persistence-as-a-Service (APaaS).  Utopic and WinMagic rely on Absolute’s firmware-embedded technology to monitor and automatically heal their mission-critical security solutions across their customer bases. Akamai, Cisco, Illumio, Ivanti, Palo Alto Networks and Symantec Enterprise Cloud are zero-trust vendors whose product releases over the last two years reflect how each is designing in greater resilience at the tech stack level.

• Achieving scale with integrations. The more adoption any enterprise software gains, the greater the demand for broader integration. Every enterprise’s tech stack is unique, making integration options a challenge. Another of the best-kept secrets of this year’s RSA is how abundant the activity is in this area. It’s a leading indicator of which zero-trust vendors have the most active, varied sales cycles. Absolute Software’s announcement before RSA that they’re partnering with BlackBerry to enable their shared customers to strengthen CylancePROTECT with Absolute Application Persistence capabilities reflects how each achieves greater scale with integrations. The partnership aims to enable joint Absolute Resilience customers to extend Absolute’s firmware-embedded, self-healing endpoint device connections to BlackBerry’s Endpoint Protection Platform (EPP). Box also announced more thorough integrations with Cisco, Relativity, Theta Lake and Splunk. New security enhancements to its core platform were also introduced at RSA that will help admins and security teams protect the flow of content inside and outside the organization and across multiple devices.

Maturity in the zero-trust sector is growing

From a marketing blitz in 2020 to a show of force in 2022 by vendors who understand zero trust and are contributing to their customers’ cybersecurity and risk management, RSA has also moved forward. Fewer vendors, less feature sprawl and more focus on solving complex security challenges were a key part of the show. Enterprises are overcoming their inertia of implementing zero trust, as Kindervag alluded to in his RSA interview. 

“What we’ve done is figured out how to break a massively complex problem called cybersecurity into very small pieces called protect surfaces. And as one friend of mine said, ‘We argued for longer than it took us to build the first zero-trust environment that we built.’ So stop arguing about it and do it,” he said.