Defining (and Redefining) Zero Trust


By: Andrew Braunberg

Earlier this year, Microsoft (Nasdaq: MSFT) made a startling announcement regarding its security business. According to the vendor, this segment of the company’s business has surpassed $10 billion a year in revenue.

Microsoft makes clear that it considers “security” to include its traditional security products and services as well as its compliance, identity, and management businesses. But still, that is a healthy run rate. And we think this is a logical bundling that makes even more sense when you look at Microsoft’s strategic vision for its security business.

Microsoft is betting big on the idea of Zero Trust. According to the company’s announcement, a “Zero Trust mindset … is the cornerstone of effective protection, the foundation for organizational resilience, and the future of security.” The word mindset is important because Microsoft also makes clear its position that Zero Trust is not and will not ever be delivered as a standalone product. Rather, it is a philosophy about how to approach living and working in a digital world.

How Zero Trust Has Evolved

Zero Trust is a concept that has been gaining considerable traction over the last decade. As it has become more popular, it has also become more comprehensive. When first evangelized by research analyst John Kindervag a decade ago, Zero Trust was chiefly focused on network segmentation, and it addressed the lack of a defensible perimeter to protect the enterprise. The idea was simple: Don’t trust any traffic, regardless of location, and verify every request before allowing connections.

Zero Trust has become so mainstream that the U.S. National Institute of Standards and Technology (NIST) put out a guidance publication on Zero Trust Architecture (NIST SP 800-207) last summer. The report notes that Zero Trust “is not a single architecture but a set of guiding principles for workflow, system design, and operations.” NIST defines Zero Trust as “a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.” It recommends a focus on “authentication, authorization and shrinking implicit trust zones.”

Not surprisingly, identity management and next-generation firewall (NGFW) vendors were early to embrace the Zero Trust concept. Indeed, Kindervag moved over to Palo Alto Networks (NYSE: PANW) about five years ago to help the company better incorporate Zero Trust into its line of network security products. But interestingly, in March 2021, Kindervag left Palo Alto and took a job with managed security services provider ON2IT. ON2IT is a much smaller company but one with a potentially broader view of Zero Trust.

The Current Outlook on Zero Trust

Network segmentation will remain a key requirement for Zero Trust implementations, but a holistic embrace of Zero Trust also needs to address data, people, devices, and workloads. This expanded view of Zero Trust becomes increasingly compelling because it applies security to every use case.

This brings us back to the fact that Zero Trust is not a product. There are, however, a host of products and services that have been built with the goal of creating a larger Zero Trust architecture. For example, many of the components of Secure Access Service Edge (SASE) solutions are compatible with a Zero Trust vision.

As part of Futuriom’s expanded security coverage, we will release a Market Trend Report next month taking a closer look at Identity-Based Access and Zero Trust Security.