Since RSA this year, the drumbeat of Zero Trust across the market has continued to grow louder. Almost daily, the inquiries and conversations around Zero Trust and ZTX are coming in at an ever-increasing rate. That’s a good thing. In truth, most of the inquiries are from end user clients now, vice the vendor side of the equation. Those conversations focus around a variety of issues, but sooner or later, they all come back to a few questions:

  1. What vendors understand Zero Trust, and how do they help us on our journey?
  2. Where do we start to get to Zero Trust?
  3. How do we ensure that we are getting the value out of these solutions (AKA, not buying more tech to continue marginally solving the same problem)?
  4. Can we see the reference architectures Forrester built?
  5. How do we describe Zero Trust to the board?

Great; those are all good questions. Here are my answers (basically, anyway):

  1. Go look at our Forrester Wave™ evaluation and ZTX ecosystem reports; that’s the ground truth on how we see the industry around ZT right now.
  2. I still say start simple, and that’s IAM/device work. Solve simple solutions where the threat lives and move onward.
  3. What is your strategy going forward, and can you map your goals to your own technology needs?
  4. Yes, yes, you can.
  5. Zero Trust is strategically focused on addressing lateral threat movement within the infrastructure by using microsegmentation and granular enforcement based on user context, data access controls, application security, and the device posture. I then point them to the decade of research we have and tell them to pull from that data set as they see fit.

There are a couple of points to take away here, I think:

  1. Notice that there is no one asking for a literal interpretation of Zero Trust; they all understand this is a strategy and a plan with some framework and technology behind it that can be modified to their particular needs and not a LITERAL implementation of the words ZERO TRUST.
  2. End users are still working on starting down the path. That’s OK. A start is a start, and if they realize this isn’t a sprint, starting fresh is a good way to make changes that matter.
  3. Everyone is looking for guidance and concrete examples, architectures, and “measures” of technology for Zero Trust.

That brings me to my point for those vendors that seek to be included in the upcoming Wave for Zero Trust or the Zero Trust eXtended ecosystem reports. In my opinion, one of the most important criteria for being part of the evaluation for inclusion in this research is being noted by the end user community as “aligned with Zero Trust” or “understanding the tenets of Zero Trust and ZTX.”

The point of the Wave and the ecosystem papers is to try and ferret out what technologies and tools really enable and map clearly to the strategies that Zero Trust espouses. It’s a labor-intensive process as an analyst, but it’s a process that’s even harder for folks with “regular” jobs that are engaged in Zero Trust. The point being that, if a vendor wants to be known as part of the Zero Trust side of the industry or wants to be part of a Wave or research area, the best thing they can do is spend the time and resources to gain mindshare with end user clients as being aligned with Zero Trust.

The way to do this should look like this:

  1. Work to understand how your solution or solutions fit into Zero Trust and ZTX (do some research on your own, or work with us to gain this insight).
  2. Go to market with your approach to enabling Zero Trust using your solutions and gain some market/mindshare (this is where end users start learning and asking about how your solution enables their Zero Trust strategy).
  3. Work to promote/enable Zero Trust in the industry by growing Zero Trust outside the bounds of just your technology (dive in on an industry initiative that helps the collective grow in Zero Trust; there are projects already in place that need help).
  4. Work on being very detailed when the criteria for Zero Trust is released for the Waves, eXtended ecosystem paper, etc.
  5. Continue 1–4. Rinse and repeat.

What you should notice from the above is that the vendors are held to a similar standard as the end user. Zero Trust is not a one-and-done; it isn’t a technology or an end state. This is a process, a journey, a marathon, a grand strategy (as John Kindervag would say). Anyone involved and buying in on the ground being gained in the industry for Zero Trust must understand this and should be willing to play the long game, vendor and end user alike.

Vendors and end users can ride the “Wave” for Zero Trust, but to catch the swell, you must first paddle out, and you must be willing to go with the rising tide, even when the water might be choppy near the shore. Expecting to just catch the Wave standing on the beach is a bad idea and more than likely leads to being crushed under the tsunami around Zero Trust.