We just wrapped up five months of in-depth research focused on providing some clarity into what technologies from which vendors actually enable Zero Trust (not just talk about it). It didn’t take long to discern those among the vendor community that really embraced the strategic benefits of Zero Trust — and those that seemed to just want to try to ride the rising tide around the explosion of Zero Trust. Our research points and demonstration scripts for the Forrester Wave™ evaluation were aimed solely at getting to the heart of the technical solution’s ability to help an organization move from the typical (AKA, failed) “perimeter” model of security toward a more effective Zero Trust-enabled enterprise.
To offer some examples, we asked vendors to answer some questions and show us a few things, such as:
- How does your solution allow the end user to discover and secure data within the enterprise?
- Show us how the system enables functional microsegmentation but doesn’t hinder practical use of the network.
- Detail how the tool or technology helps secure users and limits their access to critical components.
- How does the system improve visibility into dark corners of the network, and how does the system address cloud networks?
- Show how the system functions as a platform for end users.
This evaluation was difficult to do, as we required vendors to show us the way that they could take an end user from their current state to one of near Zero Trust — and show us all that capability in 9o minutes. Part of that evaluation was to force the vendors to show us an actual realistic deployment of the technology. The solution had to be shown in action, and the technology had to be shown in actual operation — no power points, actual deployment, and functional use.
The final (and most important piece of the whole equation) was to ask the end users of those systems to “tell us how the vendor solution enables your team to achieve Zero Trust for your enterprise.” That single question is where the truth came out, often with a vengeance. Usually, the demonstrations were flawless, and the vendors had a well-scripted and practiced method for espousing the power of their platform, but when the end user responded to us, the story sometimes changed. One of the best end user responses we had after asking about the vendor enabling Zero Trust was:
“We use them for security stuff; I have no idea what the hell Zero Trust is.”
“OK, fair enough. Thanks for the time.”
The demonstrations were good (most of the time); the Wave showed that vendors understand the technology mappings of ZTX and that they understand how to speak Zero Trust (OK, market the term, I mean). And we now are certain that the ZTX model is clarifying this space, as each vendor we evaluated was easily able to break down which pieces of their platforms enabled which pillar of ZTX — it was a beautiful thing to see. The truth in the Wave (and, honestly, the most telling piece) came out from the folks on the ground using the vendor platforms for their journey toward Zero Trust. That’s where this all matters the most, anyway.