Featuring

David Holmes, Principal Analyst

Show Notes:

When the Zero Trust security model was conceptualized well over a decade ago, enterprise security was very different than it is today. But just like the cybersecurity function, Zero Trust has evolved and adapted with the times and is likely more useful today than it’s ever been. In this episode, Principal Analyst David Holmes reviews the evolution of Zero Trust and provides his insights on where it will go next. 

The episode starts with Holmes describing his first exposure to Zero Trust while working as a software developer in the early 2010s. He was asked for his opinion on a Forrester report that had been making some waves in the cybersecurity world. “It was like one of those lightbulb moments in your life when you realize that we have been doing everything wrong,” he recalls. 

Holmes says that the original report laid out three core principles of Zero Trust that resonated with him and others in the security world at the time: 

  1. Allow access based on identity, not where the user is coming from on the network. 
  2. Use least-privilege access. 
  3. Assume that you are going to get breached. 

Holmes says the third point is more relevant today than it was then, as a recent Forrester survey found that 74% of respondents’ organizations had been breached at least once in the past year. 

The discussion then turns to how Zero Trust continues to evolve to meet new demands. As an example, Holmes points to the early days of the COVID-19 pandemic, when security teams were scrambling to establish secure VPNs and ensure that the flood of new homeworkers had secure network access. Holmes says that Zero Trust was helpful in getting many organizations back to full productivity efficiently in those early days of the pandemic. 

From there, Holmes turns his focus to the future of Zero Trust, saying that more systems will be designed around it. He says Zero Trust edge is an example of an architecture that uses Zero Trust principles to provide users (both remote and in-office) access, whether the systems are on-premises or in the cloud. He says that, in the next five years, “We’re going to have systems that are not just Zero Trust by design … they’ll have to be Zero Trust by default. But we’re not there yet.” 

Later in the episode, the discussion focuses on how Zero Trust (and, to some extent, confidential computing) can deliver broader business benefits in the future and drive business growth. Examples include opening new business locations in regions once considered too insecure and making acquisitions more efficiently without security being a roadblock. 

Want to learn more about Zero Trust? Check out the agenda for the upcoming Security & Risk Forum in Washington, D.C., November 14–15. Holmes will be hosting a Zero Trust workshop and presenting a keynote entitled “The Future Of Zero Trust Is … Everywhere.”