Partially because of all the marketing fluff – including the firewall and SD-WAN vendors (ironically) rebranding their solutions as Zero Trust or SASE – Zero Trust is suffering from a Rodney Dangerfield-type lack of respect. Or, at the very least, it may be difficult to see the true potential of Zero Trust without filtering through the marketing noise.
So Zero Trust is more secure (if properly implemented). But Zero Trust is not just a better mousetrap – i.e. yet another ‘next-gen’ version of yet another point solution, passing the next-gen torch down the line. Let me not bury the lede too far: Zero Trust, done right, puts security into the nucleus of the application development and delivery lifecycle.
In that sense, Zero Trust can help businesses meet automation, agility and business velocity goals, in a manner similar to virtualization. VMs and containers helped us automate and accelerate app dev and delivery: they abstracted us from the underlying compute infrastructure. Zero Trust, done right (as app-embedded code), abstracts us from the underlying secure networking infrastructure. In a sense, this is the next chapter of software eats world (software has not yet eaten security and networking infrastructure). Code replaces configuration. Infrastructure-as-Code (IaC) meets Security-as-Code (SaC).
Because we are so conditioned to the eternal tug of war between business velocity and security, we are looking past the fact that Zero Trust (done as SaC) can stop the war. We don’t need to compromise velocity for security, or vice versa. We can have both. In fact, I would argue modern businesses *need* both in order to win. We know the slow will lose. We increasingly see that the insecure lose in an always-on, hyperconnected world because security breaches can stop their businesses and impact their supply chains. Investing in security is no longer an insurance policy against internal costs of a breach; investing in security may be necessary to keep the lights on (and keep your supply chain functional). Moving from avoiding potential internal cost exposure to keeping the lights on is a massive change. In that realm, security needs to be put into the nucleus of the app dev and delivery lifecycle. Zero Trust, in Security-as-Code (SaC) form, can enable that.