What’s Missing from Standard Zero Trust Architectures?

Has your company decided to embrace a Zero Trust architecture?

If so, you are in good company. Interest in Zero Trust security has exploded over the last few years. As evidence —

  • A Google search of “Zero Trust security” pulls up 406,000 results along with advertisements by firms like Illumio, Zscaler, Bettercloud, VMware, Okta, Axis Security, Wondera, Akamai, and Sonrai Security.
  • Forrester Research, who originated the Zero Trust concept in 2010, has published research papers listing over 50 different security vendors that now support the Zero Trust architecture.
  • At the RSA 2020 conference, a CISO from a Fortune 100 company gave a presentation to a packed audience about how his firm has adopted Zero Trust security over the past few years. (It was, to me, the best presentation at the conference, by far.)

What Is Zero Trust?

If you’re not exactly sure what Zero Trust is, you are also in good company. At the RSA conference, I overheard Garrett Bekker, one of the analysts at 451 Research, say that “no one knows what Zero Trust is, but everyone knows they’ve gotta have it”.

The core of Zero Trust is the belief that access to resources should not be granted on the basis of where you are, but on the basis of who you are and how trustworthy you are. Therefore, identity becomes more important for security, including characteristics such as how you are behaving. This is why network security vendors are beefing up their identity awareness, e.g. Cisco bought Duo Security. (And why large enterprises are so interested in Armis, but I’m getting ahead of myself….)

In the middle of a Zero Trust architecture sits a set of access controls. These access controls allow or deny access to resources on the network or in the cloud. They take their orders from a policy engine and a bevy of other controls that include strong authentication, SSO federation, risk assessment engines, and behavioral monitoring systems.

But What’s Missing?

Although I’m happy to say that Zero Trust is alive and well, I’m sad to say that there is an elephant in the room. Something is missing from the standard Zero Trust architecture that most enterprises have by now deployed. Here’s the rub: Almost no attention has been paid to unmanaged and IoT devices, which currently outnumber managed devices in enterprise environments. The following graphic shows the situation that most enterprises who adhere to Zero Trust security principles find themselves in, in the year 2020:

The standard Zero Trust security controls that are commonly available for managed devices simply don’t work well for unmanaged devices, IoT devices and off-network devices such as Bluetooth peripherals. Instead, the most common security approach for unmanaged devices is to allow the devices onto the network, and then ... basically ignore them. In the case of Bluetooth devices such as headsets and keyboards, and Zigbee systems such as building lighting systems, not even this much can be done. This is the antithesis of Zero Trust.
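To make the contrast concrete, here is a small policy decision point written for this post as an added illustration; it is not Armis code and not taken from any vendor's product. It models the controls described above (authenticated identity, strong authentication, device posture from an endpoint agent, a risk score, and behavioral alerts) and compares a legacy location-based decision with a Zero Trust decision. The request fields, resource names, the 0.7 risk threshold and the sample devices are all constructed assumptions. The interesting case is the IP camera: the perimeter model waves it through because it sits on the corporate LAN, while the Zero Trust policy has no posture to evaluate and can only deny, which is exactly why, in practice, such devices end up allowed on and ignored.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of a Zero Trust policy decision point (PDP).
# Field names, resources and thresholds are assumptions for illustration only.


@dataclass
class AccessRequest:
    subject: Optional[str]           # authenticated user/device identity; None if none
    mfa_passed: bool                 # strong authentication completed for this session
    device_id: str
    device_managed: bool             # an endpoint agent exists on this device
    posture_healthy: Optional[bool]  # agent-reported posture; None when unmanaged
    risk_score: float                # from a risk engine, 0.0 (benign) .. 1.0 (hostile)
    behavior_alerts: int             # open anomalies from behavioral monitoring
    source_network: str              # "corp", "vpn" or "internet"
    resource: str


SENSITIVE_RESOURCES = {"hr-db", "finance-share"}  # assumption
RISK_DENY_THRESHOLD = 0.7                         # assumption


def perimeter_decide(req: AccessRequest) -> Tuple[bool, str]:
    """Legacy model: being on the corporate network is the credential."""
    if req.source_network == "corp":
        return True, "allowed: request originates from the corporate network"
    return False, "denied: outside the perimeter"


def zero_trust_decide(req: AccessRequest) -> Tuple[bool, str]:
    """Identity- and trust-based model: location never grants access by itself."""
    if req.subject is None:
        return False, "denied: no authenticated identity"
    if req.resource in SENSITIVE_RESOURCES and not req.mfa_passed:
        return False, "denied: sensitive resource requires strong authentication"
    if req.posture_healthy is None:
        # Unmanaged/IoT device: no agent can attest posture, so the policy
        # engine has nothing to trust. This is the gap the post describes.
        return False, "denied: device posture unknown (unmanaged device)"
    if not req.posture_healthy:
        return False, "denied: device posture unhealthy"
    if req.risk_score >= RISK_DENY_THRESHOLD:
        return False, f"denied: risk score {req.risk_score:.2f} exceeds threshold"
    if req.behavior_alerts > 0:
        return False, f"denied: {req.behavior_alerts} open behavioral alert(s)"
    return True, "allowed: identity, device posture and behavior all verified"


def compare(req: AccessRequest) -> dict:
    """Return both models' verdicts side by side for one request."""
    return {
        "perimeter": perimeter_decide(req)[0],
        "zero_trust": zero_trust_decide(req)[0],
    }


# Constructed sample requests (all identities and device ids are made up).
LAPTOP_FROM_HOME = AccessRequest("alice@example.com", True, "lt-001", True, True,
                                 0.1, 0, "internet", "hr-db")
# IP camera with a certificate-based device identity but no endpoint agent.
IP_CAMERA_ON_LAN = AccessRequest("device:cam-17", False, "cam-17", False, None,
                                 0.0, 0, "corp", "video-archive")
# Managed laptop on the LAN whose risk engine and behavior monitor both object.
COMPROMISED_LAPTOP = AccessRequest("bob@example.com", True, "lt-002", True, True,
                                   0.9, 2, "corp", "finance-share")

if __name__ == "__main__":
    for name, req in [("laptop from home", LAPTOP_FROM_HOME),
                      ("IP camera on LAN", IP_CAMERA_ON_LAN),
                      ("compromised laptop", COMPROMISED_LAPTOP)]:
        print(f"{name:20s} perimeter: {perimeter_decide(req)[1]}")
        print(f"{'':20s} zero trust: {zero_trust_decide(req)[1]}")
```

Running the script prints both verdicts for each sample. The design point is that `zero_trust_decide` never consults `source_network`: the only path to an allow runs through identity, posture, risk and behavior, so a device that can supply none of those is not a policy edge case but a device the engine cannot make a decision about at all.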

The Armis Approach to Zero Trust

Armis has designed a security platform that includes a broad range of security controls similar to the controls shown on the left of the diagram above, but designed for the myriad of devices shown on the right of the diagram. By adding Armis, you can effectively extend your Zero Trust architecture to cover all unmanaged and IoT devices. It’s a bargain, eh?

To learn more about the gaping holes that are present in most implementations of Zero Trust, and how Armis fills the gaps for unmanaged and IoT devices, download our white paper, and register to attend our Webcast on Wednesday, May 27, at 10 AM PDT.
