Forrester Research has identified four qualities it says security executives should investigate when selecting a partner to help build a Zero Trust environment. These include strong advocacy of the approach, a commitment to ubiquitous enforcement, support for micro-segmentation, and providing identity beyond identity and access management.
A Zero Trust approach differs from traditional security in that, rather than relying on perimeter defences, it assumes every action inside the ecosystem needs to be verified.
Zero Trust doesn’t refer to a specific technology, but to the application of several technologies that enable it.
According to Okta’s Sami Laine, Director of Technology Strategy, “One of the biggest misconceptions people have about Zero Trust is that Zero Trust is a product, or that Zero Trust is a company or platform that you can implement.” Instead, he said, “Zero Trust is a foundational philosophy change, where we say let’s evaluate every single access.”
The latest Forrester Wave research — called “The Forrester Wave: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019” — places Okta firmly in the leadership quadrant.
The report, written by Chase Cunningham, Joseph Blankenship, Matthew Flug, and Diane Lynch, argues that “Okta makes user-focused Zero Trust easy,” and suggests that Okta’s Zero Trust approach can be summed up by two words: identity rules.
According to the authors, “Since acquiring ScaleFT in the latter part of 2018, Okta has invested heavily to extend the fabric of security-focused infrastructure outward to the end-user and inward for the infrastructure itself.”
The report describes Okta’s approach to Zero Trust enablement as bound to user identity. “Leveraging the connectivity and control the ScaleFT offering brings to the networking pillar of ZTX, the vendor extends enterprise security controls outward to the network edge — be it on-premises, off-premises, in the cloud, or at the local coffee shop.”
The report also praises the employee experience Okta provides. “Okta is doing its thing, and end users never really know that they’re operating in a secure fashion, much less in a Zero Trust system. Of all the vendors we analysed for this research, Okta has the cleanest and most easily usable administrator UI.”
They also write that this is a benefit for anyone administering the technology for a Zero Trust eXtended (ZTX) ecosystem. ZTX is the Forrester definition of Zero Trust — a complete ecosystem and platform allowing complete, contextual assessment of security.
The report also discusses in some detail the areas on which security executives need to satisfy themselves when building a Zero Trust framework.
Actively advocating for Zero Trust
Due to the rapid adoption of Zero Trust and ZTX as security initiatives, Forrester says there is a real need to align more clearly the message and importance of this key strategy. Security pros must understand the benefits of Zero Trust and know how the vendor community can help them achieve their objectives. Forrester’s rationale is that vendors who align themselves to the Zero Trust framework deliver real Zero Trust capabilities, and active participants in the community are well-positioned to educate the market and drive adoption.
Micro-segmentation support
Forrester says that creating microsegments is a critical capability for Zero Trust solutions. It notes that some vendors focus more on users or identities as the point of segmentation; others push for segmentation at the network layer; and a handful of vendors deliver micro-segmentation at the device level. The most important takeaway is that there’s no excuse not to enable micro-segmentation for any company or infrastructure. It’s no longer a question of whether you can do it — the question is how.
Enforce policy everywhere
Vendors need to provide integrated and optimised policy-based offerings that leverage APIs and hook into other capabilities throughout the ZTX ecosystem, according to Forrester. Those with extensive integrations and well-documented APIs are well-positioned to enable policy creation and enforcement across the enterprise.
Provide identity beyond identity and access management (IAM)
Today’s bring-your-own-device (BYOD) world mandates paying attention to the devices that users leverage for work and any operational technology (OT) or internet-of-things (IoT) devices on the network. The report notes that everything has an identity and must be under consideration for ZTX — users, devices, cloud assets, and network segments. Monitoring the behaviours of each identity enables more understanding of what that identity is actually doing, meaning administrators can better identify malicious behaviour.
In the Wave report, Okta achieved the highest possible score of 5.0 across a range of measures including ZTX vision and strategy and advocacy, network security, people/workforce security, automation and orchestration, manageability and usability, and two out of three market presence metrics.
About this author
Andrew Birmingham is the director of the Which-50 Digital Intelligence Unit. Okta is a corporate member of the Digital Intelligence Unit. Members provide their insights and expertise for the benefit of the Which-50 community. Membership fees apply.