Gauging the maturity and health of the BeyondCorp and Zero Trust movement is something I admittedly obsess over, which is why I was so pleased to read an in-depth article from Microsoft’s Offensive Security Research titled “Building Zero Trust networks with Microsoft 365”. Microsoft has offered a number of components that form the basis of a Zero Trust system for some time now, but it’s the realization that the architecture as a whole is right for the modern organization that makes this noteworthy, more so than the use of the term itself.
That now makes 2 out of 3 major cloud vendors promoting their own native Zero Trust story, which begs the question – who’s winning? That’s purposefully a loaded question, and here’s my purposefully vague answer – it depends. I do want to unpack a few points from this news, however.
First, the cloud wars are fought a number of ways, with vendor lock-in acting as much-needed defensibility. Now, when you’re a pure Google shop or a pure Microsoft shop, you will naturally gravitate towards the native solution. But how many companies are 100% bought into one provider? Studies have shown that most organizations operate in a multi-cloud fashion, but even beyond that (no pun intended), a Zero Trust system spans much wider than a pure infrastructure decision – it touches people, devices, apps, and services.
Second, in this article, Microsoft is placing the emphasis on the enterprise application suite as the guiding force behind their Zero Trust solution. You might find that curious given their stake as the decades-long de facto leader in enterprise identity via Active Directory. This speaks to where they see the most value from a customer perspective, but there may be some additional subtext in diminishing AD’s role in the modern cloud, as more organizations look to migrate away from legacy back office systems.
Finally, where’s AWS in all of this? Even though they haven’t come out and said as much, it’s relatively safe to assume that they have something in the works. Their existing service catalog already provides many of the primitives to piece together a system yourself, but there is one gaping hole in their offering - a native IdP. I would expect to hear more from them in the near future in this regard, but will refrain from making any bold predictions.
Bringing these points together, it’s our belief at ScaleFT that the majority of organizations operate in heterogeneous environments, and the role of a functional Zero Trust solution is to support any and all through unified, dynamic access controls. The cloud vendors recognize the multi-cloud world, and make the effort to be compatible outside their given realm, but will continue to lure organizations towards their native offer to achieve that ever so valuable state of lock-in. Know that, but don’t necessarily fear it. Make the right call for your organization that leads to the best security and productivity outcomes over the long term. Keyword: long-term.
Here are a few other things that caught my eye this past week.
Multicloud: Taming the Rookery [Medium]
This article from Apigee (now part of Google Cloud) talks about the challenges with regards to heterogeneous environments, and how APIs provide the necessary abstraction layer to make it work effectively. While the article is focused primarily on application architectures, the same theory applies to system architectures. Decoupling logic from the network and legacy systems is a step in the right direction, with Zero Trust as the right supporting architecture to deliver security as an API.
Scaling Network Security: RIP, the Moat [Securosis]
The good folks at Securosis have begun another series of articles, this time focused on scaling network security. As always, top-notch content from them, starting with the realization that the network perimeter is no longer effective as an access control mechanism. They go beyond the obvious declaration of such with specifics, setting the stage for what will certainly be a treasure trove of practical advice. I look forward to the rest of the series.
How to hack your security culture [TechBeacon]
Sensational headline aside, this is a great article that speaks to injecting security into your organizational culture the right way. What I appreciate about this article’s approach is the focus on the people, and making champions out of the folks who advocate for better practices. Incentives really can work wonders.
That does it for this week. Check back this time next week for another set of relevant news, articles, and events. Cheers,
Ivan at ScaleFT