Bottom Line: Instead of relying only on security vendors’ claims about Zero Trust, benchmark them on a series of five critical success factors, with customer results being key.
Analytics, Zero Trust Dominated RSA
Analytics dashboards dominated RSA from a visual standpoint, while Zero Trust Security reigned from an enterprise strategy one. Over 60 vendors claimed to have Zero Trust Security solutions at RSA, with each one defining the concept in a slightly different way.
RSA has evolved into one of the highest energy enterprise-focused conferences today, and in 2019 Zero Trust was center stage in dozens of vendor booths. John Kindervag created the Zero Trust Security framework while at Forrester in 2010. Chase Cunningham, who is a Principal Analyst at Forrester today, is a leading authority on Zero Trust and frequently speaks and writes on the topic. Be sure to follow his blog to stay up to date with his latest research. His most recent post, OK, Zero Trust Is An RSA Buzzword — So What?, captures the current situation on Zero Trust perfectly. Becca Chambers’ blog post, Talking All Things Zero Trust at RSA Conference 2019, includes an insightful video of how the conference’s attendees define Zero Trust.
With so many vendors claiming to offer Zero Trust solutions, how can you tell which ones have enterprise-ready, scalable solutions? The following are five ways to demystify Zero Trust:
Customer references are willing to talk and case studies are available. With the ambitious goal of visiting every one of the 60 vendors who claimed to have a Zero Trust solution at RSA, I quickly realized that there’s a dearth of customer references. To Chase Cunningham’s point, more customer use cases need to be created, and thankfully that’s on his research agenda. Starting the conversation with each vendor visited by asking for their definition of Zero Trust either led to a debate of whether Zero Trust was needed in the industry or how their existing architecture could morph to fit the framework. Booth staffs at the following companies deserve to be commended for how much they know about their customers’ success with Zero Trust: Akamai, Centrify, Cisco, Microsoft, MobileIron, Palo Alto Networks, Symantec, and Trend Micro. The team at Leidos Cyber, which was recently acquired by Capgemini, was demonstrating how Zero Trust applied to Industrial Control Systems and shared a wealth of customer insights as well.
Defines success by their customers’ growth, stability and earned trust instead of relying on fear. A key part of demystifying Zero Trust is seeing how effective vendors are at becoming partners on the journey their customers are on. While in the Centrify booth I learned how Interval International has been able to implement a least privilege model for employees, contractors, and consultants, streamline user onboarding, and enable the company to continue its rapid organic growth. At MobileIron, I learned how NASDAQ is scaling mobile applications including CRM to their global sales force on a Zero Trust platform. The most customer-centric Zero Trust vendors tend to differentiate on earned trust over selling fear.
Avoid vendors who have a love-hate relationship with Zero Trust. Zero Trust is having an energizing effect on the security landscape as it provides vendors with a strategic framework they can differentiate themselves in. Security vendors are capitalizing on the market value right now, with product management and engineering teams working overtime to get new applications and platforms ready for market. I found a few vendors who have a love-hate relationship with Zero Trust. They love the marketing mileage or buzz, yet aren’t nearly as enthusiastic about changing product and service strategies. If you’re looking for Zero Trust solutions, be sure to watch for this and find a vendor who is fully committed.
Current product strategies and roadmaps reflect a complete commitment to Zero Trust. Product demos at RSA ranged from supporting the fundamentals of Zero Trust to emulating its concepts on legacy architectures. One of the key attributes to look for is how perimeterless a given security application is that claims to support Zero Trust. How well can a given application protect mobile devices? An IoT device? How can a given application or security platform scale to protect privileged credentials? These are all questions to ask of any vendor who claims to have a Zero Trust solution. Every one of them will have analytics options; the question is whether they fit with your given business scenario. Finally, ask to see how Zero Trust can be automated across all user accounts and how privileged access management can be scaled using Identity Access Management systems including password vaults and Multi-Factor Authentication (MFA).
A solid API strategy for scaling their applications and platforms with partner successes that prove it. One of the best questions to gauge the depth of commitment any vendor has to Zero Trust is to ask about their API strategy. It’s interesting to hear how vendors with Zero Trust-based product and services strategies are scaling inside their largest customers using APIs. Another aspect of this is to see how many of their services, system integration, and technology partners are using their APIs to create customized solutions for customers. Success with an API strategy is a leading indicator of how reliably any Zero Trust vendor will be able to scale in the future.
RSA is in many ways a microcosm of the enterprise security market in general and Zero Trust specifically. The millions of dollars in venture capital invested in security analytics and Zero Trust made it possible for vendors to create exceptional in-booth experiences and demonstrations – much the same way venture investment is fueling many of their roadmaps and sales teams. Zero Trust vendors will need to provide application roadmaps that show their ability to move beyond prevention of breaches to more prediction, at the same time supporting customers’ needs to secure infrastructure, credentials, and systems to ensure uninterrupted growth.
The metrics comprising the index are designed to interpret where companies are on their journeys to becoming Intelligent Enterprises. The following are the 11 metrics that are combined to create the Index: IoT Vision, Business Engagement, Technology Solution Partner, Adoption Plan, Change Management Plan, Point of use Application, Security & Standards, Lifetime Plan, Architecture/Infrastructure, Data Plan and Intelligent Analysis. An online survey of 918 IT decision makers from global enterprises competing in healthcare, manufacturing, retail and transportation and logistics industries was completed in August 2018. IT decision makers from nine countries were interviewed, including the U.S., U.K./Great Britain, France, Germany, Mexico, Brazil, China, India, and Australia/New Zealand. Please see pages 24 and 25 for additional details regarding the methodology.
Key insights gained from the Intelligent Enterprise Index include the following:
86% of enterprises expect to increase their spending on IoT in 2019 and beyond. Enterprises increased their investments in IoT by 4% in 2018 over 2017, spending an average of $4.6M this year. Nearly half of enterprises globally (49%) interviewed are aggressively pursuing IoT investments with the goal of digitally transforming their business models this decade. 38% of enterprises have company-wide IoT deployments today, and 55% have an IoT vision and are currently executing their IoT plans.
49% of enterprises are on the path to becoming an Intelligent Enterprise, scoring between 50 – 75 points on the index. The percent of enterprises scoring 75 or higher on the Intelligent Enterprise Index gained the greatest of all categories in the last 12 months, increasing from 5% to 11% of all respondents. The majority of enterprises are improving how well they scale the integration of their physical and digital worlds to enhance visibility and mobilize actionable insights. The more real-time the integration unifying the physical and digital worlds of their business models, the better the customer experiences and operational efficiencies attained.
The majority of enterprises (82%) share information from their IoT solutions with employees more than once a day, and 67% are sharing data in real-time or near real-time. 43% of enterprises say information from their IoT solutions is shared with employees in real-time, up 38% from last year’s index. 76% of survey respondents are from retailing, manufacturing, and transportation & logistics. Gaining greater accuracy of reporting across supplier networks, improving product quality visibility and more real-time data from distribution channels are the growth catalysts companies competing in retail, manufacturing, and transportation & logistics need to grow. These findings reflect how enterprises are using real-time data monitoring to drive quicker, more accurate decisions and be more discerning in which strategies they choose.
Enterprises continue to place a high priority on IoT network security and standards with real-time monitoring becoming the norm. 58% of enterprises are monitoring their IoT networks constantly, up from 49%, and a record number of enterprises (69%) have a pre-emptive, proactive approach to IT security and network management. It’s time enterprises consider every identity a new security perimeter, including IoT sensors, smart, connected products, and the on-premise and cloud networks supporting them. Enterprises need to pursue a “never trust, always verify, enforce least privilege” approach and are turning to Zero Trust Privilege (ZTP) to solve this challenge today. ZTP grants least privilege access based on verifying who is requesting access, the context of their request, and ascertaining the risk of the access environment. Designed to secure infrastructure, DevOps, cloud, containers, Big Data, and scale to protect a wide spectrum of use cases, ZTP is replacing legacy approaches to Privileged Access Management by minimizing attack surfaces, improving audit and compliance visibility, and reducing risk, complexity, and costs for enterprises. Leaders in this field include Centrify for Privileged Access Management, Idaptive (a new company soon to be spun out from Centrify) for Next-Gen Access, as well as Cisco, F5 and Palo Alto Networks in networking.
Analytics and security dominate enterprises’ IoT management plans this year. 66% of enterprises are prioritizing analytics as their highest IoT data management priority this year, and 63% are actively investing in IoT security. The majority are replacing legacy approaches to Privileged Access Management (PAM) with ZTP. Enterprises competing in healthcare and financial services are leading ZTS’ adoption today, in addition to government agencies globally. Enterprises investing in Lifecycle management solutions increased 11% between 2017 and 2018.
One of the most common questions I get from students is where they can find free cloud computing and enterprise software research.
Few if any of my students work for companies who have subscriptions with the top analyst firms, however. A small group of students are working on a start-up on the side and want to absorb as much market data as they can.
Many of my former students are also in IT management roles, and when they become interested in a specific cloud computing or enterprise topic over time, they write me and ask if I have any data on their subject of interest. I keep the following list updated from them too. To serve all these students I’ve been adding to the list shown below for a number of years. None of these companies are current or past clients and I hold no equity positions in any of them.
The requests are so prevalent in global competitive strategy courses I distribute this list at the beginning of the semester with the following disclaimers.
Many of the cloud computing and enterprise software companies pay to have white papers written and research done. Writing white papers and doing research for an enterprise software vendor client is a very lucrative business for many industry analyst firms. Ethical industry analysts will often insist that a disclaimer be included in the white paper and on the website stating that they and their firms were hired to write the paper or do the research and publish the report.
The reports are intellectual property of the firms publishing them. Enterprise software vendors often pay tens of thousands of dollars at a minimum for reprint rights and the right to provide them on their websites. I advise my students to seek out the copyright and quote policies of the research firm of interest if they plan on re-using the graphics in any published materials or in their blog posts. One example, the Gartner Copyright and Quote Policy, is shown here.
Pay attention to the methodologies used in each report and realize they change over time. This is especially the case with the Gartner Magic Quadrant and MarketScopes. Gartner has been very active this year in refining the Magic Quadrant methodology for example.
The following is the list of cloud computing and enterprise software vendor sites that offer free downloads of cloud computing and enterprise software research:
BMC Software – Many free reports from Gartner, Forrester, The 451 Group and other research firms covering advanced performance analytics (APA), cloud computing, IT Service Management and long-term technology trends. Link: http://www.bmc.com/industry-analysts/reports/
Computer Associates – An extensive collection of cloud computing and enterprise software research organized into the following categories: cloud; data management; energy and sustainability management; IT automation; IT security; IT service management; mainframe; project and portfolio management; service assurance and virtual organizations. CA requires opt-in on the latest research as they use this site as part of their lead generation strategy. Link: http://www.ca.com/us/collateral/industry-analyst-reports.aspx
Cisco Systems – Data Center and Virtualization; includes the latest Current Analysis, Forrester, Gartner, IDC, Lippis and Yankee Group research reports covering Big Data, blade servers, cloud computing, Hadoop, unified data centers and many other topics. Be sure to click across the Computing, Network, Orchestration/Automation, and Network Services tabs to find additional research: Link: http://www.cisco.com/en/US/solutions/ns340/ns857/ns156/ns1094/analyst_reports.html
Microsoft – Balancing the need to support their enterprise applications today and create demand for cloud-based initiatives now and in the future, Microsoft’s series of analyst reports reflect their evolving business model. Microsoft has licensed the latest research from Enterprise Strategy Group (ESG), Forrester, Gartner, IDC, Ovum, Yankee Group and others listed on this site. Link: https://www.microsoft.com/en-us/news/itanalyst/
Oracle – The most comprehensive collection of industry analyst research online for any enterprise software vendor, Oracle has hundreds of research reports available for viewing under their reprint licenses for free, and also for download. The reports are organized into corporate, infrastructure, systems, services, solutions, industries, enterprise applications and regions. Link: http://www.oracle.com/us/corporate/analystreports/index.html
SAS – The most extensive and well-organized online collection of analyst research on analytics and business intelligence (BI) available, SAS makes research available from fifteen analyst firms across six industries on this area of their website. You can find the SAS Analyst Viewpoints section of their website here: http://www.sas.com/news/analysts/
Symantec – Provides downloadable analyst reports in the areas of risk and compliance, endpoint security and management, information and identity protection, messaging security, backup and archiving, storage and availability management, services and emerging trends. ESG, Info-Tech Research Group, Forrester, Gartner and IDC reports are on this page for download. Link: http://www.symantec.com/about/industryanalysts/analystreports.jsp
Teradata – Extensive collection of industry analysis and research organized into the sections of Active Data Warehousing, Active Enterprise Intelligence, Enterprise Data Warehousing, Teradata Analytical Ecosystem and Teradata Integration Analytics. The latest market frameworks from Gartner, Forrester, IDC and other research firms are available for download. Link: http://www.teradata.com/analyst-reports/
According to what Cisco is seeing in the market, the transition to private clouds starts with consolidation of systems and applications to reduce costs, followed by a targeted virtualization strategy.
Cisco sees this as a step to making their customers’ businesses more aligned to line-of-business strategies and goals. The final step is automation, which is the transformation of IT into a foundation for business strategies and future growth.
The following Cisco presentation has several interesting insights into how they are working with their clients to transition from data centers to private clouds. Results customers are achieving are provided throughout the slide deck, which provide a glimpse into the cost, time, and strategy savings from moving to private cloud architecture.
Cisco treads a fine line between showing a private cloud architecture that is entirely proprietary (like Oracle) and educating the market on how they see private clouds evolving. They do this by showing how committed their product strategies are to open integration standards and how critical they see aligning to business strategies first. The net result is a useful 38-page presentation that is worth checking out, to see how they view the progression of data centers to private clouds occurring in the years to come.
Note: I’m not working for Cisco and they did not pay me to write this.
In August 2010, Cisco completed a study that included interviews with 80 enterprise IT decision makers (CIOs, CTOs, and infrastructure VPs) from 43 enterprises and public-sector organizations across industries throughout the US, Europe and India. In addition, Cisco completed one-on-one interviews with 20 subject-matter experts.
The primary focus of the study was on the adoption of the public cloud for enterprise applications. The report Network Service Providers as Cloud Providers Survey Shows Cloud Provision Is a Bright Option can be downloaded here.
Cisco forecasts that the global market for Cloud Computing Service Revenue will be $43.8B by 2013, with SaaS contributing $29.5B, or 67%. Workload migration will also be the greatest in that segment. The study provides additional insight into the IaaS and PaaS key success factors and the implications for network service providers.
The study found that in the Business Processing segment, the greatest near-term opportunity is in SaaS-based ERP, which according to this study is predicted to reach a 13% adoption rate by 2013. This is consistent with International Data Corporation estimates of SaaS-based ERP adoption in comparable time periods. ERP’s growth on the SaaS platform continues to be constrained by lack of Master Data Management (MDM) functionality, lack of pervasive mobile APIs on the several SaaS ERP systems launched, and concerns over security of costing, ordering, production, and quality management data.
Celebrating women’s accomplishments and thought leadership in science and technology, Ada Lovelace Day needs to permeate the cultures of the world. Only when that happens will the coming generations of women have a chance to make the most of their potential in these areas.
Padmasree Warrior of Cisco is a case in point of why this day and the thought behind it are important, especially for young women who are gifted in math and science, seeking role models.
Hidden Brilliance That Needs To See the Light of Day
In the graduate courses I’ve taught, the most surprising aspect of any class is the women of exceptional brilliance who tend to hide their intelligence in science and math, only to show exceptional command of complex concepts on tests. These women, many from Asian, Middle Eastern and Eastern European cultures, would never engage in a fiery debate over the ethics of Internet censorship in China or the best approach to defining an ERP system for a given case study. Yet when they put pen to paper as part of our case studies their work is perfect. Flawless. Excellent. The ones who attended British schools in Hong Kong analyze and write at a level that is well beyond their peers. They have so much talent yet such a reluctance to make the most of it. These are the women who need to hear about Ada Lovelace.
Padmasree Warrior, Senior VP and CTO of Cisco Systems Speaking on Cloud Services
In the following video clip Padmasree Warrior explains the fundamentals of Cisco’s Unified Service Delivery, a key component of their foundation for Cloud Services. At 5 minutes it’s worth watching and listening to.