Zero trust as a strategy is essentially to trust nothing, verify everything. A colleague and I had an interesting chat the other day where we examined how that concept applies to the intersection of device management and identity. I created a decision tree that assesses the positive and negative consequences of accepting certain risks.
Those risks flow from these scenarios:
- IAM vendor A has partnered with MDM/EMM vendors B and C. The IAM system implicitly trusts the MDM. The question we raised to each other was "since when is an integration zero trust?"
- Big vendor D has a patchwork of services, which requires different teams to manage identities and devices. There's internal trust that an insider risk such as a "careless insider" won't drop the ball.
- Vendor E offers integrated IAM and MDM/EMM for a unified approach w/ policy management
Feel free to take a look and add to the discussion. Zero Trust is a strategy, not products, and there are some very appealing solutions on the market. Each has its respective strengths and weaknesses (glass houses and all that).
