Aug 20, 2025

Does Your Zero-Trust Access Vendor Actually Practice Zero Trust?

Written By

Shir Basok

In a crowded market of zero-trust access solutions, vendors are always looking for ways to stand out. The pressure to demonstrate innovation, especially in the area of AI, has led some vendors to begin training models on the vast amounts of customer data they hold – even framing their ability to do so as a competitive advantage.

But this approach raises an important question: Is it not a violation of the most fundamental zero trust principles to treat customer logs as proprietary data for fueling AI?

And even more significantly, what are the inherent risks that arise when security vendors hold and store sensitive customer data?

What Can Go Wrong When Vendors Hold Your Data

Zero trust is a security framework founded on the idea that no user or device should ever be trusted inherently. The basic mantra of zero trust is “never trust, always verify.” Yet even as zero trust security has gained widespread acceptance in the security community and beyond, security vendors still regularly demand the trust of their own customers.

On the one hand, it may seem understandable that security vendors consider themselves more secure and therefore more trustworthy than third-party vendors in other industries. But if zero trust truly means zero trust, then there is good reason to question the standard practice of vendors requiring customers to hand over encryption keys, credentials, and other sensitive assets in exchange for security and access management tools. Scrutiny is even more overdue now that some vendors have started using customer data to train their AI models.

The fact of the matter is that security vendors should know better than anyone that every organization has vulnerabilities. When security vendors break the zero-trust model by holding and storing sensitive customer data, that data is left at risk of exposure if the vendor is breached or otherwise attacked.  

This is not to imply that security vendors have malicious intentions; they most likely just overestimate their own capabilities or else do not see themselves as part of the zero-trust ecosystem. Still, the primary goal of cybersecurity is to minimize the attack surface for threat actors — and requiring that customers relinquish access to their sensitive data and assets explicitly contradicts this goal. 

A New Cybersecurity Standard for a New Era of Zero Trust 

For years, the cybersecurity industry has advocated for the zero-trust approach — except when it comes to security vendors themselves. This paradox persists despite numerous high-profile security incidents and data breaches involving security companies (in which their customers are often left exposed). Now is the time to adopt a new standard that includes security vendors in the zero-trust framework.  

For Almog Apirion, our CEO and co-founder at Cyolo, true zero trust has always been a guiding principle. In his past role as a CISO, he became increasingly frustrated that every secure access solution presented to him required vendor trust. Eventually, he set out to create Cyolo.  

“When building Cyolo and our secure remote access solution, we refused to accept that we, as the vendor, must require the inherent trust of our customers. Instead, we designed a unique trustless architecture that purposely never stores any customer data,” Apirion explains.

How Cyolo Practices True Zero Trust

Cyolo's approach to zero trust sets a new benchmark for cybersecurity. The Cyolo solution’s architecture ensures that all secrets, data, and encryption keys remain within the customer’s trusted boundaries, eliminating the risk of exposure if Cyolo were to be breached. And because Cyolo has no access to customer data in any environment — whether in testing, quality assurance, production, on-premises, in data centers, or in the cloud — our customers can rest assured that their secrets are safe even if Cyolo is targeted in a cyberattack. 

“The fight against cybercriminals will never be an equal one, and for this reason, we ‘good guys’ cannot be creating extra risk. Why not make cybercriminals’ lives a little harder by practicing what we preach when it comes to zero trust?” says Apirion.

Moving Toward a Real Zero-Trust Future  

The path forward in cybersecurity must include a rigorous commitment to true zero trust, including from security vendors. It’s time for us as an industry to reevaluate the norms around data decryption and commit to developing solutions that do not require vendor trust. By doing so, we can better safeguard our customers against threats and move collectively towards a safer and more secure digital future. 

Shir Basok is Product Marketing Manager at Cyolo.