Zero Trust – Big Aspirations, High Hopes, What Next
In the world of Zero Trust, there appears to be some dichotomy between action and confidence. A recent Cybersecurity Insiders survey of over 400 IT security professionals found that while 73% of organizations have or plan to implement Zero Trust capabilities this year, nearly half of respondents lack confidence in its application. Here are some highlights of the published Zero Trust Progress Report.
The sheer volume of cyberattacks and the enormity of data breaches in 2019 have challenged the veracity of secure access defenses, even in well-funded organizations. While the average consumer may be desensitized to breach news and how much of their personal data exists on the dark web (do you know where your sensitive data resides?), today the question of cyberattack prevention, preparedness and resiliency is a board room question and an IT organization imperative – hence the resurgence of Zero Trust.
Survey respondents found that data protection, trust earned through entity verification, and continuous authentication and authorization were the most compelling tenets to justify spend for Zero Trust. Indeed 40% intend to increase their spend around Zero Trust initiatives over the next 18 months.
Zero Trust access holds the promise of vastly enhanced usability, data protection and governance. Despite popular infosec vendor belief, this is not addressed by one tool. The question for many practitioners remains on where, how and when best to orchestrate Zero Trust-aligned policies and controls. Close to a third of respondents either had no plans or direct familiarity with Zero Trust.
Over 40% of respondents expressed concern with public cloud application access security and Bring Your Own Device (BYOD) access security enablement. Over-privileged access remains a key issue. Secure Access starts with proper and well-maintained user, role and application provisioning but requires active entity authentication and compliance checks to invoke conditional access – regardless if a user is remote or on a corporate network, if the device is personal or corporate-owned, or if the application is internal or in the cloud. Appropriately, 70% of organizations plan to advance their identity and access management capabilities as a first step towards Zero Trust advancement.
IT organizations are also experiencing more sophisticated malware attacks, new IoT exposures and increased data leakage. Not surprisingly, the survey found vulnerable mobile and at-risk devices, insecure employee and partner access, cyberattacks, and shadow IT as the top challenges to secure access to applications and resources.
Workforce mobility and hybrid IT utilization will spread workloads beyond the shelter of corporate networks and traditional perimeter defenses. This requires organizations to re-evaluate their access security posture and data privacy obligations as they migrate applications and resources from on-premises to public and private cloud environments. Aligned with these market trends, 53% of survey respondents cited the requirement for a hybrid IT implementation of Zero Trust, with a quarter electing to pursue a SaaS/cloud implementation.
Check out the full Zero Trust Progress Report that provides more detail and insights as to the perceptions, drivers, adoption, technologies, investments and benefits of Zero Trust access. I also enjoyed participating in a webinar, How to Make Zero Trust Work, which delved into the findings and examined the topic with Cybersecurity Insiders founder Holger Schulze.