Surveys Show Enterprises Slow to Adopt Zero Trust

The Zero Trust approach to cybersecurity is beginning to make inroads in IT departments of all shapes and sizes. Nevertheless, a recent survey shows that while cybersecurity professionals are aware of the growing risks posed by technological change, integrating Zero Trust systems is low on their to-do lists. The aforementioned survey, commissioned by identity management purveyor Okta, reveals insights regarding the implementation of Zero Trust in companies across the globe.

Zero Trust is an idea introduced by analyst firm Forrester Research as an alternative architecture for IT security. Whereas traditional security systems automatically trust all entities within the security perimeter, Zero Trust systems are defined by the principle of “never trust, always verify.” Essentially, in a Zero Trust system, regardless of whether a user is within the firewall, access privileges are granted on a case-by-case basis and are determined by multiple factors. Every person and device trying to access resources on a private Zero Trust-enabled network is subject to strict identity verification procedures, which are conducted with the help of machine learning and artificial intelligence. The goal is to prevent lateral movement within the network and to prevent outsiders from accessing the network.

AppSec/API Security 2022

Although the benefits are clear, there are numerous challenges slowing  enterprise adoption of Zero Trust solutions. A study published by Pulse Secure, a vendor providing software-defined secure access solutions, gives credence to the challenges faced by enterprises experiencing rapid technological change. Nevertheless, It’s easy to see why the idea is gaining popularity: as various forms of technology, such as mobile computing, cloud integration and BYOD become more integrated into the workplace, IT professionals are recognizing that a radical shift in approaching cybersecurity is necessary for maintaining clients’ confidence in the safety of their data.

Simply put, initiatives such as digital transformation are changing the information security landscape, resulting in companies facing deficiencies in their security. Other changes, such as the combination of private cloud services, public cloud services, data centers, and the introduction of mobile and BYOD devices into the work environment, are creating additional vectors for attackers.

The Okta survey polled more than 1,000 IT, security and engineering decision-makers from global companies with at least $1 billion in revenue. More than half—60%—of respondents to the survey were working toward or planning to introduce Zero Trust into their security practices. While these results show that Zero Trust has a long way to go before it is implemented fully across enterprises, they also show that there exists an opportunity for security professionals to adopt a more secure methodology for protecting data, which is a necessity for enterprises undergoing digital transformation and implementing cloud services into their organization.

The Okta survey also reveals some of the factors that create a necessity for Zero Trust systems. Increasingly, enterprises are implementing cloud apps to supplement their on-premises systems. Although 75% of respondents run at least some apps in the cloud, most large companies intend to keep at least a third of their applications running on-premises. In addition, 62% of respondents indicated they expected the end state of their company’s cloud application use to be between 10% and 50% of apps running in the cloud. While increasing adoption of cloud services presents clear benefits for efficiency and productivity, it also poses a unique cybersecurity risk, which companies that are relying on outdated security architectures are ill-equipped to handle.

The Pulse Secure survey, which was conducted independently by IDG Connect, comprised of more than 300 information security decision-makers in enterprises with more than 1,000 employees across U.S., UK and Germany/Austria/Switzerland region. Furthermore, the respondents represented a number of industries, including financial services, health care and manufacturing. The survey reveals that enterprises are aware of new challenges and are taking steps to mitigate threats, including improving endpoint security and remediation prior to access, enhancing IoT discovery, isolation and access control and fortifying network and cloud access visibility and resource segmentation. Recognizing these new types of threats, 91% of enterprises plan on increasing secure access expenditure over the next several months.

However, As these systems promise to address some of the structural failings of traditional perimeter-based security systems, security professionals should strongly consider implementing a Zero Trust methodology into their workflow. According to Scott Gordon, CMO at Pulse Secure: “The acceleration to leverage hybrid IT service delivery and the impact of consumer and IoT device in corporate networks is ushering in a new swath of endpoint security and data breaches as reflected in news. We are seeing the impact of these exposures. Organizations are motivated to deploy Zero Trust access security systems, such as software-defined perimeter, to increase user, device and resource authentication and mitigate access visibility and control gaps.”

Though it may seem that Zero Trust systems would cause frustration for users who simply want broad access to resources within a network, the benefits of implementing such a system far outweigh the drawbacks, particularly in the context of today’s more technologically diverse and mobile workplace. Noted Lisa Lorezin, director of emerging technologies at Zscaler: “Today what we need is context-based trust, and it needs to be a comprehensive solution that applies no matter where the user is and no matter where the resource is.” Implementing Zero Trust systems allows enterprises to maintain the security of their data while enabling the flexibility required for today’s rapidly evolving work environment.

As enterprises move their business to the cloud and rely upon multiple cloud services, line of business applications become scattered across different cloud providers, making privilege management more difficult. In light of these expanded concerns, enterprises have taken to integrating additional verification methods. A little more than half (54%) of the Okta survey respondents use software-generated one-time passwords, 36% use physical and U2F tokens and 30% use biometrics-based factors. While this diversity in approach shows that enterprises are serious about exploring different ways of handling changes in security considerations, Okta’s survey contends that these developments alone are insufficient and instead considers methods such as multi-factor authentication as steps on “the road to Zero Trust.”

The urgency for integrating Zero Trust is clear. “The security models we’ve come up with in the 20th century and since have all failed as evidenced by all the big data breaches,” said John Kindervag, a field chief technology officer at Palo Alto Networks. Fortunately, a number of platforms enabling the integration of a Zero Trust framework exist, which forward-looking security professionals are sure to take advantage of. Several different vendors offer Zero Trust solutions, and while they differ in approach, each has the same goal of establishing access management defined by policies. 

Those vendors have also created partner programs and are looking for MSPs and Integrators to bring Zero Trust solutions to a potentially large market. Though it’s been a decade since Forrester introduced the Zero Trust model, it has not yet seen widespread adoption across enterprises despite a clear and expanding necessity. As such, the opportunity for vendors who offer Zero Trust platforms is substantial, and security professionals have an obligation to take advantage of these platforms to protect their businesses for the threats of today and of the future.

Tyler Ohlhorst contributed to this story

Frank Ohlhorst

Featured eBook
Managing the AppSec Toolstack

Managing the AppSec Toolstack

The best cybersecurity defense is always applied in layers—if one line of defense fails, the next should be able to thwart an attack, and so on. Now that DevOps teams are taking  more responsibility for application security by embracing DevSecOps processes, that same philosophy applies to security controls. The challenge many organizations are facing now ... Read More
Security Boulevard

Frank Ohlhorst

Frank is an award-winning technology journalist and IT industry analyst, with extensive experience as a business consultant, editor, author, and blogger. Frank works with both technology startups and established technology ventures, helping them to build channel programs, launch products, validate product quality, create marketing materials, author case studies, eBooks and white papers.

frank-ohlhorst has 40 posts and counting.See all posts by frank-ohlhorst