Zero trust may be an ideal solution to an increasingly porous cybersecurity approach. So why aren’t more organizations trusting?
Cybersecurity seems to be in the middle of a perfect storm. Data breaches and other cyberthreats are on the rise. The number of endpoints accessing the network is skyrocketing. Users are more mobile, making traditional perimeter barriers ineffective, yet data is the crown jewels of the organization and must be protected at all costs. How can organizations meet all of these cybersecurity challenges while working with such a hybrid IT architecture and with the new emphasis on data privacy?
The zero trust security model would appear to be the optimal solution to this cybersecurity storm. This trust-nothing-verify-everything approach provides a high-level way to protect data, but according to a new study from Pulse Secure and Cybersecurity Insiders, nearly half of organizations surveyed admit they lack the confidence to apply zero trust.
“The sheer volume of cyberattacks and enormity of data breaches in 2019 has challenged the veracity of secure access defenses, even in well-funded organizations,” said Scott Gordon, chief marketing officer at Pulse Secure, in a formal statement. “Zero trust holds the promise of vastly enhanced usability, data protection and governance. However, there is a healthy degree of confusion among cybersecurity professionals about where and how to implement zero trust controls in a hybrid IT environment.”
The Reasons Behind the Confusion
When asked about that healthy degree of confusion, Pulse Secure CEO Sudhakar Ramakrishna suggested the reason is due, in part, to a lack of understanding surrounding the term.
“While the term ‘zero trust’ has been around for nearly 10 years, it has only recently garnered sufficient interest due the overwhelming volume of threat vectors,” he said. “Many vendors have also jumped on the zero trust bandwagon, often without a complete product set to address typical customer concerns. Consequently, those same customers are left trying to sort through varying claims as marketed by both qualified vendors and unqualified ones.”
Another area of confusion involves the shift from thinking about security in a traditional way versus the BYOD model and the addition of cloud technologies that most organizations now deploy. Now IoT is adding more chaos into the security mix. To implement zero trust, BYOD devices must be validated and verified prior to connecting to networks to reduce malware propagation, and secure access gateways must be deployed for cloud resources. However, too often organizations are racing to adopt new technologies without considering the security behind them. Organizations are concerned about applying better security to these technologies, but they just aren’t there yet.
Introducing Zero Trust in the Hybrid Environment
According to the study, a third of the respondents said they find value in introducing zero trust into a hybrid IT environment, and more than half say they intend to do so. Ramakrishna believes that the rapid changes in both how users access data and the network and the increase in threat vectors requires a shift in how organizations approach security and think about the way boundaries are morphing.
“Zero trust delivers higher levels of security, from the endpoint to the application, than traditional methods,” Ramakrishna said. “Through continuous authentication and authorization, entity verification and data protection, organizations can securely enable increasingly mobile workforces, reduce the chance of data loss or leakage and increase productivity with streamlined access.”
Willingness for Adoption
Despite the lack of confidence many organizations have about applying zero trust security, nearly two-thirds of the respondents have either already implemented it or are planning to do so in 2020. “This dichotomy is striking but not wholly unsurprising; as organizations try to stem the tide of threat vectors, they must encourage and adopt architectures that enhance productivity,” said Ramakrishna. “It is a daunting challenge and one that organizations are addressing as quickly as they can.”
Organizations can make this transition more confidently if they educate themselves on the theory behind zero trust and how it works. “A true zero trust framework is an end-to-end proposition,” Ramakrishna noted. “It starts with making sure that all devices meet corporate compliance and security policy standards before accessing applications.”