Survey Sees Accelerated Shift Toward Zero-Trust Architectures
A shift toward zero-trust architectures appears to be gaining momentum, with a global survey of 500 senior cybersecurity executives published today showing that 40% of respondents have launched an initiative to achieve that goal.
In North America, the survey finds there has been a 275% year-over-year growth in the number of organizations that have or plan to have a defined zero-trust initiative in place in the next 12 to 18 months.
Sami Laine, director of technology strategy for Okta, said that shift is likely to only be further accelerated in the wake of the COVID-19 pandemic. With many employees now working from home for the foreseeable future, there is no network perimeter for cybersecurity teams to defend. Employees are now accessing corporate applications using a variety of managed and unmanaged devices. More than half of survey respondents now want those devices to known, managed and verified, which Laine said is driving the shift to zero-trust architectures.
Historically, IT organizations assumed that every device behind a firewall could be trusted. However, as cybercriminals have become more adept at bypassing firewalls, malware now moves laterally through IT environments once a platform on the network is compromised. Thwarting those attacks requires a zero-trust architecture to be in place that, among other things, employs identity-based access controls, network segmentation to isolate breaches and security event information management (SIEM) platforms to hunt for potential threats.
The COVID-19 pandemic is bringing this issue to fore because location is no longer a relevant metric for determining trust—most of the devices being employed are no longer physically attached to a local area network. They typically are accessing corporate resources over a virtual private network (VPN) or software-defined wide area network (SD-WAN). Unfortunately, many end users are also accessing applications over public internet connections that are completely unprotected.
Laine said the challenge, of course, is that a zero-trust architecture is not something that can be bought and implemented overnight. It requires organizations to integrate a set of security and networking technologies created by vendors that participate in the same ecosystem. Otherwise, it’s still possible for cybercriminals to exploit the seams between different products and services.
Once that architecture is in place it then becomes more feasible to implement automation to bring down the total cost of cybersecurity, noted Laine, adding that layer of automation then becomes the foundation from which best DevSecOps practices are implemented.
Of course, some organizations may need to rely on a managed security services provider (MSSP) to implement a zero-trust architecture. The technologies that need to be mastered are complex, and even during an economic downturn, the number of cybersecurity professionals with the right skills is limited.
Regardless of the approach, zero-trust architectures are rapidly becoming a default requirement at a time when organizations are embracing digital business transformation initiatives more rapidly. The only real question is how much political and economic capital will need to be mustered to overcome all the internal inertia that often conspires to make transitioning to a new architecture a much more extended process.
