Zero trust is a hot topic in cybersecurity, and for a good reason. There is no one-size-fits-all solution to securing your data and networks; rather, zero trust offers a more holistic perspective comprised of many different safety measures and practices and a shift in perspective on security. As threat actors step up their efforts and business operations, and depend more and more on digital communications and assets, organizations are increasingly choosing to adopt zero-trust principles and infrastructure in the hopes of securing their enterprise against breaches and attacks.
Cybersecurity Insiders, in collaboration with Fortra, released a report on their recent survey of cybersecurity professionals to understand how organizations are approaching zero trust. Summarized below are some of the key findings of the report.
Security Concerns and Challenges
One of the factors the survey explores is what difficulties businesses are facing in regard to cybersecurity. While 45% of those surveyed responded that excessive privilege was responsible for less than 25% of their organization’s security incidents in the last 12 months, a combined 40% of respondents said that it caused more than 25% of incidents. Excessive privilege risk is one of the biggest challenges that zero trust can help to mitigate, either way.
In contrast to the proportion of incidents believed to be caused by excessive privilege, a combined 89% of respondents believe that at least a few users in their organizations have access privilege beyond what is necessary. In response to a question about their enterprise’s current security priorities, 57% of respondents cited improved Identity and Access Management (IAM), 52% cited secure access to applications, and 46% cited supplementing Endpoint Detection and Response (EDR). These were followed by improved vulnerability remediation (45%) and Data Loss Prevention (40%).
The Appeal of Zero Trust
As a framework that provides a principled approach to cybersecurity, zero trust has many aspects that draw security professionals to it. Nearly two-thirds of respondents (66%) cited continuous authentication and authorization as a tenet of zero trust that is most compelling to their organization, followed by trust earned through identity verification (65%), data protection (64%), end-to-end access visibility and auditability (61%), and least privilege access (60%).
Unsurprisingly, several of the biggest drivers toward zero trust have to do with protecting sensitive enterprise data from breaches, leaks, and theft. Almost four out of five professionals surveyed (79%) cited data protection as a key driver, while 68% cited breach prevention. While it may be daunting to think about adopting zero trust in addition to current security measures, many people are beginning to understand that zero trust principles and practices are necessary for data security and protection against cyberattacks.
Difficulties of Implementation
In spite of the growing industry comprehension of the importance of zero trust, there are still significant challenges to overcome, including gaps in organizations’ knowledge of zero trust and readiness to shift to a more secure framework. Only 17% of survey respondents stated that they were “extremely confident” in their ability to apply zero trust. In response to a different question about their organizations’ zero trust plans, 31% said they were “not yet ready” or “not sure where to start.”
Often, the very factors that make zero trust a good idea are the same things getting in the way of implementing it. When it comes to the challenges of securing access to applications and other resources, 48% of respondents cited at-risk devices, 47% overprivileged employee access, and 46% cyberattacks. While these are certainly hurdles that make it more difficult to secure an organization’s networks and data, they are also precisely the reasons it is necessary to do so.
Plans to Adopt Zero Trust Framework
Even when faced with a difficult road, an encouraging number of organizations – including the United States Army – are planning to begin or step up their adoption of zero-trust infrastructure. Of the survey respondents, 19% said zero trust access was already in place, 30% said there were zero trust access projects underway, and 38% said they had projects planned. The majority of respondents (52%) stated that zero trust security is either already implemented or planned in the next nine months.
Implementing a zero-trust framework is not a quick or easy task, nor is it a cheap one. Nearly half of those surveyed (47%) stated that they expected their organization’s budget for zero trust costs to increase over the next 18 months. Some of the specific goals and measures that respondents plan to prioritize are multi-factor authentication (65% of respondents), identity management and governance (46%), anomalous activity detection and response (50%), and re-evaluating the existing security infrastructure in place (40%).
While awareness of the necessity of zero trust is growing over time, there is still a long way to go before it is implemented as widely as it should be. Many organizations are currently prioritizing zero trust, but many others are paralyzed by their current infrastructure or lack of resources. There is a wide range of problems with data and network security, cloud access, and regulatory compliance that can be helped by the use of zero trust principles, and cybersecurity professionals in all organizations are increasingly understanding and adopting a zero trust framework.
To learn more about how enterprises are implementing zero trust security in their organizations, including key drivers, adoption trends, technologies, investments, and benefits, you can download the 2023 Zero Trust Report here.
About the Author:
PJ Bradley is a writer on a wide variety of topics, passionate about learning and helping people above all else. Holding a bachelor’s degree from Oakland University, PJ enjoys using a lifelong desire to understand how things work to write about subjects that inspire interest. Most of PJ’s free time is spent reading and writing. PJ is also a regular writer at Bora.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.