A zero-trust architecture aims to move defenses from static, network-based perimeters to users, assets, and resources. Sponsored by Converge Technology Solutions Corp. and Check Point Software Technologies, Ponemon Institute conducted research to determine the status of zero-trust adoption in organizations. According to the research, 48 percent of respondents believe traditional perimeter-based security solutions such as VPNs, next-gen firewalls, and network access control (NAC) products are ineffective at securing distributed hybrid cloud infrastructures.
The research shows that zero-trust architecture improves the ability to manage vulnerabilities and user access. Unlike VPNs, which permit secure access to an entire network, zero trust segments access and limits user permissions to specific applications and services. Zero trust assumes no implicit trust is granted to assets or user accounts based solely on their physical or network location or asset ownership.
Ponemon Institute surveyed 694 IT and IT security practitioners, including cybersecurity practitioners, in the United States who are familiar with their organizations’ zero-trust strategy. As part of the screening process, practitioners invited to complete the survey were asked if their organizations had adopted a zero-trust strategy. Thirty-one percent of these practitioners, whose organizations did not adopt zero trust, were excluded from the research. The two primary reasons for these organizations not adopting zero trust are that the value is not understood (40 percent) or there is no executive buy-in (33 percent).
Respondents were asked to rate the effectiveness of their security practices before implementation and following implementation to determine the value of zero trust to organizations.
The following findings reveal the value of a zero-trust strategy:
- Zero-trust architecture improves vulnerability management because it segments access and limits user permissions to specific applications and services. The primary reasons for adopting zero-trust network architecture are: reducing connectivity issues; improving user experience; reducing difficulty in setting up, deploying, and enrolling new users; and decommissioning departing users.
- Zero trust is considered to improve security practices. As a result, zero trust is regarded as important or very important in ensuring customer trust and retention.
- Controlling access is a critical objective of zero-trust architecture. Zero trust ensures attackers who gain access to users’ accounts can only access their specific tools and services and nothing else. Identity and access management and authorization are the primary components of a zero-trust architecture. Some organizations use behavioral analytics and threat intelligence to improve asset security.
- Identity management and authorization policies are important components in zero-trust security models. As shown in the research, the primary components of a zero-trust strategy are a single strong source of identity for users and non-person entities (NPEs) and authorization policies around application or resource access.
- Zero trust is believed to reduce attacker “dwell time” in the network. Respondents also say zero trust is very or highly effective in eliminating all lateral movement between users and servers because users are isolated from the corporate network. Zero trust is also considered highly effective in authenticating, authorizing, and inspecting all traffic flow at all times to ensure malware and attacks don’t sneak in accidentally or maliciously.
According to the research, the following are steps to take to achieve a mature zero-trust strategy:
- Gain the support of senior leadership by regularly informing them about the effectiveness of the zero-trust program as measured by key performance indicators (KPIs). Such support can make the implementation of a zero-trust strategy more of a priority and, as a result, secure the necessary resources such as budget and in-house expertise.
- Quantify and track the benefits of zero trust. The top three metrics used by organizations represented in this study measure the reduction in the number of data breach incidents, the reduction in the number of known vulnerabilities, and the reduction in the number of threats.
- Identify existing security technologies that can be both cost-effective and aligned with the zero-trust strategy. Prioritize what new security technologies are needed as part of the organization’s zero-trust implementation. A significant obstacle to achieving a strong zero-trust security posture is the continued use of legacy technologies.
- Other obstacles to successfully implementing a zero-trust strategy include the lack of in-house expertise and budget. According to the research, the average annual IT security budget is $32 million, with an average of $2.4 million dedicated to organizations’ zero-trust strategy.