To stave off never-ending security exploits, organizations are investing in advanced technologies and processes. The purpose of this report, sponsored by Entrust, is to provide important information about the use of zero trust, encryption trends, credential management and HSMs to prepare for and prevent cyberattacks. The research also reveals what organizations believe to be the most significant threats. The top three are hackers, system or process malfunction and unmanaged certificates.
A second report will present the research findings on PKI and IoT, as well as how organizations are preparing to transition to post-quantum cryptography in order to mitigate the quantum threat. For both reports, Ponemon Institute surveyed 4,052 IT and IT security practitioners who are familiar with the use of these technologies in their organizations.
“With the rise of costly breaches and AI-generated deepfakes, synthetic identity fraud, ransomware gangs, and cyber warfare, the threat landscape is intensifying at an alarming rate,” said Samantha Mabey, Director, Solutions Marketing at Entrust. “This means that implementing a Zero Trust security practice is an urgent business imperative – and the security of organizations’ and their customers’ data, networks, and identities depends on it.”
The countries in this research are the United States (908 respondents), United Kingdom (458 respondents), Canada (473 respondents), Germany (582 respondents), UAE (355 respondents), Australia/New Zealand (274 respondents), Japan (334 respondents), Singapore (367 respondents) and Middle East (301 respondents).
Organizations are adopting zero trust because of cyber risk concerns. Zero trust is defined in this research as an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets and resources. It assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location or based on asset ownership. Sixty-two percent of respondents say their organizations have adopted zero trust at some level. However, only 18 percent of respondents have implemented all zero-trust principles.
In the survey, 67 percent of respondents say the most important drivers for implementing a zero-trust strategy are the risk of a data breach and/or other security incidents (37 percent) and the expanding attack surface (30 percent).
Following are the most salient findings from this year’s research.
The slow but growing adoption of zero trust
- As evidence of the importance of zero trust to secure the organization, 57 percent of respondents that have or will implement zero trust say their organizations will include zero trust in their encryption plans or strategies. Sixty-two percent of respondents say their organizations have implemented all zero-trust principles (18 percent), some zero-trust principles (12 percent), laid the foundation for a zero-trust strategy (14 percent) or started exploring various solutions to help implement its zero-trust strategy (18 percent). According to the research, a lack of in-house expertise is slowing adoption.
- Senior leaders are supporting an enterprise-wide zero-trust strategy. Fifty-nine percent of respondents say their leadership has significant or very significant support for zero trust. As evidence of senior leadership’s support, only 37 percent of respondents say lack of leadership buy-in is a challenge. The biggest challenges when implementing zero trust are lack of in-house expertise (47 percent of respondents) or lack of budget (40 percent of respondents).
- Securing identities is the highest priority for a zero-trust strategy. Respondents were asked to select the one area that has the highest priority for their zero-trust strategy. The risk areas are identities, devices, networks, applications and data. Forty percent of respondents say identities and 24 percent of respondents say devices are the priorities.
- Best-of-breed solutions are most important for a successful zero-trust strategy (44 percent of respondents). This is followed by an integrated solution ecosystem from one to three vendors (22 percent of respondents).
Trends in encryption and encryption in the public cloud: 2019 to 2024
- Hackers are becoming more of a threat to sensitive and confidential data. Organizations need to make the hacker threat an important part of their security strategies. Since the last report, the share of respondents who cite hackers as the biggest concern to being able to protect sensitive and confidential information has increased significantly, from 29 percent to 46 percent.
- Management of keys and enforcement of policy continue to be the most important features in encryption solutions. Respondents were asked to rate the importance of certain features in encryption solutions. The most important features are management of keys, enforcement of policy and system performance and latency.
- Since 2019, organizations have been steadily transferring sensitive and confidential data to public clouds whether or not it is encrypted or made unreadable via some other mechanism. In this year’s study, 80 percent of respondents say their organizations currently transfer such data (52 percent) or are likely to do so in the next 12 to 24 months (28 percent).
- Encryption performed on-premise prior to sending data to the cloud using organizations’ own keys has declined significantly since 2019. The main methods for protecting data at rest in the cloud are using keys generated/managed by the cloud provider (39 percent of respondents) or performing encryption in the cloud using keys their organizations generate and manage on-premises. Only 23 percent of respondents say encryption is performed on-premise.
- There has been a significant decrease in organizations only using keys controlled by their organization (from 42 percent to 22 percent of respondents). Instead, the primary strategy for encrypting data at rest in the cloud is the use of a combination of keys controlled by their organization and by the cloud provider, with a preference for keys controlled by their organization, a significant increase from 19 percent of respondents to 32 percent of respondents in 2024. This is followed by only using keys controlled by the cloud provider (24 percent of respondents).
- The importance of privileged user access controls has increased significantly. Respondents were asked to rate the importance of cloud encryption features on a scale of 1 = not important to 5 = most important. Privileged user access controls increased from 3.23 in 2022 to 4.38 in 2024 on the 5-point scale. The importance of granular access controls and the ability to encrypt and rekey data while in use without downtime also increased significantly.
Trends in credential management and HSMs: 2019 to 2024
- Lack of skilled personnel and no clear ownership make the management of credentials painful. Fifty-nine percent of respondents say managing keys has a severe impact on their organizations. There are interesting trends in what causes the pain since 2019. The lack of skilled personnel (50 percent of respondents) and no clear ownership (47 percent of respondents) continue to make credential management difficult. Insufficient personnel increased from 34 percent to 46 percent of respondents. Not causing as much pain are the inadequacy of key management tools (from 52 percent to 32 percent) and isolated and fragmented systems (from 46 percent to 29 percent).
- Many types of keys are getting less painful to manage. Between 2019 and 2024, the keys that have become less painful to manage are those for external cloud or hosted services, including Bring Your Own Keys (from 54 percent to 22 percent of respondents), SSH keys (from 57 percent to 27 percent of respondents) and signing keys (e.g., code signing, digital signatures) (from 52 percent to 25 percent of respondents).
- Management of credentials is challenging because it is harder to consistently apply security policies over credentials used across multi-cloud and cross-cloud environments. Fifty-five percent of respondents say the management of credentials is becoming more challenging in a multi-cloud and cross-cloud environment. Thirty-six percent of respondents say it is due to the difficulty in consistently applying security policies over credentials used across cloud services, followed by the difficulty of having visibility over credentials that protect and enable access to critical data and applications (33 percent of respondents). The applications that require the use of credential management across cloud-based deployments are mainly KMIP-compliant applications (44 percent of respondents), and databases, back-up and storage (43 percent of respondents).
- More organizations are using Hardware Security Modules (HSMs). An HSM is a dedicated crypto processor that is specifically designed for the protection of the crypto key lifecycle. Since 2019, the use of HSMs has increased from 47 percent of respondents to 55 percent of respondents.
- Organizations value the use of HSMs. Since 2019, organizations have been increasing the use of HSMs as part of their encryption and credential management strategies. The use of application-level encryption, database encryption and TLS/SSL has increased significantly. For the first time, respondents were asked where HSMs are deployed. Most are deployed in online root, offline root and issuing CA.
You can download a full copy of the report at Entrust’s website.