3 min read time

The Current State of Zero Trust

by   in Cybersecurity

There has been a lot of discussion across Cybersecurity about the role zero trust (ZT) plays as a foundational approach to security. Deploying a ZT architecture can quickly become a daunting endeavor especially considering that the average life span of a CIO is three to five years. It begs the question of whether this short tenure serves as a barrier to assembling a ZT environment since it pushes CIOs to focus on near-term ROIs. ZT can be pretty involved, and it's easy for them to see less complex security projects as a way to quickly show cybersecurity progress.

Current State of Zero TrustIt’s in this context that the NetIQ Team commissioned Dark Reading to conduct a survey with IT security teams to measure where they are at in their ZT pursuits. The demographics of the respondents in this report are pretty impressive, with half of them involved in strategic directions:

  • 23%: security or IT director or head of the department, such as fraud detection or risk management
  • 22%: executive level titles such as CSO/CISO, Chief of threat intelligence, CIO/CTO or VP of IT or cybersecurity

And the other half being implementers or working directly with those who are:

  • 26%: information security department manager or staff
  • Titles of the rest: network administrator, engineer, cloud architect, security architect

More than just a Buzz Word

As the commissioned State of Zero Trust report shows, ZT is more than just a buzzword promoted by talking heads. Instead, security teams have ZT targeted as a long-term objective and are actively assembling technologies to achieve it. The top categories of capabilities in focus include: 

  • Least privilege access: grant only as much risk as needed.
  • Micro-segmentation: segment out identity and access checkpoints to a criteria compartment that makes sense to the organization. No more cart blanch access from a single authentication.
  • Multi-factor authentication: gain greater identity assurance as needed based on a state defined as unacceptable.
  • API control and monitoring: secure programmatic access with the same type of identity and access policies and controls used for online access.
    • Dynamically responding to risk: recognize potential risk and take steps to mitigate its threat; gain stronger confirmation of the requestor’s identity, restrict what that requestor can do, or break the session.

Top Findings

Having already rolled out ZT or making plans to do so, almost 9 out of 10 of the respondents claimed that they were on a path to a ZT environment. These same organizations clarified that any lack of progress is due to budget or resource limitations, not a lack of interest.

The other key indicator of organizational commitment to ZT is the claims of new technology rollouts in the next year or two. Here are some highlighted examples of that commitment:

  • While today just 30% of respondents had a data governance solution in place, an additional 50% of them claimed that they would within the next year.
  • While less than 30% of respondents had MFA across their organization, an additional 56% of them said that it would be completed within a year.
  • Today, less than 15% of respondents have any type of context-based access policies, but another 53% said they would in a year.
  • 35% of respondents said they had identity security for API access, but another 44% said they would within 12 months.

There is a typical pattern across this shortlist. Can you see it? In all of these specific cases, more respondents forecast implementing them in the next 12 months than those already using them. So while organizations have made notable progress toward their ZT goals, it’s quite possible that 2023 might be the year of the hockey stick. My guess is that these respondents were optimistic, but it certainly is an interesting finding.

Learn More:

If you’re interested in comparing your ZT progress with large enterprises showcased in the survey, be sure to read the State of Zero Trust report. If you’re concerned about maintaining usability as you implement new ZT technologies, you may find this white paper, Is Your Environment Adaptive Enough for Zero Trust? Helpful.  The CyberRes Zero Trust Architecture page has links to other useful information as well.

Join our Access Manager Community | Join our Identity Manager Community | Join our Identity Governance and Administration Community

Labels:

Identity & Access Mgmt