The events of 2020 have drastically and unexpectedly accelerated the need for a new network security model. Zero trust security is hardly new, but it has taken center stage — and security leaders agree it will improve security and simplify security processes for distributed teams and hybrid networks.
However, rolling the model out has proven to be complicated, presenting organizations with a mixed bag of successes and obstacles.
A widespread move to remote work — and the corresponding need for better remote workforce security — has spurred investment in zero trust security. The ability to authenticate and monitor all traffic, regardless of its position inside or outside of a corporate network, promises to reduce or eliminate many security risks.
But many organizations find it complicated to implement a zero trust security approach. One key reason is that zero trust adoption is a logistical challenge, not just a technical one. Security modernization often depends on the progress of user identity consolidation and cloud transformation — both complex, long-term projects.
So what is the current state of zero trust adoption? And what challenges have organizations faced along the way?
To answer these questions, Forrester Consulting recently conducted a study on behalf of Cloudflare. The survey reached over 300 global security leaders, and polled respondents on their organizations’ successes and challenges with 2020’s changes. The study identified:
The top business and technology trends driving zero trust adoption
The most popular planned use cases for zero trust security
Common obstacles in zero trust adoption
2020 brought changes no business was prepared for. Fifty-two percent of security leaders surveyed identified remote work as one of the top factors impacting their IT security programs in 2020.
Amidst the pandemic, the survey also identified a rise in security incidents related to corporate networks and confidential data. Fifty-five percent of security leaders reported that their organisation experienced an increase in phishing attacks this year. Additionally, 58% of security leaders said their organisation experienced a data breach of some kind.
Simply staying connected was a challenge as well. Many security teams found that their outdated VPN platforms could not handle all the traffic of remote employees, with 46% reporting latency issues due to increased VPN usage.
A zero trust security framework is a natural answer to these growing risks because it accomplishes the following:
Stops phishing attacks by putting additional identity verification measures in front of every application.
Prevents attackers who do gain access to one application or service from getting carte blanche access to the entire internal network.
Removes the need for VPNs, because identity verification is required to access individual applications.
Zero trust provides benefits beyond network security. It also simplifies access processes and allows employees to work from a wider variety of locations and devices, which both increases productivity and improves the employee experience.
Our survey findings reflect this variety. When we asked security leaders about their high-priority zero trust use cases, a wide-ranging use case came out on top: gaining visibility into cloud workloads, which was selected by 87% of respondents. It’s not hard to imagine why — understanding how employees use the cloud helps the organisation make smarter cloud investments, in addition to giving the ability to monitor and secure data wherever it sits.
The next three most popular zero trust use cases were similarly multifaceted:
Ensuring safe and fast developer access (selected as important by 83% of respondents). In addition to stronger security, this use case also helps developers access tools and environments more reliably — a significant productivity boost.
Starting or expanding a bring-your-own-device (BYOD) program (selected by 81% of respondents). This use case also offers cost savings, and can spare IT teams from managing and updating corporate devices.
Replacing overburdened VPNs (selected by 71% of respondents). Not only is zero trust more secure than VPNs, but it also allows employees to access applications more reliably and saves IT teams from keeping track of VPN clients.
All of these external pressures and use cases have created widespread interest in zero trust security. The survey found that 80% of security leaders say their organisation is committed to zero trust adoption. Additionally, half of all organisations recently elevated their chief information security officer to board-level visibility because of the importance the organisation places on zero trust and reducing cyber risk.
However, this interest has not yet led to concrete adoption. Only 39% of organisations surveyed reported having completed at least one zero trust pilot this year.
What are the reasons for this widespread lack of progress?
One culprit could be challenges with overall cloud transformation. Eighty percent of organisations accelerated their cloud adoption plans in 2020, but were unprepared. When large chunks of data have not yet moved to the cloud from isolated data centers, that data can become harder to secure using a single security tool.
Another obstacle proved equally challenging for zero trust adoption: identity and access management (IAM) complexity. Seventy-six percent of security leaders surveyed said they struggled to shift to a zero trust approach due to the complexities of user access needs in their organisation. Zero trust relies on a single source of truth for identity management, yet larger organisations in particular have often accumulated multiple incompatible identity providers over the years. They must also understand access patterns across a huge number of applications — most of which cannot be shut down even for a moment in order to be migrated to a new identity platform.
What can security leaders do to overcome these challenges? Here, briefly, are three approaches to consider:
Choose a zero trust tool with self-service functionality. Like cloud transformation, managing user access patterns will never be simple. To make time for this important work, security leaders should look for zero trust tools that make other access management actions — e.g. integrating applications, or creating roles and role-based permissions — as easy and self-directed as possible.
Gradually reduce dependence on a VPN, starting with developer apps. Security leaders agree that VPNs are overburdened and ineffective in a remote work environment. Zero Trust Network Access platforms replace the traffic-hauling latency of a VPN with identity-based protection on a per-application basis. Developer apps like Jira, Jenkins and Grafana are a great, common starting point on this journey.
Consider integrated platforms that can grow with you along your adoption journey. Using multiple point solutions for zero trust implementation is harder to manage. It also adds risk, since each solution is an additional point of failure.
These findings were compiled by Forrester in September of 2020, in a study commissioned by Cloudflare. The results are a culmination of surveys of 317 global security leaders across more than 20 industries. Respondents come from companies of a variety of sizes, with 32% working at organizations with more than 5,000 people and 17% working at organizations of fewer than 500 people.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.