The events of 2020 have drastically and unexpectedly accelerated the need for a new network security model. Zero trust security is hardly new, but it has taken center stage — and security leaders agree it will improve security and simplify security processes for distributed teams and hybrid networks.
However, rolling the model out has proven to be complicated, presenting organisations with a mixed bag of successes and obstacles.
A widespread move to remote work — and the corresponding need for better remote workforce security — has spurred investment in zero trust security. The ability to authenticate and monitor all traffic, regardless of its position inside or outside of a corporate network, promises to reduce or eliminate many security risks.
But many organizations find it complicated to implement a zero trust security approach. One key reason is that zero trust adoption is a logistical challenge, not just a technical one. Security modernization often depends on the progress of user identity consolidation and cloud transformation — both complex, long-term projects.
So what is the current state of zero trust adoption? And what challenges have organizations faced along the way?
To answer these questions, Forrester Consulting recently conducted a study on behalf of Cloudflare. The survey reached over 300 global security leaders, and polled respondents on their organizations’ successes and challenges with 2020’s changes. The study identified:
2020 brought changes no business was prepared for. Fifty-two percent of security leaders surveyed identified remote work as one of the top factors impacting their IT security programs in 2020.
Amidst the pandemic, the survey also identified a rise in security incidents related to corporate networks and confidential data. Fifty-five percent of security leaders reported that their organisation experienced an increase in phishing attacks this year. Additionally, 58% of security leaders said their organisation experienced a data breach of some kind.
Simply staying connected was a challenge, as well. Many security teams found that their out-dated VPN platforms could not handle all the traffic of remote employees, with 46% reporting latency issues due to increased VPN usage.
A zero trust security framework is a natural answer to these growing risks because it accomplishes the following:
Zero trust provides benefits beyond network security. It also simplifies access processes and allows employees to work from a wider variety of locations and devices, which both increases productivity and improves the employee experience.
Our survey findings reflect this variety. When we asked security leaders about their high-priority zero trust use cases, a wide-ranging use case came out on top: gaining visibility into cloud workloads, which was selected by 87% of respondents. It’s not hard to imagine why — understanding how employees use the cloud helps the organisation make smarter cloud investments, in addition to giving the ability to monitor and secure data wherever it sits.
The next three most popular zero trust use cases were similarly multifaceted:
All of these external pressures and use cases have created widespread interest in zero trust security. The survey found that 80% of security leaders say their organisation is committed to zero trust adoption. Additionally, half of all organisations recently elevated their chief information security officer to board-level visibility because of the importance the organisation places in zero trust and reducing cyber risk.
However, this interest has not yet led to concrete adoption. Only 39% of organisations surveyed reported having competed at least one zero trust pilot this year.
What are the reasons for this widespread lack of progress?
One culprit could be challenges with overall cloud transformation. Eighty percent of organisations accelerated their cloud adoption plans in 2020, but were unprepared. When large chunks of data have not yet moved to the cloud from isolated data centers, it can become harder to secure using a single security tool.
Another obstacle proved equally challenging for zero trust adoption: identity and access management (IAM) complexity. Seventy-six percent of security leaders surveyed said they struggled to shift to a zero trust approach due to the complexities of user access needs in their organisation. Zero trust relies on a single source of truth for identity management, yet larger organisations in particular have often accumulated multiple incompatible identity providers over the years. They must also understand access patterns across a huge number of applications — most of which cannot be shut down even for a moment in order to be migrated to a new identity platform.
What can security leaders do to overcome these challenges? Here, briefly, are three approaches to consider:
These findings were compiled by Forrester in September of 2020, in a study commissioned by Cloudflare. The results are a culmination of surveys of 317 global security leaders across more than 20 industries. Respondents come from companies of a variety of sizes, with 32% working at organizations with more than 5,000 people and 17% working at organizations of less than 500 people or less.
To explore the complete findings in more depth, download the Leaders Are Now Committed To Zero Trust report.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.