The Biden administration’s cybersecurity Executive Order (EO) in May made it clear that zero-trust was the way forward – and not only for the federal government. The EO mandates that any vendor selling into the government must follow a zero-trust architecture.
ESG Research analyst John Grady said regardless of why organizations begin to implement zero-trust, most report at least some level of success. “Zero-trust should be a journey and issues can arise, but the fact that nearly half of respondents believe their initiatives have been very successful is a reassuring proof point for those considering the approach,” said Grady.
On the plus side, because zero-trust is more of an architecture and approach to security, security teams can start small and expand, rather than taking on a massive transformation project. ESG Research found that for most enterprises, a zero-trust journey typically starts with a single use case.
For those who have started their zero-trust journey, more than one-third accelerated zero-trust rollouts because of the pandemic. The best news of all: 85% of respondents say that their zero-trust experience has been either “very successful” (46%) or “successful, but with some bumps in the road” (39%).
Not surprisingly, ESG Research found a lot of confusion in the market around zero-trust. Some 56% continue to equate zero-trust with technology. This has become a problem, and one all vendors should take seriously, and maybe even some of the blame for. For a decade now, zero-trust has been the go-to marketing term in the industry, and for good reason. It’s a sound concept and there’s great interest in finding a better way forward. The perimeter-based model cannot work in a world dominated by mobility, hybrid cloud, and work-from-anywhere.
The pandemic has cleared away the hype and showed us the way forward. We now know that employees are not coming back to the office in the way they once did. We know that third-parties will continue to need access to enterprise assets, but that they also represent a major source of risk. We can see that hybrid cloud will be the reality for a long time to come, and that microservices, not monolithic apps, are the future.
With zero-trust mandates coming from the federal government, we can no longer ignore how much implicit trust exists in our defenses. At the heart of the issue has been visibility and control. Zero-trust requires authentication of all users, authorized and continuously monitored before getting access to applications and data.
In the pre-COVID world, visibility, and control over remote user activity, be they employees or partners, had been a major weakness of legacy access solutions such as virtual private networks (VPN). The old reality was that security teams, in many cases, were flying blind, unsure of what was happening on the network, or what users were doing across hybrid cloud partners. This is clearly not aligned with zero-trust.
The solution category names will change over time, just look at the endpoint's transition from detection and response (EDR) to extended detection and response (XDR). The product names will change too, as will company names. The security industry will consolidate, it must. However, we can’t change our commitment to the underlying principles of zero-trust, whatever we call the tools.
Now’s the time to get our collective heads around zero-trust. Focus on the basic tenants and start small. ESG’s survey showed this approach has been working. And it’s a journey. It will need to adapt and change as enterprise IT changes over time. We need an industrywide commitment to the concept of zero-trust, for every user and every action.
Dor Knafo, co-founder and CEO, Axis Security