August 23, 2023
What is Zero Trust? Past, present and future of security
In this article we tell you about the trend and evolution of Zero Trust initiatives, but first let's get back to basics.
What is Zero Trust?
Zero Trust is a security model that assumes that all entities within the network, including those that have access to the network, are potentially malicious. Therefore, all transactions and access to resources are verified and authenticated before being allowed. This means that instead of trusting the position or identity of a user or device to determine access to resources, a thorough verification is carried out whenever a resource is accessed. The implementation of Zero Trust requires a combination of security technologies, such as multi-factor authentication, encryption, policy-based access control and behavioural analysis, to ensure network security.
In short, Zero Trust is a security approach focused on exhaustive verification and authentication rather than trust in the identity or location of users and devices. This approach helps to prevent security breaches and maintain the confidentiality of sensitive information in a constantly evolving and highly connected environment.
The evolution of Zero Trust in recent years
What a difference four years make.
Since Okta published its first State of Zero Trust report in 2019, it has been said that the framework represents the future of security. This year, the adoption of Zero Trust reached a turning point.
In 2019, many organizations surveyed acknowledged that Zero Trust was important, but only 16% had invested in Zero Trust initiatives. In 2022, organisations are ready to take action; 97% of respondents have a defined Zero Trust initiative underway or plan to have one in the coming months.
Okta's fourth annual report on the State of Zero Trust, prepared from surveys conducted with 700 security managers, reveals a radically changed landscape in which there is no one-size-fits-all security solution. As different organisations, industries and regions adopt different Zero Trust strategies and priorities, some fascinating trends have emerged.
Zero Trust initiatives have made astonishing progress in one year
In the last year, the development of Zero Trust programs has been remarkable. In fact, the percentage of companies with a defined Zero Trust initiative underway has more than doubled:
- In 2021, only 24% of respondents had a Zero Trust initiative underway, and 65% had plans to implement one in the next 12-18 months.
- In 2022, 55% of respondents have a Zero Trust initiative, and 42% say they will implement one in the near future.
More than ever, security and user-friendliness are mutually inclusive
In 2020, organizations around the world suddenly needed to support distributed and dynamic workforces, so it is understandable that considerations regarding accessibility and usability often prevailed over security concerns.
After implementing systems that allowed teams to work from anywhere, many organisations accumulated security shortfalls and are now learning where their vulnerabilities reside. But they have also realised that security does not necessarily have to be to the detriment of usability, as demonstrated by the increasingly widespread adoption of password authentication:
- Password access is a global priority in the next 12-18 months.
- 24% of respondents in the financial services sector plan to adopt it shortly or have already done so.
- Almost one fifth of the respondents in the healthcare sector (17%) and software sector (18%) plan to do the same.
The verdict is favourable: identity is vital for a Zero Trust strategy
The central principle of the Zero Trust security model is "never trust, always verify," and although there may be a number of methods to do so, none is as reliable as identity and access management.
- 80% of respondents believe that identity is important for their Zero Trust strategies.
- 19% went one step further, declaring that identity is critical for the business.
In total, 99% of the organisations surveyed point to identity as a key factor for Zero Trust. The figures are similar when talking to high-level leaders, such as CISOs and other C-suite executives, with 98% recognising the integral role of identity in a robust approach to Zero Trust.
“We’re becoming an identity-driven security team, which is a real shift in culture, because we’re talking about a team that was built for a flat, on-prem network.” — John McLeod, CISO, NOV
Identity is key to health and financial services
Zero Trust is rapidly gaining ground in the healthcare sector, as the last holdouts commit to new initiatives in the future. In 2021, 37% of organisations had started to implement Zero Trust initiatives, but this figure has increased to 58% in 2022. It is also worth noting that 96% have at least one initiative planned for the next 12 to 18 months, and for the vast majority, those initiatives will involve identity.
- 99% of healthcare organisations believe that identity is essential to their Zero Trust strategies.
- 72% of respondents describe it as important, while 27% say it is critical for the business.
The adoption of identity solutions has also driven the transformation of the financial services sector, and many organisations have focused first on their internal systems and their staff:
- Almost 75% of financial services companies intend to extend single sign-on (SSO) and MFA to servers, databases and APIs within 18 months.
- For almost 80% of respondents, SSO has already extended to employees, but currently only 37% have extended MFA to users outside their organisations.
EMEA and APAC give priority to access automation and management
The speed with which regions adopt new security initiatives can shed light on their Zero Trust priorities. For example, both EMEA and APAC respondents are doubling their commitment to managing privileged access to cloud infrastructure:
- The take-up rates in the EMEA region are forecast to reach 97% in the next year and a half.
- For APAC, adoption rates are expected to double in the next 18 months, from 44% in 2021 to 88% in 2022.
- In comparison, adoption rates in North America will also double, but will peak at 70%.
Organisations across the APAC region are also investing heavily in automating employee provisioning and deprovisioning processes, and adoption rates are expected to increase from 22% in 2021 to 76% in 2022. The adoption rates in EMEA are not far behind, as 74% of organisations indicate that they will implement this security practice within the next 18 months.
Conclusion
These trends broadly illustrate how the adoption of Zero Trust is transforming sectors and security around the world (you can read the full report here) in response to the growing complexity of technological environments and the need to protect sensitive information.
Without a doubt, factors like the widespread adoption of cloud and mobility have led the traditional network to evolve towards a much more distributed and less predictable environment, thereby necessitating greater security.