Why Zero trust is the new norm (Why your IT experts expect a breach)

By Dan Conrad, Security and Management Team Lead at One Identity

According to David Totten, CTO of Global Partner Solutions at Microsoft, Zero Trust has been defined as ‘a proactive, intentional integrated approach to multi-layers of security, focused on three essential principles: Explicit and continuous verification, a principle of least privilege, and intelligence and advanced metrics, identification and response.’

Very few security terms and models have received the level of ‘buzzword’ status which Zero Trust has over the past few years. You would struggle to sit on a panel of security professionals in 2022 and not hear the term used by security and identity thinkers right across the spectrum.

However, this ubiquitous status has not been acquired in a vacuum; the real-world situation around identity, security and authentication has forced Zero Trust into the mainstream, and with good reason.

Zero Trust as the new normal

There are several factors which have facilitated the Zero Trust revolution. Chief amongst these is mass migration to the cloud. Specifically, the move to public cloud systems, combined with a system of highly distributed, disparate set of corporate applications and associated access rights, which organizations have failed to understand fully. This identity sprawl creates a system which is totally lacking in defensive capabilities, and with access rights are everywhere.

The second, undeniable factor at play is the everyday reality on the ground of data breaches. There is no more if; accepting that the breach will happen and attempting to minimize it needs to go hand in hand with preventing future breaches. A holistic model towards security works to prevent it, but expects their efforts to fail and so integrates multi-factor authentication and prevents lateral movement inside applications.

This reality on the ground is typified by the increased number of entry points which the explosion in work and hybrid devices has facilitated. Microsoft’s CTO David Totten explained this on the recent Better Together podcast, stating that “over the last few years, people working remotely, people working from home, people working from different offices, whether it’s partners, customers, distributors, we want everyone to have more access to their information. However, what that does is it increases that threat vector ratio. In the context of a security posture, let’s make sure people get access to that data from wherever they are, but that obviously introduces complexity with the security model.”

However, despite these obvious factors which should be a major driver of the Zero Trust model, uptake of Zero trust remains relatively low, with only 38% citing digital transformation as a reason for their move to, as opposed to a fully program. Why is this?

Why are companies so slow to adapt their cybersecurity?

Zero Trust heavily relies on an organization’s ability to accurately identify and classify the data it holds in each document, endpoint or system, and its ability to accurately identify and classify every user or system that may need to access that data. This can create logistical problems, with many organizations struggle with the basics of accurately identifying the number of systems they have and how they may be exposed. To further classify the data relating to those systems is a complex task that is realistically beyond the reach of most.

Furthermore, the costs of Zero Trust are not just the products or services required to execute it effectively. The costs include the time the organization spends planning such a complex project, the time of every team in the organization to help classify their data and the time it takes for users to adapt their working ways to be compatible with a Zero Trust security strategy. Current business setups are overly permissive internally because it is just more straightforward and less costly for the business to operate this way

Zero Trust has excellent value to more mature and agile organizations that can afford and need to invest highly in security to guarantee the continued success of their business. But for most, it could be seen as an unrealistic goal. This is the gap which security organizations’, practitioners and professionals need to bridge.

Don’t get left behind

Zero Trust is happening whether organizations are ready for adoption or not; the larger, more agile organizations are seeing to this. Grand View research suggests that “the global Zero Trust security market size was valued at USD 19.8 billion in 2020 and is expected to register a compound annual growth rate (CAGR) of 15.2% from 2021 to 2028. The proliferation of endpoint devices, coupled with the rising adoption of cloud technology, has triggered the need for implementing a Zero-Trust security framework.”.

With the market expected to grow and keep growing. Failure to adapt to this change, or at least to ensure your systems are ready for the change, may mean that you fail to meet the demands of the ever-increasingly complicated authentication systems we’re all expected to navigate.

What’s worse, failure to move appropriately with the teams could lead to your systems being viewed not only as outdated by your peers, and customers (who will increasingly demand security as a top priority), but also by threat actors looking to make the most of your inaction.

About Author:

Dan Conrad is a technology veteran who has spent the best part of the last decade keeping our online identities safe and secure at One Identity. In previous roles he has worked at Dell as a software consultant, and understands the importance of the digital identity to the modern enterprise better than most.