Security Boulevard (Original)

Survey Sees Zero-Trust Transition Gaining Momentum

A survey of 800 information security decision-makers published this week found 61% of respondents worked for organizations that have implemented a zero-trust IT initiative, with another 35% planning to do so soon.

The survey, conducted by Okta, a provider of an identity and access management platform, found a full 80% of respondents said budgets for these initiatives increased year over year, with 20% reporting spending increased by a significant 25% or more.

Initiatives that have already been implemented include multifactor authentication (MFA) for external users (34%), MFA for employees (33%), application programming interface (API) security (31%), device security posture assessments (29%) and privileged access management (PAM) for cloud services (29%).

Top priorities for the coming year are PAM for cloud services (42%), securing APIs (42%), implementing MFA for employees (42%) and connecting employees to a directory of cloud applications (40%), the survey found.

Chris Niggel, a regional chief security officer for Okta, said these initiatives are being funded because they are tied to efforts to improve customer and end-user experiences by replacing passwords with authentication methods built on identity management platforms that streamline workflows and enhance security. In fact, the survey found that more than half of respondents (51%) worked for organizations that viewed identity as extremely important.

There are, of course, multiple ways to implement zero-trust policies, but to varying degrees they all revolve around some method for managing identities rather than relying on usernames and passwords alone. The challenge is that there is no turnkey solution. Instead, IT and cybersecurity teams are required to integrate multiple technologies to implement, for example, multifactor authentication.

More challenging still, most applications currently employed by organizations use hardcoded usernames and passwords for authentication. Upgrading those applications to support alternative authentication protocols represents a multi-year challenge, noted Niggel.

Nevertheless, with most cybersecurity breaches being traced back to a phishing attack that results in stolen passwords being used to compromise an IT environment, it’s apparent organizations are ready to embrace alternative approaches. The challenge is finding ways to ensure zero-trust without compromising the end-user experience, said Niggel.

Most organizations that, for example, experimented with MFA have run afoul of usability issues, he added.

Regardless of past experiences, however, a rising tide of regulations will require organizations to manage access at a more granular level using platforms that authenticate users based on some type of confirmation of their identity. The issue that remains unresolved is finding a way to achieve that goal while reducing rather than increasing friction.

Of course, that means working closely with developers and business leaders to implement zero-trust policies. Cybersecurity professionals, given their role, are not always the best judge of how to implement zero-trust policies in a way that end users will actually accept, so most organizations are going to be better off creating a cross-functional team to manage the transition.

One way or another, however, fundamental changes to authentication processes are now being made. The only issue to be resolved is how long it will take organizations to adapt at a time when cybercriminals continue to steal credentials with impunity.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
