"As we start to offer more cybersecuritysecurity services to our customers, the subject of Zero Trust methodologies often comes up. However, the non-technical customers have a difficult understanding of what Zero Trust is all about," said Evan J. Leonard, president and co-founder of Chips Technology Group, an MSP located in Syosset, NY. It is an issue shared by many.
Perhaps understanding the Zero Trust model has fallen victim to the nomenclature used by IT pros, or perhaps it is hard for non-technical folks to visualize, slowing down the adoption of what could be a solution to many cybersecurity issues.
Zero Trust, introduced by analyst Forrester Research, is an alternative architecture for IT security, defined by the principle of "never trust, always verify". In essence, a Zero Trust model dictates that access privileges are only granted based upon multiple factors, even for those users inside the firewall. The goal of Zero Trust is to prevent lateral movement within the network, while also preventing outsiders from accessing resources. In other words, Zero Trust security requires strict identity verification for every person and device trying to access resources on a private network.
Leonard added: "Zero Trust can be very effective in preventing insider attacks and compromises fueled by password or credential hacks, yet Zero Trust requires a different mindset."
Yet for all its promise, Zero Trust has taken a back seat to other security models, as evidenced by a recent survey revealing that Zero Trust methodologies are not high on the to-do lists of enterprise security professionals.
The survey, which was commissioned by identity management purveyor Okta, polled over 1,000 IT, security, and engineering decision makers from global companies with at least $1bn in revenue. The survey revealed that 60 percent of respondents were working towards or planning to bring Zero Trust into their security practices; an indicator that Zero Trust adoption still has a long way to go. Yet, that can mean opportunity for savvy integrators looking to promote a more secure methodology for protecting assets, especially in light of digital transformation and cloud adoption projects.
The survey also revealed that large organizations are adopting cloud apps to supplement their on-premise systems. While 75 percent of respondents run at least some apps in the cloud, a majority of large companies plan to still have at least one third of their applications running on-premise. Sixty-two percent of respondents were over 30 percent of their way to that end state, sending a signal that while respondents' cloud journeys are early, many are well on their way.
That journey to the cloud can complicate cybersecurity, simply because line-of-business applications may be scattered across different cloud providers, making privilege management that much more difficult. To deal with that particular concern, as well as extend cybersecurity protections to contractors, remote workers and partners, many enterprises have turned to multi-factor authentication (MFA) or one-time-use passwords. Fifty-four percent of respondents use software-generated one-time passwords, 36 percent use physical and U2F tokens, and 30 percent use biometrics-based factors. Ultimately, the spectrum of potential authenticators illustrates how wide-ranging the approach to security can be, even among global companies.
Ultimately, the survey spells out the variety of security solutions in use and the reliance on MFA and other password-driven technologies to address what should be an issue of establishing trust. For the channel, that spells opportunity.
Numerous vendors are playing in the Zero Trust space, each with their own approach, yet with the same goal of establishing access management defined by policies. Several vendors, such as Akamai, Centrify, Cyxtera Technologies, Forcepoint, Fortinet, and Illumio have also created partner programs and are seeking MSPs and integrators to bring Zero Trust solutions to a potentially large market.
Although Forrester defined the Zero Trust model 10 years ago, it has been slow to take hold across enterprises. Yet the SME market is ripe for such a solution, and SMEs rely on integrators, MSPs, and solution providers far more than any other business segment. Simply put, there is no lack of technology to service that market; however, business culture may need to change to fuel that growth.
Leonard added: "As more businesses encounter breaches, compromises and ransomware, Zero Trust will become a much easier technology to sell."