When Okta speaks, the IT world listens. They’ve just released a report called The State of Zero Trust Security in Global Organisations and given the fact that three-quarters of the world is now working from home, it has never been more important to put trust in tech rather than in people.
That may sound a bit brutal but it’s the choice between meeting the access and usability demands of today’s employees or being the lead character in the next episode of Massive & Catastrophic Data Breaches: When Cyberbaddies Attack.
To quote the estimable Cameron Poe in Con Air, ‘there’s only two men I trust. One of them is me. The other is not you.’ A methodology that businesses will do well to adhere to, especially as zero trust has been upgraded from ‘buzzword’ to ‘seriously, you still haven’t adopted it yet?’
To Recap – What Exactly Is Zero Trust?
It was originally developed way back in 2009 (the year we were introduced to e-readers, smartphones, the explosion of Facebook and Twitter, apps as the norm and the very short-lived Google vs Bing war) by an analyst at Forrester Research called John Kindervag.
He dismissed the idea that businesses should have a ‘trustworthy’ internal network and an ‘untrustworthy’ external network. In order to meet – as we mentioned above – the access and usability demands of today’s discerning employees, companies moved towards ‘a more robust and comprehensive security posture that’s centered around the zero trust principle of “never trust, always verify.”’
Put simply, it is a security model based on the principle of maintaining strict access controls and not trusting anyone as the default position, even those already inside the network perimeter.
Modern Security For A Perimeter-Less World
The implications of a perimeter-less IT environment have been amplified given what we’re currently going through.
‘Since this focus on remote work enablement — ensuring the right people have the right level of access, to the right resources, in the right context — will persist long after the crisis ends, every security leader should be working towards a long-term zero trust strategy to protect their business.’
But is zero trust, in theory a great idea, a pipe dream in the real world? Many have wondered if it is really possible to achieve such an ideal, let alone ensure that individual access privileges are continually assessed without adding a layer of friction for the user.
We think it is but it involves a change of mindset. In order to achieve a zero trust environment, we need to replace the traditional network perimeter-centric view of security with an identity-centric view that guarantees secure access for all user types regardless of device, location or network.
The Okta State of Zero Trust Security in Global Organisations Report
Or TOSOZTSIGOR for short, is the result of a survey of 500 security leaders from around the world designed to learn more about how they are approaching identity-driven zero trust environments today and where they’re heading in the next year to 18 months.
It’s a very long report packed full of wonderful statistics and you can read it in its full glory here, but there are some very important takeaways, starting with how many businesses and organisations are even speaking the language of zero trust.
Takeaway 1: Modern, Zero Trust Security Has Taken Hold
Okta conducted the same research a year earlier (with only North American businesses) and there has been a staggering 275% year-on-year growth, up from 16% who had defined zero trust initiatives or plans to 60%.
The 2020 report included companies from around the world. While North America are the trailblazers, Australia and New Zealand aren’t too far behind on 50%, but it’s Europe and the Middle East who must hang their (our) collective heads in shame, lagging behind as they are on a paltry 18%.
Takeaway 2: The Role Of The API Economy Is Driving A Shift In Security
As digital business models evolve, businesses and organisations will demand seamless connections with external supply chains, emerging data sources and third-party technology systems.
In this connected environment, API security is critical. 21% of all organisations are planning projects to secure access to their APIs in the coming years, led by 40% of European businesses and 30% in Australia and New Zealand.
Takeaway 3: Device Dominates Risk Signal Priorities
More than ever before, businesses recognise the value of looking at risk signals beyond checking which networks their users are originating from. When determining the risk of access decisions, they’re elevating the importance of device health (as recommended by plenty of zero trust advocates).
In 2019, 55% of Okta’s respondents still listed the network as a top factor for context-based access decisions, but that drops to 20% this year. The key considerations companies — across regions and industries — now use in their access decisions are all about device posture and physical location.
Takeaway 4: We’re All In This Together
While the zero trust technology stack is expanding, there’s no silver bullet. With that said, businesses are leveraging identity and access management (IAM) to connect and optimise mitigation across their end-to-end security architecture.
- 76% of businesses outside North America plan to invest in security and event management systems over the next 12-18 months
- This year, just 11% of companies say they aren’t prioritising any new security integrations with IAM (down from 36% last year)
A clear indication that the majority of organisations recognise the need for a comprehensive approach.
Takeaway 5: Healthy Security, Happy Patients
By comparing a number of aspects of zero trust maturity across a selection of industries, it’s abundantly clear that the healthcare sector leads the way, topping the ranked list for almost every current and planned IAM initiative.
More than 90% of healthcare providers are already implementing single sign-on (SSO) for staff and over 40% plan to implement SSO for external users in the next 12 months – a number that will surely rise as the ripple effects of Covid-19 navigate their way through the industry.
‘Interestingly,’ says the report, ‘ownership over IAM technologies is completely in the hands of security teams at 40% of these organizations (more than twice the percentage of any other industry). Coincidence? We think not.’
Vox Populi, Vox Dei…
…or, ‘the voice of the people is the voice of God.’ OK, so maybe not God, but it’s worth listening to the people who know.
‘By 2021, 90% of web-enabled applications will have more surface area for attack in the form of exposed APIs rather than the user interface, up from 40% in 2019.’ Gartner
‘It used to be that security and convenience didn’t really go hand-in-hand. We’ve been able to raise our game in terms of cybersecurity and securing our environments, while providing a frictionless and convenient user interface.’ Jamshid Khazenie, CTO, USA Today Network
‘Okta was key to accelerating our evolution to a zero trust model. This was the identity plane where we could introduce so much of the control that we needed to have in order to assess who a person is. So it was actually a way to accelerate our thinking around zero trust.’
Melody Hildebrandt, Global CISO, 21st Century Fox
‘We consistently find that enterprises have the earliest and rapidest success if they focus on improving identity management and device security. These two core components of the Zero Trust eXtended (ZTX) ecosystem drive rapid risk reduction and build confidence with executives that the organization can realize security benefits from its Zero Trust program quickly.’
Practical Guide To A Zero Trust Implementation, Forrester Research
Like you, we don’t know if ‘rapidest’ is a word either.