Zero Trust isn’t a new concept, but it has emerged over the past year as a critical security framework especially well suited to the needs of an increasingly agile and distributed remote workforce, who face new and more sophisticated security threats whenever they work outside the protection of corporate networks.
First defined by John Kindervag at Forrester over a decade ago, Zero Trust embraces the idea of ‘least privilege.’ Unlike traditional VPNs, remote access solutions based on Zero Trust will grant access only to the specific application, service or resource that the user has explicit permission to request, and nothing more. For legitimate users, there is practically no difference. But for organizations, this has enormous benefits, as it stops unauthorized lateral movement through the network.
Granular policies enable tighter controls
When applied in this way to the field of secure remote access, Zero Trust tools can provide far more granular policy and user-access controls – allowing IT, network or security teams to set strict parameters that protect users and corporate resources. The most important thing is to establish the authenticity of the user’s identity, which can be several ways, such as by confirming device signatures and OS information, by verifying various user credentials, user location and even the time of day. There are literally dozens of parameters that IT teams can choose from to authenticate a user.
Despite all of the media coverage, Zero Trust has taken a while to gather steam. There are various possible reasons for this, but part of it may be due to some lingering confusion about Zero Trust – it is a broad-ranging concept after all. The fact is, there is still a disparity between the number of IT pros who say they have begun implementing Zero Trust and those that have actually adopted technologies like software defined perimeter (SDP) or zero trust network access (ZTNA) that embrace its principles.
Many IT Pros Claim to Have Started Their Journey to Zero Trust… Yet Few Are Using ZTNA or SDP Technology
While 62% of organizations claim to be adopting Zero Trust as part of their cybersecurity approach, according to NetMotion’s latest survey of 750 global IT professionals, just 15% have adopted ZTNA or SDP solutions. By comparison, adoption of these new remote access solutions lags significantly behind that of VPNs, which remain the most popular cloud security solution with roughly 54% adoption.
But if most organizations aren’t yet using ZTNA, what Zero Trust solutions are IT pros using? And are they being effective?
Given the relative maturity of the organizations surveyed, and their limited investment in ZTNA, another possible explanation is that IT leaders may be overestimating their own capabilities. Alternatively, their organizations may have just started adopting Zero Trust in very limited ways, as an entry point towards Secure Access Service Edge (SASE).
Ultimately, reaching a truly Zero Trust environment is a journey. Some vendors have made unrealistic claims that the VPN is dead, or that it’s time to “kill the VPN,” but the reality is that switching to Zero Trust is not like flipping a switch, which would require a very costly and very disruptive forklift upgrade. In practice, most organizations are likely to require two or three years to get to the other side of their Zero Trust transition, which may also include other elements of a SASE framework such as CASB (if their resources are 100% in the cloud), or Secure Web Gateways (SWG).
Adopting a phased approach that leverages both a cloud VPN and SDP/ZTNA technology in the short term is often the best way to get started with Zero Trust and SASE. However, with the line between networking and security technologies becoming increasingly blurred each year, the question becomes who should be responsible for implementing new technology?
IT Teams are Three Times More Likely to be Driving SASE Implementation
Regardless of geography, IT is overwhelmingly the team pushing the move to SASE, a pattern that is also consistent across industries. In fact, NetMotion’s latest research found that IT is between two and three times more likely than security or networking teams to be responsible for setting their organization’s SASE strategy.
By comparison, companies in the UK tend to be influenced more by their security teams than in other markets, while German companies are more likely to be influenced by their networking teams. Interestingly, Japan is significantly more likely to have management (or non-technical team members) pushing for adoption of SASE than other regions.
Ultimately, however, there is no right answer for who or which team has to be responsible for implementing Zero Trust. That’s something that IT leaders will need to work on with their networking and security team counterparts, as they search for the best mix of vendors to meet SASE requirements across their broader technology stack.
To learn more about how Zero Trust can be implemented as part of an organization’s journey to SASE, download our new report.