In the face of never-ending threats and continued technology evolution, zero trust has quickly progressed from an intriguing idea and buzzword to a critical business imperative. Regardless of how advanced or how early their implementations are, all organizations are on this journey.
At the core of this zero-trust journey is identity, which serves as the front door to every user interaction, the heart of the remote work security challenge, and the foundation for making zero trust a reality. Recent survey data from Okta backs up that belief: 80% of security leaders call identity an important component of their overall zero trust security strategy, and a further 19% go so far as to call it "business critical."
Understanding Zero-Trust Evolution
The "Okta State of Zero Trust Security Report" introduces an identity adoption model that gives security practitioners clarity and direction about where they are in their zero-trust journey. This five-phase model shows companies how their peers are prioritizing identity projects today, and which initiatives they plan to focus on over the coming months.
Phase One: Traditional
Organizations in the first phase typically are at the beginning of their cloud transformation journey: They're either trying to anticipate the challenges of cloud adoption or they're already experiencing them. Their projects add layers of security to authentication so that the right people get access to the right resources, typically multifactor authentication (MFA) for employees and connecting the employee directory to business-critical cloud apps.
Okta's report highlights how almost every organization has either begun or is shortly planning to begin this critical step in their evolution, with 95% of respondents stating they plan to complete the first phase of their zero-trust initiatives over the next 12–18 months.
Phase Two: Emerging
In phase two, organizations typically are leaning more heavily on the cloud while securing and simplifying user access to increase security and productivity. They may adopt new tooling such as MFA for external users, enable self-service factor resets to reduce help desk costs, or automate provisioning and deprovisioning for applications.
Zero-trust and identity-first strategies highlight the need to extend authorization policies and standards across an organization's supply and partner ecosystem, and it is here that the survey shows the most room for progress. The Okta research found that while nearly 80% of respondents have extended SSO to their employees, only 38% said their companies have extended MFA to external users.
Phase Three: Maturing
Maturing organizations experience more complex challenges such as increased compliance and regulatory requirements, a hybrid infrastructure, and the need to support a large, dynamic workforce.
Meeting these challenges means extending identity and access management (IAM) beyond employees and the legacy network to accommodate a growing population of external users, as well as an expanding cloud or multicloud infrastructure. Organizations recognize the priority: adoption of MFA and SSO for infrastructure is set to jump from 31% today to 67% over the next 12–18 months, by 2023.
Phase Four: Elevated
In the elevated phase, organizations are consolidating or deprecating outdated tech and protecting the custom applications they identify as potential security weak points. To complete their digital transformation, they may add secure access to APIs, deploy proxy tools to modernize legacy technologies, or implement context-based access policies. Progress in this phase is uneven, because companies prioritize these projects at very different rates. For instance, roughly half of worldwide respondents already have implemented MFA across user groups (49%) and secured access to APIs (54%), but only 6% have implemented context-based access policies.
Phase Five: Evolved
By phase five, organizations have reached the stage where they can shift their focus away from implementing core zero-trust projects toward optimizing user life-cycle management, securing access to servers, and implementing passwordless access.
Projects in this phase include deploying secure passwordless access across the board or making access decisions at the data layer based on user and device posture. Okta report data shows that nearly 22% of respondents from financial services companies plan to adopt passwordless access options within the coming 12–18 months, with 16% of healthcare and software companies not far behind. However, only 7% of government institutions either already have passwordless access in place or are planning to do so.
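The context-based access policies named under Phase Four and the data-layer access decisions based on user and device posture named under Phase Five are the same mechanism: a policy engine that evaluates each request against who is asking, from what device, over what network, and with what authentication strength, rather than a static allow-list. The following is an added illustration, not code from Okta or from the report. The policy rules, the assurance-level scale, the network ranges and the sample requests are all assumptions chosen to show the shape of such a policy; a real deployment would take posture signals from an MDM or EDR agent and factor strength from the identity provider.

```python
"""Context-based access policy evaluation (added example; all names and thresholds are assumptions)."""
from dataclasses import dataclass
from enum import Enum
import ipaddress


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # continue only after a stronger authenticator is presented
    DENY = "deny"


@dataclass(frozen=True)
class Context:
    user: str
    groups: frozenset
    aal: int                 # assumed authenticator assurance level: 1 password only, 2 MFA, 3 phishing-resistant MFA
    device_managed: bool     # enrolled in the organization's device management (assumed posture signal)
    disk_encrypted: bool
    os_patch_age_days: int
    source_ip: str


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str         # "low", "high" or "restricted" (assumed classification scheme)
    allowed_groups: frozenset


# Assumed corporate address ranges; the network is a signal, never the sole basis for trust.
CORP_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def on_corp_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETWORKS)


def device_healthy(ctx: Context, max_patch_age: int = 30) -> bool:
    """Minimal posture check: managed, encrypted and patched within the assumed window."""
    return ctx.device_managed and ctx.disk_encrypted and ctx.os_patch_age_days <= max_patch_age


def evaluate(ctx: Context, res: Resource) -> tuple:
    """Return (Decision, reason). Rules are ordered so deny beats step-up, which beats allow."""
    # Rule 0: authorization first. No group membership means no access, whatever the posture.
    if not (ctx.groups & res.allowed_groups):
        return Decision.DENY, "not a member of an allowed group"
    # Rule 1: restricted data needs a healthy managed device; a bad posture cannot be repaired by a stronger factor.
    if res.sensitivity == "restricted" and not device_healthy(ctx):
        return Decision.DENY, "restricted resource requires a healthy managed device"
    # Rule 2: sensitive data needs MFA; a password-only session is sent to step-up rather than denied outright.
    if res.sensitivity in ("high", "restricted") and ctx.aal < 2:
        return Decision.STEP_UP, "MFA required for sensitive resource"
    # Rule 3: an unmanaged device off the corporate network may still reach low-sensitivity apps, but only with MFA.
    if not on_corp_network(ctx.source_ip) and not ctx.device_managed and ctx.aal < 2:
        return Decision.STEP_UP, "unmanaged device off the corporate network"
    # Rule 4: restricted data from outside the network needs a phishing-resistant factor.
    if res.sensitivity == "restricted" and not on_corp_network(ctx.source_ip) and ctx.aal < 3:
        return Decision.STEP_UP, "phishing-resistant factor required off-network for restricted data"
    return Decision.ALLOW, "all context checks passed"


# Constructed sample resources and requests used by demo(); none of this is real data.
PAYROLL = Resource("payroll-db", "restricted", frozenset({"finance"}))
WIKI = Resource("team-wiki", "low", frozenset({"finance", "eng"}))

SAMPLE_REQUESTS = [
    (Context("alice", frozenset({"finance"}), 2, True, True, 5, "10.1.2.3"), PAYROLL),      # healthy, MFA, on-net
    (Context("alice", frozenset({"finance"}), 2, True, True, 5, "203.0.113.7"), PAYROLL),   # same device, off-net
    (Context("alice", frozenset({"finance"}), 3, False, False, 90, "203.0.113.7"), PAYROLL),  # strong MFA, bad posture
    (Context("bob", frozenset({"eng"}), 3, True, True, 1, "10.1.2.3"), PAYROLL),            # not authorized at all
    (Context("bob", frozenset({"eng"}), 1, False, True, 10, "203.0.113.7"), WIKI),          # unmanaged, password only
]


def demo() -> list:
    """Evaluate the constructed requests and return the decisions in order."""
    return [evaluate(ctx, res)[0] for ctx, res in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (ctx, res), decision in zip(SAMPLE_REQUESTS, demo()):
        print(f"{ctx.user:6} -> {res.name:10} {decision.value:8} ({evaluate(ctx, res)[1]})")
```

The ordering of the rules is the design point. Group membership is checked before any posture signal, so context can narrow access but never widen it; a failed device check on restricted data is a hard deny rather than a step-up, because no additional factor makes an unpatched, unmanaged laptop a safe place to handle that data; and the corporate network only removes the phishing-resistant requirement, it never removes MFA. A real engine would also re-evaluate these signals during the session, not only at login.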
The Future of Zero Trust
The path to zero trust is continuous and still evolving, and maturity models like the one detailed in the Okta report will themselves evolve. What is critical for security practitioners and leaders alike is to work across the IT and security landscape, take stock of business goals and context, and prioritize the areas that not only minimize risk but also drive productivity and efficiency for the organization.
About the Author
Amanda Rogerson is a change agent who wants to disrupt the way you think about digital security and identity. Having worked with organizations globally across industries in various roles throughout her 20-year career, she is mindful of the impact new security practices have across organizations. As a self-proclaimed nerd, she likes to weave pop-culture references into her discussions to make topics relatable.