
Companies Pursue Zero Trust, but Implementers Are Hesitant

Almost three-quarters of enterprises plan to have a zero-trust access model by the end of the year, but nearly half of cybersecurity professionals lack the knowledge to implement the right technologies, experts say.

Worried about protecting data, the likelihood of breaches, and the rise of insecure endpoint and Internet of Things (IoT) devices, companies are looking to technologies and security models that focus on continuous authentication, experts say.

On February 4, survey firm Cybersecurity Insiders published its "Zero Trust Progress Report," finding that two-thirds of surveyed cybersecurity professionals would like to continuously authenticate users and devices and force them to earn trust through verification, two foundational tenets of the zero-trust model of security. Yet while the average cybersecurity professional is confident he or she can apply the zero-trust model in their environment, a third of respondents had little confidence, and 6% were not confident at all, the report found.

Other studies have reached a similar conclusion: The concept of a zero-trust architecture, now a decade old, appears ready to go mainstream, but cybersecurity professionals remain uncomfortable with its implementation, says Jeff Pollard, vice president and principal analyst with Forrester Research, the analyst firm that coined the model in 2010.

"Zero trust is one of those initiatives that is being driven from the top-down perspective," he says. "Previous models, security architectures — were very practitioner-driven. They were very organic and grew over time. ... But because zero trust is a different model and a different approach, it is going to take time for all the practitioners out there to become ultimately familiar with what this looks like from an operations standpoint."

The zero-trust concept evolved as a reaction to the disappearance of the network perimeter, as personal smartphones and other devices became widely used by employees at the office and as more workers did their jobs remotely. While old models of network security assigned trust based on location — anyone in the office was often trusted by default — zero-trust models focus on users and context. 

Those components also create the biggest challenges for companies, according to the survey, which was sponsored by network security firm Pulse Secure. Most companies (62%) have to worry about over-privileged employees accessing applications as well as whether partners (55%) are only accessing the resources assigned to them. About half of respondents (49%) are worried about vulnerable mobile and rogue devices in their networks.

"Digital transformation is ushering in an increase in malware attacks, IoT exposures, and data breaches, and this is because it's easier to phish users on mobile devices and take advantage of poorly maintained Internet-connected devices," Scott Gordon, a spokesman for Pulse Secure, said in a statement. "As a result, orchestrating endpoint visibility, authentication, and security enforcement controls are paramount to achieve a zero-trust posture."

The result is that companies have to move their entire infrastructure to the new model to realize the overall benefits of a zero-trust approach — one of the reasons that the process has taken so long, says Forrester's Pollard.

"They cannot take what they have done in the past, and forklift it over to the new architecture — taking an existing infrastructure and porting it over," he says. "There is just so much technical debt in the old environment. Instead, we recommend taking a more thoughtful approach."

Security practitioners should first focus on using the zero-trust approach for cloud services, which are often new projects and which do not have much security debt. With the move, companies could also find new ways of accomplishing zero trust, such as security-as-a-service (SaaS) models.

The hesitation on the part of companies surveyed by Cybersecurity Insiders is understandable, says Holger Schulze, founder and CEO of the firm.

"Some organizations are hesitant to implement zero trust as SaaS because they might have legacy applications that will either delay, or prevent, cloud deployment," he said in a statement. "Others might have greater data protection obligations, where they are averse to having controls and other sensitive information leaving their premises, or they have a material investment in their data center infrastructure that meets their needs."

Done right, zero trust should not be any more expensive than the perimeter-focused security that most companies use today, says John Kindervag, field chief technology officer for security firm Palo Alto Networks and the person credited with formalizing the zero-trust model.

"Zero trust is not more costly than what is being done today — in fact, we typically see significant savings in capital expenditures, because often multiple technologies are collapsed into a single one or legacy technology is not needed in a zero-trust environment," he says. "We also see significant savings in operational expenditures, because smaller teams can effectively operate zero-trust environments."

Finally, companies need to focus on educating not just the practitioners but the users as well, says Forrester's Pollard. New tools and systems are necessary, but the user is essential, he says.

"Make sure that you understand that the user is at the epicenter of the zero-trust model," he says.


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
