Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations //

Identity & Access Management

Companies Pursue Zero Trust, but Implementers Are Hesitant

Almost three-quarters of enterprises plan to have a zero-trust access model by the end of the year, but nearly half of cybersecurity professionals lack the knowledge to implement the right technologies, experts say.

Worried about protecting data, the likelihood of breaches, and the rise of insecure endpoint and Internet of Things (IoT) devices, companies are looking to technologies and security models that focus on continuous authentication, experts say.

On February 4, survey firm Cybersecurity Insiders published its "Zero Trust Progress Report," finding that two-thirds of surveyed cybersecurity professionals would like to continuously authenticate users and devices and force them to earn trust through verification, two foundational tenets of the zero-trust model of security. Yet while the average cybersecurity professional is confident he or she can apply the zero-trust model in their environment, a third of respondents had little confidence, and 6% were not confident at all, the report found.

Other studies have found a similar conclusion: The concept of a zero-trust architecture, now a decade old, appears ready to go mainstream, but cybersecurity professionals remain uncomfortable with its implementation, says Jeff Pollard, vice president and principal analyst with Forrester Research, the analyst firm that coined the model in 2010.

"Zero trust is one of those initiatives that is being driven from the top-down perspective," he says. "Previous models, security architectures — were very practitioner-driven. They were very organic and grew over time. ... But because zero trust is a different model and a different approach, it is going to take time for all the practitioners out there to become ultimately familiar with what this looks like from an operations standpoint."

The zero-trust concept evolved as a reaction to the disappearance of the network perimeter, as personal smartphones and other devices became widely used by employees at the office and as more workers did their jobs remotely. While old models of network security assigned trust based on location — anyone in the office was often trusted by default — zero-trust models focus on users and context. 

Those components also create the biggest challenges for companies, according to the survey, which was sponsored by network security firm Pulse Secure. Most companies (62%) have to worry about over-privileged employees accessing applications as well as whether partners (55%) are only accessing the resources assigned to them. About half of respondents (49%) are worried about vulnerable mobile and rogue devices in their networks.

"Digital transformation is ushering in an increase in malware attacks, IoT exposures, and data breaches, and this is because it's easier to phish users on mobile devices and take advantage of poorly maintained Internet-connected devices," Scott Gordon, a spokesman for Pulse Secure, said in a statement. "As a result, orchestrating endpoint visibility, authentication, and security enforcement controls are paramount to achieve a zero-trust posture."

The result is that companies have to move their entire infrastructure to the new model to benefit from the overall benefits of a zero-trust approach — one of the reasons that the process has taken so long, says Forrester's Pollard.

"They cannot take what they have done in the past, and forklift it over to the new architecture — taking an existing infrastructure and porting it over," he says. "There is just so much technical debt in the old environment. Instead, we recommend of taking a more thoughtful approach."

Security practitioner should first focus on using the zero-trust approach for cloud services, which are often new projects and which do not have much security debt. With the move, companies could also find new ways of accomplishing zero trust, such as security-as-a-service (SaaS) models.

The hesitation on the part of companies surveyed by Cybersecurity Insiders is understandable, says Holger Schulze, founder and CEO of the firm.

"Some organizations are hesitant to implement zero trust as SaaS because they might have legacy applications that will either delay, or prevent, cloud deployment," he said in a statement. "Others might have greater data protection obligations, where they are averse to having controls and other sensitive information leaving their premises, or they have a material investment in their data center infrastructure that meets their needs."

Done right, zero trust should not be any more expensive than the perimeter-focused security that most companies use today, says John Kindervag, field chief technology officer for security firm Palo Alto Networks and the person credited with formalizing the zero-trust model.

"Zero trust is not more costly than what is being done today — in fact, we typically see significant savings in capital expenditures, because often multiple technologies are collapsed into a single one or legacy technology is not needed in a zero-trust environment," he says. "We also see significant savings in operational expenditures, because smaller teams can effectively operate zero-trust environments."

Finally, companies need to focus on educating, not just the practitioners, but the users as well, says Forrester's Pollard. New tools and systems are necessary, but the user is essential, he says.

"Make sure that you understand that they user is at the epicenter of the zero-trust model," he says.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "C-Level & Studying for the CISSP."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-17
An issue was discovered in Quali CloudShell 9.3. An XSS vulnerability in the login page allows an attacker to craft a URL, with a constructor.constructor substring in the username field, that executes a payload when the user visits the /Account/Login page.
PUBLISHED: 2021-01-17
Netsia SEBA+ through 0.16.1 build 70-e669dcd7 allows remote attackers to discover session cookies via a direct /session/list/allActiveSession request. For example, the attacker can discover the admin's cookie if the admin account happens to be logged in when the allActiveSession request occurs, and ...
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
PUBLISHED: 2021-01-15
Docker Desktop Community before on macOS mishandles certificate checking, leading to local privilege escalation.
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...