More APAC firms use zero trust but talent crunch, UX issues persist

By now, the concept of zero trust is not new to most organisations in Asia-Pacific, especially after close to three years of remote and hybrid working, which have fuelled a rethink of how cyber defences are set up.

Today’s cloud-first approach to IT has meant that old perimeter defences are no longer enough. Users are bypassing their office servers: They connect from home, a cafe, or elsewhere directly to the cloud.

Thus, it is not surprising that more Asia-Pacific organisations have embraced zero-trust security initiatives of late, according to The State of Zero Trust Security in Asia Pacific 2022 study commissioned by Okta.

About 50% of them have implemented zero-trust initiatives, up by a significant 18 percentage points from a year ago. However, this growth rate is still lower than the global figure of 31%, showing that Asia-Pacific organisations are lagging their counterparts elsewhere.

Perhaps more worryingly, Asia-Pacific organisations are also slower to recognise the importance of leaving passwords behind in the quest for stronger security, and of identity and access management (IAM) in combating increasingly sophisticated cyberthreats.

Of all organisations worldwide, those in Asia-Pacific had the lowest adoption of passwordless access, with only 0.5% having implemented the feature and only 10% planning to implement it in the next 18 months.

This means they are behind the curve in terms of their zero-trust efforts, because an identity-first approach is paramount to this new way of securing one’s digital assets.

If an IT environment is set up to “trust no one” without the right credentials, then those who need to access files, devices, and other digital assets need to have an effective, secure, and fuss-free way to identify themselves.

Passwords, frequently phished and stolen from users, are weaker than new passwordless authentication methods, which include facial recognition and other biometric authentication methods that are ubiquitous on mobile devices today.

Unfortunately, the disconnect in Asia-Pacific organisations also calls into question how effective their zero-trust setups can be in future, especially when coping with new dynamic threats.

Why identity first and zero trust

The good news is that Asia-Pacific organisations do see the importance of identity-first security. In Okta’s study of 700 senior decision makers, the importance of identity to overall zero-trust security strategy is rated at 83% while an additional 15% say identity is business-critical.

Putting this into action is key. For organisations, the way forward is stronger security and IAM. By integrating this with other critical security solutions, organisations can set up a powerful central control point for intelligently governing access among users, devices, data, and networks.

The goal is to enable seamless, convenient access with watertight security to provide a high-quality user experience. Having users on board is important to the success of zero-trust efforts.

Road bumps ahead

To be sure, identity-first and zero-trust security are not something that can be set up overnight. For many organisations, these require a re-architecting of the network, segmenting it into various parts accessible by users with varying credentials.

At the same time, organisations need to set up a zero-trust policy that gives authorised users access to digital assets. This needs to be tested and monitored to see if performance is impacted, and if users are able to access their resources effectively and securely.

Here, organisations often run into a few familiar problems. The first of these involves the lack of skilled talent, which is a direct result of the global talent crunch.

According to the Okta study, 31% of Asia-Pacific organisations cited talent and skills shortages as a challenge, followed by a lack of stakeholder buy-in and lack of awareness of zero-trust security solutions (both cited by 18% of respondents).

There is also a fear of jeopardising user experience if upgrades are not executed well. With much emphasis being placed on online collaboration and team dynamics, the last thing an IT leader wants is to jeopardise the effectiveness of team members with a zero-trust setup that is too onerous or difficult to use.

What is needed is a security model that is agile, holistic and centred on identity. To get there, organisations have to carry out more testing, taking on user feedback, and monitoring and analysing for signs of problems, such as login failures.

Organisations also need to educate the departments they work with to build consensus and establish the need to advance zero-trust initiatives. They need to look to their peers within other enterprises to find inspiration to help orchestrate their organisational approach.

Finding the right partner

With the talent crunch today, it becomes even more important to collaborate with well-established IAM and security experts who can deliver a solution to form the basis of a secure network for the long term.

To start, subject matter experts can help conduct an audit and identify areas for improvement to determine where an organisation is in terms of zero-trust maturity.

No two organisations are perfectly similar, but they can still turn to plug-and-play options from proven solutions in the market, instead of building solutions from scratch with limited in-house expertise. In other words, there is no need to start from the ground up.

Ultimately, what an organisation should seek to achieve with next-gen IAM and security is improving user experience while bolstering security for the future.

The disruptions caused by the pandemic presented organisations with a challenge, as well as an opportunity to rethink how security should be set up in today’s modern enterprise. It reminded them that the old model was not fit for purpose, certainly not for the long term.

Now, as post-pandemic hybrid workstyles and usage patterns become the new normal, security will be even more important to an organisation’s success.

Organisations that switch to zero-trust and identity-first security effectively will have a strong foundation that enables them to compete effectively in the digital economy, without being dragged back constantly by nagging security concerns.