Survey finds gaps in zero-trust implementation

Image courtesy of FLY:D

A Fortinet survey learned that while many organisations have a vision for zero-trust, that vision isn’t necessarily being translated into the solutions they’re able to put in place. And granting too much trust can have dire consequences.

In cybersecurity, zero-trust has been a contentious topic for years. Instead of assuming anyone or anything that has gained access to the network can be trusted, zero-trust assumes the opposite: nothing can be trusted anywhere, whether outside or inside the network perimeter.

According to IBM, the global average cost of a data breach is now 4.24 million USD. Thus, it is no surprise that more organisations are looking to shift from implicit trust to zero trust.

The gap between ideas and reality

Fortinet’s survey also found that organisations see the benefits of the zero-trust security model. When organisations were asked what they perceived as the most significant benefit of a zero-trust solution, 22% said, “security across the entire digital attack surface,” followed closely by “better user experience for remote work”.

Image courtesy of Fortinet

Not only do organisations believe in zero-trust, a vast majority of the respondents reported that they already have a zero-trust and/or ZTNA (zero-trust network access) strategy in place or in development. And 40% report that their strategy is fully implemented.

Image courtesy of Fortinet

But here’s where zero-trust ideas encounter problems: more than half of the respondents don’t have the ability to authenticate users and devices on an ongoing basis and are struggling to monitor users post-authentication.

Image courtesy of Fortinet

These functions are critical tenets of the zero-trust philosophy, which makes one wonder what type of zero-trust implementation these organisations actually have. It’s possible that although the survey respondents feel they have implemented zero trust, they may not truly have done so. Or perhaps, that they have incomplete deployments.

Either way, the resulting lack of security is concerning.

Maybe zero trust is harder than we thought

Interestingly, although respondents reported that they understand zero-trust concepts, more than 80% felt that implementing a zero-trust strategy across an extended network wasn’t going to be easy. Most of them (60%) report it would be moderately or very difficult, and another 21% said it would be extremely difficult.

Survey respondents almost universally acknowledged that it is vital for zero-trust security solutions to be integrated with their infrastructure, work across cloud and on-premises environments, and be secure at the application layer.

Image courtesy of Fortinet

However, even realising the importance of integration, the most prominent challenge that organisations report facing in building a zero-trust strategy is the lack of qualified vendors with a complete solution.

Image courtesy of Fortinet

Zero trust needs to happen

With more organisations supporting remote work and work-from-anywhere initiatives, zero-trust is not likely to go away. The more people work from anywhere, the less secure a traditional perimeter-based approach becomes. Because the zero-trust philosophy is about “securing work and learning everywhere,” it is a good way to secure hybrid working models and should be included as part of any comprehensive cybersecurity strategy.

An effective zero-trust solution requires elements designed to work together as an integrated system to prevent the types of security and management gaps that have challenged survey respondents.

Such an approach enables proactive, integrated, and context-aware security that automatically adapts to where users are, what device they are using, and what resources they are accessing.