The Cloud Security Alliance (CSA) on Monday released a new study that found some 77% of respondents are increasing their spend on zero trust over the next 12 months.

CSA’s study, released on the first full day of the RSA Conference, was based on responses from more than 800 IT and security professionals. The study polled the security pros on where zero trust falls as a priority within their organization and the top business and technical challenges they have encountered over the course of its implementation.

The study also found that 80% of C-level executives have zero trust as a priority for their organizations, and some 94% are in the process of implementing zero trust.

“The philosophy of zero trust has the potential to fundamentally reshape our approach to securing the technology we use across the board over the course of the next few years,” said Jim Reavis, the CSA’s chief executive officer. “Arriving at this destination requires greater clarity and a common understanding of zero-trust principles as well as articulating concise strategies and adopting the appropriate frameworks. This survey is data rich and should be carefully contemplated by the industry to identify the roadblocks and opportunities for pervasive zero-trust.”

Chris Olson, chief executive officer at The Media Trust, said CSA’s survey shows that private industry has followed in the footsteps of federal agencies — and that’s a good thing. Olson said zero trust has emerged as the best response to security threats from a range of sources: by strictly limiting network permissions even to trusted partners and employees, organizations can limit the reach and impact of insider threats, malicious actors, and vendors compromised by software supply chain breaches.

“Implementing a zero-trust architecture (ZTA) entails transformation and a radical change of mindset, so it remains to be seen whether most organizations are up for the challenge,” Olson said. “Ultimately, zero-trust only works if it’s applied consistently, and organizations that aim to adopt it should apply a zero-trust approach across all technology domains, including their digital ecosystem, apps and web services.”

Artur Kane, vice president of product at GoodAccess, added that hybrid and remote work have now firmly established themselves in the work patterns of companies all over the world. During the first COVID-19 lockdown, Kane said many businesses turned to remote access technologies (mostly VPN) to enable telework for their employees. As a permanent solution, Kane said simple remote access solutions fall short of the requirements modern companies have in their increasingly distributed and decentralized networks.

“Zero-trust technologies are ready for this world and combine encryption, strong identity-based authentication, network segmentation, threat blocking, device protection, monitoring and in case of cloud-delivered ones, even a global company connectivity,” Kane said. “Just as fast as the remote access to a perimeter-protected local network model is sinking into obsolescence, zero trust has turned from a somewhat realistic concept to a commodity in a very short time. In 2022, we are approaching the peak of the hype, and while zero-trust technologies are now generally available and simple to implement, we still have a few years until it becomes the default means for digital company online protection.”

Ratan Tipirneni, president and CEO of Tigera, said zero-trust security has become critical for protecting IT assets and workloads — it’s no wonder why it’s such a priority for CISOs. Tipirneni said by not granting implicit trust to anyone with access to the network, the organization can prevent insider threats of any kind — including malicious threats and careless or accidental damage — from risking the network and its assets.

“Zero trust is especially important for applications in the cloud,” Tipirneni said. “Cloud-native workloads are dynamic, distributed, and ephemeral and do not have fixed network addresses. Traditional methods such as network firewalls, which rely on fixed network addresses, are insufficient to specify access controls at a granular workload level. However, granular zero-trust workload access controls are essential for cloud-native application security and compliance. Without such controls, an advanced persistent threat can take control of a pod and exfiltrate data.”