Given all the hype surrounding zero trust over the past few years, those in the industry might reasonably expect that most organizations would have implemented it by now, or at least be in the advanced stages of doing so.
However, research from CyberRisk Alliance Business Intelligence based on 300 responses from IT and security decision-makers and influencers found that most security pros still find zero trust a vague concept. The CRA research, which was sponsored by Attivo Networks and HP Wolf Security, reports that only 35% of respondents believe they are very familiar with zero trust and are knowledgeable about the framework and controls. The remaining two-thirds say they have just a modest understanding of zero trust with limited knowledge about the concepts and controls.
CRA researchers say deployment has been slowed by an ongoing struggle to fully comprehend the elements that embody zero trust and how to put all the pieces together. But the heightened threat landscape has left respondents open to the basic zero-trust concept as a way to give them a fighting chance against stealthy attackers in the coming months, although organizations will find implementation challenging without the knowledge, budget, management support and prioritization focus.
According to the CRA research, at least in the near term, management support and budget limitations are hindering zero-trust adoption. The primary barriers for organizations that have yet to adopt zero-trust programs are lack of management support (26%) and budget limitations (23%). Other issues among non-adopters include the following: lack of prioritization (15%), lack of knowledge (13%), and lack of qualified staff to implement (10%).
What’s driving implementation? Follow the leaders
As part of the research, CRA set up a “Champions” segment of 70 responding companies that had sufficient budget, met the technical qualifications, had management support, and had knowledge of zero trust and of how to implement it.
CRA found that 64% of the “Champions” group use the NIST Cybersecurity Framework and another 50% use the NIST SP 800-207 Zero-Trust Architecture Model. The top components of the group’s zero-trust models and strategies included the following: identity and access management (86%); data protection (84%); cloud security controls (84%); network controls (80%); and endpoint controls/host intrusion prevention (77%).
The top areas where “Champions” apply zero-trust processes include: cloud apps and services (86%); network operations (80%); data center (77%); and the security operations center (70%). The top applications where zero trust gets applied include: web and cloud applications (89%); databases and other data center applications (82%); mission-critical servers such as DNS and web servers (82%); and critical OT/IT applications (80%).
When deploying a zero-trust architecture into existing environments, NIST recommends enterprises consider starting small and expanding. NIST Special Publication 800-207 details how enterprises should look for ideal situations to introduce zero-trust processes and how the move to zero trust can take place one step at a time. NIST says enterprises need to make sure that the common elements of the program, such as identity management, device management and event logging, are flexible enough to operate in both zero-trust and non-zero-trust security environments. Organizations must also look to zero-trust tools that will interface their APIs with existing systems and security tools.