The ever-escalating threat landscape has brought the industry to coalesce around a zero-trust architecture (ZTA). The idea of an environment where authentication and authorization are explicitly verified and only least privilege access gets granted, while systems are designed to minimize breach impact via segmented networks has become so widely accepted that the Biden administration specified a ZTA in its May 2021 executive order.
However, while a ZTA offers a powerful tool to secure today’s complex IT environments and reduce the attack surface, widespread deployment has been slow, according to CRA Business Intelligence’s September 2022 survey of 216 security and IT leaders.
The promised benefits of a ZTA are numerous — including continuous protection for users, data and assets and the ability to proactively manage identities and threats, consistently enforce security policies, and detect and respond to threats faster — but most respondents from the CRA survey still say their organizations have yet to transition to a zero-trust framework to improve cybersecurity.
Here are some important takeaways from the CRA survey:
- Zero trust is yet to be widely embraced by organizations as a standard framework for cybersecurity. At the time of this study, only 1 out of 4 respondents reported their organization has implemented zero-trust, although 30% are in the planning/evaluation stage and another 35% say they are considering it.
- Remote workforces and data protection are driving current and future zero-trust adoption for most respondents. The largest proportions of current and future zero-trust adopters reported their top primary drivers are to provide improved security for their remote workforces (60%) and data protection (59%). Also, roughly half of all respondents said increasingly higher security risks (50%) and the increase in ransomware threats and attacks (45%) have compelled their organizations to implement a zero-trust architecture. Specific industry security requirements are also driving zero- trust adoption. For example, regulatory requirements — a motivator for 33% overall, was considered a primary driver for 65% in the financial services sector and 42% at high-tech companies.
- The largest share of zero-trust adopters (83%) indicated they implement zero-trust for verifying identity: attributes that describe an agency user or entity. Zero-trust is also commonly used for securing devices and endpoints (70%) and internal, wireless, or internet network/environments (64%). This differs slightly for those considering or planning zero trust: nearly 3 of out 4 (71%) said they are considering or planning to implement it to help safeguard devices and endpoints, followed by network/environment (61%) and identity (60%).
- Based on respondents’ comments overall, implementing zero trust is perceived as a significant undertaking by zero-trust adopters and non-adopters alike. Technical execution was frequently identified as a struggle for organizations implementing zero trust, as is the impact of zero trust on end-user friction and productivity. Among those who said their organization is not using, planning, or considering a zero-trust model, nearly 1 in 4 (23%) believed it would be too difficult to transition to a full zero-trust security model, while the same proportion said they didn’t have the budget to support it. However, the two main barriers indicated by nearly 1 in 3 respondents (31%) are the lack of knowledge about zero trust and not getting buy-in from their senior management.
On a more positive note, slightly more than half (55%) of all respondents can be characterized as “zero-trust champions” based on their status of implementing zero trust and their perception of its overall importance. Champions are typically from large organizations with sizable IT teams. They believe a zero-trust model is either a very important (54%) or extremely important (43%) component of their organization’s overall cybersecurity strategy. Most of those in this segment (65%) are driven by data protection as their top motivator for zero trust, and the majority (83%) of them who currently implement zero trust do so to verify identity.
