As more organizations continue to support remote work and work from anywhere initiatives, the zero-trust network security model (ZTNA) is top of mind for many CISOs. The consensus is that it's time to abandon less secure traditional perimeter-based approaches and include zero-trust as part of a comprehensive cybersecurity strategy.
Fortinet recently surveyed 472 cybersecurity professionals and business leaders worldwide to learn how far along organizations are in their zero-trust journey. The findings from this report have implications for CISOs because even though many organizations may have a vision for the zero-trust security model, it's not necessarily being implemented effectively.
Based on the responses to the survey, we encourage CISOs working on zero-trust initiatives to consider these questions and how they relate to their own organizations.
One of the most positive findings in the survey is that respondents believe in the zero-trust philosophy. Further, a majority reported that they have a zero-trust and/or zero-trust network access strategy in development or in place. In fact, 40% report that their strategy is fully implemented.
That said, a far more troubling response was to the question regarding the gaps that still need to be addressed. More than half of the respondents still don't have the ability to authenticate users and devices on an ongoing basis and are struggling to monitor users post-authentication.
Because these functions are critical tenets of the zero-trust philosophy, we have to wonder exactly what type of zero-trust implementation these organizations have actually put in place. The lack of user and device authentication and monitoring indicates that some serious security issues still need to be addressed. Although the survey respondents may think they've implemented zero-trust, maybe they really haven't. At a minimum, their deployments are undoubtedly incomplete.
No matter how you look at it, the lack of security is a cause for concern. Those CISOs currently working on zero-trust initiatives should view this disconnect between strategy and reality as a cautionary tale. Literally having a false sense of security isn't doing anyone any favors, so take a close look at your implementation and plans. Are they complete?
For example, zero-trust is often associated with cloud applications, but if your organization isn't operating solely in the cloud, your users don't just need access to cloud applications but also to applications located at a data center or branch location. What’s more, zero-trust shouldn't just be for off-site workers; it should also provide protection for people located at the office or on the road. Everything should be secured with consistent policies and controls across all of the operating environments, especially across multiple clouds.
Selecting products that work well together reduces the likelihood of security gaps. And by assembling the necessary pieces of zero-trust security under the umbrella of a single platform, you can move forward with zero-trust strategies that work no matter where your users, devices, or resources may be located.
The second finding that has implications for CISOs is the relative difficulty respondents had in implementing their zero-trust initiatives. Many vendors make the process sound easy, but for many organizations, it's quite the opposite. Because while the survey respondents reported that they understand zero-trust concepts, more than 80% felt that implementing a zero-trust strategy across an extended network wasn't going to be easy. Further, a majority (60%) said they thought it would be moderately or very difficult, and another 21% said it would be extremely difficult.
Almost all of the survey respondents acknowledge the fact that zero-trust security solutions need to be integrated with their infrastructure, work across cloud and on-premises environments, and be secure at the application layer. But at the same time, they admit the importance of integration and report that finding a qualified vendor with a complete solution is a challenge.
Organizations must implement both zero-trust access (ZTA) and zero-trust network access (ZTNA) to identify and classify all of the users and devices that seek network and application access, assess their state of compliance with internal security policies, automatically assign them to zones of control, and continuously monitor them, both on and off the network. Overall, it's easier to use solutions and products that are integrated by design because they're simpler to deploy, configure, and maintain.
While zero-trust is not a cakewalk by any means, taking a platform approach to zero-trust does simplify matters. A cybersecurity mesh platform, for instance, is a collection of products designed and verified to work together and is more effective for complex solutions than trying to cobble together various point products. If you select a platform that has an open ecosystem, you can have a wide variety of vendors across the solution. But because they are all designed and tested to work together, your task of deploying that solution is much easier when using a platform.
The increase in breaches and ransomware is in the news constantly, and as intrusions continue to rise, organizations are looking for solutions. For this reason, CISOs should include zero-trust solutions in their strategies, but they should also make sure their plans reflect reality.