Constant connectivity and remote work have created valuable new opportunities for digital enterprises but are also posing significant challenges for IT and security teams. With the traditional network perimeter all but dissolved, decision makers in the security sphere are in need of new access management strategies that can protect critical systems from bad actors while simultaneously supporting secure, seamless connectivity for users. This is no easy ask, but it can be accomplished with a new approach to authentication.
In a recent paper entitled, “The State of Zero Trust Security 2022: Assessing identity and access management maturity in global organizations,” Okta examines the access management requirements of modern enterprises.
The paper is built around the findings of a survey, commissioned by Okta and conducted by Pulse Q&A, in which 700 security decision makers were interviewed. These decision makers serve as directors, VPs or C-level executives and they come from a range of industries, with a focus on financial services, software, manufacturing, healthcare and government. Geographically, the survey respondents are based in North America, EMEA and APAC, or work at companies in the Forbes Global 2000.
In this blog we’ll look at the key findings of the report and especially how access management approaches and plans have changed over time. We will also consider where the industry is expected to be 12-18 months from now.
Zero Trust is Gaining Traction – Fast
The perimeter-based approach to cybersecurity aimed, quite simply, to keep attackers from accessing the corporate network. In today’s highly distributed work landscape, this is no longer an adequate defense, and the zero trust security model has emerged as a more effective approach to preventing modern cyber threats.
As you’ve likely heard, the zero trust methodology is based on the adage “never trust, always verify.” Practically speaking, this means that no user or device is to be inherently trusted; instead, strong authentication, continuous authorization, and the principle of least privilege create an environment in which identities are verified and re-verified in an ongoing process. The detection of unusual or anomalous behavior ideally alerts an admin and leads to a further security check or removal of access privileges.
According to the Okta report, recent years have witnessed a dramatic change in the way companies approach zero trust. In 2019, merely 16% had a defined zero trust initiative in place or were planning to start one. This year, only three years later, the number has climbed to a whopping 97% – or, basically everyone! Once derided as just a buzzword, zero trust access solutions have become a must-have component of a successful cybersecurity arsenal.
Source: “The State of Zero Trust Security 2022” whitepaper, Okta
Drilling down into the actual state of zero trust implementation reveals that the upcoming 18 months will be critical. While the percentage of companies that have already implemented a zero trust initiative more than doubled in the past year, from 24% to 55%, a significant 42% of companies plan to start their zero trust initiatives in the upcoming 12-18 months.
Security, IT, and OT teams across organizations starting their zero trust journeys must carefully choose which vendors to work with – and they will undoubtedly be bombarded with competing offerings and persuasion techniques. On this front, the Gartner® Market Guide for Zero Trust Network Access is a good place to get started.
Source: “The State of Zero Trust Security 2022” whitepaper, Okta
Data and Devices: The Highest Zero Trust Priority
So, what exactly should be included in a zero trust initiative? Forrester and the Cybersecurity and Infrastructure Security Agency (CISA) have advocated a zero trust framework that examines six requirements: data, devices, network, people, workloads and analytics.
Based on this framework, the Okta survey found that data, i.e the protection and isolation of data, and devices, i.e the protection of devices accessing resources, were the two most important priorities for organizations, garnering 75% and 71%of the respondents’ answers, respectively. Following closely behind are the network, with 67% of respondents, and people with 62%.
Source: “The State of Zero Trust Security 2022” whitepaper, Okta
There are many ways to ensure the enforcement and protection of each of these pillars. For example, choosing vendors that don’t store customer data and ensuring device health is always recommended.
How to Take Action and Adopt Identity-Based Zero Trust
Given that zero trust is more of a philosophy and a framework than a prescriptive plan, the question must be asked – how can organizations take action? To this end, Okta has devised a five-step plan to help companies implement a zero trust strategy. This plan can also help organizations identify where they are in the zero trust journey and how they compare to peers, enabling them to set priorities and milestones for the upcoming months and years.
Nearly all (98%) the C-level executives surveyed identify identities as an important or business critical component in their zero trust plan. According to Okta, “ensuring that each person always has the right level of access to the right resource at the right time has never been more important for security, management, compliance, and many other core business concerns… But there is now a growing consensus among organizations around the world that an identity-first approach to Zero Trust lets organizations fully leverage IAM, by integrating it with other critical security solutions, into a powerful central control point for intelligently governing access among users, devices, data, and networks.”
The five stages of the Okta plan are:
Traditional: Organizations that have just started their cloud transformation. Projects include connecting employee directories to cloud apps and implementing MFA.
Emerging: Organizations that are expanding their cloud adoption while helping their remote and hybrid workforces securely and simply access organizational resources. Projects include MFA for external users, SSO, enabling self-services factor resets and automated application provisioning.
Maturing: Organizations that have developed processes for remote work and are in search of tools to provide a global workforce with 24/7 access and answer compliance requirements. Projects include extending SSO to external users, building policy requirements for SSO, enabling PAM to the cloud and integrating threat feeds into SIEM tools.
Elevated: Organizations that are in the final stages of completing their digital transformation by deprecating outdated legacy tech and protecting security weak points in custom applications. Projects include utilizing authentication across user groups, adding secure access to APIs, implementing context-based policies, deploying tools for modernizing legacy applications and utilizing security orchestration to enable dynamic threat response.
Evolved: Organizations that have zero trust security in place and leverage it for access decision making. Projects include deploying passwordless access and data layer decision making based on user and device posture. Access and security are constantly refined and updated.
So, where do most organizations stand along the five-stage journey? According to the report, more than 70% have completed phase 1, and another 24% plan to do so in the upcoming 12-18 months. In other words, nearly all companies expect to implement MFA and connect their employees’ directories to cloud apps by the end of 2023.
After this, the picture gets less rosy. While 78% of companies have implemented SSO for employees, a key component of phase 2, only 38% have implemented MFA for external users and only 29% plan to do so in the upcoming months. It seems that despite the growing risk of supply chain attacks, organizations are not rushing to adopt security controls that can help mitigate them.
The better news is that roughly half of organizations have implemented most measures up to stage 4, and in the coming 12-18 months approximately 80% of the remaining companies expect to do so. The real drop off comes at stage 5, the evolved stage. In most cases this stage isn’t even a part of organizations’ plans. More specifically, only 2% report being at stage 5, and just another 13% have plans to reach it.
Source: “The State of Zero Trust Security 2022” whitepaper, Okta
What these numbers ultimately reveal is that while most organizations (97%) are zero trust-oriented, implementation is uneven and what complete adoption even means can vary widely. Reasons for this could include budgets, internal politics and priorities, and internal knowledge of what needs to be done next.
The State of SSO and MFA
Diving a bit deeper into the first two stages of their zero trust implementation plan, which include SSO and MFA implementation, Okta asked respondents which resources these authentication methods have been extended to. Unsurprisingly, internal and SaaS applications lead the charge, with 74% and 75% implementation, respectively. In the upcoming 12-18 months, the percentage is expected to grow to approximately 100%.
Servers and databases are next in line, with more than half of respondents stating they’ve implemented SSO/MFA on them. However, legacy applications, such as SAP and the various technologies that keep OT systems running, are nearly or not at all protected with MFA. This is one key area where Cyolo can add value to an existing Okta deployment.
Source: “The State of Zero Trust Security 2022” whitepaper, Okta
Authentication and Access Management Insights
When it comes to authentication, passwords remain the most common factor – but change may be on the way. Okta notes that “the percentage of companies that still use passwords to verify internal and external users has dropped ten percentage points, to 84% this year; in the same time span, usage of the higher-assurance factor push authentication has increased more than 20 percentage points.”
The move away from passwords as a primary authentication factor is not surprising, given that a passwordless approach is considered more secure and less prone to manual errors.
Source: “The State of Zero Trust Security 2022” whitepaper, Okta
Next Steps for Security Decision Makers
Implementing the zero trust framework starts with taking an identity-first approach to access management, across the cloud and all edges. Strengthening authentication factors, adding MFA for all users and to all systems, and securing remote workers are important steps along the journey. Ultimately, zero trust adopted fully and correctly means security, usability and productivity are no longer at odds and in fact reinforce one another.
Jennifer Tullman-Botzer is a cybersecurity nerd by day and a history nerd by night. She has over a decade of experience in cybersecurity marketing and is as tired as you are of hackers-in-hoodies stock images. Jennifer joined Cyolo in 2021 and currently serves as Head of Content. Prior to Cyolo, she worked in a variety of marketing roles at IBM Security. She lives in Tel Aviv, Israel.
