Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Jim Barkdoll of Axiomatics looks at signs pointing to 2023 as The Year of Zero Trust and elaborates why it’s a “strong maybe” and not “yes.”
Though it isn’t new, Zero Trust is everywhere. From marketing campaigns to technical RFPs, it’s clear organizations understand the criticality of implementing a successful Zero Trust initiative. So does this mean 2023 will be the “Year of Zero Trust?” Not so fast. Though the concept has been around for some time, its move to a pragmatic initiative complete with actionable guidance around deployment is still relatively new.
At the same time, there are a number of market drivers creating more urgency for enterprises that have yet to deploy their Zero Trust project, or that are looking to scale a singular initiative across their business. Together with an expected increase in regulations that will mandate Zero Trust, these drivers will see an increase in new deployments as well as the maturation and scale of existing initiatives.
Evolving Threat Landscape Means There is No One “Zero Trust”
You’ll be hard-pressed to find a security vendor that doesn’t bill itself as a provider of a Zero Trust solution. The reason is that there is no singular solution. Rather, to implement Zero Trust properly and effectively, an organization needs a variety of solutions across their technology stack; preferably ones that work well together. Let’s use access control as an example. One of the key components of a Zero Trust access control strategy is the use of multi-factor authentication (MFA) to verify the requestor’s identity. But as with recent breaches at companies including Uber, hackers can get past authentication using techniques like verification fatigue, where a user is sent so many requests to verify their identity that they eventually give in and grant access. MFA is effective within a Zero Trust access control strategy if it is complemented with authorization and micro-segmentation, limiting the scope of access once it is granted.
Access isn’t the only area seeing a more sophisticated approach from hackers and other bad actors. From ransomware and malware to phishing and deep fakes, security threats leverage wherever they feel an organization is most vulnerable. Though there are vendors touting themselves as THE provider of a Zero Trust solution, the reality is a successful approach requires a variety of solutions addressing security throughout the solution stack. Zero Trust initiatives require a continuous approach Remember the days of using your token to sign in to a VPN, which unlocked everything you needed? Well, those days are well behind us. While security offerings continue to mature at a rapid rate, so do breaches and hacks. As a result, security can’t be a static consideration, rather, it requires a dynamic approach, with continuous, real-time analysis. This isn’t easy– it requires dedicated resources, an investment in the right solutions and time spent understanding and assessing events, alerts and requests.
Though this sounds like common sense, it’s human nature to want an endeavor like this to be easy, which has resulted in some organizations paying lip service to Zero Trust without doing the hard work. This may be why Gartner believes that “by 2026, ten percent of large enterprises will have a comprehensive, mature and measurable Zero Trust program in place, up from less than one percent today.” Though that growth is remarkable, it is still a long way from where we are today.
Regulations Will Drive Broader Adoption
As was the case with GDPR and data security, anticipated regulations mandating government agencies and/or private organizations to implement Zero Trust will be the catalyst driving broader adoption. In 2021, the U.S. Federal Government implemented an executive order recommending Zero Trust as necessary to defend the United States against threat actors. This mandated government agencies make a plan and take decisive action to implement a Zero Trust architecture, incorporating guidance laid out by the National Institute of Standards and Technology (NIST), which recommended looking at five pillars: identify, protect, detect, respond, and recover.
While this is a terrific step, we know national security can be compromised through private organizations as well. Indeed, the Colonial Pipeline breach brought that point home. With that in mind, it isn’t surprising that it is highly anticipated the U.S. government will go one step further in 2023, mandating a broader set of organizations implement Zero Trust. This move will see more organizations place a higher priority on their Zero Trust projects, moving them from the ‘nice to have’ category to the ‘critical project’ category.
All these drivers create what could be the perfect storm when it comes to Zero Trust initiatives in 2023. As a result, we can expect to see more organizations place emphasis (and budget!) on taking pragmatic steps toward an effective deployment of a Zero Trust initiative, be that at the access control level, a Zero Trust Network Architecture (ZTNA) project, or something else entirely.
- Is 2023 the “Year of Zero Trust?” Well, Maybe… - February 28, 2023
- It’s Time To Think Beyond IAM Solutions - January 24, 2022