One of the biggest weaknesses in any environment is the difficulty of maintaining effective authentication and authorization controls.
In Mitigating the most common cloud vulnerabilities, Filip Truta explains how the NSA detailed the way access control weaknesses can enable attackers to gain control of cloud resources. “Poor access control can be mitigated by enforcing strong authentication and authorization protocols, like: multi factor authentication with strong factors and regular re-authentication; limit access to and between cloud resources and implementing a Zero-Trust model; audit access logs for security concerns using automated tools; avoid leaking API keys by not including said keys in software version control systems,” the NSA said.
What is Zero Trust? Zero Trust is essentially an approach to security in which enterprises (or any organization, for that matter) shouldn’t automatically trust anything inside or outside their environment; users and systems need to be vetted before being granted access. It sounds basic, and in reality it is, but being basic doesn’t mean it’s easy.
According to a recent study from Pulse Secure, 72% of organizations hope to implement Zero Trust capabilities this year in their effort to curb increasing cybersecurity risks. The survey found that nearly half, or 47%, of those surveyed said they lack confidence in implementing Zero Trust. The report is based on a survey conducted by Cybersecurity Insiders.
This progress report is based on a survey of over 400 cybersecurity decision-makers, who were asked how their organizations are implementing Zero Trust. The survey sought to capture key drivers, adoption levels, technologies used, investments made and perceived benefits.
Interestingly, the report found that Zero Trust access is finally moving from dream boards to implementation in more organizations, but nearly half of organizations are not confident in their ability to implement Zero Trust.
Of those surveyed, more than 40% say that they face challenges from vulnerable mobile and other at-risk devices, attacks from poorly secured partners, risks from privileged employees, and shadow IT. Additionally, 45% of respondents said they are concerned about access security to public clouds, while 43% cite bring-your-own-device security issues, and over 70% said they hope to move further along with their identity and access management programs.
It turns out that there are good reasons for concern when it comes to increased mobility. The survey found that increased mobility and the number of cloud services in use make it more challenging for security teams to protect enterprise applications and data.
For these reasons, the Zero Trust report found that nearly a third of cybersecurity professionals saw value in Zero Trust implementation to address hybrid IT security issues.
The survey also found that about a quarter of respondents said that their organizations will be adopting a software-defined perimeter to help improve security.
Of those considering a software-defined perimeter, 53% said they would need a hybrid IT deployment and 25% would turn to software-as-a-service.
Key findings of the survey include:
- Nearly equal confidence and lack of confidence in applying the Zero Trust model in their Secure Access architecture (53% have confidence, 47% are not confident);
- More than 50% of survey respondents cited data protection, breach prevention, and endpoint, IoT and insider threat reduction as key drivers for Zero Trust;
- Over 40% expressed privilege management, insecure partner access, cyberattacks, shadow IT risks, and vulnerable mobile and at-risk device resource access as top challenges to secure access to applications and resources;
- 45% are concerned about public cloud application access security, and 43% with BYOD exposures;
- 70% of organizations plan to advance their identity and access management capabilities;
- 30% of organizations are seeking to simplify secure access delivery including enhancing user experience and optimizing administration and provisioning;
- 53% considering Software Defined Perimeter (SDP) would implement a hybrid IT deployment, with 25% adopting a SaaS implementation.
“Some organizations are hesitant to implement Zero Trust as SaaS because they might have legacy applications that will either delay, or prevent, cloud deployment. Others might have greater data protection obligations, where they are averse to having controls and other sensitive information leaving their premises, or they have a material investment in their datacenter infrastructure that meets their needs,” said Holger Schulze, founder and CEO of Cybersecurity Insiders.