A Solid, Zero Trust Program: Studying Current Challenges, Risks, and Rewards


By Alex Passett

“What really makes a good zero trust program?”

In theory, it’s a straightforward question, right? Just Google it, and you’ll find constants that experts deem necessary: strong, adaptive authentication; continuous approval and authorization; secure and least-privilege access; maintaining accurate asset inventories (e.g., data, users, devices); restricting access to known vulnerable devices; requiring 2FA or MFA; and limiting what’s known as the “blast radius” in order to minimize impacts in the event of a breach. That’s all there, and it makes sense at a glance.

But, as with most things, there’s more to it than meets the eye.

Historically, zero trust-centric frameworks focused on solving the challenges that come with authentication, endpoints, network access security, etc. But the authorization company PlainID (and its team of experienced security technologists) is working hard to redesign enterprise authorization and the approaches to it, making it simpler as a whole.

Because, sad to say, committing fully to zero trust isn’t working for everyone.

Thus, with the redesign of this aspect of security as a whole, PlainID first needed to go out and check the pulse of the industry, so to speak: to see what hasn’t really been working, and what else can be assessed in full.

So, PlainID recently conducted a survey and has now released its findings.

Carried out by Censuswide (on behalf of PlainID), the survey questioned 200 total CISOs (Chief Information Security Officers) about their implementations of zero trust across a variety of U.S. and U.K. companies.

Here’s a long-story-short findings breakdown for y’all, fine readers:

  • Firstly, apparently only 50% of CISOs actively consider thorough authorization as part of the make-up of their zero trust programs. That isn’t, perhaps, what folks call “super encouraging” here, as zero trust approaches are tried-and-true and proven to benefit workforces. Without proper security, this leaves greater room for attacks.
     
  • Respondents also shared a sentiment about walking the walk here: when actually implemented, zero trust works, but only 31% reported that they “currently have sufficient visibility and control over authorization policy management intended to enforce appropriate data access.” 45% pointed out the lack of sufficient technical resources, too (when it comes to optimizing zero trust authorization on large, enterprise-wide scales).

So what I’m hearing (and, more importantly, what PlainID gathered) is that CISOs may have implemented a form of zero trust, but not all have the complete set of tools (nor the available on-staff expertise) to have true visibility and control, as zero trust entails. The question at the beginning of this article – i.e. “What really makes a good zero trust program?” – is about more than being “sold” on its promise of secure ops. It’s, of course, about rigorous follow-through and helping organizations evolve with the times (and the kinds of attacks) to further optimize. Too many orgs have turned to “homegrown solutions” (40%) because they feel the cavernous gap between them and complete zero trust success is too wide to leap.

Still, there’s hope. The rewards of zero trust (as mentioned) abound when correctly allocated resources are committed to enforcing it in full. With the right framework, the data breaches that plague businesses can be removed, future attack severities can be mitigated, and compliance initiatives are further supported as a result (especially in cases of major data privacy and multi-cloud/hybrid cloud deployments).

Cherry-picking with zero trust, it seems, is not enough in 2023. PlainID wants the total percentages of CISOs/CIOs that have “begun adopting” or “adopted parts of” that zero trust goodness to go way up. Risking operational restructuring is still preferable to the risks associated with breaches: risks to data, to employees’ working capabilities, to an entire brand losing ground with the public due to lack of long-term security success.

“Zero trust must treat all identities as potential threats, and organizations must treat a zero trust architecture with the utmost seriousness when diving in,” said Oren Ohayon Harel, CEO and co-founder of PlainID. “While zero trust boosts higher levels of worker confidence, it's imperative to pair it with a comprehensive authorization framework so what works continues working, and what doesn’t is remedied.”

Overall, PlainID says that enterprises today need continuous evaluation and validation across all tech stack interactions to mitigate data breach impacts and stay on top of what will work best tomorrow, not just what may have worked yesterday or today.


Edited by Greg Tavarez