Most organizations surveyed by Banyan Security consider zero trust a priority, but many consider it difficult and expensive to implement.
As cyber-attacks increasingly threaten organizations, zero trust has become a go-to method for protecting sensitive data and assets. With zero trust, you can restrict access as needed, and its promise of better protection has put it on the radar of many organizations.
But adopting this type of security isn’t as easy as snapping your fingers. A report released Tuesday by security provider Banyan Security looks at the attitude and intentions of IT and security professionals towards zero trust.
Security professionals prioritize zero trust over VPNs
For its report, "IT and security attitudes towards secure remote access," Banyan Security commissioned Sapio Research to survey 1,025 IT and security professionals in the US and Canada. The survey also elicited responses from 410 senior decision-makers responsible for IT or security who were aware of both zero trust and VPNs.
With the shift to remote and hybrid work following the outbreak of the coronavirus pandemic, many organizations turned to VPNs to provide secure network access to remote workers. But VPNs have certain limitations and weaknesses. For that reason, zero trust is considered a better alternative, with better security, a simpler user experience, and better performance.
Why are security professionals slow to implement zero trust?
As many as 97% of IT and security professionals surveyed consider zero trust a priority for their organization. However, only 14% are in the early stages of adopting a zero-trust model, while only 17% have started to actually roll it out. If many professionals consider zero trust a priority, why aren’t more of them implementing it?
Complacency with existing security infrastructure
One hurdle is that most security professionals get along just fine with their existing technology. About 92% of respondents expressed confidence that their current remote access platform effectively protects their organization from unauthorized access.
Going further, 92% of respondents say they are satisfied with the admin experience for their existing remote access product, while 88% are satisfied with the end user experience. So if the current solution seems to work, many security leaders think there is no reason to change it.
Complex implementation processes
Another challenge on the road to zero trust is the process it takes to set it up. 69% of respondents believe that introducing zero trust would be a major or very large undertaking. Furthermore, about 30% of current VPN users believed it would be difficult to implement zero trust in their current environment.
Time and cost to implement zero trust
Another obstacle is time. Organizations that dived into zero trust took an average of nearly 12 months to implement it. Along with time comes cost. About 62% of those surveyed cited cost and budget constraints as a barrier to zero trust adoption.
Advice for implementing zero trust
Whether they plan to implement zero trust or stick with their current VPN technology, a whopping 93% of respondents said they plan to improve on their existing solution this year or next. Those with an eye on zero trust pointed to several reasons for using it, including more secure remote access, an improved end-user experience, and a reduction in VPN vulnerabilities.
For organizations that consider zero trust a priority, but are concerned about the perceived barriers to rollout, Banyan Security has some advice.
“When implementing a zero-trust infrastructure, the goal is to provide your workforce with secure and easy access to the resources, applications and infrastructure they need to do their jobs,” Banyan Security CSO Den Jones told TechRepublic. “While this goal can have limitless implications, I recommend sticking to tangible business outcomes.”
CISOs (chief information security officers) face challenges in determining what to spend their limited budgets on and therefore want to invest in areas that deliver results. As such, according to Jones, they often focus on investments that improve workforces or are related to a previous data breach. The trick is to show that zero trust is the right answer to those scenarios.
Another tip for a zero trust implementation is to roll it out gradually by application or business group.
“You can focus on specific divisions or teams within the organization instead of affecting the entire company at once,” explains Jones. “Over time, a well-functioning implementation would eventually connect all applications and company resources to your zero-trust platform and would also result in all members of your workforce using your zero-trust platform.”