As cyberattacks have increasingly threatened organizations, zero trust has become more of a go-to method for protecting sensitive data and assets. Zero trust lets you limit access on an as-needed basis, and with the promise of greater protection, it is on the radar for many organizations.

But adopting this type of security isn’t as easy as snapping your fingers. A report released Tuesday by security provider Banyan Security looks at the attitudes and intentions toward zero trust by IT and security professionals.

Security professionals see zero trust as a priority over VPNs

For its report, “IT and Security Attitudes Regarding Secure Remote Access,” Banyan Security commissioned Sapio Research to survey 1,025 IT and security pros in the U.S. and Canada. The survey also elicited responses from 410 senior decision makers responsible for IT or security who were aware of both zero trust and VPNs.

With the shift to remote and hybrid work following the outbreak of the coronavirus pandemic, many organizations turned to VPNs to provide secure network access for remote workers. But VPNs have certain limitations and weaknesses. For that reason, zero trust is deemed a better alternative, promising tighter security, an easier user experience and better performance.

Why are security professionals slow to implement zero trust?

Among the IT and security pros surveyed, a full 97% see zero trust as a priority for their organization. However, only 14% are in the early stages of adopting a zero-trust model, while just 17% have actually started to roll it out. If many professionals consider zero trust a priority, why aren’t more of them implementing it?

Complacence with existing security infrastructure

One impediment is that most security pros are fine with their existing technology. Some 92% of the respondents expressed confidence that their current remote access platform effectively protects their organization from unauthorized access.

Drilling down further, 92% of those surveyed said they’re satisfied with the admin experience for their existing remote access product, while 88% are fine with the end-user experience. Thus, if the present solution seems to be working, many security leaders believe there is no reason to change it.

Complex implementation processes

Another challenge on the road to zero trust is the process involved in setting it up. Among the respondents, 69% feel that implementing zero trust would be a large or very large undertaking. Further, some 30% of current VPN users believed it would be difficult to implement zero trust in their current environment.

Time and cost to implement zero trust

One more obstacle is time. Organizations that dived into zero trust took almost 12 months on average to implement it. Cost is another: some 62% of those surveyed cited cost and budget constraints as a barrier to zero trust adoption.

Advice for implementing zero trust

Whether they intend to implement zero trust or stick with their current VPN technology, a full 93% of the respondents said they plan to enhance their existing solution this year or the following year. Those with an eye on zero trust pointed to several reasons for adopting it, including more secure remote access, an improved end-user experience and a reduction in VPN vulnerabilities.

For organizations that consider zero trust a priority but are concerned about the perceived obstacles in rolling it out, Banyan Security has some advice.

“When implementing a zero-trust infrastructure, the objective is to enable your workforce to securely and easily access the resources, applications and infrastructure they need in order to do their jobs,” Banyan Security CSO Den Jones told TechRepublic. “While this objective can have unlimited implications, I recommend staying grounded on tangible business outcomes.”

CISOs (chief information security officers) face challenges determining where to spend their limited budgets and therefore want to invest in areas that show results. As such, they often focus on investments that improve the workforce or are tied to a previous data breach, according to Jones. The trick is to make the case that zero trust is the right response to those scenarios.

Another tip toward zero trust implementation is to gradually roll it out by application or business group.

“You can focus on specific divisions or teams within the organization instead of affecting the entire business all at once,” Jones explained. “Over time, a well-functioning deployment would eventually have all applications and corporate resources tied to your zero-trust platform and would also result in all members of your workforce utilizing your zero-trust platform.”
