Organizations must quickly adopt the zero trust mindset of "never trust, always verify" to mitigate the spread of breaches, limit access, and prevent lateral movement, according to an Illumio report.
Today, a new report from microsegmentation platform Illumio, revealed how organizations approach and incorporate zero trust (ZT) into business and cybersecurity strategies, as everyone moves deeper into the second half of the new business normal, under COVID-19 restrictions.
Illumio collaborated with Virtual Intelligence Briefing and surveyed 461 IT and security professionals from a cross-section of mid- to large-sized companies, with 57% from companies with more than 1,500 employees.
Most IT and security professionals think of zero trust as an important part of their cybersecurity approach, yet many still have a long way to go in implementing their plans. Illumio's report highlighted how far along organizations are in a zero trust journey--while it advised where they need to be.
As the coronavirus pandemic continues, with many employees still working from home (WFH), organizations continue to deal with the uncertainty amid rampant cyber threats.
Nearly 50% of IT leaders polled said ZT was "critical" to organizational security and only 2% deemed it nonessential for their enterprise.
Only 19% of respondents who said ZT was "extremely" or "very important" to their security have fully or widely implemented a zero trust plan, but more than 25% have begun their zero trust planning or deployment process. All but 9% of leaders surveyed are, in some way, working toward achieving zero trust.
Making a quick and dramatic switch from in-office to WFH was taxing on the enterprise's IT departments. Companies had to shift massive amounts of data and adopt new tech to allow employees to effectively WFH, but a host of heretofore ignored or unseen endpoint security issues were also now moved center stage. Zero trust reached the endpoint.
Company leaders polled said security priority is given to issues of breached, reused, or weak passwords, and they also said they invested in identity-oriented tools.
Barriers (such as budgets and team sizes) to deployment do not evolve, as threats and technologies do. There isn't a single product or solution to achieve ZT, but the security leaders polled weighed in on how they successfully implemented ZT into their organization.
Solutions with a lower barrier to entry, like multi-factor authentication (MFA) and single sign-on (SSO) have been widely adopted. And yet:
32% of respondents adopted campus-wide segmentation
30% have incorporated software-defined perimeter (SDP) technologies
26% leverage micro-segmentation (a key zero trust technology to prevent an attacker's lateral movement)
Ideally, a security team's dream is to achieve and maintain zero trust security, in which both inside or outside of the network no one is trusted by default. Everyone attempting to get access to the network resources needed to provide verification.
Every endpoint should be a zero trust endpoint
Businesses quickly learned (after numerous and devastating cyberattacks) that there is a critical need to invest in endpoint security tools to effectively stop threats from finding ways to successfully execute on endpoints. Illumio conducted a survey at the end of June and found that 59% of respondents with more than 5,000 employees "feel that their endpoint security will miss between 1% and 10% of malware."
During the next six months, 23% of organizations plan to implement MFA and 18% plan to deploy SSO.
After the next six months, most respondents said they will implement microsegmentation and SDP to pave the way for zero trust adoption at scale and 51% said they will deploy microsegmentation as a primary zero trust control, citing its effectiveness and importance in preventing high-profile breaches as it stops the lateral movement.
As is the case with many security initiatives, deploying ZT is "easier said than done," lamented the report, since many respondents were still in the planning phase.
- How to become a cybersecurity pro: A cheat sheet (TechRepublic)
- Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
- Shadow IT policy (TechRepublic Premium)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- All the VPN terms you need to know (CNET)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)