Companies have been increasingly implementing zero-trust architecture (ZTA), the IT security model that mandates strict identity checks for every person and machine trying to access a network, regardless of whether the request comes from within or outside the network perimeter.
Although the model was introduced as early as 2010 by John Kindervag, former Forrester Research analyst and now CTO at Palo Alto Networks, its adoption rate has only spiked in the past two years. A major reason: increased mobility in work, says an annual study by Duo Security.
Having analysed usage of nearly 24 million gadgets, the report said that a third of all work is now done on mobile devices. The increased use of cloud applications and mobility has altered the concept of a network perimeter.
"Organisations now must support different types of users, including contractors, third-party vendors and remote workers who connect to their corporate network. In a growing number of cases, these users are leveraging their own devices, such as smartphones and tablets, to connect to applications and networks," said the report.
Traditional security architecture, which assumes that every user and device inside company walls is secure and therefore trusted by default, is redundant. As the access points to secured networks increase, organisations are clamping down with stricter policies to ensure only trusted devices and users access the network.
"The zero-trust model actually helps enterprises deal better with vulnerabilities and exposure from third-party suppliers. By verifying and validating all access, especially from endpoints that they can’t manage, organisations can protect themselves better than if they treated the third parties as ‘trusted insiders’," said Wendy Nather, head of advisory CISOs at Duo Security.
As user identity becomes crucial, there has been a shift in user authentication methods. "Organisations are increasingly adopting the use of biometric sensors to verify user identity, paving the way for a passwordless future. Close to 80 percent of mobile devices used in business have biometrics configured, a 10 percent increase over the past four years," said the report.
SMS multi-factor authentication is also losing its popularity, comprising only 2.8 percent of total Duo user authentication, said the report.
A major hindrance to the efficiency of ZTA is the existence of outdated software, from legacy systems to unpatched operating systems. However, the number of out-of-date devices across all operating systems has dropped noticeably in the past year, making them less susceptible to malware and improving organisational security health, said the report.
User influence also plays a bigger role in technology updates, Nather pointed out.
"One standout example in the report is the Chrome vulnerability announcement, which prompted Duo customers to set a policy to disallow out-of-date Chrome browsers; this incentivised users to update to the patched version more promptly," she said.
Regulatory pressure to beef up data security and own up to the consequences of a breach is a catalyst for adopting ZTA, said Osborne Clarke partner Charlie Wedin.
"As companies scramble to improve security following the record intended fines announced by the ICO last week, zero-trust models may well become more common. Zero-trust controls would have prevented, or at least materially mitigated, various of the incidents we have advised on," he said.
However, the concept of completely abolishing trust has its share of critics too.
While ZTA is a defining base for security best practices, abolishing trust is not desirable, suggested Jakub Debski, chief product officer at ESET.
"There are times when trust is indispensable, as the cost of not trusting at all can be too high or prevents business operation. You are trusting chipsets or CPU vendors, your ISPs, operating system, software signed by a digital certificate, administrator of your network... or your security software. Everything can be eventually compromised, including human beings, and supply chain attacks are a reality. Zero-trust should be read therefore as ‘do not trust blindly’," he said.
Zero-trust models should be considered a starting point for building trust, and that trust should be adaptive, based on business risks, says Joseph Carson, chief security scientist at Thycotic.
"Zero-trust should not be the goal for companies as it creates friction and a negative experience for employees, especially at a time when we need to be making security a positive experience in the business. CISOs should only take those seriously who talk about helping employees do their job to be successful versus those who make employees less productive," he said.
Misconceptions about ZTA are still prevalent in the industry, observed Thad Mann, infrastructure and endpoint security director at Trustwave.
"I have spoken to a number of customers recently that have inquired about zero-trust architecture. Many incorrectly assume ZTA can be achieved quickly using a simple set of technologies," he said.
"Zero-trust should be considered a journey that will depend on a wide variety of technologies and governing processes working in concert to protect digital assets. A good starting point is to first focus on obtaining visibility across all data flows by implementing network and access controls. These controls should be integrated with an identity provider to add the context necessary for effectively protecting data as it transits corporate data centers, supply chain vendors or cloud services," Mann added.