Cloud adoption continues to grow and accelerate across a diverse range of environments.
But despite – or perhaps because of – this, IT and security leaders are not confident in their organization’s ability to ensure secure cloud access. Further compounding this is the fact that traditional tools are falling far behind increasingly complex and ever-evolving cybersecurity risks.
One solution to this confluence of factors: zero-trust network access (ZTNA). This strategic approach to cybersecurity seeks to eliminate implicit trust by continuously validating every stage of digital interaction.
“Clearly what’s showing up time and again is that traditional legacy security tools are not working,” said Jawahar Sivasankaran, president and chief operating officer of Appgate, which today released the findings of a study examining pain points around securing cloud environments and the benefits of ZTNA.
“Traditional tools are no longer adequate to mitigate against modern threats that we are seeing,” Sivasankaran said. “There’s a clear need to move toward a zero-trust approach.”
A new study, “Global Study on Zero Trust Security for the Cloud,” conducted by Ponemon Institute on behalf of Appgate, surveyed nearly 1,500 IT decision makers and security professionals worldwide. Respondents’ organizations represented a diverse mix of public and private cloud and on-premises infrastructure, as well as varying container adoption rates and cloud IT and data processing.
Notably, the survey indicates that there are many motivators for cloud transformation, but organizations still face numerous barriers in securing cloud environments.
Top identified motivators include increasing efficiency (65%), reducing costs (53%), improving security (48%) and shortening deployment timelines (47%).
On the other hand, top barriers identified by respondents include:
- Network monitoring/visibility (48%).
- In-house expertise (45%).
- Increased attack vectors (38%).
- Siloed security solutions (36%).
The survey also found that 60% of IT and security leaders are not confident in their organization’s ability to ensure secure cloud access. Furthermore, 62% of respondents said that traditional perimeter-based security solutions are no longer adequate to mitigate the risk of threats like ransomware, distributed denial of service (DDoS) attacks, insider threats and man-in-the-middle attacks.
Cloud-native development practices continue to grow: over the next three years, 90% of respondents will have adopted devops and 87% will have adopted containers. Yet modern security practices aren’t as widespread.
For instance, only 42% of respondents can confidently segment their environments and apply the principle of least privilege, while around a third of organizations have no collaboration between IT security and devops, ultimately presenting a significant risk, according to Sivasankaran.
“There are a plethora of security technologies for the cloud,” he said. “What this is highlighting is the low level of confidence that organizations have in these technologies.”
- Just 33% of respondents are confident their IT organization knows all the cloud computing applications, platforms or infrastructure services that are currently in use.
- More than half of respondents cite account takeover or credential theft (59%) and third-party access risks (58%) as top threats to their cloud infrastructure.
- Security practices identified as being the most important to achieving secure cloud access are enforcing least privilege access (62%); evaluating identity, device posture and contextual risk as authentication criteria (56%); having a consistent view of all network traffic across IT environments (53%); and cloaking servers, workloads and data to prevent visibility and access until the user or resource is authenticated (51%).
Trusting in security
According to MarketsandMarkets, the global zero-trust security market size is expected to reach $60.7 billion by 2027, representing a compound annual growth rate (CAGR) of more than 17% from 2022 (when it was valued at $27.4 billion). There have also been many high-profile calls to action in the area – such as a mandate from the U.S. White House that federal agencies meet a series of zero-trust security requirements by 2024.
Still, the survey appears to indicate that zero-trust security may be dismissed by some as a buzzword or a trendy concept.
For instance, more than half (53%) of respondents that don’t plan to adopt zero trust said they believe that the term is “just about marketing.” Still, many of those same respondents highlight ZTNA capabilities as being essential to protecting cloud resources. This, Sivasankaran noted, points to confusion around what “zero trust” actually means.
At its simplest definition, zero trust works to secure organizations by eliminating implicit trust and continuously validating every stage of digital interaction. This applies to networks, people, devices, workloads and data, Sivasankaran explained.
He identified the key concepts of zero trust as being secure access, identity-centricity, and least-privilege-based access models that grant access only to what users truly need.
From a network perspective, this means:
- Evaluating identity rather than just IP addresses.
- Dynamically adjusting entitlements and privileges in near real time.
- Isolating critical systems with “fine-grained microsegmentation.”
From a people perspective, it means:
- Verifying identity based on user context, device security posture and risk exposure.
- Only permitting access to approved resources to reduce attack surface.
- Streamlining onboarding.
- Simplifying policy management and reducing complexity for admins.
From a device perspective:
- Using device security posture as criteria for access.
- Keeping unmanned and hard-to-patch devices isolated.
- Enhancing secure access with endpoint-protection data.
- Dynamically adjusting entitlements based on risk level.
From a workload perspective:
- Preventing lateral movement with the principle of least privilege.
- Automating security to scale with elastic workloads.
- Deploying multifactor authentication to legacy apps without refactoring.
- Using available metadata to dynamically grant entitlements/auto-provision or deprovision access.
- Mitigating data loss via policy enforcement and device ring-fencing.
- Establishing local and bidirectional firewalls that segment critical data across any IT environment.
- Establishing granular policies to control access and ingress and egress traffic.
- Segmenting data via microperimeters.
Ultimately, Sivasankaran said, “the key for customers is to focus on zero trust as a framework, a principle; not as a product.”
It is essential, he added, to provide for remote access, enterprise access, cloud access, and IoT access. “You want to make sure customers and organizations are getting access to the right data so that they can make quick decisions.”
Zero trust done right
As Sivasankaran said, adopting zero trust doesn’t just help organizations safeguard their hybrid cloud environments; it actually enables – and even accelerates – cloud transformation initiatives.
Survey respondents identified the top benefits of adopting ZTNA as:
- Increased productivity of the IT security team (65%)
- Stronger authentication using identity and risk posture (61%)
- Increased productivity for devops (58%)
- Greater network visibility and automation capabilities (58%)
“When done right, zero trust can drive meaningful efficiency and innovation across the entire IT ecosystem for both the security and business sides of an organization,” Sivasankaran said, “rather than just being an add-on security tool.”
Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, agreed and described organizations as being at a crossroads: They understand that legacy security solutions “aren’t cutting it in the cloud,” but they also have growing needs when it comes to mitigating risk.
“Zero trust can help address such challenges,” he said, “while also offering benefits beyond cloud security, particularly around increased productivity and efficiency for IT teams and end users alike.”