Is enterprise cybersecurity a solved problem – or, at least, on its way to becoming one? Whether you are a seasoned IT security professional, a fresh recruit to the space, or simply a business decisionmaker who interacts with questions of security, the automatic answer to that question may be, simply, no.
But to play angel’s advocate for a moment, one could build a fairly compelling argument that, even while the headlines remain dominated by growing threats and costs, security is currently enjoying a real positive trend with powerful momentum behind it.
This positive trend is largely due to the uptick in Zero Trust Architecture deployment. While Zero Trust has been exerting a gravitational pull on cybersecurity thinking for well over a decade now, the last couple of years have seen it suddenly bloom from a future technology full of promise and potential to an active and ubiquitous component of security toolkits that is making a real difference.
Greater real-world experience of Zero Trust is delivering real-world data on its impact. To take just one example, a Forrester study (focusing specifically on the Zero Trust solutions being offered by Microsoft) found that the methodology delivers a 50% reduction in data breach likelihood and efficiency gains of at least 50% in multiple security workflows.
The latest edition of Okta’s annual State of Zero Trust Security report, meanwhile, confirmed another year-on-year leap in Zero Trust adoption: with 61% of respondents saying that their organization has defined a Zero Trust strategy, usage has doubled in just two years. Adding on the 35% of respondents with plans to implement in the near future, and that leaves just 4% of organizations so far holding back from or overlooking the Zero Trust opportunity.
The risk of Zero Trust overgrowth
In other words, while there may be clouds on the horizon around how emerging technologies could change the state of play, there is good reason to claim that the picture for organizational cybersecurity is rosier than it has been in some time.
Of course, another thing that cybersecurity professionals know by heart is that nothing should be taken for granted, and in this moment of positive progress it is worth asking how we can fully capitalize on the benefits that Zero Trust is delivering – and, indeed, what risks might lie in store for its continued adoption.
The widespread adoption of Zero Trust, which has been enabled by and is itself further encouraging a growth in vendor offerings around Zero Trust, is in fact itself one such risk factor.
While this may sound counterintuitive, it is not at all an uncommon phenomenon in technology. When a tool or method becomes popularized, and demand for it increases, more and more businesses enter the scene to meet that demand. This stimulates innovation through competition, of course, but it also means that many different interpretations of that technology are attempting to co-exist, in ways that can spell disaster if not addressed.
There is a simple, familiar example in how we connect devices together. When it became clear in the 1990s that computers and their peripherals would need to share information at much higher speeds, and that connecting and disconnecting devices would become a more frequent feature of daily life, many businesses and industry bodies developed new ways of achieving that. Anyone who was into technology at the time will clearly recall the confusion that resulted: not just USB and FireWire as competing interface formats, but also a range of wireless options being touted, alongside styles of plug unique to various equipment manufacturers, all demanding that the user keep track of various cables and drivers to keep everything ticking over.
Struggling to find the right lead for a digital camera was once an annoying, but ultimately harmless feature of life. When it comes to assuring cybersecurity, the outcomes of mismatched or confused definitions could be much more serious. Even if – as will often be the case – IT teams successfully implement Zero Trust in a way which securely bridges the gaps between different vendors’ offerings, that will be work which demands significant investment and intellectual overheads for a process which tends to be both critical and urgent.
Setting a standard for Zero Trust excellence
It took a long time to resolve the various confusions involved in connecting devices together, but while the story of how that happened is too long to relate here, the key ingredient was the gradual emergence of common standards which everyone can access, understand, and agree on.
For Zero Trust Architecture, analogous standards must be developed significantly more proactively and concertedly. That is now happening in the form of the Zero Trust Commandments and related documentation being developed by the Zero Trust Architecture Working Group, which is part of The Open Group.
The aim of the work is simple: providing normative definitions of key terms in Zero Trust, together with a set of principles (or commandments) that teams implementing Zero Trust can work toward, establishes a baseline understanding of what does and what does not constitute a Zero Trust approach.
This means that vendors have a clearer sense of what they are working towards when developing and marketing Zero Trust security tools. It means that businesses can start from a significantly more mature intellectual position in their decision-making about how and when to implement Zero Trust. Vitally, the common language it stipulates also makes it much easier for organizations to share insights and best practices around Zero Trust, raising standards across the board.
Even this will not, in the final analysis, make cybersecurity a solved problem. Indeed, the Zero Trust Commandments tells us to “assume failure and assume success” – that is, act as though breaches are inevitable in order to ensure that you are in a position to recover from them, and be prepared to recover when the opportunity arises.
Pursuing a true standard for Zero Trust will, however, serve to both solidify the very real security gains that have been made in recent years and build enterprises towards an even more holistically resilient position. To learn more about the work of ZTA Working Group, and to see how you can join and participate in these projects, please do visit our website.