Half of zero trust programmes risk failure

CISOs consider zero trust a hot security ticket, but organisations run the risk of leaving gaps in their security infrastructure.


PlainID has published the findings of its CISO Zero Trust Insight survey. The study, which questioned 200 CISOs and CIOs, revealed that the majority of respondents are on the road to implementing a zero trust framework in an effort to improve their overall security posture. However, only 50% said that authorisation is part of their zero trust programme, potentially leaving their infrastructure exposed to threat actors.

 

Robust security cannot begin without first implementing Authentication 

Historically, a zero trust framework was focused on solving the challenges associated with authentication, endpoint and network access security. However, identity-related breaches have increased sharply, and the convergence of identity and access management with traditional security has accelerated the need for new technical capabilities for enterprise authorisation and access control.

 

Authorisation is a broad and complex challenge requiring a solution that can provide a multitude of capabilities such as policy management, governance, control and policy enforcement across a disparate computing environment. Ultimately, to provide the most secure digital end-user experience, authorisation policies must allow for risk-based decision making in real time: each request is evaluated against the subject's identity, the target resource and the current context (device posture, risk signals, session strength), not just against the fact that the user once logged in. This extends the zero trust philosophy from the time of authentication through to the final access point and target data set.
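The decision flow the paragraph describes, as an added example that is not PlainID's product code and not an OPA policy. A successfully authenticated subject is still evaluated per request against the resource, the action and live context; deny and step-up overrides run before any role-based permit, unknown resources fall to default deny, and every decision is written to an audit record so the policy owner can see what was enforced. The attribute names, resource labels, role mapping and risk thresholds are assumptions chosen for illustration, not values from the survey.

```python
"""Minimal policy decision point (PDP) for risk-based, real-time authorisation.

Added illustration: not PlainID's product and not OPA/Rego. Attribute names,
resource labels, role mapping and risk thresholds are assumed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional

# Assumed resource model: which roles may perform which actions on which data set.
RESOURCE_POLICY: dict[str, dict[str, frozenset[str]]] = {
    "dataset:customer_pii": {
        "read": frozenset({"analyst", "dpo"}),
        "export": frozenset({"dpo"}),
    },
    "dataset:public_pricing": {
        "read": frozenset({"analyst", "sales", "dpo"}),
    },
}
SENSITIVE = frozenset({"dataset:customer_pii"})
RISK_DENY = 80      # assumed threshold: block the request outright
RISK_STEP_UP = 50   # assumed threshold: require MFA before allowing


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset[str]
    authenticated: bool   # outcome of the authentication step
    mfa: bool             # strong second factor completed in this session


@dataclass(frozen=True)
class Context:
    device_managed: bool  # device posture signal
    risk_score: int       # 0..100 from a hypothetical risk engine


@dataclass(frozen=True)
class Request:
    subject: Subject
    action: str
    resource: str
    context: Context


# A rule returns (decision, reason) when it fires, or None to pass.
Rule = Callable[[Request], Optional[tuple[str, str]]]


def deny_unauthenticated(r: Request):
    if not r.subject.authenticated:
        return ("deny", "subject not authenticated")
    return None


def deny_high_risk(r: Request):
    if r.context.risk_score >= RISK_DENY:
        return ("deny", f"risk score {r.context.risk_score} >= {RISK_DENY}")
    return None


def deny_unmanaged_device_on_sensitive(r: Request):
    if r.resource in SENSITIVE and not r.context.device_managed:
        return ("deny", "sensitive data set requires a managed device")
    return None


def step_up_on_elevated_risk(r: Request):
    if r.context.risk_score >= RISK_STEP_UP and not r.subject.mfa:
        return ("step_up", f"risk score {r.context.risk_score} requires MFA")
    return None


# Overrides run first; a permit is only considered when none of them fires.
OVERRIDES: list[Rule] = [
    deny_unauthenticated,
    deny_high_risk,
    deny_unmanaged_device_on_sensitive,
    step_up_on_elevated_risk,
]

AUDIT_LOG: list[dict] = []  # every decision recorded for policy visibility


def decide(r: Request) -> tuple[str, str]:
    """Overrides first, then role-based permit, otherwise default deny."""
    for rule in OVERRIDES:
        verdict = rule(r)
        if verdict is not None:
            break
    else:
        allowed = RESOURCE_POLICY.get(r.resource, {}).get(r.action, frozenset())
        matched = r.subject.roles & allowed
        if matched:
            verdict = ("allow", f"role {sorted(matched)} permits {r.action}")
        else:
            verdict = ("deny", "no role permits this action on this resource (default deny)")
    AUDIT_LOG.append({"user": r.subject.user, "action": r.action,
                      "resource": r.resource, "decision": verdict[0],
                      "reason": verdict[1]})
    return verdict


if __name__ == "__main__":
    alice = Subject("alice", frozenset({"analyst"}), authenticated=True, mfa=False)
    for ctx in (Context(True, 10), Context(True, 60), Context(False, 10)):
        print(decide(Request(alice, "read", "dataset:customer_pii", ctx)))
```

The point of the ordering is that a valid session never short-circuits the check: the same authenticated analyst is allowed, sent to step-up, or denied for the same data set depending only on context at the moment of the request, and the audit record gives the visibility that most surveyed organisations said they lack.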

 

The survey results showed that only 31% of respondents have sufficient visibility and control over the authorisation policies intended to enforce appropriate data access. Additionally, 45% of respondents cited a lack of sufficient technical resources as a challenge in optimising enterprise authorisation and access control. In other words, organisations may have implemented a form of zero trust, but they do not have the complete tool set, or the on-staff expertise, to have true visibility and control over who can reach what.

 

Building without the right expertise can create gaps in your security - Buy vs Build 

Organisations are finding themselves building their own homegrown solutions, which can appear cost effective. However, if such a solution is not developed, deployed and maintained properly it leaves gaps in the overall security posture, and those gaps translate into higher operational costs and enterprise risk over time.

 

In response to the survey, 41% of respondents said they use homegrown, OPA-based solutions to authorise identities, and 40% said they use a fully custom homegrown solution. Without true zero trust, organisations run the risk of leaving gaps in their security infrastructure. Security must remain a fluid and ever-evolving discipline, because adversaries will repeatedly re-strategise and evolve to breach organisations. Next generation authorisation can be the difference between a headache for the security team and a full-blown breach. Since the question is never if but when, a homegrown solution that was not built with the current threat landscape in mind, and that lacks technical staff capable of maintaining it, can create a false layer of confidence that ends in a loss of trust from partners and customers when their data is stolen.

 

As the demand for risk-based authorisation and identity-aware security rises, the deficiencies of legacy homegrown authorisation engines are exposed. The demands from business stakeholders to keep pace with digital initiatives, while ensuring the highest levels of security and user experience, are driving the adoption of next generation enterprise authorisation solutions.

 

Security threats are a guarantee and are constantly evolving 

Implementing an end-to-end zero trust architecture is a strategy that requires building a reference architecture that seeks to harden against every threat vector possible. The next frontier is addressing the portion of the user journey after authentication, beyond the borders of network access security. Next generation authorisation is poised to provide identity-aware security at every layer of an enterprise computing infrastructure, while also providing central policy visibility, manageability and policy governance.

 

“Zero trust must treat all identities as potential threats. While zero trust boosts higher levels of confidence, it's imperative to pair it with a comprehensive authorisation framework,” said Oren Ohayon Harel, CEO and co-founder of PlainID. “Enterprises today need continuous evaluation and validation across all tech stack interaction to mitigate data breach impacts.”
