One of the biggest weaknesses in any environment is the difficulty of maintaining effective authentication and authorization controls.
In Mitigating the most common cloud vulnerabilities, Filip Truta explains how the NSA detailed the ways access control weaknesses can enable attackers to gain control of cloud resources. “Poor access control can be mitigated by enforcing strong authentication and authorization protocols, like: multi factor authentication with strong factors and regular re-authentication; limit access to and between cloud resources and implementing a Zero-Trust model; audit access logs for security concerns using automated tools; avoid leaking API keys by not including said keys in software version control systems,” the NSA said.
What is Zero Trust? Zero Trust is essentially an approach to security in which enterprises (or any organization, for that matter) shouldn’t automatically trust anything inside or outside their environment; users and systems need to be vetted before being granted access. It sounds basic, and it is, but being basic doesn’t mean it’s easy.
According to a recent study from Pulse Secure, 72% of organizations hope to implement Zero Trust capabilities this year in their effort to curb increasing cybersecurity risks. The survey found that nearly half, or 47%, of those surveyed said they lack confidence implementing Zero Trust. The report is based on a survey conducted by Cybersecurity Insiders.
This progress report is based on a survey of over 400 cybersecurity decision-makers, who were asked how their organizations are implementing Zero Trust. The survey sought to capture key drivers, adoption levels, technologies used, investments made and perceived benefits.
Interestingly, the report found that Zero Trust access is finally moving from dream boards to implementation in more organizations, but nearly half of organizations are not confident in their ability to implement Zero Trust.
Of those surveyed, more than 40% say that they face challenges from vulnerable mobile and other at-risk devices, attacks from poorly secured partners, risks from privileged employees, and shadow IT. Additionally, 45% of respondents said they are concerned about access security to public clouds, while 43% cite bring-your-own-device security issues, and over 70% said they hope to move further along with their identity and access management programs.
It turns out that there are good reasons for concern when it comes to increased mobility. The survey found that increased mobility and the number of cloud services in use make it more challenging for security teams to protect enterprise applications and data.
For these reasons, the Zero Trust report found that nearly a third of cybersecurity professionals saw value in Zero Trust implementation to address hybrid IT security issues.
The survey also found that about a quarter of respondents said that their organizations will be adopting a software-defined perimeter to help improve security.
Of those considering a software-defined perimeter, 53% said they would need a hybrid IT deployment and 25% would turn to software-as-a-service.
Key findings of the survey include:
“Some organizations are hesitant to implement Zero Trust as SaaS because they might have legacy applications that will either delay, or prevent, cloud deployment. Others might have greater data protection obligations, where they are averse to having controls and other sensitive information leaving their premises, or they have a material investment in their datacenter infrastructure that meets their needs,” said Holger Schulze, founder and CEO of Cybersecurity Insiders.
George V. Hulme is an internationally recognized information security and business technology writer. For more than 20 years Hulme has written about business, technology, and IT security topics. From March 2000 through March 2005, as senior editor at InformationWeek magazine, he covered the IT security and homeland security beats. His work has appeared in CSOOnline, ComputerWorld, Network Computing, Government Computer News, Network World, San Francisco Examiner, TechWeb, VARBusiness, and dozens of other technology publications.