Zero-trust becoming the next stage of security in a 'work-from-anywhere world'
Advisen
Zero-trust becoming the next stage of security in a 'work-from-anywhere world'
By Alex Zank, Advisen
While adoption of zero-trust security frameworks is still in the early stages, experts say it will likely become the “next level of cybersecurity maturity” due to shifting workplace technologies and growing cyber threats.
“I think if we fast-forward 24-36 months, the interest in zero-trust will have exponentially increased,” Paul Caron, head of cybersecurity, Americas at S-RM, recently told Advisen. “It’s almost like a few years back, when having an electric car seemed like a far stretch. Now we’re seeing them more common on the road. I think we’re going to see the same thing happen with zero-trust.”
A zero-trust framework requires all users to be authenticated, authorized, and continuously validated before gaining and keeping access to applications and data, regardless if those users are inside or outside the organization’s network. It also assumes there is no network “edge,” or endpoint. Caron compared the network edge of a traditional IT security framework to a castle wall, with a defined network boundary to protect everything inside it.
However, network endpoints are blurred in an age of remote workers and cloud technology. That’s driving more companies to take a closer look at zero-trust, said experts.
“One of the key tenets of zero-trust is continued verification, and that’s really a reflection of a cloud-first, work-from-anywhere world now,” Kapil Raina, vice president of zero-trust marketing at CrowdStrike, told Advisen.
Zero-trust has taken off particularly quickly in the Asia Pacific and Western Europe regions, Raina said. In the U.S., there’s strong interest from the health care and public sectors. Last year, the Biden Administration mandated federal agencies adopt a specific set of standards for zero-trust.
General Motors is moving to zero-trust from a virtual private network because VPN “is increasingly becoming not as effective from a security perspective,” Kevin Tierney, GM’s vice president of global cybersecurity, said during the Wall Street Journal’s recent virtual Cybersecurity Forum. “That is what I would be looking at, especially if you’re making major changes to your system and you want to ensure a robust connection to all your employees wherever they are,” he said.
Insurance considerations aren’t yet motivating companies to shift to zero-trust, according to Dan Burke, senior vice president and national cyber practice leader of Woodruff Sawyer. But the cybersecurity measures they already examine -- like multifactor authentication (MFA) or privileged access management – are components of zero-trust, Burke and others said.
"Looking three to five years down the road … in the way insurance is driving [MFA] and endpoint detection and response tools, I see insurance driving zero-trust environments,” Burke said. “But it’s got to be more cost efficient and it’s got to be easier to deploy across networks first."
Many organizations aren’t able to fully implement zero-trust due to lack of financial or technological resources, said experts. It’s the larger and more technology-driven companies that will likely adopt zero-trust frameworks first.
And many smaller and mid-size firms still need to adopt basic cyber resiliency practices.
“Moving to zero-trust is moving to the next level of cybersecurity maturity. But I think you have to walk before you run, and embracing those controls would really be the first step,” John Farley, managing director of cyber practice at Gallagher, told Advisen.
Farley said firms without MFA and other protections are challenged to even receive a quote from cyber insurers.
“When you think about the next level of cybersecurity requirements, if in fact zero-trust becomes the norm and a requirement, we’re going to see the middle market organizations continue to struggle there,” he said.
S-RM’s Caron said he expects it will become easier to adopt zero-trust as interest in it grows. He said a few years ago there were fewer players helping organizations adopt zero-trust frameworks. Now, “there’s a lot of entrants in the market that bring their own niche and bespoke manners of approaching it, and I think that’s what is causing more of the knowledge gap to be shortened.”
