What drives companies to adopt a 'zero trust' approach to cybersecurity?

  • No users or devices are to be trusted under the "zero trust" model of security.
  • The global zero trust security market is expected to reach $52 billion by 2026.
  • The growth of target-based cyber attacks and the increasing regulations for data protection and information security are driving the growth.

Anything can be compromised, so don't trust anyone in cyber security.

The zero trust model of security, which involves continuously verifying users and devices, is gaining popularity among organizations seeking to prevent breaches and stay ahead of bad actors.

Amidst the ongoing conflict in Ukraine, global tensions, and the persistent threat of Russian-backed hackers, the need for a robust cyber security strategy has never been more urgent.

The term "zero trust" has been interpreted differently by vendors as they try to capitalize on its popularity. However, the definition provided by the National Institute of Standards and Technology (NIST) is widely accepted: "Zero trust refers to a set of evolving cybersecurity paradigms that shift the focus from network-based perimeters to user, asset, and resource protection. It assumes that no implicit trust is granted to assets or user accounts based solely on their physical or network location."

In the age of remote/hybrid work, cloud services, and ubiquitous mobile devices, authentication and authorization have become increasingly important for cybersecurity teams to perform before granting access to any digital resources.

Growth in the market

The global zero trust security market is projected to grow from $19.6 billion in 2020 to $51.6 billion by 2026, driven by the increasing frequency of target-based cyber attacks and regulations for data protection and information security.

Cybercriminals with a targeted objective focus on end-point devices, networks, cloud-based applications, and other IT infrastructure components to steal critical information, resulting in business disruptions, intellectual property theft, financial loss, and the loss of sensitive customer information, according to a report.

The federal government is pushing for a zero-trust approach to cybersecurity, with a mandate from the Office of Management and Budget for agencies to adopt a zero-trust architecture strategy by the end of fiscal year 2024.

The initiative aims to strengthen the government's defenses against advanced and persistent threat campaigns that target federal technology infrastructure, endanger public safety and privacy, harm the American economy, and undermine trust in government, according to OMB.

In the current threat environment, conventional perimeter-based defenses are no longer sufficient to protect critical systems and data, as stated in the memorandum. Adopting a zero trust approach to security can provide a secure architecture for this new environment.

In January, Booz Allen Hamilton received a $6.8 million contract from the U.S. Defense Information Systems Agency (DISA) to develop Thunderdome Prototype, a zero trust security platform that aligns with a May 2021 executive order from the White House aimed at enhancing the nation's cybersecurity.

The agency will implement DISA's Zero Trust Reference Architecture, published in March 2020, through a six-month effort. This will involve deploying technologies such as secure access service edge (SASE) and software-defined wide area networks (SD-WAN).

Thunderdome will incorporate enhanced cyber security focused on data protection and integrate with existing endpoint and identity management initiatives as part of the zero trust effort.

Thunderdome will greatly aid in defending and safeguarding systems against advanced adversaries, modernize the agency's cyber security infrastructure, and improve user access to cloud-hosted applications, according to DISA. By deploying Thunderdome as a new security model, the DoD aims to achieve its objectives of integrating network and security solutions in the cloud and enhancing the protection of end-user devices, as stated by DISA.

According to David Holmes, a senior analyst at Forrester Research, there are three key trends underway with zero trust, aside from the recent government actions.

Organizations are enhancing their identity management strategies, which are crucial to the zero trust architecture, by implementing technologies such as identity and access management, multi-factor authentication, and single sign-on.

During the pandemic, organizations shifted from VPN access to zero trust network access (ZTNA) for enhanced performance, according to Holmes, who spoke with 43 organizations using ZTNA, 26 of which confirmed the migration from VPN.

Zero trust security measures, including microsegmentation, are gaining popularity among organizations as they seek to improve the security of their local networks.

Use cases for zero trust

Zero trust security is being adopted by organizations for two primary reasons, according to Holmes. One is to implement a comprehensive zero trust strategy, while the other is to address specific security issues, such as access, with zero trust.

To create an effective roadmap, the first group should begin with a zero trust gap analysis and prioritize subprojects such as identity and access management, multi-factor authentication, single sign-on, ZTNA, and microsegmentation, advises Holmes.

To tackle specific, practical issues, Holmes recommends that businesses ensure their zero trust implementations are executed and that the outdated systems they replace are permanently removed.

To avoid confusion, Holmes advises that when deploying VPNs, it's important to ensure that they are also deprecated. Similarly, when deploying microsegmentation projects, it's crucial to put them into enforcement mode rather than just alerting mode.

It appears that zero trust will remain a prominent cyber security approach in the future.

by Bob Violino