Zero trust is on the lips of practically every enterprise security leader these days as they look to modernize their network security defenses. While zero trust initiatives are primarily pursued for the purposes of enabling fine grained secure access to network resources, the benefits extend far beyond just securing an organization’s network and its data.
Recently, we partnered with analyst firm Nemertes Research to conduct in-depth interviews with users across a range of industries who have already taken the first steps on their zero trust journey. The interviews may help security leaders better understand what motivates users to pursue a zero trust strategy in the first place, as well as to evaluate how these organizations are measuring the economic value that zero trust is delivering today.
To our surprise, what we discovered through this process was that while many of these organizations were initially motivated to prioritize zero trust because of a specific security problem they needed to solve, such as replacing their VPN or improving the security of their DevOps environment, the process also served as an enabling agent. As one user put it, “we deployed [zero trust] to solve one problem and discovered that it solves many others.”
What follows are four auxiliary benefits realized by a cross-section of businesses that have started on their zero trust journey.
Benefit #1: Enables digital transformation
Digital transformation has become something of a catchall for a variety of IT modernization priorities — whether it’s the shift to digitize inefficient, paper-bound processes or the adoption of digital technologies that streamline the user experience. For industries like manufacturing, replacing legacy-based equipment with smart, connected machines is one of the most powerful catalysts driving digital transformation today.
On first glance, it might seem there would be little overlap between a security framework like zero trust and a broad strategic initiative like digital transformation. But as these businesses ramp up these digitization efforts, they quickly realize that one of the unintended consequences of onboarding new partners or offering the convenience of mobile access to customers is that they increase the surface area for a potential attack.
Because the principles of least-privilege are baked into zero trust network access, organizations can provide access that enable authorized access to applications without introducing unnecessary risk. The companies interviewed in this study benchmarked the improvement of their digital transformation efforts at an average of 119%. As a security analyst at a publishing company said, “a software defined perimeter minimizes our surface of exposure to new partners as they come on board — you don't have to give the whole network to everyone.”
Benefit #2: Improved remote access
The global pandemic was a forcing function of the highest order for secure remote access as enterprises across the globe scrambled to connect a growing population of remote workers to protected network resources. Of the customers interviewed in the survey, companies had an average of 14% of employees working from home prior to COVID-19, and an average of 80% throughout the pandemic. While most predict a substantial return to the office, more than half (55%) of employees will continue working from home for the foreseeable future.
For the better part of the past two decades, VPNs have served as this trusted conduit. However, VPNs are increasingly viewed as not well equipped to meet the complexities of the modern network. This is the reason for VPN replacement remaining one of the top use cases for zero trust as today’s increasingly distributed enterprise permanently shifts to hybrid or remote work.
The companies surveyed also noted that improving remote access was a priority even before COVID-19 made it an imperative. These organizations were looking for a more resilient and automated solution that would streamline the provisioning process and ease the burden on their IT support teams who were spending too much of their time closing out service tickets related to access requests. Many of these customers also stated that making remote access secure and simple would confer a competitive advantage in an increasingly competitive job market, as they may be better positioned to recruit and retain employees who will demand greater flexibility in how and where they choose to work.
Benefit #3: Facilitates cloud migration
Gartner’s most recent forecast estimates an 18.4% increase in worldwide spending on public cloud services, totaling almost $305 billion in 2021. As enterprise Chief Information Officers look to further embrace cloud services, they must contend with a new set of challenges — from figuring out where its data and workloads will reside to how to dynamically establish permissions.
One challenge with many access control solutions is that they are designed to protect either on-premise or cloud-based resources, but not both. One major advantage of a software-defined zero trust approach is that it enables uniform protection, regardless of whether a resource is located in the cloud or on-premise — or if it moves from on-premise to the cloud or even when moving between multiple clouds.
Moving applications and data to the cloud — or multiple clouds — effectively turns all users into remote users — with some stark differences. Zero trust network access automatically scales with the enforcement points associated with cloud workloads, resulting in entitlements across multi-cloud environments without manual intervention.
Said the technology leader at a non-profit user, “a software defined approach provided a solid cloud migration assist in that it made it made it easy to segment cloud networks and assure access permissions were correct.”
Benefit #4: Streamlines operations
All participants reported improvements in operational efficiency across a number of quantifiable metrics. These include:
- Time to provision new users
- Staff count required to handle provisioning
- Trouble tickets related to login and application access
- Security incidents related to login and application access
- User login times
- Ability to handle multiple simultaneous users (scalability)
Operational performance was confirmed by a high-tech user’s response: the IT team was able to reduce provisioning time by 93.3% (from 30 days to half a day). Meanwhile, users saw login times decrease from 2 minutes to 30 seconds, and the help desk saw a reduction in trouble tickets from 100 per day to “basically none.”
It’s important to remember that zero trust is not a destination, but a journey. While companies might initially embrace it to improve their security posture, the process positions security professionals to solve an array of common business challenges.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.