Zero Trust Architecture Rises Across Industries

An Army cyber officer works from home.

Defense Dept. photo

Government agencies and businesses around the world are moving rapidly to adopt the cybersecurity practice zero trust, a change from just a few years ago, according to a new report.

Information technology company Okta recently released its annual global snapshot of zero trust implementation across industries and found that 72 percent of government organizations surveyed were already employing zero trust methods.

Across all industries, including healthcare and software, 55 percent of companies said they had zero trust initiatives, which is more than double the amount in the previous year’s survey.

Okta surveyed 700 security decision makers across “many” organizations and companies internationally for the report “The State of Zero Trust Security 2022.”

The company has released the whitepaper annually since 2019, and cybersecurity has drastically changed since then, said Sean Frazier, Okta’s federal chief security officer. Zero trust architecture — which mandates that even users known to a network be double-checked throughout their time on the network — is becoming more prevalent through identity- and access-based protections, he said.

Even though government agencies were ahead of the curve globally, the clock is ticking for the U.S. government. A May 2021 Biden administration executive order requires all federal entities to implement zero trust methodology by 2024. The administration followed up the order by issuing a zero trust reference architecture last fall.

The COVID-19 pandemic changed the threat landscape, explained Booz Allen Hamilton’s senior solution architect Imran Umar, who heads zero trust assessments at the consultant firm. Defense companies and agencies alike have praised the flexibility that working from home allows, but it also creates new opportunities for cyber attacks.

“Users are now sort of distributed. They’re not in some central location at a headquarters all working together,” which changes the threat vector, he said.

For example, employees working from home may introduce their own devices, which may not have a cyber-hardened connection to the main network.

“So taking into account all those different attributes — whether it’s the user identity, behavioral analytics and the combination of things like device health status — is very important, especially if you have a very large remote workforce,” he said.

But the shift is not just “a pandemic-related spike,” according to the Okta report. Frazier said he sees zero trust as the “inevitable” security of the future.

The Defense Department has been working to allow users to access any data securely from anywhere, and it is not alone in that regard, he said.

“The fire was lit under it from the pandemic,” he said.

As more users have been accessing systems remotely, cyber attacks based on impersonating a network user have also increased.

More than 80 percent of web app breaches last year resulted from credentials abuse, and stolen credentials were the No. 1 tactic used in ransomware attacks, according to Verizon’s “2022 Data Breach Investigations Report.”

While the U.S. government has mandates in place to transition to zero trust models, funding remains a concern, the report stated. Globally, more government organizations surveyed said their budget for zero trust initiatives increased in the past year. The Biden executive order is unfunded, although U.S. agencies could see dollars from the Technology Modernization Fund.

However, changing the way the government thinks about security is more important than investing in costly software and hardware, Frazier said.

“I always tell people that zero trust is more about a mindset shift and kind of a lifestyle choice than it really is about technology,” he said. “You’ve got to take the time — the investment really is mostly on the time — to figure out what is my path? What is my plan?”

Umar noted that most of the time organizations in the Defense Department have the tools they need to work in a zero trust environment, but they need a plan to integrate them.

“I think the biggest issue we have seen with this organization is not that they don’t have the tools and capability,” he said. “It’s that they’re siloed, and it’s the integration of those tools.”

Meanwhile, the Okta report found that while government organizations are making progress on zero trust, some organizations are behind in maturing protection measures such as single sign-on and multi-factor authentication.

The U.S. government used to rely heavily on smart cards for multi-factor authentication, Frazier said. The cards worked well for most of the workforce, but it was cost prohibitive to give all the workforce and users outside the organization — such as companies who work with the government — access to cards.

Because of the overreliance on smart cards, the private sector got ahead of federal agencies.

Single sign-on approaches had similar pitfalls. The government relied on public key infrastructure in the Federal Trust Bridge, a “cumbersome” and “not modern” trust method, Frazier noted.

“The government was kind of stuck with this big boat anchor of the stuff that they tried to do over the last 20 years,” he said.

Beyond complying with the federal mandate, zero trust adoption could also mean better information sharing practices with allies, added Booz Allen Hamilton’s Umar.

“It’s been challenging getting allies access to the data that you want to share with them, and a lot of those hurdles have mostly been because of the amount of time it takes to get them onboard into a specific network,” he said.

By moving to a zero trust practice and architecture, “sharing information with allies will become much more seamless,” he said.

Topics: Cybersecurity, Infotech