Zscaler Inc, the leader in cloud security, found that more than 90% of IT leaders who have started their migration to the cloud have implemented, are implementing, or are planning to implement a zero trust security architecture to secure their users, workloads and IoT/OT.
Supporting the mass migration to zero trust to secure internet users and the cloud, more than two thirds (68%) of IT leaders believe that secure cloud transformation is not possible with legacy network security infrastructures. Neither do they believe that ZTNA has clear and viable advantages over traditional firewalls and VPNs for remote access to applications.
What were the key findings of the report?
This is according to The State of Zero Trust Transformation 2023 report by Zscaler, which draws on a global study of over 1,900 surveyed senior IT decision makers at organisations around the world, which have already started migrating applications and services to the cloud.
Zscaler’s research report shows that against a backdrop of rapid digital transformation, IT leaders globally believe zero trust – built on the principle that no user, device or application should be inherently trusted – is the ideal framework for securing all enterprise users, workloads and IoT/OT environments in a highly distributed cloud and mobile-centric world.
Approached from a holistic IT perspective by experts, zero trust has the potential to unlock business opportunities across the overall digitisation process, from driving increased innovation to supporting better employee engagement, or delivering tangible cost efficiencies.
- More than 90% of organisations migrating to the cloud have implemented, are implementing, or are in the process to implement a zero trust architecture
- Only 22% of global IT decision-makers claim to be ‘fully confident’ their organisation is leveraging the potential of their cloud infrastructure, presenting an opportunity for zero trust
- 68% agree that secure cloud transformation is not possible with legacy network security infrastructures or that Zero Trust Network Access (ZTNA) has clear advantages over legacy firewalls and VPNs
- ZTNA is the top priority for zero trust investments over the next 12 months – indicating the importance of remote access for the hybrid workplace
- Globally, only 19% of organisations have a hybrid work specific zero trust-based infrastructure in place, while 50% are in the process of implementing or are planning a zero trust-based hybrid strategy.
- 52% said implementation of Zero Trust architecture would help tackle inconsistent access experiences for on-premise and cloud-based applications and data, and 46% said it would tackle productivity loss due to network access issues.
What are the leading cloud concerns?
IT leaders globally identified security, access and complexity as the top cloud concerns, creating a clear case for zero trust security architecture to overcome these hurdles. When asked about legacy network and security infrastructures, 54% of industry leaders indicated that they believed VPNs or perimeter-based firewalls are both ineffective at protecting consumers against cyber attacks and are providing poor visibility into application traffic and attacks.
This further validates the findings that state 68% of them agree that secure cloud transformation is impossible with legacy network security infrastructure or that ZTNA has clear advantages over traditional firewalls and VPNs for secure remote access to critical applications.
Why is there a lack of confidence in cloud infrastructure?
While progress on zero trust security architecture is strong, Zscaler has found that around the world only 22% of organisations are fully confident that they are leveraging the full potential of their cloud infrastructure, so while organisations have made solid initial steps on their cloud journey, there is a massive opportunity to capitalise on the benefits of the cloud.
Regionally, results vary with 42% of organisations in the Americas confident in the use of their cloud infrastructure, compared to 14% of organisations across EMEA and 24% in APAC. While India (55%) and Brazil (51%) lead on a country level followed by the United States (41%) and Mexico (36%), European and Asian countries are reportedly less confident: in Europe, Sweden (21%) and the UK (19%) lead followed by Australia (17%), Japan (17%) and Singapore (16%).
These particular countries from Europe are the ones lagging behind: The Netherlands with (14%) and Italy (12%), both France and Spain at (11%) and then lastly Germany with (9%). This chasm between the most progressive country being more than six times confident than the most laggering country shows the varying confidence levels of the cloud by region and further presents an opportunity for more intensive education and closing of the skills gap.
While at the first glance security appears to stand in the way of realising the full potential of the cloud, the motivations behind cloud migration suggest a more fundamental barrier in how IT leaders view the cloud. IT leaders globally cited a few issues which include; data privacy concerns, the challenges to securing data in the cloud, and the challenges of scaling network security as among the top barriers to embracing the cloud’s full and vast potential.
However, when asked about the main factors driving digital transformation initiatives in their organisations, the top three factors were cost reduction, managing cyber risk, and facilitating emerging technologies like 5G and Edge computing, suggesting there may still be a distinct lack of understanding around how to fully capitalise on its broader business benefits.
How does the hybrid working model mix with zero trust?
Global IT leaders surveyed in Zscaler’s research report predicted that in the next 12 months, their organisations’ employee base will continue to be fully embracing the different work style options available to them, split between full-time office workers (38%), fully remote workers (35%) and hybrid workers (27%). However, the research report also found that organisations may still be unequipped to handle the ever-evolving mix of hybrid working requirements.
Around the world, only 19% of organizations indicated that a hybrid work specific zero trust-based infrastructure is already in place, suggesting that organisations are not fully ready to handle the security of this highly distributed working environment on a broad scale. Next to those who have already updated their infrastructure, a further 50% of organisations are in the process of implementing or are planning to implement a zero trust-based hybrid strategy.
Employee user experience was mentioned as the top reason for implementing a zero trust-based hybrid work infrastructure. More than half (52%) agreed that implementation would help tackle inconsistent access experiences for on-premise and cloud-based applications and data, 46% that it would tackle productivity loss due to network access issues, and 39% that zero trust security would allow employees to access applications and data from personal devices.
These views reflect the wider challenge beyond security that hybrid working presents around access, experience and performance, and the role that zero trust security plays in response.
Does zero trust have the potential to be business enabler?
In line with the motivations behind cloud migration, Zscaler found that focus on wider strategic outcomes is missing from how organisations are planning emerging technological initiatives. Asked about the single most challenging aspect of implementing emerging tech projects, 30% cited adequate security, followed by budget requirements for further digitisation (23%). However, only 19% cited dependency on strategic business decisions as a challenge.
While budget concerns are natural, focus on securing the network while ignoring strategic business alignment suggests organisations are keen on security without a full understanding of its business benefit, and that zero trust itself is not yet understood as a business enabler.
“State of zero trust transformation within organisations today is promising – implementation rates are strong,” said Nathan Howe, Vice President of Emerging Tech, 5G at Zscaler.
“Organisations could be more ambitious. There’s an incredible opportunity for IT leaders to educate business decision-makers on zero trust as a high-value business driver, especially as they grapple with providing a new class of hybrid workplace or production environment reliant on a range of emerging technologies, such as IoT and OT, 5G and even the metaverse.”
“A zero trust platform has the power to redesign business and organisational infrastructure requirements: to become a true business driver that doesn’t just enable the hybrid working model employees are demanding, but also enable the organizations to become fully digitised, benefiting from agility, efficiency and future-proofed infrastructure.” Nathan Howe added.
How can organisations capitalise on zero trust?
- Not all zero trust offerings are created equal: It’s important to implement true zero trust architecture built on this principle; no user or application is inherently trusted. It starts with validating user identity along with business policy enforcement based on contextual data to provide users, devices and workloads direct access to applications and resources – never the corporate network. This eliminates the attack surface so threats can’t gain access to the corporate network and move laterally thus improving the security posture.
- Zero trust as an enabler of transformation and business outcomes: With increased levels of security, visibility and control, leverage holistic zero trust-based architecture to remove the complexity from IT operations allowing organizations to focus on gaining improved business outcomes as part of their digital transformation initiatives to remain competitive.
- Zero trust security for the boardroom: To align with business strategies, CIOs and CISOs should leverage the findings to help dispel fear, uncertainty, and doubt around what zero trust means and to promote its full business impact with the key industry decision makers.
- Zero trust-enabled infrastructures as foundation for the future: Emerging technologies need to be looked at as a competitive business advantage with rewards and zero trust will support the secure and performant connectivity requirements of any emerging trends.