“We’ve seen two years’ worth of digital transformation in two months,” said Microsoft CEO Satya Nadella, delivering the company’s quarterly earnings report to Wall Street in April 2020. The months that followed ushered in a decade of changes in digital transformation and corresponding security challenges.
“What we have witnessed over the past year is the dawn of the second wave of the digital transformation sweeping every company and every industry,” said Nadella, announcing the quarterly results in January 2021. “Building their own digital capability is the new currency driving every organization’s resilience and growth.”
The spike in remote work and online transactions forced businesses to get their act together. Instead of playing catch-up, infosecurity professionals started taking proactive measures to replace the existing perimeter-based security tools with Zero Trust architecture. But is the adaptation prohibitively expensive for start-ups and SMEs? Not necessarily, security industry leaders tell Cyber Express.
Why is Zero Trust important?
“In this new world, there is no longer a wall around a business’ sensitive assets, and nor are employees always on-site,” said Ben King, Chief Security Officer – EMEA at Okta.
“As organizations have become more flexible in supporting distributed, remote teams, they also had to change and increase their focus on security. Businesses have had no choice but to evolve the range of sophisticated solutions they use to protect identity in all contexts. This has led many s organizations to reduce or retire traditional perimeter-based security tools and implement a zero-trust architecture.”
The post-pandemic businesses need a security model that adapts to the complexity of the modern environment more effectively, embraces the mobile workforce, and protects people, devices, apps, and data wherever they are located. Instead of assuming everything behind the corporate firewall is safe, the Zero Trust model verifies each request as though it originates from an open network.
“There are many notable examples of companies that have deployed zero trust models. Many vendors will advocate that their product offerings are adhering to zero trust, but as we know, implementing such an approach within an enterprise is not something you can fix solely with technology but instead with a broader set of principles,” said Raj Samani, Chief Scientist at MacAfee.
In the cloud, the safest thing to assume is that nothing is safe, a Microsoft spokesperson told Cyber Express. According to the spokesperson, businesses should base their Zero Trust architecture on three principles:
- Verify explicitly:
Validate any access request in its full context: the user account, the device, the network, the application, and the data being accessed
- Use least privileged access:
When we do grant access to someone, give only the minimum level of access the user needs to complete their task, and only for the amount of time they need it.
- Always assume breach:
It asserts that breaches do happen. As such, all systems should be ready to detect and remediate any attacks, and the security infrastructure must be designed to minimize the blast radius of any possible incident.
What businesses need Zero Trust the most?
With digital transformation covering all aspects of daily life, the spectrum of Zero Trust adaptation is growing by the day. Companies such as GitLab, MGM Studios, FedEx, public relations major Dentsu, and non-governmental organizations including the Norwegian Refugee Council are among the long list of domain leaders that have adopted Zero Trust.
A closer look at the activity profiles of the organizations that tend to prioritize Zero Trust more heavily shows these common characteristics: they have a complex user population; they store large amounts of sensitive data.
“In certain industries, zero-trust is more critical than ever, often driven by expectations from industry regulators. Justice and public safety organizations, for instance, face intensive regulatory compliance requirements. A zero-trust framework helps ensure these organizations meet advanced authentication demands,” said Ben King of Okta.
Similarly, security leaders in finance, public utilities, and manufacturing understand that it is crucial to be prepared because their industries are top targets for threat actors.
However, fewer professional services firms seem to recognize their risk level, with less than 40% confirming defined zero-trust initiatives, King said, citing Okta’s State of Zero Trust 2020 report. The size of the business and volume of the data rarely matter these days, he added, giving the example of healthcare organizations, which must adapt zero-trust initiatives both in their current and planned projects irrespective of their size.
Global research and advisory company Forrester list the rise of ransomware as one of the major reasons for Zero Trust adaptation among their clients. The publication of SP 800-207 Zero Trust architecture guidance by the National Institute of Standards and Technology (NIST) helped the move. However, it was the pandemic that boosted the adaptation numbers.
“Thousands of organizations got their first taste of Zero Trust during the Covid-19 pandemic. When workforces went nearly 100% remote, VPN infrastructure could not keep up and Zero Trust solutions stepped in to provide cloud-delivered secure remote access,” said David Holmes, senior research analyst at Forrester.
Forrester received hundreds of calls from clients who wanted the transition to Zero Trust during the pandemic. According to a Forrester research, federal agencies in the US and abroad are using NIST’s 800-207 publication as a go-ahead to start scoping more ZT.
Any change brings its own costs and inconveniences. Is the switch to Zero Trust architecture prohibitively expensive for start-ups and SMEs?
“Quite the opposite,” said Holmes. “Many start-ups are cloud-based and it’s easier to do ZT in the cloud. It’s actually the larger enterprises that are struggling to apply Zero Trust to heterogeneous, legacy environments.”
Adaptation is relatively easy if a five-step process is implemented, says a guidance note by Palo Alto Networks. The steps are:
- Define the protected surface:
The protected surface encompasses the critical data, application, assets, and services—DAAS—most valuable for your company to protect.
- Map the transaction flows:
Documenting how specific resources interact allows you to properly enforce controls and provides valuable context to ensure the controls help protect your data, rather than hindering your business.
- Architect a Zero Trust network:
Once you’ve defined the protected surface and mapped flows relative to the needs of your business, you can map out the Zero Trust architecture, starting with a next-generation firewall.
- Create the Zero Trust policy:
- Use the “Kipling Method” to define the following:
- Who should be accessing a resource?
- What application is being used to access a resource inside the protected surface?
- When is the resource being accessed?
- Where is the packet destination?
- Why is this packet trying to access this resource within the protected surface?
- How is the packet accessing the protected surface via a specific application?
- Monitor and maintain the network:
Since Zero Trust is an iterative process, inspecting and logging all traffic will provide valuable insights into how to improve the network over time.
Who are the major players in zero-trust?
Forrester’s ZTX Ecosystem report ranks 15 Zero Trust platform providers, including major players such as Microsoft, Google, Cisco and Palo Alto and some smaller vendors such as Ionic and Guardicore.
The list includes the likes of Twingate, AppGate SDP, Zscaler Private Access, Pulse SDP, Wandera, Proofpoint Meta (formerly Meta Networks), and Trustgrid Software-Defined Perimeter.
In a move that is expected to fuel Zero Trust adaptation among smaller businesses, Google recently threw open the doors of its Zero-Trust product offering, BeyondCorp Enterprise, which extends and replaces BeyondCorp Remote Access.
Security industry leaders Check Point, Citrix, CrowdStrike, Jamf, Lookout, McAfee, Palo Alto Networks, Symantec, Tanium, and VMware have joined Google as members of BeyondCorp Alliance, which intends to popularize Zero Trust architecture.
Who are the investors?
The latest Zero Trust Access Providers list by Forrester has over 30 vendors, many of whom are recent start-ups.
“Private equity is backing many of these start-ups,” said Holmes of Forrester. They’re investing not just because Zero Trust has become the de facto security strategy, but also because the increase in remote workforce is making these technologies critical.”
The opportunity was spotted by investors, particularly private equity firms, way before the pandemic.
“To date, the security focus for most corporates has been erecting firewalls around the perimeter of their network. However, this model has increasingly come under attack, calling for a new paradigm wherein the concept of trust in a security context is dramatically altered,” David Milroy, Partner at UK-based private equity Maven, wrote in 2019,
“In a Zero Trust framework, trust is viewed as a vulnerability with all users treated equally, in contrast to traditional security where users inside a network are deemed to be more trustworthy than those outside of the corporate firewall… Faced with the spectre of ever more sophisticated attacks, businesses will continue to invest in preventative measures that fuel the cybersecurity ecosystem and, as a result, will create attractive opportunities for investors.”
Mergers were clear indicators of the trend
Cisco acquired Duo Security for $2.35 billion in cash in 2018, with Duo CEO and co-founder Dug Song and the team joining Cisco’s networking and security business. Proofpoint announced in May 2019 its agreement to buy zero trust network access provider Meta Networks for $111 million in cash and approximately $9 million in stocks.
The US-based software company Ping Identity in November 2020 announced its acquisition of Edinburgh-based Zero Trust tech start-up Symphonic Software for an undisclosed amount. Marven, which was invested in Symphonic, made a 2.9x money multiple returns and 90% internal rate of return (IRR) for investors in under two years from the deal.
Zero Trust business Appgate in February announced a merger with Newtown Lane Marketing and an investment of up to $100 million from “a leading alternative investment manager”. The investment valued the company at $1 billion.
Appgate was formed after Cyxtera Technologies spun off its cybersecurity business into a separate company in 2019. Going by the indications, investment firm BC Partners, which created Cyxtera after investing $2.8 billion in 2017, has made a killing from the latest deal. The investment firm will hold 50% of the post-merger entity.
The Zero Trust cybersecurity market is expected to reach $38 billion by 2025, according to an analysis by Adroit Market Research.
“The zero-trust security market has solid competition among the early established and new players. Also, to capture a competitive advantage over the other industry, many players are aiming for potential markets by forming collaboration and partnerships, agreements, mergers & acquisitions, acquiring new start-ups and other companies, and escalating their business presence,” it said.
A study by Enterprise Management Associates (EMA) says that 60% of IT buyers accelerated the implementation of zero-trust policies and technology during the COVD lockdown and unlocking period.
“According to Ponemon Institute’s most recent Cost of a Data Breach report, a “mega-breach” of 1 million records could cost a company $42 million, while a loss of 50 million records costs an estimated $388 million. The huge rise in large data breaches, which make headlines around the world, has made zero-trust the next big investment opportunity,” said Okta’s Ben King.
“More and more organizations are realizing the need to adopt a zero-trust framework and stay on top of the latest security advancements to protect their customers, employees, and shareholders from the headaches and costs of a breach. London, as a financial hub, is breeding the perfect marketplace for zero-trust vendors to thrive,” he added.
Microsoft research from 2020 found that considering the growth in remote work, 51% of business leaders are speeding up the deployment of Zero Trust capabilities.
“As people begin returning to the office or hybrid-remote scenarios, we believe Zero Trust architecture will still eventually become the industry standard, which means everyone is on a Zero Trust journey. That reality is reflected in data, such as numbers that show how 94% of companies reported that they are in the process of deploying new Zero Trust capabilities to some extent,” said the Microsoft spokesperson.