Zero Trust: accepted, but not completely integrated

Presented as the most promising and convincing approach to cybersecurity, Zero Trust continues to appeal, but it is not yet fully integrated within organizations. The reasons? Companies' relative lack of maturity in changing their approach to cybersecurity, and the absence of a legislative framework in this area. With cyberattacks growing ever more sophisticated, there is an urgent need to accelerate the implementation of Zero Trust within organizations.

Trying it is not (yet) adopting it

The history of Zero Trust, an approach that consists of reducing the “implicit trust” granted to users and to activities carried out through the organization’s equipment, is not, for the moment, one of dazzling successes that almost automatically win everyone’s support. No, the story unfolding before our eyes is one of paradox: on the one hand, nearly 61% of global companies had implemented a Zero Trust initiative in 2023, according to Okta’s “State of Zero Trust 2023” report; on the other, Gartner notes in a study that only 1% of companies are mature in their adoption of the Zero Trust method. In other words, the desire is there, but companies’ structures and processes are not adapted to its full integration.

The idea is therefore not to question the effectiveness of Zero Trust, which in many respects is gradually asserting itself as the next step in modern cybersecurity strategies, but to understand that its thwarted and incomplete adoption will ultimately represent a problem for the protection of company systems. With the massive use of teleworking and hybrid working in general, there is an increased need to adopt a security model that can operate effectively outside the traditional perimeter of the company.

Proceed block by block

Let’s be transparent: few companies can afford a global implementation of Zero Trust. “All in one” is a costly method that significantly disrupts processes and teams. In practice, this approach is reserved for larger structures that have sufficient human and financial resources to carry out this type of project. There is a certain logic to this, since these companies are exposed to cyber risk. Other companies can only proceed block by block. For many of them, the absence of an IT department and a legal department forces this approach, while keeping a coherent sequence for the blocks to be put in place.

There are numerous Zero Trust projects and, even if companies have already more or less put certain aspects of this method into practice, it is necessary to go further: starting with strengthening access via affordable MFA (Multi-Factor Authentication) solutions, or implementing a security policy based on the principle of least privilege, otherwise called SoD (Segregation of Duties). At the same time, it is recommended to opt for secure clouds and, more generally, to outsource certain aspects of security to compensate for limited internal resources. Finally, and this is one of the biggest challenges related to Zero Trust, the ability of companies to deploy network segmentation and microsegmentation is essential to isolate critical systems and limit the spread of threats.
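To make the last point concrete, here is an added example (not code from the article or from any vendor it mentions) that models how segmentation and microsegmentation limit the spread of a compromise. Host names, segment names and the allow-list rules are all constructed for the demo. The policy is an explicit allow-list with default deny; everything not listed is blocked, which is the Zero Trust posture of granting no implicit trust between zones. The `blast_radius` function walks the allowed flows from a compromised host and reports how many successive pivots an attacker would need to reach each other host, so a defender can compare a flat network, coarse segmentation (hosts in the same segment talk freely) and microsegmentation (even neighbours need a rule).

```python
from collections import deque

# Constructed example inventory: each host is assigned to one network segment.
# Names are hypothetical and carry no meaning beyond this demo.
HOSTS = {
    "laptop-1": "users",
    "laptop-2": "users",
    "web-1": "web",
    "app-1": "app",
    "db-1": "critical",
    "backup-1": "backup",
}

# Segmentation policy as an explicit allow-list of (source segment, destination
# segment) pairs. Anything not listed is denied: default deny, no implicit trust.
SEGMENTED_POLICY = [
    ("users", "web"),      # staff may reach the web tier
    ("web", "app"),        # web tier may reach the application tier
    ("app", "critical"),   # only the app tier may reach the critical database
    # nothing may reach the "backup" segment from elsewhere
]

# A flat network is modelled as "no policy": every host may reach every other.
FLAT_NETWORK = None


def is_allowed(policy, src, dst, intra_segment=True):
    """Return True if `src` may open a connection to `dst` under `policy`.

    intra_segment=True  models coarse segmentation (hosts in the same segment
                        talk freely); intra_segment=False models
                        microsegmentation (even neighbours need an allow rule).
    """
    if policy is None:                 # flat network: everything is allowed
        return True
    src_seg, dst_seg = HOSTS[src], HOSTS[dst]
    if src_seg == dst_seg:
        return intra_segment
    return (src_seg, dst_seg) in policy


def blast_radius(policy, compromised, intra_segment=True):
    """Map every host an attacker holding `compromised` could reach to the
    number of successive pivots needed to get there (BFS over allowed flows)."""
    hops = {compromised: 0}
    queue = deque([compromised])
    while queue:
        src = queue.popleft()
        for dst in HOSTS:
            if dst not in hops and is_allowed(policy, src, dst, intra_segment):
                hops[dst] = hops[src] + 1
                queue.append(dst)
    del hops[compromised]              # report only the other hosts
    return hops


if __name__ == "__main__":
    for label, policy, intra in [
        ("flat network", FLAT_NETWORK, True),
        ("segmented", SEGMENTED_POLICY, True),
        ("microsegmented", SEGMENTED_POLICY, False),
    ]:
        print(f"{label:15s} from laptop-1 -> {blast_radius(policy, 'laptop-1', intra)}")
```

On the flat network a single compromised laptop reaches every host in one hop, including the backup server. Under the segmented policy the backup segment is unreachable, the database is only reachable after pivoting through the web and application tiers, and a compromised web server can no longer reach user laptops at all; microsegmentation additionally removes the neighbouring laptop from the reachable set. The same walk can be run against a real allow-list export to find which critical systems remain one hop from user endpoints.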

A regulatory framework that is still timid

This is certainly one of the major sore points when we talk about Zero Trust. As promising and effective as this method is, the companies most resistant to change, and those whose cyber maturity is not very advanced, will not risk changing everything if there is no real incentive. By that, we mean significant progress at the regulatory level, both nationally and in Europe. As it stands, Zero Trust is strongly recommended, but not obligatory.

Let’s not darken the picture, however, since the regulatory horizon now seems to be brightening with the arrival of the new European directive NIS 2. Beyond the intention to impose more coercive compliance on the companies concerned, along with better collaboration on security policies, NIS 2 above all broadens its scope to cover more sectors of activity, divided into two categories: essential entities and important entities.

Logically, the incentives will become stronger, and with them the need to move more decisively toward Zero Trust. Of course, it is not a miracle solution, and its effectiveness cannot be separated from the vigilance of employees, which remains, whatever the technology, the first line of protection. They still need to be properly made aware.
