Ride the Lightning

Just 35% of IT Pros Say They are ‘Very Familiar’ With Zero Trust

April 5, 2022

SC Media reported on March 31 that, despite all the hype surrounding zero trust over the last few years, research from CyberRisk Alliance (CRA) Business Intelligence, based on 300 responses from IT and security decision-makers and influencers ,found that most security pros still find zero trust a vague concept.

The CRA research, sponsored by Attivo Networks and HP Wolf Security, reports that only 35% of respondents believe they are very familiar with zero trust and are knowledgeable about the framework and controls. The remaining two-thirds say they have just a modest understanding of zero trust with limited knowledge about the concepts and controls.

CRA researchers say deployment has been slowed by an ongoing struggle to fully comprehend the elements that embody zero trust and how to architect. Heightened threats have made respondents open to the basic zero-trust concept as a tool to adopts, although organizations will find implementation challenging without the knowledge, budget, management support and prioritization focus.

 According to the CRA research, at least in the near-term, management support and budget limitations are hindering zero-trust adoption. The primary barriers for organizations that have yet to adopt zero-trust programs are lack of management support (26%) and budget limitations (23%). Other issues among non-adopters include the following: lack of prioritization (15%), lack of knowledge (13%), and lack of qualified staff to implement (10%).

 As part of the research, CRA set up a “Champions” segment of 70 responding companies that had sufficient budget, met the technical qualifications, had management support and knowledge of zero trust, and knowledge on how to implement zero trust.

CRA reports that 64% of the “Champions” group use the NIST Cybersecurity Framework and another 50% use the NIST SP 800-207 Zero-Trust Architecture Model. The top components of the group’s zero-trust models and strategies included the following: identity and access management (86%); data protection (84%); cloud security controls (84%); network controls (80); and endpoint controls/host instruction prevention (77%).

The top areas where “Champions” apply zero-trust processes include: cloud apps and services (86%); network operations (80%); data center (77%); and the security operations center (70%). The top applications where zero trust gets applied include: web and cloud applications (89%); databases and other data center applications (82%); mission critical servers such as DNS and web servers (82%); and critical OT/IT applications (80%).

When deploying a zero-trust architecture into existing environments, NIST recommends enterprises consider starting small and expanding. NIST Special Publication 800-207 details how enterprises should look for ideal situations to introduce zero-trust processes and how the move to zero trust can take place one step at a time. NIST says enterprises need to make sure that the common elements of the program, such as identity management, device management and event logging are flexible enough to operate in the zero-trust and non-zero-trust security environments. Organizations must also look to zero-trust tools that will interface their APIs with existing systems and security tools.

If you think that sounds complicated, it sure as heck is. I am convinced that many law firms are likely to be afraid of Zero Trust and the complications that might ensue if they don’t get it right.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225, Fairfax, VA 22030
Email:   Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson