A survey of 400 senior decision makers from mid-to-large-sized companies in the U.S. and Canada found that while 97% view adopting a zero-trust model as a priority, a full 90% continue to rely on virtual private networks (VPNs).
Conducted by Sapio Research on behalf of Banyan Security, the survey found more than half of respondents (53%) have begun to roll out zero-trust solutions, with another 44% still in the early planning stages.
The primary reasons for making the shift are secure remote access (48%), improving the end-user experience (34%) and eliminating exposure to VPN vulnerabilities (34%).
A full 82% also said they would likely implement zero-trust network access (ZTNA) if there was an easily deployable, inexpensive option. Nevertheless, nearly half of respondents (46%) also noted that modern, secure remote access is not a priority at this time.
Den Jones, chief security officer for Banyan Security, said the survey suggested that organizations are finding it challenging to quickly move away from VPNs even though they typically lack application-level access controls and more advanced integrated security capabilities.
As a result, more organizations will be looking to consume zero-trust security solutions as a cloud service managed on their behalf in large part because there is still a lot of confusion concerning what constitutes a zero-trust solution, noted Jones. There’s simply not enough understanding of the layers of security that need to be applied to achieve that goal, he added.
Nearly two-thirds of organizations (62%) also identified cost/budget constraints as the biggest barriers (62%) for VPN users to adopt ZTNA, with 30% of organizations using VPNs reporting it would be difficult to implement ZTNA infrastructure in their current security environment.
In fact, right now, the blind may be leading the blind because too many IT and cybersecurity professionals still view VPNs as enabling zero-trust; it’s already been shown many VPNs are highly vulnerable, said Jones.
Zero-trust IT, of course, is hardly a new idea. The challenge is achieving that goal using software versus trying to implement it by locking down hardware. The latter approach has already been tried with limited success. End users today expect IT and cybersecurity teams to be able to ensure security without adversely impacting their application experience. That’s a tall order for more internal IT organizations to achieve on their own. One of the primary benefits of shifting to the cloud is it enables organizations to rely more on the expertise of specialists to manage services on their behalf. A cloud service also provides the added value of checking the security posture of both applications and devices any time a remote user connects to a network, noted Jones.
It’s not clear at what rate the shift to zero-trust IT will accelerate the transition to the cloud. However, it’s hard to see how that might be accomplished in an age where end users are accessing applications running in the cloud or on-premises IT environments from almost anywhere. The days when cybersecurity and IT teams could expect the bulk of end users to be protected behind a network firewall are now all but over.