Companies of all sizes have realized that to thrive in the digital economy, their systems, services, and employees need to be securely connected. And with today’s growing distributed workforce, they know that relying on the corporate network perimeter isn’t a viable security strategy.
What is Zero Trust?
At its core, the concept of Zero Trust is simple: there should no longer be a trusted internal network and an untrusted external network. Instead, all network traffic needs to be considered untrusted, and organizations should operate on the principle that every single user or device that wants access to their data needs to be verified. Only then can information and infrastructure be as protected as possible.
Zero Trust was originally coined by Forrester Research analyst John Kindervag over a decade ago. But as organizations, workforces, and networks become increasingly distributed, it has never been more applicable than it is at this moment—and it will continue to be the security strategy of choice for the foreseeable future.
Identity and Access Maturity Curve
In many ways, a company’s position on the maturity curve parallels its progress towards Zero Trust, which is why Okta conducted a survey of 200 small and medium-sized organizations employing anywhere from one to 1,250 people to see where they stand on a range of IAM initiatives. Respondents answered a questionnaire on their current practices and future plans.
The results show commendable foresight on the part of SMBs, as many of them were making secure distributed workforces a priority well before the global pandemic forced everyone to stay at home. Nevertheless, there’s still lots of room for improvement—and that’s even more true now, considering the monumental shifts that have recently transformed how employees live and work.
Breaking down the IAM maturity curve
Okta’s identity and access maturity curve classifies organizations in four potential stages.
Stage 0: Fragmented Identity
Stage 0 is when companies may be bringing cloud technologies into the mix for the first time. This truly is the start of the journey, as the on-prem and cloud infrastructure they presently have isn’t yet integrated with an IAM platform.
Stage 1: Unified Identity and Access Management
It doesn’t take much to advance to Stage 1, but it makes a huge difference: once organizations invest in IAM solutions such as single sign-on (SSO) and multi-factor authentication (MFA), they can cut down on poor password hygiene and enhance user and app security. At the same time, they’re putting preliminary but necessary authentication systems
in place to make sure users are who they say they are. 96% of SMBs have already implemented SSO for their internal teams, and 93% are protecting their people with MFA.
Stage 2: Contextual Access
Stage 2 marks an important shift in a company’s IAM strategy. That’s because this is the phase where more granular, context-based factors may be implemented in the MFA process, allowing admins to grant access to users based on a variety of factors, including device posture or location, as well as network.
This is also the stage where security measures may be applied to APIs as well, which is critical: Gartner predicts that by 2021, 90% of web-enabled applications will have a greater attack surface due to exposed APIs, and by 2022, they will be among the greatest causes of data breaches.
Stage 3: Adaptive Workforce
Once an organization achieves Stage 3, they have nearly everything they need for Zero Trust security. This includes robust cloud architecture in which risk-based authentication policies proactively and automatically screen access requests—and login experiences that are more frictionless than ever thanks to the elimination of passwords through tokens, biometrics, email magic links, factor sequencing, and WebAuthn-related methods. The move towards passwordless authentication is still an emerging trend (75% of SMBs surveyed plan to go passwordless in the next 12 to 18 months)—one that can significantly enhance an organization’s Zero Trust security model.
Laying the foundations for a Zero Trust security model
When it comes to integrating IAM with security architecture, 65% of small and medium-sized businesses are prioritizing security information and event management (SIEM), which is also a focus for their enterprise counterparts. But SMBs are also placing more of an emphasis on privileged access management (PAM), with 75% citing it as a top tool.
Looking to the near future, SMBs’ adoption strategies prominently feature access management at the edge, with 52% looking to cloud access security brokers (CASB) and endpoint protection. This is not surprising, and speaks to the continuing need for companies to accommodate the demands of a distributed workforce.
There’s one area in particular where small and medium-sized organizations stand out: for nearly 90% of respondents, security has either complete or partial ownership over identity tools, adoption, and strategy. They understand that IAM is so much more than a process for IT to streamline access and monitor user activity—instead, it’s a core piece of the Zero Trust security model.
The top Zero Trust challenges for SMBs
For organizations of all sectors and sizes, some of the biggest barriers to Zero Trust are the costs of adoption and the availability of talent. 48% of SMBs organizations see cost as an obstacle, and 51% are concerned about talent. However, technology gaps are a greater challenge for this segment, with 65% lacking the basic infrastructure they need to build a stronger stack, likely because many small and medium-sized businesses haven’t been able to make the same investments in IAM as their larger counterparts.