As people continue to shelter in place and work from home in response to COVID-19, the idea of a shifted security perimeter is now everyone’s reality. Many organizations were forced to quickly spin up remote work environments and security tools to enable business continuity during this time. And while we’ve seen a lot of rapid success, for many this short-term firefighting approach isn’t sustainable, especially as technology and business leaders expect changes like expanded work-from-home policies to persist long after the crisis.
As you look to securely enable a long-term remote workforce, you need a security framework that can support you both today and in the future, keeping your people, your data, and your infrastructure safe. That’s where zero trust comes in.
What zero trust adoption looks like
Around the world, companies are collectively navigating the impacts of this pandemic, but that’s not all they have in common. Now, more than ever, organizations need to be able to ensure that the right people continuously have the right level of access, to the right resources, in the right context, whether they’re at home or preparing to return to the office.
Before the onset of COVID-19, organizations in various regions had kicked off their journeys to zero trust security by starting with identity, adopting tools and best practices like single sign-on and multi-factor authentication for internal and external users, as well as for API access. To get a clearer picture of this timely trend, we surveyed 500 security leaders in North America, Europe and the Middle East (EMEA), and Australia and New Zealand (ANZ) about their initiatives. These findings are available in our newly launched report, The State of Zero Trust Security in Global Organizations.
Here’s what we learned:
Modern zero trust security has taken hold
When we dug into the data, one of the first trends we saw was that zero trust adoption is on the rise. Globally, 40% of companies are currently deploying projects that are aligned with a modern, zero trust approach to security. That includes 60% of North American organizations, 50% of ANZ ones, and 18% of EMEA-based businesses. In North America, we also saw a whopping 275% year-over-year growth in the number of organizations that have or plan to have a defined zero trust initiative in the next 12–18 months. Suffice it to say, zero trust is here to stay. (Yes, I rhymed it.)
Curious about where your company sits on the identity zero trust maturity curve? Check out our assessment tool.
The API economy is driving an international shift in security
The API economy enables businesses to build off of existing technologies, share data, and streamline production. What’s important to remember is that APIs are currently a huge threat vector. In fact, by 2021, Gartner predicts that 90% of web-enabled applications will be threatened by exposed APIs instead of user interfaces.
While companies outside of North America may be slower in adopting identity tools for workers’ app access, they’re leading the charge in building API-based solutions like Open Banking and, as a result, in API security. 41% of companies in EMEA and 30% in ANZ have implemented projects to secure API access, compared to 26% in North America.
Access decisions are prioritizing device over network
Another interesting data point is around risk signals used in access decisions. The landscape for context-based access decisions is also changing globally: last year, 55% of respondents listed network as a top factor for determining login context—this year only 20% did.
Instead, across regions and industries, organizations are now increasing their focus on device posture—whether a device is known, managed, and/or verified—and physical location. In 2019, we saw 37% of respondents wanted devices to be known, 52% managed, and 51% verified. This year, those numbers have all grown to 58%, 56%, and 58% respectively. All this goes to show that we’re increasingly recognizing that people (and their devices) are the new perimeter.
We’re all in this together
Like most things in life, there’s no single silver bullet solution when it comes to zero trust. That’s why at Okta we work with a number of different integration partners to help our customers reach zero trust maturity. Forward-thinking businesses are turning to identity and access management (IAM) systems to serve as the foundation for their zero trust technology stack. Integrations with identity and security information and event management (SIEM) systems currently top the priority list, and in EMEA and ANZ, 76% of respondents have plans to adopt SIEM within the next 12 to 18 months, as well as 41% of respondents in North America. To top it off, this year, only 11% of companies say they aren’t prioritizing any new security integrations with IAM—down from 36% last year.
We’re all getting used to being part of a remote workforce, and that means that our companies are having to take on secure tools that make working remotely easier. And as we figure out what our new normal is, zero trust should be the North Star guiding the way.
To learn more about how zero trust is being adopted around the world, check out our report, The State of Zero Trust Security in Global Organizations.