Introducing Okta's Identity Adoption Model for Zero Trust

While the term “Zero Trust” is ubiquitous enough to feel like a buzzword, adoption of the security framework is not as widespread as you might think. 

The security industry has been discussing the reality of the shifting perimeter for nearly two decades, with origins back to the Jericho Forum, an international group working to define and promote de-perimeterization. But it has only been within the past 5-10 years that organizations have started prioritizing security strategy, and that technology has seen enough innovation to support the implementation of these new strategies.

While people may still argue that “Zero Trust” is indeed a buzzword, the principles at its core — “never trust, always verify” — ring true for any organization looking to strengthen its security posture. If you are a CISO or security leader in the “buzzword” camp, it may be time to change your mind. In our recent State of Zero Trust report, where we surveyed over 800 security leaders, 97% of organizations claimed either to have a Zero Trust strategy in place or a plan to implement one within the coming months.

But even those companies with a plan often find implementation challenging. In the hundreds (if not thousands) of conversations we’ve had with customers about security, it’s become clear that organizations are looking for direction and a framework to follow as they begin implementing Zero Trust. Organizations can choose from a variety of frameworks to help them through this journey, such as those from NIST, CISA, and NCCoE. However, many organizations are still stuck on where to begin.

Across the board, the most effective Zero Trust frameworks center on Identity. As a recent Forrester report on modern Zero Trust explains: “People and processes come first. Zero Trust is transformational in how we secure organizations, allowing security to go from being an ‘in your face’ work obstacle to being a transparent operation. Zero Trust adoption evolves processes so that security is an easy choice for users and changes the way the organization conducts business beyond the perimeter.”

Perimeter-based security was not built for dynamic, cloud-driven environments, and hence is failing to evolve and adapt to modern security needs. As organizations realign their security strategies, it’s essential to move on from stopgap measures and invest in transformative security approaches that help protect IT assets in perimeter-less environments.

Identity-powered security recognizes that understanding the Identity of users and their devices is foundational to securing access to an organization’s most critical resources. Whether it’s an employee, a contractor, an endpoint, or a server, every entity within an organization needs to be authenticated into systems and gain authorization to perform actions.

Taking an Identity-first security approach — with a focus on IAM — marks a significant departure from security’s traditional role as a cost center and opens doors for security teams to act as business drivers within an organization. This strategy, in turn, promotes rapid and agile adoption of technology across an organization while reducing risk.

To truly tackle threats, organizations must understand who is accessing their networks and data and what devices they are using. If you’re currently implementing a Zero Trust framework, are hoping to do so soon, or are still skeptical, this blog series is for you. To help organizations navigate the intricacies involved, we’ve created an Identity adoption framework. 

This model includes five stages of Identity adoption for Zero Trust:

[Figure: Identity Adoption Model for Zero Trust]

Each blog post in this series will dive into a different phase of Identity adoption, including common issues, key considerations for new projects, and the benefits of implementation. We’ll also share more findings from our State of Zero Trust report for context on what other organizations are doing. If you’d like to see where your peers are in their Zero Trust journeys, check it out now.