There is a lot of “buzz” around zero trust these days, mostly for its ability to provide superior security outcomes. Done properly, a zero-trust framework can help reduce phishing and ransomware attacks, make it harder for attackers to move laterally and escalate privileges, and generally help reduce an organization’s overall attack surface via more granular controls over who can access apps and resources. Central to a proper zero-trust stance is authentication, together with device trust (device identity and device security posture); combined, these reduce the risk posed by lost or stolen credentials.
But as we discussed in a recent virtual roundtable with Banyan CTO Den Jones and 451 Research Principal Research Analyst Garrett Bekker, there is also a business angle to be considered that thus far has been underappreciated. For starters, zero trust can help with more effective work-from-home policies, in part by reducing reliance on legacy VPNs and offering more flexible access methods that support a greater number of remote/mobile workers with fewer resources.
In our view, one of the most critical benefits of zero trust is the potential to deliver a better user experience. For much of its history, user experience for most security products has been flat-out awful. The upshot is that users will often go to great lengths to get around them if possible. Poor UX has also held back adoption of many security products, with multifactor authentication (MFA) being an obvious example. For end users, if you have to do MFA for every single app and everything you touch, it’s a nuisance. On the development side, app dev teams don’t want to have to configure their apps to use an identity provider (IDP) and enable MFA. It’s like being disciplined about going to the gym and eating your vegetables – everyone knows it’s good for you, but a lot of people can’t be bothered.
Another way that zero trust can help improve business outcomes is via reduced infrastructure complexity. Zero trust can be a simple overlay on existing networks, reducing reliance on VLAN- and subnet-based segmentation, 802.1X, NAC, IP whitelisting, perimeter firewalls, DNS changes, client-based legacy VPNs, etc. This means zero trust does a better job supporting special cases like temporary workers and teams, contractors and consultants, and BYOD policies that include both managed and unmanaged devices. Further, for companies that do a lot of acquisitions, M&A no longer requires reconfiguration of networks, switches, policies, etc. A single policy can cover on-premises or remote, private-network and cloud scenarios.
A good zero-trust implementation can also help accelerate migration toward a more modern, cloud-based architecture for which a perimeter-based security model is less relevant. That, in turn, makes it much easier to roll out new business apps. A zero-trust approach can also enable passwordless access to any internal application or resource, thus improving the user login experience – which is still a nightmare for most people – while drastically cutting down the number of password-related help-desk tickets and saving time.
The bottom line is that while organizations might begrudgingly spend money on security products and services in general, reducing reliance on passwords and VPNs can help deliver security’s “holy grail” – improving both security and user experience for employees, partners and potentially customers.
Garrett Bekker III
Principal Research Analyst, Information Security at 451 Research, part of S&P Global Market Intelligence
@gabekker
10 Aug 2022 update: See additional supporting data points in the “Driving Superior Business Outcomes with Zero Trust” infographic.