Date: 2022-08-29

Chris Niggel, Regional CSO, Americas at Okta

The central tenet of the Zero Trust security model is “never trust, always verify” — and while there may be a range of methods to accomplish that mantra, the key is identity and access management (IAM). There’s no denying the importance of having a Zero Trust security strategy in place; implementing that strategy is another story.

New data from Okta indicates that identity’s role in an organization’s march toward a Zero Trust security posture is growing across the industry. However, it also cautions that more work is needed as third-party risks loom and adoption of important identity-based aspects remain.

For the fourth annual State of Zero Trust Security report, Okta surveyed 700 security leaders across the globe to assess where they are on their Zero Trust journey. Security decision-makers reported moving into more of an execution mode as compared to 2021, recognizing the critical role identity plays in their approach to Zero Trust. Since the release of Okta’s 2021 State of Zero Trust Security report last year, the percentage of companies with a defined Zero Trust initiative already underway has more than doubled — from 24% to 55%.

The new report shows that 80% of all organizations consider identity to be important to their overall Zero Trust security strategy, and an additional 19% go so far as to call identity business critical. That’s a full 99% of organizations naming identity as a major factor in their Zero Trust strategy.

The criticality of identity

Identity’s critical role in Zero Trust also enables improved user experiences: security and usability are two outcomes that have historically been at odds with one another. As remote and hybrid work has become the de facto norm, security leaders’ focus has shifted.

At the start of the global pandemic, many organizations leaned harder into usability. They had no choice but to ensure that their newly remote workforces could easily access the tools and assets they needed to drive business results. In 2022, though, organizations began to flip the script, and a majority of organizations declared security to be a slightly higher priority than usability.

Why is the balance tipping in favor of security?

Companies that now have firmly established remote and hybrid work practices are already leveraging pandemic-era investments in usability, and may be catching up on some security debt. But increasingly, companies are also realizing that stronger security and better usability aren’t necessarily at odds anymore. By prioritizing stronger security measures, they may gain improved usability at the same time.

Where security leaders are focusing their identity-first attention

Okta’s report categorizes security leaders on a maturity curve of enterprise adoption with five phases.

Phase 1

Organizations at the beginning of their cloud transformation are either trying to anticipate the challenges of cloud adoption or already experiencing them. Such challenges include disconnected directories, a sprawled and growing risk surface, and an increasing incidence of identity-based attacks.

Okta’s report reveals that more than 70% of respondents worldwide have already advanced past phase 1, implementing multi-factor authentication (MFA) for employees and connecting employee directories to cloud apps.

Phase 2

In Phase 2, organizations are typically expanding their cloud environments and adoption, trying to lean into the efficiency and scalability of cloud, while simultaneously trying to secure and simplify user access so their remote or hybrid workforces can stay safe and productive.

When it comes to Phase 2 initiatives, the majority of respondents (nearly 80%) have extended single sign-on (SSO) for their employees, but just 38% of respondents said their companies have extended MFA to external users — authorized contractors, suppliers, and business partners.

Phase 3

Companies have developed processes and business imperatives around dynamic and remote work, and need tools to confidently extend appropriate 24/7 access to enterprise assets for a complex global workforce while remaining compliant with regulatory requirements. Meeting these challenges means extending and expanding their IAM efforts beyond their employees and legacy network to accommodate a growing world of external users and an expanding cloud or multi-cloud infrastructure.

This is currently where many organizations are aspirational as opposed to actively executing, with automated provisioning and deprovisioning for employees occurring in less than 40% of organizations and in just 15% of organizations for external users.

Phase 4

Organizations in the elevated Phase 4 are looking to consolidate their cloud wins by completing their digital transformation. This means intelligently consolidating or deprecating outdated legacy tech as necessary, and protecting key custom applications that may represent security weak points.

Evolution in the fourth phase of Zero Trust adoption suggests different prioritization across security leaders. The rise of remote work and the sophistication of user group sensitivity are illustrated by nearly half of organizations deploying multiple factors across user groups, while more than 50% of organizations have implemented API access management.

Phase 5

Organizations in this phase have the basics of identity-first Zero Trust security in place, and can confidently leverage this real-time situational awareness to inform access decisions, and change existing decisions based on continuously updating information. They’re able to focus on making enterprise access safer through edge security, and easier by extending user-friendly passwordless access to all enterprise assets.

Where we go next

Zero Trust is not a single technology, nor is it an end-state. Security leaders are recognizing how vital it is to adopt an identity-centric approach, but as technology and the security landscape evolve, their work in maximizing usability and security simultaneously will be constantly changing.

To view the full Okta State of Zero Trust Security Report, visit Okta.