Organisations that assume no user or device can be trusted and combine this approach with next-generation access (NGA) tools report greater business confidence, reduced risk and lower security costs.
That is a key finding of a study by Forrester Consulting commissioned by NGA provider Centrify.
NGA combines identity as a service, enterprise mobility management (EMM) and privileged access management (PAM) to provide highly controlled access to applications, endpoints and infrastructure.
The technology is designed to recognise every device, know every user, limit access and privilege intelligently, and enable policies to learn and adapt.
The study found that organisations using NGA technology are twice as confident about introducing new business models and customer experiences.
The study, involving more than 300 IT decision-makers in North America and the UK, showed that 67% of all enterprise resources are exposed to access-related risk, and that a zero trust security approach is the best strategy to control access to enterprise resources.
Two-thirds of those using NGA technologies were more confident in adopting mobile working models, 44% were more confident in securing DevOps environments, and they reported bottom-line benefits of mitigating overall risk by 37% and reducing security costs by 31%.
According to Forrester, 58% of global enterprises have experienced a breach in the past 12 months. Security leaders are scrambling to defend every entry point, the study report said, but traditional approaches to security, based on keeping out the “bad guys” and letting in the “good guys” have proven ineffective.
“Mobile proliferation, reliance on outsourced partners and cloud technologies, and the regular occurrence of internal attacks mean that there is, in fact, no such thing as a trusted user,” the report said.
In response, many security leaders are turning to zero trust approaches that completely remove trust from the equation, shunning the traditional “trust but verify” approach and replacing it with a “never trust, always verify” mandate, the report said.
Tom Kemp, CEO of Centrify, said: “The dissolving network perimeter is causing a complete rethink in how we approach security, taking into account a new enterprise reality defined by the cloud, mobility, and increasing demands for agility.
“This study reveals that two-thirds of enterprise resources are exposed to access-related risk, largely because organisations are approaching security in a way that no longer works and with solutions that are ineffective.”
To enforce user access, a zero trust strategy requires that an organisation’s security must have the capability to:

- Verify the identity of every user through a combination of identity governance, single sign-on and multifactor authentication (MFA) to eliminate the risk of credential compromise.
- Validate every device with mobile device management to enforce secure policy, with local administrator privilege management to eliminate local admin compromise, and with device identity management to ensure that only trusted devices are allowed to access resources.
- Limit access and privilege using privileged access management to ensure a user has just enough access and only the necessary privileges to perform their job at any given time.
- Continually learn and adapt using behaviour-based analytics and privileged access auditing/monitoring to automatically improve and personalise access policies.
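The four capabilities above can be read as a single default-deny access decision: nothing is granted until user identity, device state, requested privilege and behavioural risk have all been checked, on every request. The following toy policy evaluator is an added illustration of that decision flow; it is not code from the article, the Forrester study or Centrify's product. All class names, fields, the risk threshold and the sample users and devices are constructed for the example.

```python
"""Toy zero trust access decision: default deny, every check must pass on every request.
Illustrative only; data model, threshold and sample records are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class User:
    name: str
    authenticated: bool            # identity established via SSO / identity governance
    mfa_passed: bool               # multifactor authentication completed this session
    entitlements: FrozenSet[str]   # privileges the user's role may request at all


@dataclass(frozen=True)
class Device:
    device_id: str
    known_identity: bool           # device identity (e.g. certificate) is registered
    mdm_enrolled: bool             # managed by mobile device management
    policy_compliant: bool         # currently passes the MDM security policy


@dataclass(frozen=True)
class AccessRequest:
    user: User
    device: Device
    privilege: str                 # the specific privilege being requested right now
    risk_score: float              # 0.0 (normal) to 1.0 (anomalous), from behaviour analytics


# Above this score the session must re-prove itself even if every other check passes.
STEP_UP_RISK_THRESHOLD = 0.5


def decide(req: AccessRequest) -> Tuple[str, List[str]]:
    """Evaluate one request. Returns ("allow" | "step_up" | "deny", reasons).

    The reasons list is what an auditing/monitoring pipeline would record, so a
    denial is always explainable and the policy can be tuned from the record.
    """
    failures: List[str] = []

    # 1. Verify the identity of every user (no implicit trust from network location).
    if not req.user.authenticated:
        failures.append("user identity not verified")
    elif not req.user.mfa_passed:
        failures.append("multifactor authentication not completed")

    # 2. Validate every device: known identity, managed, and compliant with policy.
    if not req.device.known_identity:
        failures.append(f"device {req.device.device_id} has no registered identity")
    if not (req.device.mdm_enrolled and req.device.policy_compliant):
        failures.append(f"device {req.device.device_id} is unmanaged or non-compliant")

    # 3. Limit access and privilege: only what the role needs, checked per request.
    if req.privilege not in req.user.entitlements:
        failures.append(f"privilege '{req.privilege}' is outside the role's entitlements")

    if failures:
        return ("deny", failures)

    # 4. Learn and adapt: an anomalous behaviour score forces re-verification
    #    rather than silently riding an otherwise valid session.
    if req.risk_score > STEP_UP_RISK_THRESHOLD:
        return ("step_up", [f"risk score {req.risk_score:.2f} exceeds {STEP_UP_RISK_THRESHOLD}"])

    return ("allow", ["identity, device, privilege and risk checks all passed"])


def demo() -> List[Tuple[str, str]]:
    """Run a few constructed requests and return (privilege, decision) pairs."""
    alice = User("alice", authenticated=True, mfa_passed=True,
                 entitlements=frozenset({"read:repo", "deploy:staging"}))
    laptop = Device("lap-001", known_identity=True, mdm_enrolled=True, policy_compliant=True)
    byod = Device("byod-777", known_identity=False, mdm_enrolled=False, policy_compliant=False)

    requests = [
        AccessRequest(alice, laptop, "read:repo", 0.05),        # normal: allow
        AccessRequest(alice, laptop, "admin:prod", 0.05),       # over-privileged: deny
        AccessRequest(alice, byod, "read:repo", 0.05),          # untrusted device: deny
        AccessRequest(alice, laptop, "deploy:staging", 0.85),   # anomalous behaviour: step up
    ]
    results = []
    for r in requests:
        decision, reasons = decide(r)
        print(f"{r.privilege:15} -> {decision:8} {'; '.join(reasons)}")
        results.append((r.privilege, decision))
    return results


if __name__ == "__main__":
    demo()
```

Every branch returns its reasons, which is the part most often skipped in quick implementations: the "continually learn" capability depends on a complete record of why access was granted, denied or challenged, so auditing output has to be designed in from the start rather than bolted on.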