
Zero Trust needs to be proven in 2024
Making the transition to a zero-trust IT architecture has been a journey for most organizations, one that began with growing awareness in 2021, followed by implementation efforts in production environments that largely began in 2023. Heading into 2024, a lot of organizations that have embraced zero-trust IT will need to demonstrate they’ve achieved, at the very least, some milestones. The trouble is there are no real zero-trust standards, so it may be difficult to define a set of metrics that would validate whether any specific capability has been both achieved and is being maintained.
In the absence of any standards, it’s probable more organizations will need to rely on third-party evaluations to, at the very least, validate their zero-trust initiatives. For example, Veterans Cybersecurity Group, a provider of cybersecurity training services for Federal agencies, has established a Zero Trust Proving Ground (ZTPG) to test and evaluate initiatives. Any organization that is hoping to leverage its zero-trust efforts to lower its cybersecurity insurance premiums is likely to require similar validations.
Theoretically, zero-trust architectures are at their core based on being able to authenticate individual users, machines, and even software components of an application. Many organizations today are focused on moving beyond passwords to identify who is accessing what services, but not nearly as many are as focused yet on assigning identities to individual machines and applications. As important as it is to move beyond passwords that are easily stolen, it’s only the first step toward putting a zero-trust IT environment in place that requires cybersecurity teams to integrate multiple technologies. There is no such thing as a completely turnkey zero-trust IT platform.
However, the more modern an IT platform is, the more likely it is to have incorporated zero-trust principles, so there is no doubt infrastructure upgrades and application updates are required. The biggest challenge is not so much managing that transition as it is getting IT and cybersecurity teams on the same page about what qualifies as a zero-trust platform or application.
It's now only a matter of time before zero-trust architecture becomes a mandate as regulations become increasingly stringent. A recent survey of 800 information security decision-makers conducted by Okta, a provider of identity and access management platforms, found that 61% of respondents worked for organizations that have implemented a zero-trust IT initiative, with another 35% planning to do so soon. A full 80% said budgets for these initiatives increased year over year, with 20% reporting spending increased by 25% or more. That suggests that despite ongoing economic headwinds many organizations continue to prioritize these initiatives within the context of their overall IT strategy.
Of course, zero-trust initiatives, one way or another, will be put to the test. Cybercriminals are, after all, closely monitoring these efforts. Many organizations will undoubtedly experience a fair amount of trial and error as cybercriminals adjust their tactics and techniques. In that regard, cybersecurity will remain a game of cat-and-mouse. It’s just that the odds should hopefully be tipped a little more in favor of the cat rather than the mice that will always outnumber it.
