Forrester offers guidance on getting zero trust right and achieving security goals

Forrester offers guidance on getting zero trust right and achieving security goals

Check out the on-demand sessions from the Low-Code/No-Code Summit to learn how to successfully innovate and achieve efficiency by upskilling and scaling citizen developers. Watch now.

Tighter budgets, a near-record level of projects to be done with a smaller staff and a rising number of malware-free attacks are a few of the many challenges taking the security team’s time away from zero trust. CISOs tell VentureBeat that consolidating their tech stacks to improve visibility, reduce costs and make progress on zero-trust frameworks is the highest priority. However, finding the time to progress on them is one of their most significant challenges.  

Forrester’s recent Security and Risk Forum tailored its agenda to what CISOs need the most: guidance on managing global risks while continuing to progress on enterprise security initiatives, including zero trust. 

The keynote, Securing the Future: Geopolitical Risk Will Redefine Security Strategies for the Next Decade, provided practical, prescriptive guidance to CISOs, security and risk management professionals on how they could achieve their highest priority goal. For example, speaking about zero trust, Allie Mellen, a senior analyst at Forrester, advised security leaders to “focus on the low-hanging fruit early on privileged accounts, device hygiene, enforcing strong passwords and in the longer term, leverage a zero-trust strategy to protect devices, protect users, protect networks.” 

How enterprises are making zero trust work

Forrester devoted an entire track of the forum to zero trust, providing five sessions that spanned endpoint security, IT security, artificial intelligence (AI) and machine learning’s (ML’s) use in detection and response, vulnerability management, and zero trust edge (ZTE). Keynotes also provided insights into how enterprises progress on these five dimensions, with a strong focus on ZTE.  


Intelligent Security Summit

Learn the critical role of AI & ML in cybersecurity and industry specific case studies on December 8. Register for your free pass today.

Register Now

Two of the most valuable sessions were the panel discussion, Take a Zero-Trust Approach to Threat Prevention, Detection, and Response, hosted by Laura Koetzle, VP and group director at Forrester, and Rethinking How to Secure the Anywhere-Work Endpoint, presented by Paddy Harrington, a senior analyst at Forrester. Both provided the following insights into how enterprises are making zero trust work:

Get senior business leaders involved early and up to speed on zero trust fast. Forrester’s analysts and industry leaders on panels agreed that zero trust is a concept senior management can quickly equate to reducing risk and increasing revenue. CEOs and senior management teams aren’t nearly as interested in talking about common vulnerabilities and exposures (CVEs) as they are about how securing every identity and endpoint against more malicious attacks reduces risks and can help drive revenue. 

Jeff Pollard, VP and principal analyst at Forrester, advised security leaders to “imagine a scenario where you can sit down with the CFO and instead of talking business cases, you talk at-risk revenue, churn and retention rates.” Jeff continued, closing his keynote by saying, “But the thing that I most want you to take away from this entire session is not only that cybersecurity is a core competency, but the other way to say that is cybersecurity is part of the cost of doing business.”

Quantifying cyber risks to drive zero-trust adoption further. Enterprise business leaders and CISOs use cyber-risk quantification to prioritize risks, costs and returns of competing cybersecurity projects. As zero trust is often promoted to senior management as infrastructure modernization, cyber-risk quantification is often used to optimize the framework’s budget and spending plans. Enterprises are also using these techniques to gain more accurate valuations of merger and acquisition opportunities.

CISOs often use cyber-risk quantification as a data-driven approach to increase business leaders’ confidence in zero-trust initiatives and funding. It’s proving effective for managing the trade-offs of investing in zero trust’s core elements, including multifactor authorization (MFA), identity access management (IAM) and microsegmentation, for example. In addition, many organizations use cyber-risk quantification to cost out and prioritize their multicloud and hybrid cloud security spending.   

Prioritize identities as the most at-risk security perimeter now. Forrester’s analysts and industry panelists at the forum agree that identities are the most popular attack vector bad actors are targeting in organizations. Bad actors aim to gain access to IAM, privileged access management (PAM) and Active Directory to create multiple identities and control corporate networks. 

During his keynote at CrowdStrike’s Fal.Con event, cofounder and CEO George Kurtz says his company’s internal data found that “80% of the attacks, or the compromises that we see, use some sort of some form of identity, credential theft.” 

Multicloud infrastructure requires more IAM security than hyperscaler native modules provide. AWS, Google Cloud Platform, Microsoft Azure, Alibaba AliCloud, IBM and Oracle are the leading hyperscalers used across enterprises today. Each has an IAM module optimized just for their platform. Forrester’s analysts cautioned against relying on a hyperscaler’s unique IAM module across a multicloud infrastructure. Instead, they advised organizations to consider cloud-based IAM and PAM platforms that can scale across multiple hyperscalers. The goal is to close multicloud gaps cyberattackers search for to exploit, gain access and move laterally across cloud networks. 

Enterprises are opting for cloud-based PAM platforms over on-premises systems for the agility, customization and flexibility they provide. CISOs’ need for consolidating their tech stacks is also driving the convergence of IAM and PAM platforms, with a projected 70% of new access management, governance, administration and privileged access deployments being on cloud platforms.

MFA and passwordless authentication are where CISOs go for a quick win. MFA was mentioned over a dozen times in the zero-trust sessions and is considered the cornerstone of zero-trust frameworks. Forrester’s analysts recommended adding a what-you-are (biometric), what-you-have (token), and what-you-do (behavioral biometric) factor to MFA configurations.

According to analyst presentations and panelist insights, passwordless authentication is also gaining adoption and entering the mainstream. Forrester has long predicted that passwordless authentication would reach mainstream adoption, given how effective it’s proven to be in stopping privileged access abuse. Leading passwordless authentication providers include Microsoft Azure Active Directory (Azure AD), OneLogin Workforce Identity, Ivanti, Thales SafeNet Trusted Access, and others. 

Ivanti’s Zero Sign-On (ZSO) approach to combining passwordless authentication and zero trust on its unified endpoint management (UEM) platform relies on biometrics, including Apple’s Face ID, as the secondary authentication factor. Enterprises are using Ivanti’s ZSO to provide least-privileged access for their employees, who are using it to secure access to personal and shared corporate accounts, data and systems.

The majority of 2023 CISO budgets reflect an increase in endpoint security spending 

More organizations are evaluating extended detection and response (XDR), and 62% of security leaders plan to increase their spending on endpoint detection and response (EDR) and XDR in 2023. Just 26% are staying at their current budget levels in this category. During the event, Forrester provided survey results of security leaders’ spending plans for EDR/XDR and mobile security in 2023. 

XDR platforms have the potential to consolidate tech stacks while integrating across current and legacy data sources using APIs and open architecture. All vendors are attempting to better aggregate and analyze telemetry data in real time on their XDR platforms. Leading XDR platform vendors include CrowdStrike, Microsoft, Palo Alto Networks, TEHTRIS and Trend Micro. XDR is seeing such strong interest that most EDR vendors have planned it on their roadmaps or have already launched a solution.

VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.