Despite an increasing number of dollars budgeted annually for IT security in enterprises around the globe, breaches and security incidents continue to rise. In fact, a recent Forrester study found two-thirds of organizations experienced an average of five or more security breaches in the past two years.
This disconnect means security is failing its basic mission, according to Tom Kemp, CEO of Centrify.
“Despite spending almost $90 billion on security, the pace and number of breaches are actually outstripping the investment in it,” says Kemp. “It’s almost like the definition of insanity, we’re doing the same thing over and over again and expecting a different result.”
As catastrophic data breaches become more common, the need for organizations to consider new approaches is escalating, he says. That’s why Kemp and Centrify are pushing for a groundswell change in the way security approaches protection. At a new event, SecurIT: The Zero Trust Summit, held this month in San Francisco, attendees got a crash course in the concept of Zero Trust and how the approach enables technologies with the goal of improving enterprise security. Zero Trust is a recognized framework, developed by Forrester Research and also promoted by Google as BeyondCorp, whereby an organization doesn’t trust anything inside or outside the organization, and instead verifies anything and everything before granting access.
The approach works, say advocates, because today’s leading attack vector is weak or compromised credentials. According to the 2018 Global State of Information Security Survey conducted by CIO, CSO and PwC, the number one source of security incidents is current employees. Hackers are no longer using sophisticated technology to breach organizations, but rather are seeking to use the path of least resistance – identity – to gain access to sensitive data and privileged credentials.
“If you look at the threats out there, and look at data from the Verizon Breach Report, they say that 80% of breaches have to do with compromised credentials,” says Bill Mann, SVP, Products & Chief Product Officer, Centrify.
The Forrester study, commissioned by Centrify in 2017, found that hackers compromised more than one billion identities in 2016.
“This clearly indicates that traditional approaches are flat out not working in this age of access,” says Kemp in response to the findings.
Investing in new technologies to address security appears to be falling flat, says Chase Cunningham, Principal Analyst, Forrester Research.
“People buy technology and Frankenstein it together and think if they keep throwing tech at the issue they will get it right. The reality of it is, when I ask them ‘What is your strategy?’ most of them don’t even have an answer.”
Kris Howitt, Director, Information Security Architecture, Live Nation Entertainment, shared his organization’s experience with a Zero Trust strategy with SecurIT attendees and says Live Nation has found it to be a flexible model that can be appropriate for a range of business sizes.
“Zero Trust is a framework that can work for anybody, but it definitely works well and is adaptable and scales up for large-sized businesses like ours,” says Howitt.
More information about the Zero Trust Security model can be found at Centrify.com.