Most organizations globally have implemented zero trust

The percentage of organizations worldwide that have implemented a zero-trust initiative has almost tripled in the past three years going from 24% in 2021 to 61% in 2023, according to data from Okta’s 2023 State of Zero Trust report. Companies with between 5,000 and 9,999 employees are more likely to have zero trust in place—three out of four— than those with 500 to 999 employees.

The report is based on responses from 860 information security decision-makers from North America (United States, Canada); EMEA (Denmark, Finland, France, Germany, Ireland, Netherlands, Norway, Sweden, United Kingdom); and APJ (Japan, Australia).

Those planning to implement a zero-trust security initiative in the next 18 months make up 35% of respondents and only 4% were neither planning nor had one in place. The North American region is leading in terms of initiatives already in place, but EMEA and APJ organizations are quickly gaining ground, and nearly all the holdouts in both regions plan to adopt a zero-trust initiative within the next 6 to 12 or 13 to 18 months.

Despite macroeconomic pressures forcing cost cutting, 80% of the respondents reported that their budgets for zero-trust security initiatives had increased over the previous year— 60% reported budget increases of between 1% and 24%, and another 20% increased by 25% or more.

Identity has become a big part of zero trust strategies with 51% of all respondents saying it is extremely important, a considerable increase from 2022’s 27%. Another 40% said it is somewhat important.

Identity begins to shift from IT to security

Identity and access management (IAM), which used to be owned by IT departments, has increasingly shifted to cybersecurity teams. This is backed by Okta’s research that found that 73% of security teams now owns IAM in North America and 50% in EMEA.

In APJ the change is slower, while 41% of organizations task security with managing IAM, another 56% of organizations have security either oversee identity or manage the technology, but not both. There are further signs of the growing importance of identity initiatives, with 34% of respondents using multi-factor authentication (MFA) for external users and 33% for in-house staff.

Across the four industries the report focused on, healthcare organizations are prioritizing MFA for external and internal users and connecting directories to cloud apps. In the public sector the priority is MFA for external users, secured access to APIs, and MFA for employees, in financial services MFA for employees first followed by MFA for external users, and privileged access management for cloud infrastructure, and in software the priorities are MFA for employees, secured access to APIs, and MFA for external users.

Security decision-makers’ focus

In the next 12 to 18 months decision makers will prioritize managing privileged access to cloud infrastructure (42%), securing access to APIs (42%) and implementing multi-factor authentication (MFA) for employees (42%). Furthermore, when it comes to protecting authentication, organizations are more likely to use MFA and single sign-on protection for servers and databases.

More than half of the C-suite respondents said this year that identity was extremely important to a zero-trust strategy, with another 40% declaring it somewhat important. A big shift from last year, when 26% of C-suite respondents declared identity as mission-critical.

IT leaders are integrating their IAM systems with mobile device management (MDM). SIEM, MDM, and endpoint protection are the top three “most important” systems to prioritize integrating directly with an IAM solution, according to the report.

“Low assurance” passwords are still the standard

Passwords remain the “stubborn standard” for authentication globally, “despite their low assurance, and are still used at more than half of the respondents’ organizations.” Security questions, which aren’t much better, are the second-most often used, globally and in EMEA and APJ, while they’ve taken the top spot in North America. The report also found other low assurance services in use including hardware OTP and SMS, voice, and email OTPs.

Factors deemed by the report as of medium-assurance like physical token OTPs and push authenticators are in use at fewer organizations (36% and 29%, respectively), and just 19% of organizations are using high-assurance factors like platform-based authenticators and biometrics. “We expect to see MFA continue its march to the mainstream, while increasing regulations will likely push industries like financial services and the public sector toward passwordless and other high-assurance phishing-resistant authentication factors,” found the report.