Fortinet report finds majority of companies implementing zero trust, though integration remains a struggle

Fortinet disclosed that the majority of organizations are actively implementing zero trust, but many still face integration challenges, as companies have deployed considerably more solutions as part of their zero-trust strategies since 2021. Almost half of the respondents reported significant challenges related to a lack of integration between zero-trust solutions deployed on-premises and in the cloud, which works towards keeping pace with cybercriminals and the ever-evolving threat landscape, organizations are adopting a zero-trust strategy. 

The report examines how organizations can be successful by using this strategy and solutions that are designed to span multiple environments, converge networking, security, and access, and use a single, integrated framework. 

“The status of zero-trust implementation changed surprisingly between the 2021 and 2023 surveys. In 2021, 40% of respondents indicated that their zero-trust strategy was fully implemented,” Fortinet wrote in its global 2023 State of Zero Trust report. “But in 2023, only 28% reported having a complete zero-trust solution in place. And only 36% of manufacturers claim to be fully implemented, perhaps due to their also having to deal with the integration of IT and operational technology (OT) networks. The number of respondents now reporting being in the process of implementation is 66%, up from 54% in the previous survey.”

The report identified that organizations of all sizes are working to implement zero-trust strategies. “Since the last survey in 2021, companies have deployed more solutions as part of their zero-trust strategies. The number of respondents that report being in the process of implementation is 66%, up from 54% in 2021. Companies are working to enable zero trust everywhere to minimize the impacts of a breach,” it said.

“Organizations continue to face challenges in implementing their zero-trust strategies. Although companies are moving forward, they still face challenges,” Fortinet reported. “Nearly half of respondents (48%) indicated that a lack of integration between the zero-trust solutions deployed on-premises and in the cloud is the most significant issue they need to address. Other reported challenges relate to end-to-end policy enforcement, application latency, and a lack of reliable information to help select and design a zero-trust solution.”

Fortinet also found that solutions must cover both on-premises and remote users with a consistent application access policy and success has been mixed. “Many companies need to secure access to applications both on-premises and outside of the network and nearly 40% of respondents report still hosting more than half of their applications on-premises. It’s notable that 75% also have encountered issues because of relying on cloud-only ZTNA,” it added.

“The consolidation of vendors and solution interoperability is crucial. Deploying solutions from multiple vendors has led to challenges such as the introduction of new security gaps and high operations costs,” Fortinet identified. “Larger companies in particular are looking to consolidate solutions to simplify operations and reduce overhead.”

It also found that SASE (secure access service edge) is a priority. “The top priorities for SASE solutions vary, but “security effectiveness” is the most significant, with 58% placing it in their top three priorities. According to 89% of respondents, SASE integration with their on-premises solutions is also very or extremely important,” the report added.

“The Fortinet 2023 State of Zero Trust Report shows that although more organizations are implementing a zero-trust strategy, they still face challenges related to integration,” John Maddison, executive vice president for products and CMO at Fortinet, said in a media statement. “To successfully implement zero trust, organizations need solutions that are designed to converge networking and security and have the ability to span multiple environments, such as Fortinet Universal ZTNA and Universal SASE.”

Despite claims that everything is moving to the cloud, most organizations still have a hybrid application and data strategy in place, Fortinet reported. “ZTNA needs to work no matter where applications and users are located, and respondents indicated that the top areas that a hybrid ZTNA strategy must cover include web applications (81%), on-premises users (76%), remote users (72%), on-premises applications (64%), and SaaS applications (51%).”

The report also pointed out that there are several reasons behind this shift in implementation status. The first is that the scope of zero-trust adoption has evolved. The initial impetus was to quickly and securely connect remote workers to applications. But the transition to a hybrid model where users move between on-premises and remote work and data and applications are divided between the cloud and data centers has expanded that objective. Data needs to be equally available regardless of the location of anything, which means more technologies are required than initially assumed. 

“Data flows initially thought to simply go from the user to the application and back have also changed. Workflows often span multiple environments in a single transaction, which has significantly complicated and enlarged implementation,” according to Fortinet. “Cloud solutions must seamlessly integrate with the on-premises network to detect and prevent the lateral movement of threats and the consistent enforcement of policy end to end.”

Another reason for the change in implementation is that some issues didn’t become apparent until several solutions were already in place, and the need for interoperability between isolated point solutions became essential, the report identified. 

Fortinet also highlighted that building and troubleshooting workarounds for tools that don’t natively work together can quickly consume a significant portion of IT resources. “Two of the biggest barriers are that 16% of organizations (24% among smaller companies) complain that insufficient information is available to select a zero-trust solution, and a quarter (24%) cite the lack of qualified vendors able to provide a complete solution, requiring them to cobble something together on their own. Only 4% cited a lack of human resources (down from 7%). Once it became clear that hybrid work wasn’t temporary, a more consistent and reliable solution was needed, and resources were made available,” it added. 

Notably, three-fourths of respondents report encountering issues with their hybrid workforce from relying on cloud-only ZTNA, Fortinet reported. “They need a Universal ZTNA solution that supports applications in the cloud and on-premises, with consistent features and polices across deployments and a per-user licensing model so protections (and licenses) can move seamlessly as work-from-anywhere (WFA) users move between their homes and on-premises offices.”

The report also identified that deploying solutions from multiple vendors has created new challenges for organizations, including the inadvertent introduction of security gaps and high operating costs due to vendor and solution sprawl. 

“According to the survey, 90% of organizations now rank vendor and solution consolidation as extremely or very important, and 88% feel the same way about the importance of solution interoperability,” Fortinet reported. “One outcome of this is that many organizations that believed they had fully implemented a zero-trust solution are now rethinking that conclusion. It’s clear that vendor and product consolidation and interoperability are crucially important to implementation.”

Nearly half of the respondents said that the top concerns are that new exploitable security gaps and vulnerabilities have been created because solutions do not interoperate and cannot communicate, Fortinet disclosed. “And 40% also report an inability to consistently apply and enforce policies. Related to these findings is the high cost of trying to keep a disjointed solution up and running, with 43% citing this problem as a top challenge. Other related challenges include poor user experience (39%), performance bottlenecks (36%), and increased management complexity (28%),” it added.

In March, the National Security Agency (NSA) published a Cybersecurity Information Sheet (CSI) that helps system operators mature identity, credential, and access management (ICAM) capabilities to mitigate certain cyber threat techniques. The initiative further discusses how these capabilities are integrated into a comprehensive zero trust framework while providing system owners and operators the ability to identify, resist, and respond to various cyber intrusion techniques.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.