
What to Know About a Cybersecurity Strategy That Has Been Gaining Prominence


The recent attack on Israel brought cybersecurity to the forefront as the nation faces an onslaught of cyberattacks from hacking groups tied to Hamas, Russia and others. In addition, many leading cybersecurity firms have large footprints in the country. Globally, the rising severity and frequency of cyberattacks and data breaches indicate that current approaches to cybersecurity are ineffective against modern threats because they are focused on perimeter-based security.

In this article, we discuss Zero Trust, a cybersecurity strategy that has been gaining prominence. 

Zero Trust, not to be confused with Zero Knowledge, is also referred to as Zero Trust Architecture (ZTA) or perimeterless security. The main concept behind Zero Trust security is “never trust, always verify,” and this is in sharp contrast to traditional cybersecurity systems that assume once a user is inside a corporate network they can be trusted. Zero Trust is based on the following principles:

  • Verify explicitly by always authenticating and authorizing based on all available data points. Eliminate implicit trust by continuously validating every state of a digital interaction.
  • Use least privilege access for users – limit access with just-in-time and just-enough access policies.
  • Assume that the network is already compromised. 

Zero Trust Architecture (ZTA) is a security concept and approach that assumes threats may exist both inside and outside a network. It doesn't trust anything or anyone by default, even if they are inside the network perimeter. Instead, it requires continuous verification of trust before granting access to resources. As more employees access corporate resources from outside the perimeter and applications are increasingly hosted on the public cloud, traditional perimeter-based security often fails to protect them adequately. For example, here are just a few of the attacks so far in 2023:

  • In January, San Francisco’s Bay Area Rapid Transit was hit by a ransomware attack and stolen data was posted online.
  • In February, TMX Finance Corporate Services was breached, exposing personal information for around 4.8 million people, including Social Security numbers, passport numbers, and driver’s license numbers.
  • A March breach of Managed Care of North America Insurance Company exposed private information on 8.92 million individuals.
  • In May, PharMerica, a pharmacy service provider, experienced a breach that affected the personal information of 5.8 million people.
  • In June, the Oregon Department of Transportation announced that it had been part of a global hack of the file transfer tool called MOVEit, which it used to send and receive data. The personal information for an estimated 3.5 million Oregon residents was exposed. The MOVEit breach also affected the Better Outcomes Registry & Network, which exposed the personal health information of approximately 3.4 million people. Microsoft’s (MSFT) healthcare technology company Nuance issued a breach notice on behalf of 13 healthcare organizations as a result of a MOVEit breach. Some estimates put the number of individual victims from the MOVEit breach at 60 million across over 2,000 organizations. 

Brief History of Zero Trust 

One of the earliest offerings came in 2009 with Alphabet’s (GOOG) Google Zero Trust architecture, referred to as BeyondCorp, which by 2021 evolved into BeyondCorp Enterprise. In 2010 the term “Zero Trust model” was used by Forrester Research analyst John Kindervag to denote stricter cybersecurity programs and access control within corporations. However, it didn’t become a prevalent model for nearly a decade, driven in large part by the growing use of mobile access points, IoT devices, cloud services and remote work options. 

In 2018, the paper SP 800-207 Zero Trust Architecture, published by cybersecurity researchers at the National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE), defined Zero Trust (ZT) and Zero Trust Architecture. NIST defined Zero Trust as “the term for an evolving set of cyber security paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location.” Zero Trust Architecture (ZTA) was described as an enterprise's cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning and access policies. 

Zero Trust Becomes Mandatory

In January 2022, the federal government’s Office of Management and Budget released a memorandum that mandated a federal Zero Trust Architecture (ZTA) strategy, including specific cyber security standards and objectives, by the end of the fiscal year 2024. Also in January 2022, the Defense Information Systems Agency (DISA) awarded Booz Allen Hamilton a $6.8 million contract to implement a Thunderdome Prototype, which would become DISA’s Zero Trust security and network architecture. In July 2023, Booz Allen was awarded a production agreement for Thunderdome worth up to $1.86 billion.

Market for Zero Trust 

According to research firm Markets and Markets, the global Zero Trust security market will grow from $31.1 billion in 2023 to $67.9 billion by 2028, with an annual compound growth rate of 16.9%, driven by the rising threat of increasingly sophisticated and continually evolving cyberattacks. The rapid adoption of cloud technology and the digital transformation are increasing the attack surface for nefarious actors, reducing the effectiveness of traditional perimeter security measures in a more mobile and interconnected world. More stringent regulatory compliance demands are adding to the pressure by increasing the potential costs of a breach. 

Coherent Market Insights estimates the ZTA market size at $29.0 billion in 2023, forecasting a compound annual growth rate of 16.7% to reach $85.4 billion by 2030. It predicts the largest market share to be in North America at 34.8% in 2022 with Asia-Pacific the fastest-growing region while Europe will maintain the number three spot and Latin America the fourth largest.

Gartner predicts that the percentage of large enterprises with a mature and measurable zero-trust program in place will rise from 1% at the start of 2023 to 10% by 2026.

Zero Trust Benefits 

Zero Trust Architecture provides a wide range of benefits:

  • Adaptability: It is better suited than traditional perimeter-based security for modern, dynamic IT environments that include cloud-based services, remote work, and mobile devices. While Zero Trust Architecture results in a higher overall level of security, it is also able to reduce security complexity and operational overhead.
  • Continuous Monitoring: ZTA emphasizes continuous monitoring of user and device behavior, enabling suspicious activity to be detected and responded to in real time, again reducing opportunities for nefarious actors.
  • Least Privilege Access: ZTA enforces the principle of least privilege, which reduces the attack surface by limiting access only to what is necessary for a user or device to perform their specific tasks, limiting opportunities for nefarious actors.
  • User-Centric: By focusing on the identity and trustworthiness of users and devices, ZTA’s user-centric approach is more effective than a network-centric strategy in today's distributed and remote work environments.
  • Micro-Segmentation: Segmenting networks into smaller, isolated zones makes it much harder for attackers to move laterally within a network.
  • Compliance and Regulations: ZTA helps organizations meet regulatory requirements by providing better control and monitoring of data access, which is crucial for compliance.

Zero Trust Providers 

Zero Trust security cannot be implemented through the purchase of one product, but rather it is incrementally implemented through a combination of solutions and processes that are all based on Zero Trust principles. Therefore, Zero Trust solutions include a range of offerings that authenticate user access, segment and manage access to data, and continuously monitor network activity. These are some of the publicly traded companies offering Zero Trust solutions. 

  • Check Point Software Technologies (CHKP) is a pure-play cybersecurity provider based in Tel Aviv, Israel, with around 50% of its revenue coming from Europe, the Middle East, and Africa. Around 60% of its office space and 42% of its employees were in Israel as of 2022. Its wide suite of solutions supports Zero Trust Architecture, and it was just named a leader in The Forrester Wave™: Zero Trust Platform Providers, Q3 2023 report.
  • Cloudflare (NET) earlier this month announced that it helped lead the disclosure of a novel zero-day vulnerability, dubbed HTTP/2 Rapid Reset, which gave attackers the ability to generate attacks larger than ever experienced before. The company developed a technology to automatically block any attack leveraging Rapid Reset for its customers.
  • CrowdStrike (CRWD) recently formed a Zero Trust Alliance with Okta (OKTA), Netskope, and Proofpoint. Earlier this month the company announced a partnership with Box (BOX) to improve cloud data security.
  • CyberArk (CYBR) has an estimated nearly 71% of its long-lived assets (expected lifespan over one year) and a high percentage of its people in Israel. Earlier this month it announced that it has been named a Leader in The Forrester Wave™: Privileged Identity Management, Q4 2023, receiving the highest possible score in 16 criteria.
  • Fortinet (FTNT) has managed to grow its EPS by around 40% a year over the past three years while its pre-tax income has grown from 3.4% of revenue in 2016, to 14.1% in 2018, and 21.6% in 2022, but did miss on revenue and billings in the June quarter.
  • Microsoft offers a Zero Trust deployment plan with Microsoft 365 and Zero Trust for Microsoft Azure. The offerings include identity management, threat detection and response, secure remote access, and cloud-based data protection.
  • Okta is a cloud-native security company focused on identity and access management that enables the implementation of Zero Trust Architecture. Shares have outperformed the S&P 500 by around 10% so far this year. The company is also launching a new set of capabilities called Okta AI, which will include predictive AI to identify possible threats earlier, a Policy Recommender that will propose security configurations based on similar use cases across Okta’s base of over 18,000 customers, and a new Identity Threat Protection product that will deliver real-time detection and response for identity-based threats.
  • Palo Alto Networks’ (PANW) Zero Trust Architecture works to verify and validate users and devices before granting access and includes micro-segmentation, multi-factor authentication, threat prevention, and detection. Several of Palo Alto Networks’ acquisitions have been based in Israel, and the company has roughly 12% of its long-lived assets in Israel. Raymond James estimates that around 7% of the company’s employees are in Israel.
  • Zscaler (ZS) offers a cloud-native Zero Trust Architecture that protects access to data and applications. The company maintains R&D operations in Israel. 

There are several private companies offering Zero Trust solutions, such as NordLayer, Axis Security (global access management), Morphisec (proactive endpoint protection platform), Tigera (network security and continuous compliance for Kubernetes platforms), Sepio Systems (hardware access control platform), MobileIron (mobile-centric verification), and Silverfort (authentication platform).

The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.

Lenore Elle Hawkins

Lenore Elle Hawkins has, for over a decade, served as a founding partner of Calit Advisors, a boutique advisory firm specializing in mergers and acquisitions, private capital raise, and corporate finance with offices in Italy, Ireland, and California. She has previously served as the Chief Macro Strategist for Tematica Research, which primarily develops indices for Exchange Traded Products, co-authored the book Cocktail Investing, and is a regular guest on a variety of national and international investing-oriented television programs. She holds a degree in Mathematics and Economics from Claremont McKenna College, an MBA in Finance from the Anderson School at UCLA and is a member of the Mont Pelerin Society.
