Australian companies are investing heavily as they dive headfirst into zero trust – but most still have only the vaguest idea of what they are doing, according to new figures suggesting we have a long way to go before benefiting from the biggest change to security in years.
Fully 84 per cent of ANZ companies said they have prioritised zero trust, a recent Okta survey found, with 85 per cent expecting to implement zero trust within the next 12 to 18 months – up dramatically from just 50 per cent a year ago.
That’s a resounding vote of confidence in a security tool that was barely on the radar before the COVID-19 pandemic hit – but with just 5 per cent of companies actually implementing zero trust and most of those still at the bottom of Okta’s Zero Trust maturity curve, we still have a lot to learn.
But what is zero trust, actually?
Pretend for a moment that you’re not stuck working from your kitchen table, and think of the security at your office building.
You probably have an ID card that lets you into the front door or through the lobby turnstiles with a tap. Wave to the security guards, tap, and you’re through.
You might never have to prove your identity again for the rest of the day – and while there might be the occasional security camera monitoring public spaces, by and large your employer trusts you to do the right thing while you’re inside.
That’s how the conventional model of password security works – and it’s easy to see why it is so vulnerable. All it takes is for a criminal to steal your ID card while you’re away, and they can slip into the company completely undetected.
To thwart this, many companies have implemented physical security that relies on your tapping that card continually throughout the day.
Getting in the lift? Tap.
Going into a work area? Tap.
Logging onto your computer? Tap.
Going into a locked meeting room? Tap.
Going to the loo? Tap.
You get the idea. This is a zero-trust model – in which your employer has given you a tool to prove your identity, but makes you use it regularly throughout the day to make sure everyone inside the building is supposed to be there.
Any person, application, or device that can’t present the right credentials when requested is immediately flagged as hostile, until proven otherwise – hence the name ‘zero trust’.
It’s important to note that the digital equivalents of that ID card – encrypted digital certificates – aren’t only issued to people; they are also used to identify smartphones, tablets and IoT devices as well as individual applications requesting network access.
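The difference between checking once at the door and checking at every tap, as an added sketch that is not part of the original article. The badge IDs, device names and access policy are constructed for illustration:

```python
from dataclasses import dataclass

# Constructed sample data: badge, device and room names are illustrative.
KNOWN_DEVICES = {"laptop-17"}   # devices holding a valid certificate
POLICY = {"alice": {"front-door", "work-area", "meeting-room", "lift"}}

@dataclass(frozen=True)
class Tap:        # one access request
    user: str
    badge: str
    device: str
    resource: str

@dataclass(frozen=True)
class Revoke:     # badge reported lost or stolen
    badge: str

def perimeter(events):
    """Check the badge once at the front door, then trust it all day."""
    revoked, inside, decisions = set(), set(), []
    for e in events:
        if isinstance(e, Revoke):
            revoked.add(e.badge)
            continue
        if e.resource == "front-door" and e.badge not in revoked:
            inside.add(e.badge)
        decisions.append((e.resource, e.badge in inside))
    return decisions

def zero_trust(events):
    """Re-check badge, device and policy on every single tap."""
    revoked, decisions = set(), []
    for e in events:
        if isinstance(e, Revoke):
            revoked.add(e.badge)
            continue
        allowed = (e.badge not in revoked
                   and e.device in KNOWN_DEVICES
                   and e.resource in POLICY.get(e.user, set()))
        decisions.append((e.resource, allowed))
    return decisions

EVENTS = [
    Tap("alice", "badge-001", "laptop-17", "front-door"),
    Tap("alice", "badge-001", "laptop-17", "work-area"),
    Tap("alice", "badge-001", "unknown-phone", "meeting-room"),
    Revoke("badge-001"),
    Tap("alice", "badge-001", "laptop-17", "lift"),
]
```

Run over the same day of taps, the perimeter model keeps saying yes after the unknown device appears and after the badge is revoked, while the per-tap model refuses both.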
The end of the VPN
Companies have long used virtual private network (VPN) tools to help employees log onto the company network via encrypted connection, usually with just a user ID and password.
Faced with the COVID-era shift to remote work, security executives leaned on VPNs until cybercriminals began stealing users’ credentials and it became clear just how problematic the old strategy was.
Most people are terrible at using strong passwords, use the same password for all of their applications, and write them on sticky notes attached to their monitors.
This got worse in the remote-work world, where users suddenly had to make passwords for Zoom, Microsoft Teams, and a dozen other cloud apps.
Since many people use the same password for those systems as for their business applications, major breaches of users’ Zoom passwords actually facilitated major breaches of every company application those employees use.
Cybercriminals have been harvesting access credentials in their billions, and publishing them online in massive free-for-alls that have enabled one major security breach after another.
Enter zero trust, which has become a light at the end of a long, dark tunnel of cybersecurity attacks that have challenged security professionals like never before over the past 18 months.
Zero trust in the cloud
By 2023, Gartner believes, 60 per cent of companies will have moved from using VPNs to a ZTNA (Zero Trust Network Architecture) that reaches from one edge of the business to the other.
But zero trust isn’t gaining ground amongst cyber security professionals only because it’s better than passwords.
With half of the world’s knowledge workers expected to be working remotely by year’s end and companies running more of their applications in the cloud than ever, zero trust has become the only way to control access across today’s far more complex, distributed networks.
Recent research from security firm Thales, which included 750 security professionals across the APAC region and 2,600 worldwide, found fears about these new environments are widespread.
Yet despite 83 per cent saying they are worried about the security implications of remote access, 61 per cent admitted that they don’t have any kind of access management solution deployed – and 46 per cent said their security infrastructure was “not prepared” to cope with the challenges of a COVID pandemic.
They are prime candidates for zero trust – and if you’re among them, it’s time to start figuring out how you can benefit from the biggest change to security in years.