Pulse Q&A surveyed 200 security leaders across the region to see where they reside on the journey towards a full Zero Trust security posture


Zero trust security, identity reach critical mass in APAC outfits

The evolving landscape of cyber threats, in concert with the rise of hybrid work, has led organizations in the Asia Pacific (APAC) region to finally adopt zero trust security measures on a broader scale, as they look to shield their data and assets more securely from threats both internal and external.

The growing adoption of the zero trust model is in contrast to the more traditional ‘perimeter’ security approach, with the shift being driven by the need to better protect internal systems and endpoints while reducing the risk of data exposure. Perimeter defense was more of a walled garden, cordoning off the company’s networks and systems from outside intrusions but paying precious little attention to vulnerabilities that originate from within, even as the rapid rise of remote working, cloud adoption, and mobile devices entering the corporate environment meant that classical security measures were quickly becoming obsolete.

Internally, APAC businesses mostly relied on passwords to secure systems and applications, but the increasingly sophisticated threat types that have emerged (and continue to change) meant that password protection had grown too weak and unreliable. The newest Okta survey conducted by Pulse Q&A, the State of Zero Trust Security in Asia Pacific 2022, found that APAC organizations were the slowest in the world to move toward passwordless identity and access management (IAM), with only 0.5% having implemented passwordless already and a mere 10% planning to implement in the next year and a half. Even so, exactly half of APAC organizations surveyed had implemented a zero trust security initiative, a full 18 points more than recorded in the 2021 report.

Zero trust security is based on the notion of “never trust, always verify” in that no user, device, asset, IP address or application should be trusted, even if it is connected to a managed corporate network – at least until the identity can be authenticated. Security-conscious enterprises worldwide have been increasingly taking up zero trust and more profound identity management, and now previously slow APAC companies are ramping up adoption, with the Okta report pointing out that 83% of regional respondents rate identity as important to their overall zero trust security strategy.

Data security, network and device protection still rank as the top cybersecurity focus for APAC enterprises, but growing recognition of how important an identity-oriented security model can be to the company is palpable. The growing need for cloud architecture privileged access will see IAM adoption double from 43.5% to 88% over the coming 18 months, according to the study, and automated protection for new and outgoing staff identity credentials is estimated to rise significantly from 22% to 76% within the same time frame.

Awareness of threat actors’ advanced capabilities to compromise users, systems, and data has also risen sharply among APAC organizations, with three-quarters of respondents saying they prioritize security over the functions of other business-critical applications and resources – a stark contrast to businesses in other parts of the world. Over a third (38%) of APAC organizations that have yet to implement a zero trust security policy say they plan to do so within the next six to 12 months.

In 2021, more than two-thirds of APAC companies (76%) said they would increase their zero trust security investments either moderately or significantly, and the majority fulfilled that pledge in a clearer indication that the blanket security posture of more APAC organizations was becoming tighter. 82% reported a moderate or significant increase in zero trust spending in this year’s report.

Another challenging aspect is the global IT talent shortage that is beleaguering APAC outfits, with 31% citing that as an ongoing challenge to executing zero trust security, while 18% reported both a lack of awareness as well as a lack of stakeholder commitment to zero trust and IAM solutions.

Zero trust drastically slashes the risk of exposure: access verification is a continuous process, and that stratum of identity validation is applied to everything, from people to processes to the data as it travels from one part of the business to another, regardless of whether the information is being retrieved, modified, or even deleted.

“By adopting zero trust security, organizations can position themselves to overcome the challenges presented by hybrid work – including mobile and remote working – by adopting an identity-centric approach to network and resource access rather than relying on outdated security models based on the traditional network perimeter,” commented Ben Goodman, the APAC SVP and General Manager at Okta. “Our research showed that while APAC organizations lagged behind their global counterparts in implementing Zero Trust Security, 98% of respondents recognized that identity was important or business-critical to that approach.”