Your Organization’s Customized Zero Trust Segmentation Report

Thank you for taking Illumio’s Zero Trust Segmentation assessment. The goal of this assessment is to give you data driven insights about your organization’s progress toward achieving Zero Trust Segmentation, complete with recommendations specific to your current state.

SAVE A COPY OF YOUR REPORT RETAKE ASSESSMENT

Assessment and benchmark
research powered by ESG

Your Organization’s Data-First Leader Report

Thank you for taking HPE’s data-first leader assessment. Data is among your organization’s most valuable resources, which is why we’re passionate about helping organizations become data-first leaders as they use their data to innovate and out compete their peers.

Assessment and benchmark
research powered by ESG

Introduction

To power this assessment, we partnered with ESG to survey 1,000 of your peers across the globe. Based on this benchmark dataset, we identified 5 critical aspects of technologies needed to become a Pioneer on Zero Trust Segmentation. And the research validated that organizations with segmentation technologies that deliver these key capabilities enjoy dramatically improved security outcomes.

Below you will see how your organization compares to the market in general, as well as surveyed Pioneers on key questions. By working to close the gaps you see, your organization will move up the maturity curve so you can gain better visibility to network activity and traffic patterns in your environment, segment and protect your organization’s mission-critical digital assets, and limit the scope of inevitable security incidents to respond faster and keep incidents from becoming cyber disasters.

Your Zero Trust Segmentation Progress

Based on your responses your organization is

PIONEERING

Your organization has {{results}} of a possible 5 attributes of Zero Trust Segmentation Pioneer.

Congratulations, you are in an exclusive club of Pioneers—only 6% of your peers are this advanced! As a Pioneer, you likely recognize there is always an opportunity to improve. Below, you can access a customized report to find out if we spotted any areas to improve!

ESG’s research shows that Leaders outperform their peers in a number of ways:

Leaders more successfully advance zero trust; they are:

2.4x more likely to have a high degree of success with zero trust initiatives.

Leaders’ applications are more resilient; they are:

2.4x more likely to have not suffered a critical outage in the last 24 months due to an attack.

Able to restore service 68% faster when things go wrong (MTTR).

Achieving, on average, a $20.1M annual cost of downtime advantage.

Leaders achieve more comprehensive visibility across their environments; they are:

4.3x more likely to have comprehensive visibility into network traffic across their environment (i.e., cloud, on-prem, edge).

5x more likely to have comprehensive visibility into network traffic across app architectures (i.e., VMs, containers, microservices).

READ THE RESEARCH REPORT

What Data-first Leaders Achieve

Understanding the Zero Trust trend

What we asked: Where is your organization on its journey toward adopting Zero Trust principles broadly (i.e., a least-privilege philosophy for IT service and infrastructure access supported by continuous authentication, authorization, and risk evaluation for every request)?

Why it matters: Assume breach and segment to stop the spread. Zero trust as a broad concept has a lot of resonance in the market today, but it represents a major shift related to security incidents—a pivot from “if” they occur, to “when.” With controls in place to enable Zero Trust, organizations have peace of mind that when a bad actor gains access to an application or data they shouldn’t have access to, their ability to move laterally within the environment will be stifled by least-privilege policies. Zero Trust Segmentation is an ideal way to institute broad Zero Trust initiatives, as it creates separation between assets, ensuring that a cyber-criminals’ ability to navigate the network is stopped.

Where you stand: 99% of respondents we surveyed are at least interested in Zero Trust as a broad concept, though just 36% have implemented or begun to implement Zero Trust across their entire IT footprint. This tells us two things:

Zero trust represents a major change that has captured significant mind share among cybersecurity strategists.
While the concepts of Zero Trust have a lot of resonance with security practitioners, we are still in the early days of implementation.

Which of the following statements best reflects your organization’s adoption of a Zero Trust strategy? (Percent of respondents, N=1,017)

Organizations are investing heavily to make Zero Trust a reality

What we asked: How much of your organization’s investments in cybersecurity controls over the next year could generally be categorized as being made with an eye toward furthering Zero Trust initiatives?

Why it matters: As noted, Zero Trust represents a meaningful shift in security design philosophy. As with anything, major redesigns require resources to be made real. So, we wanted to get a more tangible measure of whether organizations are allocating investments to further their initiatives. What we learned is that approximately 39% of all security investments planned over the next 12 months are aimed at supporting the pivot to Zero Trust.

Where you stand: {{txt1}}

Approximately how much of your organization’s budgeted investments in cybersecurity controls for the next 12 months could be broadly considered supporting or furthering Zero Trust initiatives? (Percent of respondents, N=1,000)

Weighing the tradeoffs between ease of use and functionality

What we asked: When it comes to furthering Zero Trust initiatives, what does (or would) your organization most prioritize?

Why it matters: The goal of this question is to understand the possible trade offs your organization may make in adopting Zero Trust technologies. On one hand, adopting technologies with the best capabilities, even if they come with additional integration work, offers your organization the path to the greatest security efficacy. On the flip side, integrated platforms offer the greatest ease of deployment and use but may not be as effective in practice.

Where you stand: There is no “right” answer to this question, as the decision should ultimately be informed by your security team’s bandwidth and integration capabilities. However, respondents we surveyed displayed a clear preference for functionality before ease of use. If your organization prioritizes ease of integration and use over capabilities, it may be worth stress-testing that position to validate that it is in fact the optimal approach for your organization because 96% of your peers are opting to select solutions based on functionality first.

When it comes to furthering Zero Trust initiatives, what does your organization most prioritize? (Percent of respondents, N=1,000)

How do segmentation technologies fit into the Zero Trust puzzle?

What we asked: How important are segmentation technologies or practices to your organization when it comes to supporting your organization’s Zero Trust initiatives (or how important do you think they would be)?

Why it matters: Zero trust is not a solution, but a philosophy. With that in mind, the question is what technologies are needed to operationalize the philosophy. While there is no single Zero Trust “silver bullet,” segmentation technologies serve as the ideal foundation upon which to build a Zero Trust strategy. Dividing an enterprise and edge network into microsegments allows an organization to implement specific security policies and controls to those segments, verify identities, and establish trust for the individual resources you’re trying to protect.

Where you stand: Based on our research, the market clearly agrees with the premise put forward above. In total, 81% of respondents report segmentation technologies are either critical (30%) or important (51%) to supporting Zero Trust initiatives. {{txt2}}

How important are segmentation/microsegmentation technologies or practices to your organization when it comes to supporting your organization’s Zero Trust initiatives (or how important do you think they would be)? (Percent of respondents, N=1,000)

Breadth of segmentation

What we asked: At what stage is your organization in terms of using segmentation controls and policies to support Zero Trust initiatives?

Why it matters: Regardless of your organization’s opinion related to segmentation, what will ultimately determine its ability to achieve Zero Trust Segmentation is its usage. For example, our research showed that, on average, Zero Trust segmentation Pioneers have properly segmented 72% of their business applications. While this is a far cry from 100%, it shows that most applications have been segmented. In contrast, on average, Nascent organizations report just over half of their applications are properly segmented. There is a clear connection between breadth of segmentation and Zero Trust Segmentation leadership.

Where you stand: The correlation between breadth of segmentation deployment and Zero Trust Segmentation progress is evident in the chart below. While 73% of Pioneers report broad deployment, just 23% of their peers in the Nascent category report the same. {{txt3}}

At what stage is your organization in terms of using segmentation/microsegmentation controls and policies to support Zero Trust initiatives? (Percent of respondents)

Depth of segmentation capabilities

What we asked: Thinking about your organization’s segmentation tools and practices, how would you rate its ability to support each of the following?

Why it matters: Breadth of segmentation is one aspect of achieving Zero Trust Segmentation. But just as important are the capabilities of your organization’s segmentation solutions.

At its heart Zero Trust Segmentation should strive to give the organizations key capabilities:
Visibility – you can’t protect what you can’t see, and today’s IT environments are a complex mix of cloud-hosted, on-premises-resident, microservices-based, and monolithic workloads. You need visibility into the network patterns in all cases to achieve Zero Trust Segmentation
Containment – when attacks happen, and they will, the ability to pivot quickly to response and prevent attackers from moving laterally and infecting additional systems is critical. This requires integrations with SIEM and SOAR tools to plug into existing workflows, as well as technology guardrails (like port blocking) that can block this movement.
Environmental separation – A critical in moving from reactive to proactive is ensuring that unrelated environments are separated (such as development from production)

To measure and organizations’ ability to deliver on the promise of Zero Trust Segmentation, this assessment looks at several key capabilities:

Integration with SIEM and SOAR tools: Teams rely on their SIEM and SOAR tools for insights from across their entire security posture. To make insights from segmentation tools like where attempted attacks are in progress, what machines are acting suspiciously, and if your segmentation is secure, tight integration is critical.
Separation of test and dev from production environments: Enforcing a boundary between development and production environments helps secure your mission-critical production data. However, development environments often leverage production systems for management and essential data center services. The solution is to ensure an enforcement boundary is present and to add policy-based exceptions based on the topology of network communications.
The ability to block ports to stop the spread of attacks: Serious malware and ransomware attacks typically follow a similar pattern. Generally, the attacker is not able to gain direct access to “crown jewel” databases and applications. Rather, the attacker gains a foothold on an unprotected system, generally something of low business value. The attacker then moves to a more high-value target before launching the attack. By properly segmenting applications, organizations can stop this behavior.
Consistent enforcement across cloud and data center environments: Today’s IT infrastructure environments are complex, being comprised of bare-metal servers, VMs, and containers running in a variety of locations from the core data center, the edge, and in a variety of CSPs. To secure the environment effectively and efficiently, organizations need controls that can span those many environments and infrastructure types and do so in a consistent manner. Consistent enforcement across different application architectures: Similarly, organizations’ application portfolios are varied from microservices-based cloud-native applications to legacy monolithically architected applications. Again, consistency and completeness of coverage are key to maximizing security effectiveness.

Where you stand: {{txt4}}

Thinking about your organization’s segmentation/microsegmentation tools and practices, how would you rate its ability to support each of the following? (Percent of respondents)

Decision point: dedicated microsegmentation tools versus features in a platform

Who your organization purchases security controls from

What we asked: Which of the following statements do you most agree with regarding the use of purpose-built microsegmentation tools (i.e., tools that are not part of a larger solution platform) to support Zero Trust initiatives?

Why it matters: As with Zero Trust technologies generally, when it comes to segmentation technologies, organizations can choose to invest in solutions with a segmentation feature or dedicated/standalone solutions. While Illumio has a point of view on this, we look to the data to gauge the prevailing wisdom in the market. And what’s clear from the data is that Pioneers—those enjoying the most benefit and driving the most results from their Zero Trust initiatives—are the most likely to advocate most strongly for dedicated tools.

Where you stand: 75% of Zero Trust Segmentation Pioneers say that dedicated microsegmentation tools are critical to support Zero Trust. {{txt5}}

With which of the following statements do you most agree with regarding the use of purpose-built microsegmentation tools (i.e., tools that are not part of a larger solution platform) to support Zero Trust initiative? (Percent of respondents)

The Bigger Truth

We hope this assessment, and the research that underpins it, has helped you better understand the state of the market with respect to cloud-native security maturity and your organization’s progress towards becoming a leader. As a cohort, leaders have identified the key security capabilities to embed into their cloud-native development processes:

It is increasingly business-critical: Today, 11% of respondents tell us most/all of their cloud-native applications are business-critical. Looking ahead 12 months, 40% of respondents expect the same proportion to be business-critical.
It is more effective: Despite the fact that leaders have a much broader attack surface (managing 3.7x as many cloud-native applications in production), they suffer from 31% fewer security incidents. Leaders have found a better, and more scalable, way to secure their environments.
It enables what developers care about, agility: Leaders, while being better protected, have also driven greater speed into their development environments and are 2.6x more likely than less mature organizations to push code to production environments multiple times per day.