The zero trust security market is expected to register a CAGR of 18% during the forecast period (2021 - 2026). Cloud applications and the mobile workforce are redefining the security perimeter, as employees bring their own devices and work remotely. Data is being accessed outside the corporate network and shared with external collaborators, such as partners and vendors. Corporate applications and data are moving from on-premises to hybrid and cloud environments, and organizations need a new security model that adapts more effectively to the complexity of the modern context, embraces the mobile workforce, and protects people, devices, applications, and data wherever they are located, which is the core of zero trust security.
- The increasing activity of cybercriminals, who are becoming successful at penetrating the security perimeter and moving laterally within it, is expected to drive the implementation of zero-trust security, because organizations that rely solely on on-premises firewalls and VPNs lack the visibility, solution integration, and agility to deliver timely, end-to-end security coverage. As evidence, the rates of large-scale, multi-vector mega attacks are also growing, wreaking havoc on organizations and individuals worldwide. For instance, 1.76 billion records were leaked in January 2019 alone. Ransomware is expected to cost businesses and organizations USD 11.5 billion in 2019, and the global cost of online crime is expected to reach USD 6 trillion by 2021.
- A report suggests that 2019 saw an increase of over 50% in the number of breaches compared to the last four years. Ironically, these security breaches continue to rise even as companies invest record amounts of money and add more security tools to help prevent precisely that. An average large enterprise has over 100 security tools, while information security spending for 2019 was expected to exceed USD 125 billion. While traditional and outdated approaches to security focus on bolting on new security tools to secure the perimeter while trusting every resource inside, a new security model called zero trust does away with the concept of implicit trust.
- Zero trust is driven by the precepts of never trusting anything inside or outside the organization’s security perimeters. Instead, before access is granted, anything and everything that is attempting to connect to an organization’s systems must always be verified. With zero trust, the security team puts policies in place to validate every connection attempt and every device, and to intelligently limit access. In a zero trust model, every access request is strongly authenticated, authorized within policy constraints, and inspected for anomalies before granting access. Everything from the user’s identity to the application’s hosting environment is used to prevent a breach.
- A survey conducted by Check Point Technologies Ltd in August 2019 reveals that there is broad adoption of the zero trust approach by security professionals across multiple industries. More than half of respondents (52%) noted that their organization had begun or completed an implementation of the Zero Trust approach, with 18% planning to start applying it during the coming year. The security environment is becoming more complex than ever, and it has never been more challenging to protect data, assets, and networks. By implementing Zero Trust Security, an organization can be supremely equipped to bolster its security posture and boost the protection of its most critical data-related assets.
- The dynamic nature of COVID-19 has resulted in a rapidly evolving shift to a remote workforce. Given the access provided through remote connectivity, the newly minted remote workforce, and the potential for limited security reviews, attackers are likely to take advantage of weaknesses to gain internal network access. Zero trust security, which has been emerging in recent years, uses an identity provider to provide access to applications and determines authorization rights based on both the user and the device. Fundamental authorization rights include device and user identity checks, which consider whether the organization manages the device.
Key Market Trends
BFSI is Expected to Hold Significant Share
- The BFSI industry is frequently faced with sophisticated and persistent attacks, including malware, ransomware, social engineering and phishing attacks, fileless malware, rootkits, and injection attacks. Accenture estimates an average loss of USD 18 million per year at financial services institutions. Both zero-day attacks and ransomware are on the rise. Ransomware especially can negatively affect financial workflows, inflicting costly downtime and further damaging business reputations. However, financial institutions are moving to zero trust security solutions to strengthen their security posture.
- In July 2019, a former Amazon employee was arrested and accused of carrying out a massive theft of 106 million records from Capital One, one of the top ten banks in the United States. This included 140,000 Social Security numbers, one million Canadian Social Insurance numbers, and 80,000 bank account numbers, in addition to an undisclosed amount of information, such as people's names, addresses, credit scores, credit limits, and balances. It is forecasted that as the threats attacking financial services institutions become more complex and iterative, zero trust security solutions must evolve to meet these threats and also take advantage of the increased data and insights at hand.
- As major BFSI end users shift their on-premises infrastructure into the cloud, they are increasingly adopting zero-trust security solutions. Players in the market ecosystem are also focusing on cutting-edge technology-based solutions, which is creating further opportunities for the market segment. For instance, in October 2020, HashiCorp, the provider of multi-cloud infrastructure automation software, announced at HashiConfDigital new identity-based security and access offerings to help enterprises solve modern security challenges as they transition to dynamic multi-cloud infrastructure.
- Large organizations, such as banks, deal with dispersed and widespread networks of data and applications accessed by employees, customers, and partners onsite or online, which makes protecting the perimeters more difficult. Zero trust security takes a more nuanced approach of managing access to the identities, data, and devices within the proverbial castle. So, whether an insider acts maliciously or carelessly, or veiled attackers make it through the organization's walls, automatic access to data is not a given.
- Open banking, an initiative that allows third-party financial services companies to access users' banking data through the use of APIs, is being widely deployed. Open banking increases risk by multiplying the interconnectivity between banks, providers, partners, vendors, and customers, and this interconnectivity introduces systemic risk. Banks need to approach security differently to ensure the protection of systems, data, and customers. Perimeter defenses are entirely insufficient to respond to this new type of systemic risk, and the risk is mitigated with the usage of a zero trust security model.
North America is Expected to Hold Major Share
- North America is a primary hub for all the major organizations across the world. The expansion of the various end-user industries and the increasing security perimeter are driving the demand for zero-trust security in the region. The targets of attacks that can impact the market range from individuals and corporations to governments. Thus, securing data has become a priority in the region. Moreover, cyberattacks in the North American region, especially in the United States, are rising rapidly. They have reached an all-time high, primarily owing to the rapidly increasing number of connected devices in the region.
- Now more than ever, the US government has focused on proactive cybersecurity measures. Under the country's proposed budget for fiscal year 2020, the federal cybersecurity budget would increase to USD 17.4 billion, up from USD 16.6 billion in 2019. Within cybersecurity spending, one of the areas the federal government is eyeing is the concept of zero trust security, due in part to recent reports from the Defense Innovation Board and the American Council for Technology-Industry Advisory Council. Federal IT environments are complicated, and as the government takes a closer look, it will see that in many cases it is already notionally on a path to zero trust security.
- Moreover, according to a survey by FedScoop, nearly half of US federal government agencies, including the Agriculture Department and the Marine Corps, are adopting zero trust security. While adoption is increasing, consistent implementation and monitoring are critical for zero trust security to succeed, which will lead to an increase in the approval of the solutions. Many municipalities in the United States have recorded ransomware attacks, which have cost them substantial sums in recovery. For instance, Baltimore spent over USD 18.2 million in regaining access to its connected systems. Also, 23 towns in Texas and two towns in Florida faced system lockdown due to ransomware, which points to a need for zero trust security solutions.
- The regional market ecosystem has also observed a significant number of merger and acquisition transactions, which is further boosting market growth. For instance, in September 2020, CrowdStrike Holdings, Inc., a provider of cloud-delivered endpoint and cloud workload protection, announced that it had agreed to acquire Preempt Security, a provider of Zero Trust and conditional access technology for real-time access control and threat prevention. Together, CrowdStrike and Preempt will provide a modern Zero Trust security architecture and threat protection to keep enterprise users, endpoints, and data safe from modern attacks, without compromising productivity or the user experience.
- The autonomous breach protection provider Cynet, in its recently published State of Breach Protection 2020 Report, mentioned that over 25% of security alerts are left unattended daily in the United States. The company surveyed over 1,500 cybersecurity professionals for the report, and around 77% of the responding organizations stated that 20%-60% of the security alerts are left unattended due to their systems' capacity limits. Zero trust security could be implemented in such cases by establishing new perimeters around sensitive and critical data. These perimeters include traditional prevention technology, such as network firewalls and network access controls, as well as authentication, logging, and controls at the identity, application, and data layers.
The zero trust security market primarily comprises multiple domestic and international players in quite a fragmented and highly competitive environment. The market poses high barriers to entry for new players, as there are already various established players in the market. Technological advancements in the market are also bringing sustainable competitive advantage to the companies, and the market is also witnessing multiple partnerships and mergers.
- April 2020 - Google made available BeyondCorp Remote Access, marking its first commercial product based on the zero-trust approach to network security that Google pioneered and has used internally for almost a decade. The cloud-based service lets employees access internal web apps from most devices, and any location, without a traditional remote-access virtual private network (VPN).
- February 2020 - BlackBerry Limited launched the BlackBerry Spark platform with the addition of a unified endpoint security layer, which can simultaneously work with the company's centralized endpoint management to deliver zero trust security. BlackBerry Spark platform leverages AI, machine learning, and automation to offer improved cyber threat prevention and remediation and provides visibility across desktop, mobile, server, and IoT endpoints.
Table of Contents
1.2 Scope of the Study
4.2 Industry Attractiveness - Porter's Five Force Analysis
4.2.1 Bargaining Power of Suppliers
4.2.2 Bargaining Power of Buyers
4.2.3 Threat of New Entrants
4.2.4 Threat of Substitutes
4.2.5 Intensity of Competitive Rivalry
4.3 Market Drivers
4.3.1 Increasing Number of Data Breaches
4.3.2 Security Perimeter of an Organization not Being Limited to Workplace
4.4 Market Restraints
4.4.1 Legacy applications, infrastructure, and operating systems not likely to adopt zero trust model
4.5 Technology Snapshot
4.5.1 Zero Trust Networks
4.5.2 Zero Trust Devices
4.5.3 Zero Trust Data
4.5.4 Zero Trust Identities
4.5.5 Zero Trust Applications (Visibility and Analytics)
4.6 Industry Value Chain Analysis
5.2 Organization Size
5.2.1 Small and medium Enterprises
5.2.2 Large Enterprises
5.3 End User Industry
5.3.1 IT and Telecom
5.3.5 Energy and Power
5.3.8 Other End-user Industries
5.4.1 North America
5.4.3 Asia Pacific
5.4.4 Rest of the World
6.1.1 Cisco Systems Inc.
6.1.2 Palo Alto Networks Inc.
6.1.3 VMware Inc.
6.1.4 Broadcom Inc. (Symantec Corporation)
6.1.5 Microsoft Corporation
6.1.6 IBM Corporation
6.1.7 Google Inc.
6.1.8 Check Point Software Technologies Ltd
6.1.9 BlackBerry Limited
6.1.10 Akamai Technologies Inc.
6.1.11 Centrify Corporation
6.1.12 Okta Inc.
6.1.13 Fortinet Inc.
6.1.14 Sophos Group PLC
6.1.15 Cyxtera Technologies Inc.