Zero-trust implementations remain work in progress

Just one in 10 large enterprises are expected to have mature implementations of zero trust by 2026, a Gartner study has found, underscoring the challenges of adopting the security framework.

This was despite the fact that zero trust is top of mind for most organisations as a critical strategy to reduce risk. According to Gartner, less than 1% of large enterprises haven mature and measurable zero-trust programmes in place today.

Gartner defines zero trust as a security paradigm that explicitly identifies users and devices and grants them just the right amount of access so the business can operate with minimal friction while risks are reduced.

“Many organisations established their infrastructure with implicit rather than explicit trust models to ease access and operations for workers and workloads. Attackers abuse this implicit trust in infrastructure to establish malware and then move laterally to achieve their objectives,” said John Watts, vice-president analyst at Gartner.

“Zero trust is a shift in thinking to address these threats by requiring continuously assessed, explicitly calculated and adaptive trust between users, devices and resources,” he added.

For organisations to complete the scope of their zero-trust implementations, Gartner said it is critical that chief information security officers (CISOs) and risk management leaders develop an effective zero-trust strategy that balances the need for security with the need to run the business.

“It means starting with an organisation’s strategy and defining a scope for zero-trust programmes,” said Watts. “Once the strategy is defined, CISOs and risk management leaders must start with identity – it is foundational to zero trust. They also need to improve not only technology, but the people and processes to build and manage those identities.

“However, CISOs and risk management leaders should not assume that zero trust will eliminate cyber threats. Rather, zero trust reduces risk and limits impacts of an attack.”

Gartner analysts predict that through 2026, more than half of cyber attacks will be aimed at areas that zero-trust controls don’t cover and cannot mitigate.

“The enterprise attack surface is expanding faster, and attackers will quickly consider pivoting and targeting assets and vulnerabilities outside of the scope of zero-trust architectures [ZTAs],” said Jeremy D’Hoinne, vice-president analyst at Gartner.

“This can take the form of scanning and exploiting of public-facing APIs [application programming interfaces] or targeting employees through social engineering, bullying or exploiting flaws due to employees creating their own ‘bypass’ to avoid stringent zero-trust policies,” he added.

Gartner recommended organisations to implement zero trust to improve risk mitigation for the most critical assets first to achieve the greatest returns on their investments.

However, zero trust does not solve all security needs. CISOs and risk management leaders must also run a continuous threat exposure management programme to manage their exposure to threats beyond the scope of the ZTA, it added.

Michael Smith, chief technology officer of Neustar Security Services, called for organisations to review their current security technologies and mitigation plans amid increased demand for zero-trust measures.

“They will have to rapidly operationalise their investments to deliver time-to-value and keep up with the accelerated rate of change we are seeing throughout the cyber security industry – especially if they want to stay ahead of the more dangerous threats. All organisations should be committed to best current practices and know that they are responsible for their customers’ data,” he added.