Enterprises have a long way to go in implementing "zero trust" to reduce cyber-risk
A recent Gartner study predicts that only about 10% of the world's large enterprises will have a mature and measurable zero-trust programme in place by 2026.
The study, titled "Predicts 2023: Zero Trust Moves Past Marketing Hype Into Reality", which was formally released on Friday, revealed that the majority of organisations view zero trust as a crucial risk-reduction strategy.
John Watts, Gartner's vice president analyst, describes zero trust as a security paradigm that explicitly identifies users and devices and grants them only the access they need, allowing the business to operate with minimal friction while reducing risk.
“Zero trust is a shift in thinking to address these threats by requiring continuously assessed, explicitly calculated and adaptive trust between users, devices, and resources,” he noted.
Unfortunately, the study found that very few businesses have actually finished implementing zero trust.
According to Watts, many organisations built their infrastructure on implicit rather than explicit trust models in order to simplify access and operations for workers and workloads.
However, those models are inadequate from a security standpoint.
Attackers take advantage of this implicit trust in infrastructure to implant malware and then move laterally to achieve their goals, he explained.
Watts suggested that chief information security officers (CISOs) and risk management leaders begin by developing an effective zero-trust strategy that balances the need for security with the need to run the business.
Such a strategy helps organisations define and complete the scope of their zero-trust implementations.
He stated that once the strategy is established, CISOs and risk management leaders must begin with identity, which is the foundation of zero trust.
"They must also improve not only technology, but also the people and processes that are used to create and manage those identities," he added.
However, he cautioned CISOs and risk management executives against assuming that zero trust will eliminate cyber-threats. Rather, zero trust reduces the risk of an attack and its consequences.
Based on current progress, Gartner predicts that by 2026, 10% of large enterprises will have implemented a mature and measurable zero-trust programme, up from less than 1% today.
Meanwhile, Gartner analysts also forecast that through 2026, more than half of cyber-attacks will be aimed at areas that zero-trust controls don’t cover and cannot mitigate.
Jeremy D’Hoinne, VP Analyst at Gartner, stated that attackers will quickly pivot to targeting assets and vulnerabilities that fall outside the scope of zero-trust architectures.
This can include scanning and exploiting public-facing APIs; targeting employees through social engineering or bullying; or exploiting flaws that arise when employees create their own "bypass" to avoid stringent zero-trust policies, he explained.
Gartner said that organisations should implement zero trust to improve risk mitigation for the most critical assets first, as this is where the greatest return on risk mitigation will occur.
However, zero trust does not address all security concerns. CISOs and risk management leaders must also implement a continuous threat exposure management programme to improve asset inventory and manage their exposure to threats beyond the scope of zero-trust architectures.