A common buzzword popular among IT and cybersecurity professionals over the last few years is zero trust, a security strategy designed to reduce risk by implementing granular controls over users and apps.
However, Gartner predicts that just 10% of large enterprises will have a mature and measurable zero-trust program in place by 2026, up from less than 1% today. The IT analyst firm says many organizations want to adopt those principles, but very few organizations have completed the full scope of their zero-trust implementations.
To move past the “hype” stage and make zero trust a reality in their organizations, chief information security officers (CISOs) and IT security leaders must first develop an effective zero-trust strategy that balances security needs with business needs.
“It means starting with an organization’s strategy and defining a scope for zero-trust programs,” says John Watts, vice president analyst at Gartner, in a statement. “Once the strategy is defined, CISOs and risk management leaders must start with identity – it is foundational to zero trust. They also need to improve not only technology, but the people and processes to build and manage those identities.”
However, organizations should avoid thinking that adopting this security architecture solves every security problem, as Gartner predicts that more than half of cyberattacks will be aimed at areas that zero-trust controls cannot protect.
With enterprise attack surfaces expanding faster than network defenders can protect them, attacks are quickly pivoting to other assets and vulnerabilities outside the scope of zero-trust architectures, says Jeremy D’Hoinne, a Gartner vice president analyst.
“This can take the form of scanning and exploiting of public-facing APIs or targeting employees through social engineering, bullying or exploiting flaws due to employees creating their own ‘bypass’ to avoid stringent zero-trust policies,” D’Hoinne says.
Gartner’s recommendations
Gartner recommends first defining a strategy and baseline identity processes and tools before embarking on a wider implementation program.
In addition, the firm urges organizations to tailor their zero-trust strategy to the organization and align it with threat mitigation. This should be piloted first with a smaller subset of people, devices and applications before being rolled out to the entire organization.
When purchasing new technology, organizations should first evaluate the vendor’s support for zero-trust capabilities. Be wary of vendors that claim to deliver complete zero-trust solutions, Gartner says.