The zero-trust approach to security promises to reduce threats and make successful attacks less damaging, but companies should not expect that implementing zero-trust principles will be easy or prevent most attacks, business intelligence firm Gartner said this week.
While interest in zero-trust architectures is high, only about 1% of organizations currently have a mature program that meets the definition of zero trust. The firm also estimates that only a 10th of all organizations will create a mature zero-trust framework by 2026, and by that time, those measures will end up only blocking or minimizing the impact of about half of all attacks.
Even so, moving from 1% to 10% is significant progress, says John Watts, vice president analyst at Gartner.
“That’s a relatively large increase,” he says. “[Ten percent] may seem low, but at the same time, right now, when we talk to clients, and we look at other industry data points, it doesn’t seem like there are many large organizations you can point to that have a mature and measurable zero-trust program.”
Zero-trust initiatives continue to be an aspirational goal for companies and their cybersecurity teams, with 80% of executives indicating that the strategy is a top priority and 77% increasing their budget for implementation, according to a 2022 survey published by the Cloud Security Alliance in June. A separate report published by Microsoft in 2021 found that 96% of security leaders considered zero trust critical to their success — and 76% were “in the process” of implementing a zero-trust initiative.
Turning Zero Trust Into Action
As companies mull their paths forward, they should recognize that getting to a comprehensive zero-trust architecture is not easy and will take time, says Christopher Hallenbeck, CISO for the Americas at Tanium, a provider of converged endpoint management.
“The process of migrating to zero trust can seem overwhelming, and it often causes paralysis,” he says. “I’m surprised the [forecasted] number is as high as 10%. While many organizations have zero-trust aspirations, few have made holistic changes to fully embrace it.”
It can also be confusing, given the widespread use of “zero trust” in the marketing of cybersecurity products and services.
In a prior Insights report, Gartner pushed back against the overzealous use of the term. Neil MacDonald, a distinguished vice president and analyst at the firm, said that zero trust requires that the degree of trust granted to users and devices need be explicitly granted, continuously calculated, and then adapted to allow the right amount of access only for as long as necessary.
“Zero trust is a way of thinking, not a specific technology or architecture,” he said. “It’s really about zero implicit trust, as that’s what we want to get rid of.”
While the notion of removing implicit trust from enterprise computing infrastructure is a good one, the architecture is difficult and time-consuming to implement and does not solve all problems, the analyst firm stated as part of this week’s post.
As such, organizations need to move to integrating zero-trust initiatives into specific pieces of their operations, Hallenbeck notes.
“You need to configure each system to bring it under zero trust and should prioritize those systems holding the most sensitive information,” he says. “It all comes down to knowing what you have in order to form a plan.”
Know the Limits of Zero Trust
Indeed, knowing the scope and limits of zero trust is critical, Gartner’s Watts says. The architecture and technologies used in zero-trust implementations are good for blocking lateral movement and containing the impact of an initial breach. However, companies should not expect a zero-trust service to prevent compromises of consumer-facing systems.
Anything that’s intended for consumer consumption and exposed to the Internet, where anybody can find and try to use the service, is not a candidate for zero trust and not in scope for a company’s initiatives, Watts says. Attackers are already starting to bypass some identity and authentication techniques, such as last year’s compromise of Rockstar Games through spear-phishing and an internal collaboration platform. They will continued to find entry points that are not controlled by zero-trust protections, or they will focus on the weakness of zero trust, he says.
The firm, in fact, predicts that by 2026, zero trust will not be able to prevent more than half of all cyberattacks.
Still, adopting zero-trust frameworks will eventually pay off, Tanium’s Hallenbeck says. A company with a mature zero-trust program knows “what systems [they] have and where data lives,” he says. In that way, even if an attacker bypasses a zero-trust protection, the organization can limit the damage by limiting the attacker’s access to internal systems and data.
“We’re just starting to move past this phase, from where every vendor tells you they can solve all your zero-trust problems, and into the space where organizations now are implementing more zero-trust controls,” Watts says. “They’re facing a reality of both good and bad, right? And it’s not all good, and it’s not all bad.”