Tech research and consulting firm Gartner Inc. predicted that more than half of cyber threats would target vulnerabilities that zero trust controls do not cover or cannot mitigate due to the expanding enterprise attack surface.
Unlike traditional network security, which focuses on defending the perimeter, the zero trust security model explicitly identifies users and devices and grants them only enough access to operate with minimal friction and risk.
Despite its effectiveness and the current marketing hype, Gartner warned that zero trust uptake was slow, and threat actors were shifting focus to areas beyond zero trust coverage.
Sluggish zero trust adoption
Gartner found that although most organizations were considering zero trust, only a few had complete zero-trust implementations.
Despite the slow uptake, the number of organizations with mature zero trust programs will increase tenfold within three years.
Gartner predicted that 10% of large enterprises will have a mature and measurable zero trust program in place by 2026 from the current 1%.
The slow adoption is despite the support boost by the US presidential executive order on cybersecurity that required federal agencies to reduce the attack surface by adopting the explicit access authorization strategy.
“From my experience, I have yet to meet large enterprises who do not have a zero trust initiative of some sort,” said John Yun, Vice President, Product Strategy at ColorTokens. “I think the bigger question is how you define mature zero trust implementation. It is common for organizations to implement zero trust in multiple stages.”
Evidently, most organizations still consider the strategy critical for reducing the attack surface, which could accelerate future adoption.
“Zero trust addresses a number of weaknesses presented by placing too much trust in an identity or a particular computer,” said Hallenbeck. “Done well and done consistently, it can provide a huge leap in overall risk reduction.”
Threat actors will expand the attack surface beyond zero trust coverage
According to Jeremy D’Hoinne, the VP Analyst at Gartner, attackers would shift their attention to areas barely covered by zero trust, such as public-facing APIs, social engineering, or vulnerabilities created by employees attempting to bypass stringent zero-trust policies.
According to Steve Hahn, Executive VP at BullWall, other methods that hackers could use to bypass zero trust protections include:
Exploiting vulnerabilities in software and hardware
Using stolen or compromised credentials
Conducting spear-phishing campaigns targeted at specific individuals
Gaining physical access to devices and network infrastructure
Using malware or other malicious software to gain access to systems and data
“Information security is a cat and mouse game,” said Christopher Hallenbeck, CISO, Americas at Tanium. “You’ll ideally improve security in one or more areas, which after a while will cause attackers to identify new avenues of attack.”
Progressively reducing the attack surface through zero trust
Gartner recommends that “chief information security officers (CISOs) and risk management leaders start by developing an effective zero-trust strategy which balances the need for security with the need to run the business.”
Additionally, organizations should apply zero trust first to the most critical assets, where it delivers the greatest return in risk mitigation.
Next, organizations should run continuous threat exposure management (CTEM) to create an inventory of the attack surface and optimize their models for threats beyond the scope of zero trust architectures.
“It means starting with an organization’s strategy and defining a scope for zero trust programs,” Watts explained.
“Once the strategy is defined, CISOs and risk management leaders must start with identity – it is foundational to zero trust. They also need to improve not only technology, but the people and processes to build and manage those identities.”
However, many organizations’ infrastructure was conceived with implicit trust in mind, which complicates zero trust adoption and is likely to cause disruptions for which many organizations are unprepared.
Zero trust cannot address all security risks
Gartner acknowledged that zero trust is not the silver bullet that solves all organizations’ security needs.
“However, CISOs and risk management leaders should not assume that zero trust will eliminate cyberthreats. Rather, zero trust reduces risk and limits impacts of an attack,” said John Watts, VP Analyst at Gartner.
“Lateral movement is extremely difficult to detect without a zero trust solution since, by design, it is stealthy and can span days or weeks between movements to evade detection,” said Yun. “Since zero trust, by its nature, does not assume trust, whether inside the network or not, it can enforce only business-approved movement or connections.”
According to Hahn, zero trust alone cannot stop attacks. In addition to technical solutions, organizations should regularly conduct security awareness training and monitor and assess their systems for compromise.