By 2026, 10% of large enterprises will have a mature and measurable zero-trust programme in place, up from less than 1% today, predicts Gartner, a technological research and consulting firm.

Although zero trust is top of mind for most organisations as a critical strategy to reduce risk, few organisations have actually completed zero-trust implementations.

Gartner defines zero trust as a security paradigm that explicitly identifies users and devices and grants them just the right amount of access so the business can operate with minimal friction while risks are reduced.

Implicit trust models

“Many organisations established their infrastructure with implicit rather than explicit trust models to ease access and operations for workers and workloads. Attackers abuse this implicit trust in infrastructure to establish malware and then move laterally to achieve their objectives,” said John Watts, VP Analyst at Gartner. “Zero trust is a shift in thinking to address these threats by requiring continuously assessed, explicitly calculated and adaptive trust between users, devices and resources.”

To help organisations complete the scope of their zero-trust implementations, it is critical that chief information security officers (CISOs) and risk management leaders start by developing an effective zero-trust strategy which balances the need for security with the need to run the business.

“It means starting with an organisation’s strategy and defining a scope for zero-trust programmes,” said Watts. “Once the strategy is defined, CISOs and risk management leaders must start with identity - it is foundational to zero trust. They also need to improve not only technology, but the people and processes to build and manage those identities.

Cyberthreats

“However, CISOs and risk management leaders should not assume that zero trust will eliminate cyberthreats. Rather, zero trust reduces risk and limits impacts of an attack.”

Gartner analysts predict that through 2026, more than half of cyberattacks will be aimed at areas that zero- trust controls don’t cover and cannot mitigate.

“The enterprise attack surface is expanding faster and attackers will quickly consider pivoting and targeting assets and vulnerabilities outside of the scope of zero-trust architectures (ZTAs),” said Jeremy D’Hoinne, VP Analyst at Gartner.” This can take the form of scanning and exploiting of public-facing APIs or targeting employees through social engineering, bullying or exploiting flaws due to employees creating their own “bypass” to avoid stringent zero-trust policies.”

Risk mitigation

Gartner recommends that organisations implement zero trust to improve risk mitigation for the most critical assets first, as this is where the greatest return on risk mitigation will occur. However, zero trust does not solve all security needs. CISOs and risk management leaders must also run a continuous threat exposure management (CTEM) programme to better inventory and optimise their exposure to threats beyond the scope of ZTA.

Copyright 2022 Al Hilal Publishing and Marketing Group Provided by SyndiGate Media Inc. (Syndigate.info).