A hologram with writing that says Zero Trust.
Image: Alexander/Adobe Stock

Ernest Hemingway said the best way to find out if you can trust someone is to trust them. This is terrible advice for network security, where zero trust, created nearly two decades ago by John Kindervag, has become a default for many organizations, particularly since the coronavirus pandemic and the advent of remote work.

Nevertheless, if zero trust constitutes an N-95 mask for malware and data exfiltration, companies are a bit slow to wear it. Gartner has released a report predicting that by 2026, only 10% of large enterprises will have a “mature and measurable zero-trust program in place.”

That percentage stands at less than 1% today, per the firm, which reported that while zero trust is top of mind for most organizations as a critical strategy to reduce risk, few organizations have actually completed zero-trust implementations.

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

Jump to:

A farewell to implicit trust

Many organizations established their infrastructure with implicit rather than explicit trust models to ease access and operations for workers and workloads, according to John Watts, VP Analyst at Gartner.

“The primary risk addressed by zero trust is to prevent attackers from taking advantage of implicit trust,” he said. “It helps limit the damage of attacks by better segmenting access so when an incident does occur, fewer resources and systems are affected. The damage caused by the infection of a vendor’s software installed within an environment can be contained to a smaller segment of trusted applications.”

He explained that implicit trust refers to workloads and devices extending too much trust for access by using limited factors — such as a request originating from a local IP address behind a perimeter firewall — when authorizing devices, workloads and accounts for access.

“Explicit trust refers to workloads and devices requiring more context (e.g., location, time, posture, successful multi-factor authentication) when authenticating and authorizing devices, workloads and accounts for access,” Watts said.

SEE: How a business email compromise attack exploited Microsoft’s multi-factor authentication (TechRepublic)

Have (or have not) a zero trust engine

Watts added that a working zero trust framework, including zero trust software, should be able to:

  • Identify and prevent scan and exploit attacks on internet facing applications and services intended for the extended workforce.
  • Prevent lateral movement of malware by limiting access to resources on a network rather than allowing open connections.
  • Deploy a risk and trust “engine” to control access.

Those engines are built on analytics parsing things like account activity, user authentication strength, device attributes and other parameters in near real time to calculate a risk score. If the risk score rises above a certain threshold, an action like isolating the device, forcing a second factor of authentication, or suspending a user’s account should kick in.

A moveable firewall

Zero trust implements many smaller perimeters around resources rather than one large perimeter, as with the traditional firewall model, but Watts noted zero trust is only one method of reducing risk. Scope is critically important in that not everything can be put behind a set of zero trust controls. For example, legacy systems such as mainframes or public facing applications for citizen and consumer usage are typically excluded from zero trust architectures.

Unfortunately, Gartner analysts also predicted that through 2026, more than half of cyberattacks will be aimed at areas that zero trust controls don’t cover and cannot mitigate, such as API threats.

Zero trust implementation is itself vulnerable to threats as well, such as insider attacks and account takeovers, per Watts, who said organizations must address this threat by implementing advanced analytics.

APIs: Islands in the threat stream

In a report last fall, the firm predicted that:

  • By 2025, less than 50% of enterprise APIs will be managed.
  • Through 2025, at least 70% of organizations will deploy specialized runtime protection only for the public-facing APIs they produce, leaving other APIs unmonitored and lacking API protection.
  • By 2026, 40% of organizations will select their web application and API protection provider based on advanced API protections and web application security features — up from less than 15% this year.

Finally, earlier this month, Gartner forecast that worldwide IT spending would hit $4.5 trillion in 2023, an increase of 2.4% from 2022, albeit down from the previous quarter’s forecast of 5.1% growth.

“While inflation continues to erode consumer purchasing power and drive device spending down, overall enterprise IT spending is expected to remain strong,” the firm reported.

You shouldn’t have to re-write “The Old Man and the Sea” to let staff know about new technologies, or changes to email security. Download these templates for making security alerts easy.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday