Zero Trust Adoption: Where Are Enterprises Today?
Gartner Analyst John Watts Says Enterprises Must Reassess Zero Trust Strategies
Before generative AI took center stage, discussions in the security industry were primarily focused on zero trust and identity management. Today, many organizations that deploy zero trust may be "confused" as vendors resort to "overpromising and under-delivering" on zero trust solutions, said John Watts, vice president analyst at Gartner.
"The term 'zero trust' is too vague. What we recommend is you put a qualifier behind zero trust - zero trust strategy, zero trust architecture, a zero trust technology implementation - or a specific technology, like zero trust network access," Watts said at the Gartner Security and Risk Management Summit in Mumbai.
According to a July 2023 Gartner Hype Cycle report for Workload and Network Security, the zero trust strategy is projected to be five to 10 years away from reaching the Plateau of Productivity, when organizations will begin to witness productive gains from its adoption (see Image 1). In comparison, zero trust network access, or ZTNA, is projected to reach the Slope of Enlightenment, when organizations will begin to realize its value, in the next two to five years.
"ZTNA and microsegmentation are two technologies that are often deployed before the organization has a more formal strategy for zero trust," Watts said. "Many organizations are having to circle back on their zero trust tactical implementations and reassess their strategy. As a result of vendors overpromising and under-delivering, many organizations are resetting expectations and realizing they have work to do in 2024."
Watts said organizations will confront the ground realities as they plan to implement the technologies and realize the benefits of zero trust.
"Zero trust means more complexity, not less. Maintaining a set of just-in-time least privileged access rules for different accounts and resources can be complex," he said.
Gartner defines zero trust as a security paradigm that replaces implicit trust with continuously assessed explicit risk/trust levels, based on identity and context supported by security infrastructure that adapts to risk-optimize the organization's security posture.
"The problem is that attackers abuse the implicit trust that we have in our IT systems. A recent Gartner survey found that 80% of organizations are in a planning strategy, piloting implementation phases for zero trust. And they're doing so because it is one way that they're addressing this implicit attack surface and trying to address the outbreak of ransomware or the way that attackers are able to use our implicit trust to gain access," Watts said.
Watts advised organizations to build zero trust into their existing security life cycles (see Image 2). He acknowledged that most organizations are not deploying zero trust at scale across their entire environment. To do this, they need to plan well so that "the right technologies are applied in the right places," he said.
"Don’t forget about planning for overhead on security engineering and operations teams."
The final piece, according to Watts, is implementing metrics to measure risk. This introduces a feedback loop into the overall strategy and planning, allowing adjustments to be made along the way.
While almost every security vendor pitches zero trust, it is important to check the "zero-trustiness" of a product, Watts said. CISOs and CIOs should ask the vendor three questions:
- Does this product grant network access only after identity is established? This includes both user and device, and for networking, device is super-critical.
- Does this product limit network access only to necessary applications/resources?
- Does the product continuously and dynamically adjust access based on context and behavior, incorporating dynamic risk scoring based on device and user context to modify access rights in near real time?
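The three questions map onto three checks in an access decision. The sketch below is an added example, not code from Gartner or any vendor; the role table, signal names, weights and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed policy data: the applications each role needs (question 2).
ROLE_APPS = {"finance": {"erp", "payroll"}, "engineer": {"git", "ci"}}
STEP_UP, DENY = 30, 60  # assumed thresholds on a 0-100 risk score


@dataclass
class Context:
    user_authenticated: bool  # user identity established
    device_attested: bool     # device identity established
    role: str
    patched: bool             # device posture signal
    geo_anomaly: bool         # user behavior signal
    failed_logins: int        # user behavior signal


def risk_score(ctx: Context) -> int:
    """Combine device and user context into one score (weights are assumed)."""
    score = 0 if ctx.patched else 40
    score += 35 if ctx.geo_anomaly else 0
    score += min(ctx.failed_logins, 5) * 5
    return score


def decide(ctx: Context, app: str) -> str:
    """Evaluate one request; run on every context change, not only at login."""
    # Question 1: no access until both user and device identity are established.
    if not (ctx.user_authenticated and ctx.device_attested):
        return "deny:identity"
    # Question 2: default deny, allow only the applications the role needs.
    if app not in ROLE_APPS.get(ctx.role, set()):
        return "deny:not-needed"
    # Question 3: access rights follow the current risk score.
    risk = risk_score(ctx)
    if risk >= DENY:
        return "deny:risk"
    return "step-up" if risk >= STEP_UP else "allow"


def session_trace(contexts, app):
    """Re-evaluate the same session after each context update."""
    return [decide(ctx, app) for ctx in contexts]
```

A product that evaluates only the first check at connection time, and never re-runs the third, would answer "no" to the last question even if it is marketed as zero trust.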
The evolving landscape of security paradigms, particularly the rise of zero trust principles, underscores the dynamic nature of cybersecurity. The journey toward zero trust requires a multifaceted approach that goes beyond technological integration.