Gartner: Zero trust is an important strategy for reducing risk; however, few companies have actually implemented zero trust to date.
Gartner analysts predict that, through 2026, more than half of cyberattacks will target areas that zero-trust controls do not cover and cannot mitigate. They define zero trust as a security paradigm that explicitly identifies users and devices and grants them only the access they are entitled to, thereby reducing risk.
“Many organizations have set up their infrastructure with implicit rather than explicit trust models to make it easier for employees and workloads to access and operate. Attackers abuse this implicit trust in infrastructure to inject malware and then move laterally to achieve their goals,” said John Watts, analyst at Gartner. “Zero trust is a shift in thinking to address these threats by requiring continuously assessed, explicitly calculated and adaptive trust between users, devices and resources.”
Defining frameworks for zero trust programs
To help organizations scope and complete their zero-trust implementations, it is critical that CISOs and risk management leaders begin by developing an effective zero-trust strategy that balances the need for security with the need to run the business.
“That means starting with an organization’s strategy and defining a framework for zero-trust programs,” Watts said. “Once the strategy is defined, CISOs and risk management leaders need to start with identity – it’s the foundation for zero trust. They need to improve not only the technology, but also the people and processes to create and manage those identities. However, they should not assume that zero trust eliminates all cyber threats. Rather, zero trust reduces risk and only limits the impact of an attack.”