Editor’s note: This article is from John Watts, a vice president analyst at Gartner.
Most organizations view zero trust as a top priority when it comes to reducing risk in their environments. However, zero trust at scale across the entire organization is yet to become a reality for many organizations.
Zero trust is a security paradigm that explicitly identifies users and devices and allows them access to operate with minimal friction while still reducing risk. Zero trust requires organizations to think in terms of least privileged access, resource sensitivity and data confidentiality.
These concepts are not new. Many teams have tried to implement least privileged access controls in the past and experienced challenges as they expanded the scope and increased the granularity of controls.
Zero trust is not immune to these issues. Organizations must plan ahead and invest in people and resources to succeed with zero trust, and not view it as a one-time, one-size-fits-all answer to securing their organization.
To initiate zero-trust implementation, organizations can start by defining a strategy and baseline prior to embarking on a wider zero-trust technology implementation.
It is important to tailor the zero-trust strategy to the organization and align it to the types of attacks it is best positioned to mitigate, such as lateral movement of malware.
Zero trust will not be achieved with one technology, but with the integration of multiple different components.
The majority of organizations will implement zero trust as a starting point for security
Gartner predicts that over 60% of organizations will embrace zero trust as a starting place for security by 2025. However, more than half will fail to realize the benefits — initiating zero trust requires more than technology.
Due to the marketing pressures and hype around zero trust, security leaders are overwhelmed and struggle to translate the technical reality into business benefits.
There is a common misconception that “zero trust” refers to no one being trusted, but this is not the case. Rather, zero trust refers to trusting the “right” amount needed and no more. Security leaders must understand zero trust will protect them and their organization from any oversights that may happen.
When it comes to successfully launching zero trust within organizations, cybersecurity leaders must not attempt to execute zero trust programs with only technology controls. Zero trust is not a technology-first effort, but rather a shift in mindset and security approach.
Once this is understood, cybersecurity leaders will then need to secure executive backing and support. Gaining that support means showing how zero trust enables new business approaches and a more resilient environment that allows for more flexibility.
Failure to obtain this support will put zero trust programs at risk.
Cybersecurity leaders must accept the potential for complexity and interim redundancy to occur. Security teams will operate under a new, granular approach, but old controls will still be required. There may be conflicting goals between the old and new controls. These must be reconciled and continuously reviewed to avoid conflicts.
As organizations move from the hype of zero trust into reality, security leaders must pivot their focus from technology and marketing messaging to the cultural and security program of zero trust. Security leaders can set themselves up for success by setting realistic goals that align to both manageability and security objectives.
Position zero-trust programs in terms of desired business outcomes such as risk reduction, better end-user experience or improved flexibility to set realistic expectations about the scope and impact of zero-trust programs.
More organizations are implementing zero-trust programs, but measurability is needed
Currently, the majority of organizations are in the early stages of their zero-trust journey. While organizations are excited about the promise of zero trust, few are focused on its post-implementation realities.
Organizations that are further along in their zero-trust journey have encountered roadblocks implementing and maintaining least privileged access. To help avoid these roadblocks, invest in resources that will isolate and adhere to least privileged access policies for implemented controls. Investing in these resources will maintain a zero-trust posture after implementation.
Gartner predicts that by 2026, 10% of large enterprises will have a mature and measurable zero trust program in place, up from less than 1% today.
A zero-trust strategy must be driven by a business decision on how much investment an organization is willing to make in cybersecurity, and the amount of benefit derived from the investment. Zero-trust efforts become less tactical as organizations improve in explaining cybersecurity as a business investment.
There is no universal standard for measuring zero-trust maturity today; however, existing maturity models are a useful starting point.
For example, the U.S. Federal Government Cybersecurity and Infrastructure Security Agency (CISA) published a zero-trust maturity model designed to assist U.S. federal agencies as they develop strategies and implementation plans for zero trust.
Use such a model to track progress against the organization’s internal zero-trust goals and objectives. Prioritize this plan of action rather than adopting relative benchmark assessments from maturity models, as these benchmarks may not be comparable across organizations due to differences in scope and desired outcomes.
Moving from theory to practice with zero trust is challenging. It is easy to fall into the trap of deploying point zero-trust solutions without developing a strategy. A robust strategy is imperative and the only way to move beyond the marketing noise to ensure successful zero-trust implementation.