Zero-Trust Alone Won’t Save You

With all the chatter surrounding zero-trust, it seems mature initiatives should be chugging along by now. But Gartner just threw a bucket of reality on the market with its prediction that in three years, only one-tenth of large enterprises will have zero-trust programs in place that are mature and measurable.

John Watts, VP analyst, Gartner warned in a release that “CISOs and risk management leaders should not assume that zero-trust will eliminate cyberthreats. Rather, zero-trust reduces risk and limits impacts of an attack.”

That 10% does represent significant growth—only 1% of programs are mature and measurable today.

“The current assessment of the percentage of large enterprises with mature zero-trust programs at just 1% will be depressing to read for large organizations, who have spent millions on the latest zero-trust technologies,” said Claude Mandy, chief evangelist, data security, at Symmetry Systems. “No matter how damning it feels, it is, unfortunately, a fair assessment considering the holistic definition of zero-trust as outlined by Gartner.”

Many organizations have “established their infrastructure with implicit rather than explicit trust models to ease access and operations for workers and workloads. Attackers abuse this implicit trust in infrastructure to establish malware and then move laterally to achieve their objectives,” said Watts. “Zero-trust is a shift in thinking to address these threats by requiring continuously assessed, explicitly calculated and adaptive trust between users, devices and resources.”

Gartner’s warning comes as no surprise to security experts. “Zero-trust architectures (ZTAs) remain susceptible to social engineering exploits due to the complexity involved and so-called ‘shift-left’ approaches to security are falling short as many of the API exploits are actually occurring against authenticated APIs,” said Ted Miracco, CEO at Approov, who noted that “in the past, slowing down the attackers was sufficient to get out of danger, but today there is nowhere to hide from the determined hackers.”

When applications, especially mobile applications, are released “without the ability to perform real-time monitoring, application self-protection, over-the-air updates, new API keys,” it invites “danger as the API threats are growing dramatically in this space,” Miracco said.

A key gap “is the excessive amount of access to data provided to everyone in the organization, including machine identities,” said Mandy.

“The only way to limit the impact of an attack (or data blast radius) is by continuously assessing the amount of data access (including data accessible through APIs) and right-sizing it to reduce the implicit trust provided to users and machine identities,” said Mandy. “Unfortunately, maintaining least privilege like this remains challenging for all organizations.”

Noting that “zero-trust addresses a number of weaknesses presented by placing too much trust in an identity or a particular computer” and when “done well and done consistently … can provide a huge leap in overall risk reduction,” Christopher Hallenbeck, CISO, Americas, at Tanium, added that “Where zero-trust will struggle to help is where you have machine-to-machine or cloud-to-cloud, communication using APIs. API access is often quite permissive, so the theft of an API token or key can lead to bulk data theft.”

APIs, Hallenbeck said, “are meant to facilitate automated, high-volume transactions between systems, so differentiating between an attacker using stolen access and legit activity can be difficult.”
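Two of the points above lend themselves to a concrete defender-side check: Mandy's call to continuously measure data access and right-size it (the grants an identity holds but never uses), and Hallenbeck's observation that a stolen API key looks like the legitimate client, so request volume is one of the few signals left. The following is an added example, not code from the article or from any of the vendors quoted; the grant table, the access log and the token ids are constructed sample data, and the z-score threshold is an assumed tuning value.

```python
"""Added example: right-sizing data grants and flagging bulk pulls on a valid
API token, over a constructed access log. Not from the original article."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: datasets each identity (human or machine) is granted.
GRANTS = {
    "svc-reporting": {"orders", "customers", "invoices", "hr_records"},
    "svc-billing": {"invoices", "customers"},
    "alice": {"orders"},
}

# Constructed access log entries: (hour, identity, token_id, dataset, rows_returned).
# The last svc-reporting entry models a bulk pull made with a still-valid token.
ACCESS_LOG = [
    (0, "svc-reporting", "tok-r1", "orders", 120),
    (1, "svc-reporting", "tok-r1", "orders", 130),
    (2, "svc-reporting", "tok-r1", "customers", 90),
    (3, "svc-reporting", "tok-r1", "orders", 125),
    (4, "svc-reporting", "tok-r1", "customers", 95),
    (5, "svc-reporting", "tok-r1", "orders", 118),
    (6, "svc-reporting", "tok-r1", "orders", 122),
    (7, "svc-reporting", "tok-r1", "customers", 4800),
    (0, "svc-billing", "tok-b1", "invoices", 40),
    (3, "svc-billing", "tok-b1", "invoices", 45),
    (6, "svc-billing", "tok-b1", "invoices", 42),
    (2, "alice", "tok-a1", "orders", 10),
]


def unused_grants(grants, log):
    """Per identity, list granted datasets never touched in the log window.

    These are the right-sizing candidates: access that exists only as implicit
    trust and widens the data blast radius if the identity is compromised.
    """
    used = defaultdict(set)
    for _hour, identity, _token, dataset, _rows in log:
        used[identity].add(dataset)
    return {
        identity: sorted(granted - used[identity])
        for identity, granted in grants.items()
        if granted - used[identity]
    }


def bulk_pulls(log, z_threshold=3.0, min_events=5):
    """Flag entries whose rows_returned is far above that token's own history.

    Baseline is leave-one-out (mean and population stdev of the token's other
    requests) so a single huge pull cannot mask itself by inflating its own
    baseline. Tokens with too little history are skipped rather than guessed.
    """
    per_token = defaultdict(list)
    for entry in log:
        per_token[entry[2]].append(entry)

    flagged = []
    for token, entries in per_token.items():
        if len(entries) < min_events:
            continue  # not enough history to baseline this token
        for i, (hour, identity, _tok, dataset, rows) in enumerate(entries):
            others = [e[4] for j, e in enumerate(entries) if j != i]
            baseline = mean(others)
            spread = max(pstdev(others), 1.0)  # floor avoids divide-by-zero on flat history
            z = (rows - baseline) / spread
            if z > z_threshold:  # only excess volume matters here
                flagged.append({
                    "token": token, "identity": identity, "hour": hour,
                    "dataset": dataset, "rows": rows, "z": round(z, 1),
                })
    return flagged


if __name__ == "__main__":
    for identity, datasets in unused_grants(GRANTS, ACCESS_LOG).items():
        print(f"right-size {identity}: never used {datasets}")
    for hit in bulk_pulls(ACCESS_LOG):
        print(f"bulk pull on {hit['token']} ({hit['identity']}): "
              f"{hit['rows']} rows from {hit['dataset']} at hour {hit['hour']}, z={hit['z']}")
```

The two functions answer different questions. `unused_grants` is the access-reduction loop Mandy describes: run it over a real window of access logs and the output is the list of grants to revoke. `bulk_pulls` does not tell a stolen key from the real client, which is exactly Hallenbeck's point; it only surfaces the moment a valid credential starts behaving unlike its own history, which is the signal an analyst can act on.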

And “two of the biggest API threats that cannot be addressed with zero-trust include unknown APIs within the environment and API attacks that stem from authenticated users,” said Nick Rago, field CTO at Salt Security. “There can be a lot of confusion between API security and zero-trust. The reality is that even with a good zero-trust strategy, some API security risks can’t be mitigated by zero-trust.”

There are other methods that attackers can use “to bypass the security controls put in place by a zero-trust model,” said Steve Hahn, executive vice president at Bullwall. They include, he said, exploiting vulnerabilities in software and hardware, using stolen or compromised credentials, conducting spear phishing campaigns targeted at specific individuals, gaining physical access to devices and network infrastructure and using malware or other malicious software to gain access to systems and data.

“Organizations put themselves at risk if they rely solely on zero trust for API security. Many API risks can’t be mitigated by zero-trust due to the fact that APIs require access to function,” said Rago. “As a result, it’s not possible to ‘build’ zero-trust into API security. Rather, organizations need to recognize the weaknesses of zero-trust in API security and take steps to minimize the risks.”

Gartner urged CISOs and risk management leaders to help their organizations “complete the scope of their zero-trust implementations” by “developing an effective zero-trust strategy that balances the twin needs of security and running the business.

“It means starting with an organization’s strategy and defining a scope for zero-trust programs,” said Watts. “Once the strategy is defined, CISOs and risk management leaders must start with identity—it is foundational to zero-trust. They also need to improve not only technology but the people and processes to build and manage those identities.”

The people part of the equation is important to security, as well. “It is important for organizations to not only implement technical solutions but also to provide regular security awareness training to employees to help prevent these types of attacks and regularly monitor and assess their systems and networks for any signs of compromise,” said Hahn. “Lastly, organizations would be wise to invest in active attack containment, as preventative methods continue to come up short.”

It is difficult to quantify the maturity of a zero-trust program because “everyone’s goal post is different,” John Yun, vice president, product strategy, at ColorTokens, said. Yun stressed that microsegmentation “alone greatly reduces the risk of a breach by modern cyberattacks, provides early detection of stealthy lateral movements and, even in case of a breach, greatly reduces the blast radius by segmenting the networks.”

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.