Zero trust is moving from hype to reality


Editor’s note: This article is from John Watts, a vice president analyst at Gartner. If you would like to submit a guest article, you can submit it here.

Most organizations view zero trust as a top priority when it comes to reducing risk in their environments. However, zero trust at scale across the entire organization has yet to become a reality for many of them.

Zero trust is a security paradigm that explicitly identifies users and devices and allows them access to operate with minimal friction while still reducing risk. Zero trust requires organizations to think in terms of least privileged access, resource sensitivity and data confidentiality. 

These concepts are not new. Many teams have tried to implement least privileged access controls in the past and experienced challenges as they expanded the scope and increased the granularity of controls.

Zero trust is not immune to these issues. Organizations must plan ahead and invest in people and resources to succeed with zero trust, and not view it as a one-time, one-size-fits-all answer to securing their organization.

To initiate zero-trust implementation, organizations can start by defining a strategy and baseline prior to embarking on a wider zero-trust technology implementation.

It is important to tailor the zero-trust strategy to the organization and align it with the types of attacks it is best positioned to mitigate, such as lateral movement of malware.

Zero trust will not be achieved with one technology, but with the integration of multiple different components. 

The majority of organizations will implement zero trust as a starting point for security

Gartner predicts that over 60% of organizations will embrace zero trust as a starting place for security by 2025. However, more than half will fail to realize the benefits — initiating zero trust requires more than technology.

Due to the marketing pressures and hype around zero trust, security leaders are overwhelmed and struggle to translate the technical reality into business benefits. 

There is a common misconception that “zero trust” refers to no one being trusted, but this is not the case. Rather, zero trust refers to trusting the “right” amount needed and no more. Security leaders must understand zero trust will protect them and their organization from any oversights that may happen.  

When it comes to successfully launching zero trust within organizations, cybersecurity leaders must not attempt to execute zero trust programs with only technology controls. Zero trust is not a technology-first effort, but rather a shift in mindset and security approach. 

Once this is understood, cybersecurity leaders will then need to receive executive backing and support. This support will show how zero trust enables new business approaches and a more resilient environment that allows for more flexibility.

Failure to obtain this support will put zero trust programs at risk. 

Cybersecurity leaders must accept the potential for complexity and interim redundancy to occur. Security teams will operate under a new, granular approach, but old controls will still be required. There may be conflicting goals between the old and new controls. These must be reconciled and continuously reviewed to avoid conflicts.

As organizations move from the hype of zero trust into reality, security leaders must pivot their focus from technology and marketing messaging to the cultural and security-program side of zero trust. Security leaders can set themselves up for success by setting realistic goals that align with both manageability and security objectives.

Position zero-trust programs in terms of desired business outcomes such as risk reduction, better end-user experience or improved flexibility to set realistic expectations about the scope and impact of zero-trust programs.

More organizations are implementing zero-trust programs, but measurability is needed

Currently, the majority of organizations are in the early stages of their zero-trust journey. While organizations are excited about the promise of zero trust, few are focused on its post-implementation realities. 


