According to Gartner, fewer than 10% of large enterprises will have a "mature and measurable" Zero Trust program in place by 2026, and even those that do will increasingly find its controls unable to mitigate the impact of attacks. Gartner warned that over the next three years, more than half of all cyber-attacks will focus on areas that Zero Trust controls don't cover and can't mitigate. Despite this, Gartner said that the approach will still offer a valuable way to reduce risk and limit the impact of many threats. We heard from two security experts on how this research from Gartner should be interpreted by the industry and whether Zero Trust is still a viable approach to security strategy.

Ted Miracco, CEO, Approov:
"Zero-trust architectures (ZTAs) remain susceptible to social engineering exploits due to the complexity involved, and so-called 'shift-left' approaches to security are falling short as many of the API exploits are actually occurring against authenticated APIs. In the past, slowing down the attackers was sufficient to get out of danger, but today there is nowhere to hide from the determined hackers.

Releasing applications, especially mobile applications, without the ability to perform real-time monitoring, application self-protection, over-the-air updates, and new API keys is inviting danger, as the API threats are growing dramatically in this space."
Christopher Hallenbeck, CISO, Americas, Tanium:
"Information security is a cat-and-mouse game. You'll ideally improve security in one or more areas, which after a while will cause attackers to identify new avenues of attack.

Zero Trust addresses a number of weaknesses presented by placing too much trust in an identity or a particular computer. Done well and done consistently, it can provide a huge leap in overall risk reduction. Where Zero Trust will struggle to help is where you have machine-to-machine or cloud-to-cloud communication using APIs. API access is often quite permissive, so the theft of an 'API token'/key can lead to bulk data theft.

APIs are meant to facilitate automated, high-volume transactions between systems, so differentiating between an attacker using stolen access and legit activity can be difficult."