The research firm’s forecast comes as a reminder that the zero trust security model, an increasingly popular approach to information security that means distrusting all devices by default, has its limits. What’s more, Gartner predicts that only 10% of large enterprises will have a mature and measured zero-trust program in place by 2026, compared with less than 1% now.
“Zero trust is at this peak of inflated expectations, so we should see some rationalization of the hype this year,” Gartner vice president and analyst John Watts told SDxCentral. “If there’s too much focus on zero trust and not enough on things like compliance, and data security, and identity management, and security operations, and the other parts that are important, then there will be a disappointment because if someone’s expecting zero trust to kind of be that magic solution that will solve all of their security problems,” Watts added.
John Yun, vice president of product strategy at zero trust cybersecurity firm ColorTokens, told CPO Magazine that in his experience, all large organizations have at least “some sort” of zero trust program. He said businesses often “implement zero trust in multiple stages.”
Jeremy D’Hoinne, another vice president and analyst at Gartner, told CPO that likely attack vectors not protected by zero trust include public-facing APIs, social engineering and risks created by workers trying to skirt tough zero-trust rules.
Steve Hahn, executive vice president at ransomware cybersecurity firm BullWall, added that hackers may also dodge zero trust by taking advantage of hardware and software vulnerabilities, using ill-gotten credentials, running spear-phishing campaigns against particular individuals, getting physical access to devices and using malware. Ted Miracco, CEO at mobile app security firm Approov, told Security Boulevard that “in the past, slowing down the attackers was sufficient to get out of danger, but today there is nowhere to hide from the determined hackers.”