Check out all the on-demand sessions from the Intelligent Security Summit here.
Few security bandwagons have gathered as much interest and momentum as zero trust. In fact, 97% of companies either have a zero-trust initiative in place or plan to implement one in the next 12 to 18 months. Yet a new report released by Gartner this week suggests that zero trust isn’t a silver bullet or a fix-all solution.
The research warns that by 2026, 50% of cyberattacks will target areas that are not or cannot be protected by zero-trust controls, such as public-facing APIs and social engineering scams.
The report also highlights that zero-trust maturity is a long way off for most organizations. It estimates that just 10% of large enterprises will have a mature and measurable zero-trust program in place by 2026, an increase from just 1% today.
When considered together, the challenges in achieving zero-trust maturity and the growing trend of API-based threats and social engineering attacks highlight that organizations can’t afford to rely on a single security framework to secure their environments.
Intelligent Security Summit On-Demand
Learn the critical role of AI & ML in cybersecurity and industry specific case studies. Watch on-demand sessions today.
What’s wrong with zero trust?
At the heart of Gartner’s prediction that zero trust will become less effective is that threat actors are targeting segments of the cloud attack surface, which are difficult to protect with access controls alone.
“The enterprise attack surface is expanding faster and attack[er]s will quickly consider pivoting and targeting assets and vulnerabilities outside of the scope of zero-trust architectures (ZTAs),” said Jeremy D’Hoinne, VP analyst at Gartner.
“This can take the form of scanning and exploiting of public-facing APIs or targeting employees through social engineering, building or exploiting flaws due to employees creating their own “bypass” to avoid stringent zero-trust policies,” D’Hoinne said.
Organizations can apply zero-trust controls and multifactor authentication to APIs, with potentially thousands of APIs being provisioned and deprovisioned throughout the enterprise. But this approach is difficult to scale.
On the plus side, while zero trust can’t prevent social engineering and phishing scams from gaining a user’s online login ID and password, it can help to implement the principle of least privilege and limit the amount of data that an intruder has access to.
However, if D’Hoinne is correct that the exploitation of public-facing APIs is outside the scope of zero trust, then this is a significant oversight, particularly considering that based on Gartner’s own research, by 2023, API abuses will move from infrequent to the most frequent attack vector.
It’s also a weakness that security teams can’t afford to overlook, particularly after Twitter and T-Mobile experienced API breaches that resulted in the exposure of the personal information of millions of users.
Addressing the API security challenge
At the very least, organizations need to start investing in API security capabilities if they want to mitigate risk. In practice, that means deploying systems to generate an inventory of public-facing APIs, identifying vulnerabilities and fixing them before an attacker has a chance to exploit them.
Past Forrester research has highlighted the need for organizations to move away from protecting APIs with a perimeter-based security approach, and to start instead embedding security into the development of APIs and proactively verifying connections.
“Authenticate everywhere; design explicit chains of trust as an integral part of API development and deployment pipelines,” the report said.
However, Ted Miracco, CEO of API and mobile app protection provider Approov, argues that shift-left approaches to API security have some serious weaknesses.
“So called ‘shift-left’ approaches to security are falling short, as many of the API exploits are actually occurring against authenticated APIs. In the past, slowing down the attackers was sufficient to get out of danger, but today there is nowhere to hide from the determined hackers,” Miracco said.
For Miracco, the solution is to implement continuous, real-time monitoring of APIs to secure the attack surface.
“Releasing applications, especially mobile applications, without the ability to perform real-time monitoring, application self-protection, over-the-air updates [and] new API keys is inviting in danger, as the API threats are growing dramatically in this space,” Miracco said.
Other limitations of zero trust
While zero trust provides a strong model for managing data access within a perimeter-based network, it’s not a one-stop-shop for risk mitigation. “Even if an enterprise fully implements a zero-trust model, it does not guarantee complete protection against cyberattacks,” said Steve Hahn, Executive VP at BullWall.
Hahn argues that API exploitation, social engineering, hardware and software vulnerabilities, stolen or compromised credentials, spear phishing campaigns, malware, and physical access to devices and network infrastructure can all be used to bypass zero-trust controls to access systems and data.
As a result, organizations need to supplement the controls offered by zero trust with additional security measures to optimize their cyber-resilience.
“It is important for organizations to not only implement technical solutions but also to provide regular security awareness training to employees to help prevent these types of attacks, and regularly monitor and assess their systems and networks for any signs of compromise. Lastly, organizations would be wise to start investing in active attack containment, as preventive methods come up short,” Hahn said.
The real role of zero trust: Risk reduction
Going forward, the true role of zero trust isn’t to eliminate cyber-risk completely, but to increase cyber-resilience and help organizations implement risk reduction in the enterprise.
In its conclusion, the report argues that organizations should implement zero trust to enhance risk mitigation for critical assets first, to generate the greatest returns. But it also notes that CISOs should implement a system of continuous threat exposure management (CTEM) to create an inventory of threats outside the remit of zero trust.
By combining the zero-trust framework with a CTEM program, organizations can identify and mitigate risks as they emerge and commit to making continuous improvements to their overall security posture.
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.