Gartner Reprint https://www.gartner.com/doc/reprints?id=1-2C771V39&ct=230105&st=sb

Licensed for Distribution

Predicts 2023: Zero Trust Moves Past Marketing Hype Into Reality
Published 6 December 2022 - ID G00780267 - 18 min read

By John Watts, Jeremy D'Hoinne, and 2 more

A majority of organizations have established a zero-trust strategy for information security. Our
predictions help SRM leaders move past marketing to define what success looks like and plan
to implement zero trust at scale within their organization.

Overview
Key Findings
• Zero trust is top of mind for most organizations as a critical strategy to reduce risk in their
environments, but very few organizations have completed the scope of their zero-trust
implementations.

• Zero trust addresses specific risks in the environment, such as restricting lateral movement on
networks and limiting third party and insider threat damages, but not all risks are addressed by
a zero-trust posture.

• Moving from theory to practice with zero trust is challenging. It is easy to fall into the trap of
deploying point zero-trust solutions without developing a strategy, resulting in failed zero-trust
project attempts.

Recommendations
• Define a zero-trust strategy and baseline identity processes and tools first before embarking on
a wider zero-trust technology implementation.

• Tailor fit a zero-trust strategy to the organization that aligns zero trust to threat mitigation and a
realistic scope for a zero-trust architecture starting with a smaller subset of people, devices and
applications before wider implementations.

• Evaluate existing providers for their support for zero-trust capabilities before evaluating and
purchasing additional technologies. Be wary of vendors promising to deliver a complete
zero-trust solution.

Strategic Planning Assumptions

• By 2026, 10% of large enterprises will have a comprehensive, mature and measurable zero-trust
program in place, up from less than 1% today.

• Through 2026, more than half of cyberattacks will be aimed at areas that zero-trust controls do
not cover and cannot mitigate.

• By 2027, 20% of organizations will shortlist the same vendor for ZTNA and micro segmentation,
up from less than 5% in 2022.

• Over 60% of organizations will embrace zero trust as a starting place for security by 2025. More
than half will fail to realize the benefits.

Analysis
What You Need to Know
Zero trust is a popular term, but confusing for many organizations. Gartner defines zero trust as a
security paradigm that explicitly identifies users and devices, and grants them just the right
amount of access so the business can operate with minimal friction while risks are reduced. Zero
trust can be applied as a mindset or paradigm, strategy or implementation of specific
architectures and technologies (see Figure 1).

Figure 1. Zero-Trust Terminology

The idea of implementing least privileged access controls to enterprise resources using real-time,
contextual-based controls appeals to organizations looking to stem the onslaught of threats faced
on a daily basis. Organizations that adopt zero-trust technologies like ZTNA often do so to
support a hybrid remote workforce, or as a direct response to the failure of their perimeter security
controls [1]. Malware takes advantage of stolen credentials and implicit trust granted between
organizational assets, providing vectors for infection and lateral movement. Security vendors have
seized this opportunity to repackage existing technologies, as well as introduce new technologies
promising to reduce breaches and incidents for organizations willing to invest in new ways of
securing their environments.

A zero-trust posture, however, is not achieved with a single technology. A mature, widely deployed
implementation demands integration and configuration of multiple different components — often
requiring additional budget and program-level, multiyear implementation efforts. MIT Lincoln
Laboratory indicates it takes three to five years for organizations to implement zero trust at
scale [2], while Google’s BeyondCorp whitepapers indicate that its migration to BeyondCorp took
years [3]. A high-level zero-trust architecture is represented in Figure 2.

Figure 2: Zero-Trust Architecture

Zero trust requires organizations to think in terms of least privileged access, resource sensitivity
and confidentiality of data secured within the zero-trust architecture. These concepts are not new.
Many teams have tried to implement least privileged access controls in the past and experienced
challenges as they expanded the scope and increased the granularity of controls. Zero trust is not
immune to these issues. Organizations must plan ahead and invest in people and resources to
succeed with zero trust, and not view it as a one-time, one-size-fits-all answer to securing their
organization.

Strategic Planning Assumptions

Strategic Planning Assumption: By 2026, 10% of large enterprises will have a mature and
measurable zero-trust program in place, up from less than 1% today.

Analysis by: John Watts

Key Findings:

• Organizations implementing zero trust may implement technology controls, but have no idea
how to quantify how much risk has been mitigated and how much residual risk remains.

• Boards of directors often have a disconnect with a CISO on risks to the organization and may not
understand how much value they receive for their investment in zero trust.

• Many zero-trust definitions, principles and maturity models exist and cannot be universally
applied to all organizations.

Market Implications:

Zero-trust strategy must be driven by a business decision on how much investment an
organization is willing to make, and the amount of benefit derived from the investment. As
organizations improve their capabilities in explaining cyber security as a business investment,
zero-trust efforts will become less tactical and reactive, and more structured, proactive, scoped
and measured alongside other program-level security efforts.

Vendors are heavily marketing zero trust and organizations like the U.S. Department of Defense [4]
and CISA [5] have applied zero-trust concepts to every domain and resource tied to an organization.
There are few standards both for zero-trust protocols and technologies (e.g., standard policy
definition languages) and operational metrics to measure the effectiveness of zero trust. Vendors
often cite their own maturity models and benchmarking services oriented around their specific
product offerings. As a result, benchmarking of zero-trust posture is difficult at best with no
universal standard for everyone to follow.

Scope and maturity are another critical issue. Organizations must define what is in scope for zero
trust and what level of sophistication zero-trust controls should reach. Not every organization
should strive for the highest levels of maturity in zero-trust controls across all assets. There are
diminishing returns to zero-trust control effectiveness.

• Removing applications from internet visibility results in a significant reduction of risk from the
most common types of attacks against web applications: external hacking and DDoS attacks [6].

• Further limiting device access to applications, rather than full network access, reduces the risk of
lateral malware propagation.

• Applying continuous, context-based risk-adjusted access policies goes one step further and
may be appropriate for the most sensitive resources and risky users.

Organizations must factor in the advanced capabilities of zero-trust technologies with other
controls in place to understand the trade-off with hard dollar costs, complexity and administrative
overhead — both for configuration and troubleshooting end-user productivity impacts.

Gartner estimates that a majority of organizations are in the beginning stages of their zero-trust
journey. Gartner clients are excited about the promise of zero trust, but few are focused on the
post-implementation realities of zero trust. Organizations who are further in their journey report
roadblocks with complexity of multiple policy definitions and policy engines across disparate
vendors with little to no standardization. Implementing and maintaining least privileged access
has historically been difficult across IT environments, and zero-trust policies are no exception.
Currently, there is a lack of zero-trust assurance testing tools and services to help organizations
ensure that resources are fully isolated within zero-trust controls, and that the intended policies
are being enforced.

Recommendations:

• Do not assume that zero trust will eliminate cyberthreats, but quantify how much damage it can
limit. Use cyber risk quantification techniques and outcome-driven metrics (ODM) to
communicate zero-trust investments to the organization.

• Implement zero trust to improve risk mitigation for the most critical assets first, as this is where
the greatest return on risk mitigation will occur.

• Complement zero trust with other preventive security strategies, such as planning for cyber
resilience and continuous threat and exposure management (CTEM).

• Build your own maturity model derived from other existing models, such as the CISA maturity
model or vendor-specific models to track progress against the organization’s internal zero-trust
goals and objectives. This should be done rather than adopting relative benchmark
assessments from maturity models, which are not tailored for your organization.

• Invest in the resources required to maintain a zero-trust posture after implementation, including
testing for resource isolation and adherence to least privileged access policies for implemented
controls.

Related Research:

Cyber-Risk Appetite: How to Put the ‘Business’ in ‘Managing Cybersecurity as a Business Decision’

Drive Business Action With Cyber Risk Quantification

The Gartner Cybersecurity Business Value Benchmark, First Generation

Prepare for New and Unpredictable Cyberthreats

Strategic Planning Assumption: Through 2026, more than half of cyberattacks will be aimed at
areas that zero trust controls don’t cover and cannot mitigate.

Analysis by: Jeremy D’Hoinne, John Watts

Key Findings:

• Organizations rarely fully realize the scope and limits of zero-trust architecture. Early
implementations of technologies tagged as zero trust show the promise of reduced and limited
impacts of incidents, but typically not all devices, users and resources can be in scope for a
zero-trust project.

• Attackers typically choose the path of least resistance, and will pivot to easier methods and
new techniques to bypass improved security controls, such as zero-trust architecture (ZTA).

• The technologies required to implement ZTA are not fully mature, leaving implementation gaps
that attackers could also exploit.

• Abuse by trusted third parties, insider threats, targeted account takeover attacks, DDoS attacks
against the security infrastructure or vulnerabilities in zero-trust architecture components
themselves are several potential attack paths that must be addressed — even in a fully
implemented ZTA.

Market Implications:

Zero-trust architecture (ZTA) projects are heavy-lifting projects, mobilizing resources and requiring
multiyear investments. The high expectations resulting from the industry hype around zero
trust and vendors’ aggressive promises overshadow the limits of what ZTA can achieve, even
if the documentation exists [7].

The enterprise attack surface expands faster and extends beyond what
zero-trust architecture can protect.

The combination of expanding and underprotected attack surface outside of the scope of ZTA,
attackers pivoting to more profitable and easier to exploit attacks — and flaws in ZTA
implementations — will leave organizations at risk.

As demonstrated numerous times in the past, Gartner expects attackers to pivot and target assets
and vulnerabilities outside of the scope of ZTA [8]. This could take the form of:

• Increased attacks leveraging legitimate credentials

• Pivoting to service credentials that might not be monitored by the security controls that are
part of the ZTA

• Scanning and exploiting of public-facing APIs

• Targeting employees more directly through social engineering, coercion or exploiting flaws due
to employees creating their own “bypass” to circumvent too stringent ZT policies

Credential theft and phishing/social engineering can directly exploit remote workers who may be
more prone to directly transfer money, or have credentials stolen and used against assets not
protected by zero-trust controls.

Additionally, as the technologies required to fully implement zero trust are also not all mature,
organizations also face the dilemma of selecting consolidated platforms for easier
implementation or selecting the best components and facing potentially higher costs [9]. This could
lead to gaps in the implementation that attackers would also exploit. The cost of managing
fine-grained access policy grows exponentially as the number of assets and user personas increases.

Recommendations:

• Communicate clearly with ZT sponsors, IT and business stakeholders about the scope and
limits of ZTA, and highlight the discrepancies in maturity for the technologies required.

• Balance priorities, investment and resources across ZTA and defenses against threat vectors
outside of ZTA scope.

• Run a continuous threat exposure management (CTEM) program to better inventory and
optimize your exposure to threats beyond the scope of ZTA.

• For externally exposed and unmanaged or unidentified assets, use a CTEM approach to identify
the best candidates for risk reduction by bringing them into the zero-trust architecture, and
which require a different approach.

Related Research:

How to Respond to the 2022 Cyberthreat Landscape

Prepare for New and Unpredictable Cyberthreats

Implement a Continuous Threat Exposure Management (CTEM) Program

Strategic Planning Assumption: By 2027, 20% of organizations will shortlist the same vendor for
ZTNA and micro segmentation, up from less than 5% in 2022.

Analysis by: Dale Koeppen

Key Findings:

• Forward-leaning organizations who have a mature zero-trust strategy are seeking a simplified
and unified approach to deploying zero-trust technology policies throughout the organizations.

• Maintaining multiple zero-trust policy sets within disparate zero-trust technologies creates a
complex operating model and increases administrative cycle times.

• Vendors’ lack of integration through a management plane and poor cross-platform
collaboration unnecessarily duplicates the available telemetry and increases troubleshooting
time.

• Organizations who adopt microsegmentation to isolate applications at runtime also seek
secure ways to enable privileged users, including third parties and contractors offering DevOps
support, to access and protect workloads running within the microsegmented environment.

• Zero-trust network access (ZTNA) and microsegmentation will potentially replace network
access control (NAC) and software-defined networking (SDN), and this has accelerated
zero-trust technology providers' efforts to offer cross-collaboration platforms for a unified
zero-trust policy approach.

Market Implications:

Organizations are embracing a strategic and operational shift toward zero trust, and interest in
supporting zero-trust architectures and technologies was well underway by late 2021 [10]. As
enterprises continue to accelerate their zero-trust architectural plans and
progress beyond the strategic planning phase — and move into practical implementation projects
— gaps remain between the buyer requirements and the supplier capabilities.

Gartner sees zero-trust network access as a great starting point for an enterprise rollout of zero
trust. The primary use case for ZTNA today is risk mitigation and protection for remote workers,
and fewer vendors are addressing desk-bound users, on-premises network resources or
workload-to-workload communication. Agent-based ZTNA is increasingly deployed as part of a larger SASE
architecture or SSE offering for the extended workforce to implement zero trust at the edge of the
organization.

Applications have also evolved from monolithic architecture to a microservices-based
architecture, with the applications moving from traditional physical or virtual machines to
disaggregated infrastructure. This creates the need to apply granular controls that are closer to
the workloads, and to the end users, for complete end-to-end visibility and is increasingly desirable
for organizations over traditional segmentation methodologies. Microsegmentation provides this
level of control by abstracting the firewall function and placing it closer to the individual
workloads. However, microsegmentation technologies typically lack the ZTNA capabilities for
securing end-user remote access.

Buyers for zero-trust technologies are seeking to improve the security posture throughout the
organization, mitigate the risk of unsanctioned lateral traffic movement and lower the operational
complexity and management. Clients, however, should not do this at the expense of solutions that
are difficult to manage. To achieve a full zero-trust strategy, an organization would need to at least
address the remote access users, the on-premises users and workload-to-workload connectivity,
which would require the deployment of both ZTNA and microsegmentation.

Some early adopters of ZTNA and microsegmentation identified a challenge between the
disparate zero-trust solutions, where maintaining multiple but similar policy sets within the
individual technology products created unnecessary operational management overheads. Buyers
are seeking a single vendor, a single integration and a single management interface which, when
combined, lowers overall architectural complexity. Vendor solutions should provide a
management plane that supports access controls, such as RBAC and ABAC, including strategic
views for zero trust. This would provide assurances within the various layers of the IT
departments that their organizations have clear visibility into workloads, users and endpoints for
what is and isn’t isolated from a policy compliance standpoint. A unified ZTNA and
microsegmentation solution would appeal to larger organizations, where IT teams are siloed, providing
high-level architectural risk insights, microsegmentation views for system admins and app teams,
and ZTNA views for security/endpoint teams.

Recommendations:

• Select fewer vendors when possible for implementing zero-trust solutions to reduce operational
cycles and troubleshooting based on maturity and requirement.

• Identify partnerships or vendors who offer both ZTNA and microsegmentation options today,
even if they are not fully unified agents or policy engines.

• Ask vendors for their long-term roadmap and vision for simplified zero-trust policy definition,
fewer agents and automation to keep up with a changing dynamic environment.

• Define high-level zero-trust policies in an abstract set of definitions today in anticipation that
these rules can be translated into more unified policies in the future.

• Favor vendors or vendor partnerships who can, at a minimum, improve visibility of zero-trust
policies through a single unified dashboard and reporting console.

Related Research:

How to Select the Right ZTNA Offering

7 Effective Steps for Implementing Zero Trust Network Access

What Are Practical Projects for Implementing Zero Trust?

Adopt a Mesh App and Service Architecture to Power Your Digital Business

Replay Prediction
The replay prediction is a prediction from a previously published report that is so significant that it is
being republished here.

Strategic Planning Assumption: Over 60% of organizations will embrace zero trust as a starting
place for security by 2025. More than half will fail to realize the benefits.

Analysis by: Charlie Winckless

Key Findings:

• Security leaders are inundated with marketing and vague language about zero trust, so they
struggle to translate the technical reality into business benefits.

• Focusing on technology and marketing messaging — instead of the cultural and security
program of zero trust — risks missing the true tasks, objectives and steps required to effectively
implement a program.

• Failing to obtain executive backing and clear support for a zero-trust program will put the
outcome at risk.

Market Implications:

A successful zero-trust initiative will require more than technology, despite the marketing and
regulatory pressures. Fundamentally, zero trust means replacing the implicit trust (and the proxies
for trust) that have formed the foundation of many security programs with explicit trust based on
identity and context. This will require changing the way security programs and control objectives
are set, and especially changing the expectations about level of access. This problem is
compounded by the threatening overtones of the term “zero trust” — it implies that no one is
trusted at all, but rather means trust to the amount needed and no more; a “right” trust to perform
all of their responsibilities, while protecting them and the organization from any mistakes or
oversights that might occur.

Cybersecurity leaders must first guard against attempting to only execute a zero-trust program
with technology controls. This approach will fail because — without changing the approach to
security — old patterns will be replicated and the result will be expensive new technology and little
to no benefit to security. Second, executive backing and support is required — and this means
explaining not just the technical aspects, but how zero trust can enable new business approaches,
provide a more resilient environment and allow for more flexible access. Without this support,
changing the culture and reducing access to the most appropriate levels is highly likely to be
derailed by the status quo. Lastly, the possible complexity and interim redundancy must be
acknowledged and accepted. Old controls will be required as organizations migrate, and security
teams must operate two approaches. The new approach must be granular, but only within the
limits that can be managed — while still being granular enough to meet the technical objectives.
These two granularity targets are competing and critical imperatives that must be continuously
evaluated and tuned for a successful “conversion” to zero trust.

Unless cybersecurity leaders address these challenges, investments made in zero trust are less
likely to be successful. Acknowledging — upfront — that this is a journey that requires significant
change outside of just technology is crucial to the success of a zero-trust initiative.

Recommendations:

• Acknowledge and address the interim complexity; set realistic goals for granularity that align to
both manageability and security objectives.

• Ensure that zero trust is not seen as a technology or even technology-first effort, but is a shift in
mindset and security approach.

• Clarify what zero trust approaches can deliver by communicating the business relevance of the
concept and how it supports resilience and agility in a hybrid-first world.

Related Research:

How to Decipher Zero Trust for Your Business

What Are Practical Projects for Implementing Zero Trust?

How to Build a Zero Trust Architecture

A Look Back
In response to your requests, we are taking a look back at some key predictions from previous
years. We have intentionally selected predictions from opposite ends of the scale — one where we
were wholly or largely on target, as well as one we missed.

This topic area is too new to have on-target or missed predictions.

Acronym Key and Glossary Terms


Zero Trust: A security paradigm that replaces implicit trust with continuously
assessed explicit trust based on identity and context supported by
security infrastructure that adapts to risk-optimize the organization’s
security posture.

Zero-Trust Architecture (ZTA): A series of zero-trust principles, guidelines or rules used by an
enterprise to direct the process of acquiring, building, modifying and interfacing IT
resources throughout the enterprise. These resources can include
equipment, software, communications, development methodologies,
modeling tools and organizational structures.

Evidence
[1] Ransomware Attacks Drive ZTNA Adoption: Learning From Those Who Learned the Hard Way,
IT News. Independent survey of 5,400 IT professionals in organizations with between 100 and
5,000 employees that was conducted by research house Vanson Bourne on behalf of Sophos in
2021.

[2] Zero-trust Architecture May Hold the Answer to Cybersecurity Insider Threats, MIT.

[3] Migrating to BeyondCorp: Maintaining Productivity While Improving Security, Google Research.

[4] Zero Trust Reference Architecture, U.S. Department of Defense.

[5] Zero Trust Maturity Model, Cybersecurity and Infrastructure Security Agency.

[6] 2022 Data Breach Investigations Report, Verizon.

[7] Zero Trust Architecture, NIST Special Publication.

[8] 21% of all Sessions Were Attacks in 2021, Arkose Labs.

[9] Zero Trust Adoption Report, Microsoft.

[10] Data was analyzed from Gartner conversations regarding zero trust client inquiry trends during
the time period of January 2021 through September 2022.

© 2023 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc.
and its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior
written permission. It consists of the opinions of Gartner's research organization, which should not be construed
as statements of fact. While the information contained in this publication has been obtained from sources
believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such
information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or
investment advice and its research should not be construed or used as such. Your access and use of this
publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and
objectivity. Its research is produced independently by its research organization without input or influence from
any third party. For further information, see "Guiding Principles on Independence and Objectivity."