Gartner report shows zero trust isn’t a silver bullet

Zero trust is one of the few security trends that has gained widespread attention and support. In fact, somewhere around 97% of businesses either already have a zero-trust policy in place or are planning to do so over the next year and a half. However, a new analysis from Gartner this week indicates that zero trust isn’t a panacea.

By 2026, public-facing APIs and social engineering schemes will account for half of all cyberattacks, according to the study’s authors.

Also, the survey emphasises that most companies are still quite far from reaching zero-trust maturity. It predicts that by 2026, barely 10% of big businesses will have a fully developed and quantifiable zero-trust programme, up from just 1% at present.

Companies can’t afford to rely on a single security framework to defend their environments, especially in light of the difficulties in reaching zero-trust maturity and the rising trend of API-based risks and social engineering assaults.

Where exactly does zero trust go wrong?

Because threat actors are increasingly focusing on parts of the cloud attack surface that are difficult to secure with access restrictions alone, Gartner believes zero trust will grow less effective over time.

Attackers would soon explore pivoting and targeting assets and vulnerabilities outside the scope of zero-trust architectures (ZTAs), according to Jeremy D’Hoinne, a vice president and principal analyst at Gartner.

This, according to D’Hoinne, “may take the shape of scanning and abusing of public-facing APIs or targeting employees through social engineering, building, or exploiting weaknesses” since workers have devised their own “bypass” to circumvent zero-trust regulations.

Thousands of APIs may be deployed and deprovisioned across a company. Zero-trust restrictions and multifactor authentication can in principle be applied to each of them, but that approach has limited scalability.

While zero trust can’t stop social engineering and phishing schemes from getting a user’s login ID and password, it can help implement the principle of least privilege and reduce the amount of information an attacker has access to.

However, if D’Hoinne is right that exploiting public-facing APIs is not covered by zero trust, then this is a major omission, especially because, according to Gartner’s own data, API abuses will go from being rare to becoming the most common attack vector by 2023.

After API hacks at Twitter and T-Mobile exposed the personal information of millions of users, this is a vulnerability that security teams can no longer afford to ignore.

The Problem of API Security and How to Fix It

If businesses are serious about risk reduction, they must begin investing in API security capabilities immediately. In practice, this means putting mechanisms in place to compile an inventory of all public-facing APIs, scan that inventory for security flaws, and patch them before an attacker can exploit them.

Forrester has previously found that enterprises should stop using a perimeter-based security strategy to safeguard APIs and instead incorporate security into API design and use proactive connection verification to ensure that APIs are secure.

The research recommended that “authentication be used everywhere” and called for “designing explicit chains of trust as an important component of API development and deployment pipelines”.

Approov CEO Ted Miracco thinks that shift-left approaches to API security have significant flaws.

Many API vulnerabilities actually occur against authorised APIs, proving that so-called “shift-left” methods to security are ineffective. While it was possible to escape danger by just slowing down attackers in the past, today there is “nowhere to hide” from the persistent hackers, as Miracco put it.

For Miracco, the answer to protecting against attacks is to set up constant, real-time monitoring of APIs.

Applications, especially mobile ones, that are released without real-time monitoring, application self-protection, over-the-air upgrades, and new API keys are asking for trouble, according to Miracco.
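The two recommendations above, keeping an inventory of public-facing APIs and monitoring them continuously, can be combined in a single check. The script below is an added example, not code from the article, Gartner, Forrester or Approov: it reads constructed web-server access-log lines, compares each served endpoint against a hypothetical inventory of approved path templates, reports endpoints that answer successfully but were never inventoried ("shadow" APIs), and flags clients whose traffic looks like endpoint probing (mostly failed requests spread across many paths). The inventory, thresholds and log lines are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access log (combined-log style) for this example only.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2023:10:00:01 +0000] "GET /api/v1/users/1 HTTP/1.1" 401 0
203.0.113.5 - - [01/Mar/2023:10:00:02 +0000] "GET /api/v1/users/2 HTTP/1.1" 401 0
203.0.113.5 - - [01/Mar/2023:10:00:03 +0000] "GET /api/v1/users/3 HTTP/1.1" 401 0
203.0.113.5 - - [01/Mar/2023:10:00:04 +0000] "GET /api/v1/admin HTTP/1.1" 404 0
203.0.113.5 - - [01/Mar/2023:10:00:05 +0000] "GET /api/v1/debug HTTP/1.1" 404 0
203.0.113.5 - - [01/Mar/2023:10:00:06 +0000] "GET /api/v2/export HTTP/1.1" 404 0
198.51.100.7 - - [01/Mar/2023:10:01:00 +0000] "POST /api/v1/login HTTP/1.1" 200 512
198.51.100.7 - - [01/Mar/2023:10:01:05 +0000] "GET /api/v1/orders/42 HTTP/1.1" 200 1024
198.51.100.7 - - [01/Mar/2023:10:01:09 +0000] "GET /api/v1/orders/43 HTTP/1.1" 200 990
192.0.2.9 - - [01/Mar/2023:10:02:00 +0000] "GET /api/v1/internal/export HTTP/1.1" 200 88000
"""

# Hypothetical inventory of approved public endpoints, as path templates.
INVENTORY = {"/api/v1/login", "/api/v1/users/{id}", "/api/v1/orders/{id}"}

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def normalize(path):
    """Collapse numeric segments so /orders/42 and /orders/43 map to one template."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))

def analyze(log_text, inventory, min_requests=5, max_fail_ratio=0.6):
    """Return shadow endpoints and clients whose traffic looks like probing."""
    per_client = defaultdict(lambda: {"total": 0, "failed": 0, "paths": set()})
    shadow = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        client, _method, path, status = m.groups()
        template, status = normalize(path), int(status)
        stats = per_client[client]
        stats["total"] += 1
        stats["paths"].add(template)
        if status >= 400:
            stats["failed"] += 1
        elif template not in inventory:
            shadow.add(template)  # served successfully, but nobody inventoried it
    suspects = {}
    for client, s in per_client.items():
        if s["total"] >= min_requests and s["failed"] / s["total"] >= max_fail_ratio:
            suspects[client] = "high error ratio across %d paths" % len(s["paths"])
    return {"shadow_endpoints": sorted(shadow), "suspect_clients": suspects}
```

Run against the sample, the report names the uninventoried `/api/v1/internal/export` endpoint and the single probing client; in production the inventory would come from the API gateway or deployment pipeline and the log from a streaming source rather than a string.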