Zero trust is a concept that has been at the forefront of cybersecurity discourse for almost two decades. First coined by then Forrester analyst John Kindervag in 2009, the principle assumes all users, devices and services are untrusted by default, and subject to continuous strict verification and authorization across the network.
A range of policies and tools can assist with a zero trust effort, including microsegmentation, access management and authentication tools.
The concept of zero trust has taken on greater importance since the shift to remote working, which has rendered the traditional ‘perimeter’ security approach outdated.
Zero trust’s relevancy has been further enhanced by its explicit inclusion in former US President Joe Biden’s Executive Order 14028 in 2021, which mandated federal agencies adopt zero trust principles.
Global cybersecurity regulations, such as the EU’s NIS2 directive, also mandate zero trust as a basic practice of cybersecurity hygiene.
Kindervag told Infosecurity that these regulatory requirements have resulted in widespread interest in adoption of the concept.
Nevertheless, there are major question marks about the current effectiveness of zero trust in practice.
Significant marketing hype about the architecture has created misconceptions, including the idea that zero trust is a single product or a ‘silver bullet’ to security.
It is also not a strategy that can be implemented properly without the right foundational controls.
This article will examine the key barriers to effective zero trust practices and what security leaders need to do to embed it properly in their organization.

Barriers to Zero Trust
Misconceptions About the Zero Trust Framework
One consequence of the huge promotion of zero trust by vendor marketing is the false perception that it can be a single product.
While solutions such as identity and access management (IAM) tools can aid in the implementation of zero trust principles, zero trust goes beyond tooling to encompass a fundamental mindset change.
In an article for Infosecurity published in 2024, Kindervag wrote, “Any business or vendor that claims to have a zero trust product is either lying or doesn’t understand the concept at all.”
Therefore, simply buying a product from a vendor offering a zero trust-based solution is far from sufficient. In fact, there have been high-profile incidents impacting cybersecurity companies that offer zero trust-based solutions, which have enabled attackers to compromise multiple customers via a single login.
This includes a data breach of identity and access management firm Okta in 2023 after a threat actor was able to access a stolen credential.
Jason Steer, CISO at Recorded Future, said: “A lot of organizations are now all in on companies like Okta, who offer zero trust and that means threat actors understand that as well.”
Zero Trust a Cause of Friction
Organizations need good foundational capabilities in areas such as identity management, asset management, security monitoring and threat management to effectively implement zero trust.
Achieving these underlying steps can cause short-term disruption to the business, which can create challenges around gaining investment and executive buy-in.
Fred Kwong, CISO at DeVry University, noted that there is often a significant cost to implementing a zero trust model as a result of changes to existing business processes, new operational processes and skillsets.
“These changes can cause friction along with additional operational overhead. Zero trust is a long journey for most organizations, and the transition to it will take time,” he said.
Attackers’ Ability to Circumvent Access Controls
Another emerging challenge to the effectiveness of zero trust is attackers’ growing ability to circumvent identity and access controls – a critical element of the zero trust process of segmenting and continuously authorizing access to different parts of the environment.
This includes bypassing a range of multifactor authentication (MFA) solutions through techniques like man-in-the-middle attacks to intercept codes, SIM swapping to gain control of user devices and push notification attacks.
This issue highlights the limitations of zero trust, emphasizing that it is not infallible, even with MFA login requirements in place across the network.
Why Zero Trust is Still Relevant Today
Despite the challenges and misconceptions around zero trust, experts Infosecurity spoke to emphasized the importance of the framework in today’s world.
“I think zero trust is a fantastic architecture and every organization should be moving towards it if they aren’t already,” commented Steer.
It is a particularly important strategy for those organizations that have moved to hybrid working, with employees accessing systems on multiple endpoints and locations.
Kwong added, “Zero trust is critical to ensuring strong identity and access validation on a continual basis.”
Kindervag emphasized that zero trust, at its heart, is about resiliency – limiting the impact of compromises rather than an all-encompassing strategy that prevents attacks from occurring.
Zero trust policies should have strict delimited rules on the systems that accounts can access – including what individual users can access, at what times they can do so and from what devices.
“What you can control is the protect surface – there has to be a rule in place that says someone is allowed to access one area. If that rule isn’t in place, it doesn’t matter how sophisticated the attack is, because the rule just doesn’t allow it to happen,” explained Kindervag.
Thinking of zero trust in these terms is important to ensuring organizations implement the concept properly and build solutions around it.
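The rule-based model described above (who may reach a protect surface, from which device and at what times, with everything else refused) can be sketched as a default-deny evaluator. This is an added example, not code from the article or from any vendor; the users, device IDs, protect surface names and time windows are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class Rule:
    user: str
    surface: str            # protect surface this rule covers
    devices: frozenset      # device IDs the user may connect from
    start: time             # window opens (inclusive)
    end: time               # window closes (exclusive)
    weekdays: frozenset = frozenset(range(5))  # days a window may open: Mon-Fri

@dataclass(frozen=True)
class Request:
    user: str
    surface: str
    device: str
    when: datetime

def in_window(rule, when):
    t, day = when.time(), when.weekday()
    if rule.start <= rule.end:                  # same-day window
        return day in rule.weekdays and rule.start <= t < rule.end
    if t >= rule.start:                         # overnight window, before midnight
        return day in rule.weekdays
    # after midnight: the window opened on the previous day
    return t < rule.end and (day - 1) % 7 in rule.weekdays

def evaluate(rules, req):
    """Default deny: access is granted only if some rule matches every attribute."""
    reason = "no rule for this user on this protect surface"
    for r in rules:
        if (r.user, r.surface) != (req.user, req.surface):
            continue
        if req.device not in r.devices:
            reason = "device not permitted"
        elif not in_window(r, req.when):
            reason = "outside permitted hours"
        else:
            return True, "rule matched"
    return False, reason

# Constructed sample policy (all names hypothetical)
RULES = [
    Rule("alice", "payroll-db", frozenset({"laptop-0042"}), time(8), time(18)),
    Rule("bob-oncall", "payroll-db", frozenset({"laptop-0077"}), time(22), time(6)),
]

def check(user, surface, device, iso):
    return evaluate(RULES, Request(user, surface, device, datetime.fromisoformat(iso)))
```

The deny reason is returned alongside the decision so that refused requests can be logged and reviewed when rulesets are tuned.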
Kindervag’s colleague at Illumio, Trevor Dearing, Director of Critical Infrastructure Solutions at the firm, said: “Zero trust isn’t an end in itself, it’s a good way to boost resilience and keep you in business.”
This means zero trust, when implemented correctly, is future-proof.
Toby Sibley, Security Expert at PA Consulting, explained that zero trust principles are designed to be robust and flexible enough to cope with a range of new technologies and attack vectors.
“By placing sophisticated authentication and authorization at the heart of developing new IT capabilities, organizations can relieve some of the pressure of continuously firefighting new security issues,” he said.
How to Implement Zero Trust Effectively
Do the Foundational Work
Before selecting zero trust solutions and vendors, organizations should ensure they have a thorough understanding of their network and what they most want to protect.
“If an organization does not have access to accurate risk, threat, business impact and infrastructure data then its zero trust capability will fail to achieve its goals,” Sibley stated.
He urged organizations to undertake this prior analysis before jumping into selecting technology vendors.
Kwong added, “Many product vendors focus on what they can do, but not how their product integrates into the overall framework.”
Take Incremental Steps
Implementing zero trust architecture across an entire IT estate can seem like a daunting task for organizations, with the potential for significant disruption to the business.
Kindervag advised taking an incremental approach that breaks zero trust policies and solutions into small increments known as protect surfaces.
“Do it one protect surface at a time because it becomes iterative and it becomes non-disruptive,” he said.
Kwong also emphasized the need for a phased roadmap, which does not try and segment every part of a system in one go.
“Take larger swaths and over time funnel access down to what is needed. Many zero trust technologies will help with that. Develop a process to tune your rulesets and engage with business partners to ensure success,” he commented.
Balance Security with User Experience
Implementing zero trust should also balance risk with usability, understanding which systems and data should have the most stringent policies and authentication solutions.
PA Consulting’s Sibley said organizations should set clear objectives around their risk appetite and integrate zero trust solutions and policies accordingly.
Zero trust may not be appropriate for all parts of a system, for example where it is causing too much friction in systems that do not contain sensitive data. Therefore, senior managers should be trained and educated in zero trust concepts to see when things are going off track, according to Sibley.
“If a zero trust approach is no longer appropriate for an organization, this should trigger activities to evolve the digital controls until they are once again effective,” he explained.
Make Zero Trust Solutions a Priority
IAM can be a low priority for organizations today, with areas like vulnerability management seen as the top risk.
In many organizations, IAM is either a process that does not exist or is highly manual, according to Recorded Future’s Steer.
“The hard truth is the existing identity access management infrastructure is either inadequate or missing critical security capabilities,” he commented.
This is something that needs to change, with governments increasingly pushing for stronger authentication, least privilege access and continuous monitoring.
Commit to an Ongoing Process
Another important aspect for organizations to understand is that implementing zero trust is an ongoing process. This can make the concept difficult to gain executive buy-in for, as there is no clear end goal in sight.
“People think of it as a project, not a journey. You’re going to be doing it forever, you don’t ever finish it,” Kindervag said.
This should not be viewed as a negative. Cyber-attacks and attack surfaces are always changing, meaning cybersecurity by its very nature will never be a task that is complete.
Sibley noted: “A successful implementation of zero trust should be adaptive to the risk and threat context that an organization operates in. Mature zero trust solutions will need to flex and evolve as the organization changes and the risks that it is subject to alter.”
Conclusion
Zero trust has been a highly recognized term in cybersecurity for a number of years, yet major barriers to its successful implementation remain.
This is a result of common misconceptions about the concept and the potential for friction to the business.
With zero trust principles gaining a presence in government regulations and identity a key target for attacks, implementing the framework appropriately is no longer a luxury.
Security leaders now have to make the case for zero trust in their business and stringently plan its implementation. From there, zero trust is an approach that requires continuous monitoring and updating.