Date: 2025-03-19

Zero trust is a concept that has been at the forefront of cybersecurity discourse for almost two decades. First coined by then Forrester analyst John Kindervag in 2009, the principle assumes all users, devices and services are untrusted by default, and subject to continuous strict verification and authorization across the network. A range of policies and tools can assist with a zero trust effort, including microsegmentation, access management and authentication tools.

The concept of zero trust has taken on greater importance since the shift to remote working, which has rendered the traditional ‘perimeter’ security approach outdated. Zero trust’s relevancy has been further enhanced by its explicit inclusion in former US President Joe Biden’s Executive Order 14028 in 2021, which mandated federal agencies adopt zero trust principles. Global cybersecurity regulations, such as the EU’s NIS2 directive, also mandate zero trust as a basic practice of cybersecurity hygiene. Kindervag told Infosecurity that these regulatory requirements have resulted in widespread interest in adoption of the concept.

Nevertheless, there are major question marks about the current effectiveness of zero trust in practice. Significant marketing hype about the architecture has created misconceptions, including the idea that zero trust is a single product or a ‘silver bullet’ to security. It is also not a strategy that can be implemented properly without the right foundational controls.

This article will examine the key barriers to effective zero trust practices and what security leaders need to do to embed it properly in their organization.

Barriers to Zero Trust

Misconceptions About the Zero Trust Framework

One consequence of the huge promotion of zero trust by vendor marketing is the false perception that it can be a single product. While solutions such as identity and access management (IAM) tools can aid in the implementation of zero trust principles, it goes beyond tooling to encompass a fundamental mindset change. In an article for Infosecurity published in 2024, Kindervag wrote, “Any business or vendor that claims to have a zero trust product is either lying or doesn’t understand the concept at all.”

Therefore, simply buying a product from a vendor offering a zero trust-based solution is far from sufficient. In fact, there have been high-profile incidents impacting cybersecurity companies who offer zero trust-based solutions, which have enabled attackers to compromise multiple customers via a single login. This includes a data breach of identity and access management firm Okta in 2023 after a threat actor was able to access a stolen credential.

Jason Steer, CISO at Recorded Future, said: “A lot of organizations are now all in on companies like Okta, who offer zero trust and that means threat actors understand that as well.”

Zero Trust a Cause of Friction

Organizations need good foundational capabilities in areas such as identity management, asset management, security monitoring and threat management to effectively implement zero trust. Achieving these underlying steps can cause short-term disruption to the business, which can create challenges around gaining investment and executive buy-in.

Fred Kwong, CISO at DeVry University, noted that there is often a significant cost to implementing a zero trust model as a result of changes to existing business processes, new operational processes and skillsets. “These changes can cause friction along with additional operational overhead. Zero trust is a long journey for most organizations, and the transition to it will take time,” he said.
Attackers’ Ability to Circumvent Access Controls

Another emerging challenge to the effectiveness of zero trust is attackers’ growing ability to circumvent identity and access controls – a critical element of the zero trust process of segmenting and continually authorizing access to different parts of the environment. This includes bypassing a range of multifactor authentication (MFA) solutions through techniques like man-in-the-middle attacks to intercept codes, SIM swapping to gain control of user devices and push notification attacks.

This issue highlights the limitations of zero trust, emphasizing that it is not infallible, even with MFA login requirements in place across the network.

Why Zero Trust is Still Relevant Today

Despite the challenges and misconceptions around zero trust, experts Infosecurity spoke to emphasized the importance of the framework in today’s world. “I think zero trust is a fantastic architecture and every organization should be moving towards it if they aren’t already,” commented Steer.

It is a particularly important strategy for those organizations that have moved to hybrid working, with employees accessing systems on multiple endpoints and locations. Kwong added, “Zero trust is critical to ensuring strong identity and access validation on a continual basis.”

Kindervag emphasized that zero trust, at its heart, is about resiliency – limiting the impact of compromises rather than an all-encompassing strategy that prevents attacks from occurring. Zero trust policies should have strict delimited rules on the systems that accounts can access – including what individual users can access, at what times they can do so and from what devices.
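The kind of delimited rule described in the paragraph above can be written as a default-deny check over user, system, device and time of day. This is an added illustration, not something from the article or the experts quoted; the rule format, account names, system names and device IDs are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Rule:
    user: str
    system: str
    devices: frozenset  # device IDs this user may use for this system
    start: time         # permitted window start (inclusive)
    end: time           # permitted window end (exclusive)

def in_window(now, start, end):
    # A window whose end is earlier than its start wraps past midnight.
    if start <= end:
        return start <= now < end
    return now >= start or now < end

def decide(rules, user, system, device, now):
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    matching = [r for r in rules if r.user == user and r.system == system]
    if not matching:
        return False, "no rule for this user and system"
    on_device = [r for r in matching if device in r.devices]
    if not on_device:
        return False, "device not permitted"
    if any(in_window(now, r.start, r.end) for r in on_device):
        return True, "allowed"
    return False, "outside permitted hours"

# Constructed sample policy: one daytime rule, one overnight on-call rule.
RULES = [
    Rule("alice", "payroll-db", frozenset({"laptop-0142"}), time(8, 0), time(18, 0)),
    Rule("oncall", "prod-bastion", frozenset({"laptop-0207"}), time(22, 0), time(6, 0)),
]

if __name__ == "__main__":
    checks = [
        ("alice", "payroll-db", "laptop-0142", time(9, 30)),
        ("alice", "payroll-db", "phone-77", time(9, 30)),
        ("alice", "payroll-db", "laptop-0142", time(19, 0)),
        ("alice", "prod-bastion", "laptop-0142", time(9, 30)),
        ("oncall", "prod-bastion", "laptop-0207", time(2, 0)),
    ]
    for c in checks:
        print(c[:3], c[3].isoformat(), "->", decide(RULES, *c))
```

The deny reason is returned alongside the decision so that refused requests can be logged and reviewed rather than silently dropped.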

“Zero trust isn’t an end in itself, it’s a good way to boost resilience and keep you in business”