Zero trust isn’t failing; it’s the implementation of zero trust that isn’t complete.
The implementation of zero trust is essential for cybersecurity, but after 15 years, we’re still not there. Implementation is like the curate’s egg: good in parts.
Zero Trust turned fifteen years old on September 14, 2025. Its invention was announced with Forrester’s publication of John Kindervag’s paper, No More Chewy Centers: Introducing The Zero Trust Model of Information Security, on that date in 2010 (archived here).
Zero trust recognizes that treating cybersecurity like an M&M (a hard crunchy shell impenetrable to hackers protecting a soft chewy center where staff can work freely and safely) simply doesn’t work. “Information security professionals must eliminate the soft chewy center by making security ubiquitous throughout the network, not just at the perimeter,” wrote Kindervag.
This is the basis of zero trust (or ZT): abandon the old concept of a barrier between two separate networks (one untrusted: the internet; and one trusted: the enterprise). Instead, trust nothing and verify everything, regardless of source or destination. The concept is sound and rapidly gained approval, culminating in EO14028 mandating that federal agencies must move toward a zero trust architecture while private companies should do similar – but never defining how it could be achieved.

There’s the rub. Zero trust is fundamentally a concept, and its implementation will depend on each organization’s own corporate ecosystem. There is no single list of requirements for all organizations, no likelihood that any national regulation can require zero trust, and no product that can be installed to provide zero trust. Instead, zero trust has become a widely accepted ‘best practice’ that (apart from federal agencies) is simply recommended by regulations.
Europe’s NIS2 Directive, for example, declares, “Essential and important entities should adopt a wide range of basic cyber hygiene practices, such as zero-trust principles…” But it is a directive (EU-speak for a requirement that member states should implement in their own way), not a regulation (EU-speak for a law that applies verbatim to the entire EU); and there is no definition of what it is.
The result is that a widely recognized and lauded approach to cybersecurity (perhaps the best practice rather than a best practice) has become a curate’s egg: implementation is good in parts.
Where Zero Trust is good
A fundamental principle of ZT is that it must be applied to data from anywhere to anywhere, everywhere. It doesn’t differentiate between human to human, machine to machine, or any variation on that: that data should not be trusted until the source and destination have both been verified.
This usually requires it to be retrofitted to existing networks that were not designed for ZT and are continuously growing like Topsy (“I ‘spect I grow’d. Don’t think nobody never made me”). It follows that ZT is more easily implemented and better maintained where Topsy’s haphazard expansion is constrained.
“Zero Trust is most effective when deployed within modern, cloud-native enterprise architectures that are intentionally designed to enforce security at every layer of the infrastructure,” comments Suresh Katukam (co-founder and CPO at Nile). “In these environments, core Zero Trust principles – default-deny posture, identity-based access, least privilege and continuous verification – are implemented natively rather than retrofitted.”
Effective ZT will not eliminate all breaches – there are simply too many ways into a network – but it would certainly limit the effectiveness of stolen credentials (the most common initial access vector) and inhibit lateral movement by intruders, and malicious activity by insiders inside the enterprise network.
“Here’s the part most people miss: Zero Trust is just as important for reducing insider risk as it is for keeping out external threats,” comments Chad Cragle (CISO at Deepwatch).
“It may not have stopped breaches from the outside, but it very closely regulates internally who gets access to what,” adds John DiLullo (CEO at Deepwatch). “Since 70% of all data losses still happen at the hands of insiders, whether through malice or neglect, Zero Trust hugely reduces the surface area of a company’s most sensitive assets. Zero Trust is first and foremost an access rights technology.”
“Insiders often already have keys to the kingdom,” continues Cragle. “That’s where segmentation, least privilege, and continuous validation truly matter. If your Zero Trust framework isn’t helping you see and control insider abuse, then you don’t have Zero Trust; you have wishful thinking.”
The idea of wishful thinking introduces one possible downside to ZT. The concept requires monitoring all access doors throughout the network. If using ZT principles closes only 95% of the doors, the company may have a false sense of security. That single open door means you don’t have ZT, you have wishful thinking. And that single open door will eventually be found and used by malicious actors.
The reality is that ZT is only zero trust where it is fully implemented; a partial implementation isn’t zero trust at all. The question is not about ZT itself, but why it is so difficult to implement.
Where it’s not so good
“Poorly implemented zero trust can actually increase your risk profile,” says Dana Simberkoff (chief risk, privacy and information security officer at AvePoint). “When employees face excessive friction – multiple approvals just to access shared files, constant re-authentication that interrupts workflow – they find alternatives.”
The difficulty with zero trust is that it requires reduced friction without reduced verification. That’s hard, because the problem is not one of technology, but one of psychology – we put people above technology and pander to human sensitivities. Kindervag suggests this may be caused, or at least aggravated, by a basic misunderstanding of the relationship between people and technology in security.
“People, process, technology. That’s our mantra – but that is wrong,” he says. People, who we consider first, are ancillary to security. “People cannot make proper security decisions in real time because their brains do not have the computational ability even when they understand the process. The ‘human firewall’ is a myth. It should be technology, process, people.”
Putting people first is good people management and good PR, but bad security. It gives too much leeway to three basic human characteristics: a propensity to trust on sight, a tendency to be lazy, and a deep-rooted curiosity. We have a natural tendency to trust first and ask questions later; to skirt security controls when they are too intrusive and hinder our work; and to be curious. “Curiosity may be a primary cause of death to cats,” comments Kindervag, “but it’s also the primary cause of a lot of data breaches when people go where and do what they shouldn’t.” All this can be prevented by ZT, but that is impossible if we put people before technology.
Technology first is becoming more essential in the emerging world of AI-enhanced deepfakes. We can no longer rely on people being able to recognize people. We are easily fooled into believing this entity is the entity we know and trust. Trust can no longer rely on people; only technology can establish the truth – not just by deepfake detection (which could fail) but by examining the packets of data themselves. Only by knowing who is sending what to whom, and from where, can we verify before we trust.
Trust is the primary people-concern and is the very basis of ZT. Kindervag tells a story to illustrate this people-based trust. “I’m in my living room watching TV with my wife and I see some guy I’ve never seen before getting beer out of the fridge. I say, ‘Honey, do you know the guy getting beer out of the fridge?’ She says, ‘No, I don’t.’ I reply, ‘Oh, well, I guess since he’s able to get beer out of our fridge, he must belong here’.” That’s the metric we use: he’s here, so he must have the right to be here.
“So, I go and get some clean sheets and make up the guest room. And that’s what we do every single day for attackers in our environment. We make up the guest room because we assume, since they’re able to get on the network, they must belong on the network. We don’t ask the question: ‘Do you belong on the network?’” That’s not how we protect our home, and it should not be how we protect our networks. Don’t trust, always verify. And call 911 if there’s any doubt.
The consequence of over-trusting can be negated by the principle of least privilege. Even if a person (could be an insider or an intruder with stolen credentials) is authorized to be on the network, perhaps that person should not be on that part of the network and he should not be privileged to take beer out of the fridge.
It’s not as if we haven’t seen the effect. The Snowden leaks were only possible because the NSA over-trusted a contractor from Booz Allen and gave him administrator rights. He was able to go there because he was authorized to go there, and he was allowed to do what he did because he was authorized to go there. That’s a people-first approach to security. But a zero trust technology-first approach would care less about the person and more about the data. That would have shown that this authorized person was doing something naughty. In short, the Snowden leaks would not have happened if the NSA had implemented a full zero trust environment.
Kindervag has personal experience of this. He was asked to do some work for the federal government and needed to get clearance. That’s standard, but when he looked more closely, the clearance included access to data, and he didn’t need access to data for the work he was doing. He thought, “This violates the first principle of least privilege. I don’t need that access, so I shouldn’t have that access. I literally had to fight to not get the access, because they automatically wanted to give me that access.”
‘People first’ also panders to the human characteristic of laziness. We say to ourselves that we shouldn’t implement security that hinders people quickly achieving their work targets because they’ll bypass the security. But it’s just lazy, on both sides of the fence. The implementers don’t put in the extra effort to find or develop friction-free but properly secure zero trust controls, while the users excuse their own laziness by saying ‘I just want to get on with my job’. For the implementers it requires more effort in system design, while for the users it requires deeper security awareness training on the dangers of being lazy – perhaps enforced by sanctions for backsliding.
Getting the technology ready for ZT is also hard, partly because many applications were not built with ZT in mind. “Many older programs just don’t play nice with modern security,” comments J Stephen Kowski (field CTO at SlashNext), “so businesses end up stuck between keeping things secure and not slowing down the way they work.” Security leaders are often forced to find a balance because available software provides little alternative. “Lock things down too much and you might block your own team, but if you’re too loose, you’re open to risk.” But finding that ‘balance’ negates the essence of ZT: trust nothing, verify everything.
The problem isn’t limited to older software. Just as today it is hard to find a new application that doesn’t claim to be AI-based, so the concept of zero trust has been built into product marketing. “Many vendors have misled organizations,” says Negin Aminian (senior manager of cybersecurity strategy at Menlo Security). “For years, ‘zero trust’ was a cybersecurity buzzword, much like ‘AI’ is today. Cybersecurity vendors added it to their product names; however, the way their technology was set up either made zero trust very difficult to implement or, upon closer inspection, didn’t adhere to its principles.”
Browsers are an additional problem. “Today, most work happens in the browser, including accessing business-critical applications,” continues Aminian. “However, many organizations haven’t extended zero-trust principles to the browser, which leads to ongoing breaches.” It’s a classic example of putting people and their love and need for easy access to browsers and browsing before technology.
It’s hard. It’s very hard on everyone to go that extra mile for zero trust. But Kindervag has another story for the security professionals. “I remember Dan Kaminsky, who said words to the effect, ‘I won’t listen to people who say this is hard anymore. Cybersecurity is hard, and we chose to be in this business. And if you’re in this business, you worship hard – meaning you worship the hard things. So, if you don’t have that right attitude, please go into a different business.’”
“Zero Trust isn’t just about prevention; it’s about limiting the blast radius when (not if) something goes wrong,” suggests Cragle. “Think of it like an onion: the more layers of control around identity, devices, workloads, and data, the more difficult it is for attackers to penetrate. But peel away one neglected layer, and attackers can move freely. That’s why Zero Trust only works when applied across all layers, not just at the perimeter or identity tier.”
Those layers must counter the human elements: over-trust (which should be reined in by greater use of the least privilege rule) and user laziness (which security awareness training must combat). “The pivot to zero trust also requires user acceptance and ongoing education to overcome inevitable barriers to adoption as well as continuous monitoring – it is not a set and forget option,” warns Nick Emanuel (director of product management at Panaseer).
“Zero Trust has added the opportunity to make sure the right human, with the right account, from the right place, on the right hardware or system, is accessing the right services,” says Trey Ford (CISO at Bugcrowd).
“It sounds simple but putting it in place is way tougher than it looks, because it takes a lot of people, time, and money to do it right,” adds Kowski.
Zero trust at its fifteenth anniversary
Kindervag will not abandon the core principles of zero trust, nor soften them to make the concept easier to adopt. It’s zero trust, no compromise. But he believes zero trust adoption is higher than generally perceived. “The zero trust market size has been calculated at $30 billion,” he comments. “I’ve even been invited to give a talk about zero trust at one of the most prestigious London men’s clubs, formerly patronized by Prince Philip (I’m a farm kid from Nebraska, and I never expected anything like that would happen). There’s just a ton of enthusiasm, throughout business leadership, not just technologists.”
He suspects the reason for the apparently slow take-up is twofold: there are millions of companies without the resources to implement zero trust quickly and fully; and the media never reports on failed attacks, only on successful attacks. Consequently, we only hear about the attacks where partial, poor or absent implementation has failed – not the attacks foiled by zero trust. “It’s a question of scale,” he adds, “and frankly, the majority of organizations still operate old-school 20th century perimeter-based networks with poor policy on their security controls – like a firewall mistakenly set to allow everything without verification.”
Zero trust isn’t failing; it’s the implementation of zero trust that isn’t complete. But Kindervag is far from downhearted. “We need to enforce policy based on the packets. Packets are not people, and we need, over time, to change and get rid of all this human baggage that we bring to the digital world – and that takes a long time. I never thought it would be quick – I thought it would take longer than it has. Actually, I’ve been quite amazed by the speed of adoption of all this stuff.”
Fifteen years is not a long time when you’re trying to change the digital world.