Information Security Buzz

Zero Trust: Beyond the hype, toward reality

By Mieng Lim, June 9, 2026

The security industry is approaching Zero Trust all wrong.

Vendors are promising too much and delivering too little. Marketing hype has overtaken practical security, and organizations are chasing an idea of Zero Trust that doesn't (and arguably shouldn't) exist in reality. The result is confusion, frustration, and initiatives that stall long before they meaningfully reduce risk.

If we set the hype aside, we can talk honestly about what Zero Trust means, what it isn't, and how it can work for businesses.

No state of absolute Zero Trust

Taken literally, Zero Trust is unworkable for most businesses. If there were no trust at any point, users would be forced to reauthenticate, device posture would need to be revalidated, and identity would be re-proven for every single action, every time. Productivity would plummet, users would balk, and business would grind to a halt.

Zero Trust is a framework, and no vendor or organization operates in a state of absolute Zero Trust. What we can do is trust briefly, conditionally, and with constraints.

Trust, but verify. This idea is far more in line with how Zero Trust was originally viewed: trust isn't binary. Nothing is completely "trusted" or "untrusted." Trust is evaluated over time, continuously adjusted, and reassessed regularly. Trust can be earned, partially stripped away, or revoked completely depending on behavior, context, and risk.

That's a far cry from the all-or-nothing version that marketing often portrays.

A branding problem, not a security one

Zero Trust didn’t appear on the scene as a point solution or a definitive technical standard. It was born out of a reaction to something that was dissolving: perimeter-based security and all the risky assumptions embedded in flat, implicitly trusted networks.

It began its life as a marketing buzzword rather than a concrete, implementable concept, and it has been shaped and reshaped ever since. Along the way, the industry piled on more products, unrealistic promises, and big claims, turning it into something it was never meant to be: a destination you could somehow arrive at and declare yourself done.

In its truest sense, Zero Trust is an ongoing way of thinking about risk. It's about sound security fundamentals: segmentation instead of flat networks, access controls instead of blind trust, strong authentication, and ongoing verification.

Why Zero Trust sometimes fails

There are many reasons why Zero Trust initiatives fail.

Some companies treat Zero Trust as a one-off exercise, when it is really a framework involving tools, procedures, and protocols. They also think of it as a technology project rather than a strategy. With no clear risk goals and no support from executives, Zero Trust ends up patchy and incomplete, full of security gaps.

Similarly, these programs stall when only IT is involved. If there is no shared ownership among risk, compliance, legal, HR, and the business, funding dries up, and progress with it.

Others try to roll Zero Trust out across all applications and locations in one go. Teams get bogged down in planning, deadlines pass, and the initiative loses credibility before it has had a chance to show results.

Also, even stronger authentication controls, like MFA, cannot fix the problem if there is too much access. If users hold too many privileges and access isn't tightly controlled, an attacker armed with valid credentials can still move laterally through the network. MFA proves who logged in; it says nothing about what that account should be allowed to reach.

Legacy systems and industrial environments have their own issues. Often, they cannot support modern login methods. What begins as a few "temporary" exceptions quickly turns into permanent weak points unless compensating measures are put in place. And when MFA or device checks become too strict or disruptive, people look for ways around them to get their work done. That leads to shadow IT and plenty of frustration, not better security.

If checks only happen the first time someone logs in, risk runs unchecked once the session is active. Should anything change, or should the account be compromised, access stays open far longer than it should.

Finally, Zero Trust is too often sold as a cure-all, which sets unrealistic expectations. Real success is about limiting risk and recovering faster, on the assumption that breaches will happen.
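The two points above, that trust is conditional and decays, and that a decision made only at login leaves access open after the context changes, are easier to see in code. The following is an added example written for this article; it is not Fortra code and not a reference implementation of any standard. It is a toy policy decision point that re-evaluates every request against an explicit grant list, the authentication method (restricted data only behind a phishing-resistant factor), the age of the authentication, device posture, and runtime risk signals. All role names, thresholds, weights, signal names and timestamps are assumptions chosen for illustration.

```python
"""Conditional, time-bounded trust: a toy policy decision point.

Constructed example for this article; not Fortra code and not the CISA
Zero Trust Maturity Model's reference implementation. Every threshold,
role, signal name and timestamp below is an assumption for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # re-prove identity with a phishing-resistant factor
    DENY = "deny"


@dataclass(frozen=True)
class Session:
    user: str
    auth_method: str         # "password", "otp" or "fido2" (assumed labels)
    authenticated_at: float  # seconds on a constructed clock
    device_id: str
    roles: frozenset


@dataclass(frozen=True)
class DevicePosture:
    managed: bool
    disk_encrypted: bool
    edr_healthy: bool
    last_attested_at: float


@dataclass(frozen=True)
class Request:
    resource: str
    action: str
    classification: str      # "public", "internal", "confidential", "restricted"
    now: float


# Assumed policy: how old an authentication may be before it must be re-proven,
# by data classification, so trust decays faster for more sensitive data.
MAX_AUTH_AGE = {"public": 8 * 3600, "internal": 8 * 3600,
                "confidential": 3600, "restricted": 900}
PHISHING_RESISTANT = {"fido2"}
POSTURE_MAX_AGE = 600
# Explicit grants only; anything not listed is denied (assumed roles).
ROLE_GRANTS = {
    "analyst": {("reports", "read")},
    "admin": {("reports", "read"), ("reports", "write"), ("vault", "read")},
}
RISK_STEP_UP, RISK_DENY = 40, 70


def risk_score(posture: DevicePosture, req: Request, signals: dict) -> int:
    """Additive risk from device posture and runtime signals (assumed weights)."""
    score = 0
    score += 40 if not posture.managed else 0
    score += 30 if not posture.edr_healthy else 0
    score += 10 if not posture.disk_encrypted else 0
    score += 20 if req.now - posture.last_attested_at > POSTURE_MAX_AGE else 0
    score += 50 if signals.get("impossible_travel") else 0
    score += 60 if signals.get("credential_in_breach_dump") else 0
    return score


def evaluate(session: Session, posture: DevicePosture, req: Request, signals=None):
    """Decide one request. Called on every request, not only at login."""
    signals = signals or {}
    # 1. Least privilege: a role must explicitly grant (resource, action).
    granted = set().union(*(ROLE_GRANTS.get(r, set()) for r in session.roles))
    if (req.resource, req.action) not in granted:
        return Decision.DENY, "no explicit grant"
    # 2. Restricted data is only reachable behind a phishing-resistant factor.
    if req.classification == "restricted" and session.auth_method not in PHISHING_RESISTANT:
        return Decision.STEP_UP, "restricted data requires phishing-resistant MFA"
    # 3. Trust decays with time, faster for sensitive data.
    if req.now - session.authenticated_at > MAX_AUTH_AGE[req.classification]:
        return Decision.STEP_UP, "authentication too old for this classification"
    # 4. Context and risk can strip trust from an otherwise valid session.
    score = risk_score(posture, req, signals)
    if score >= RISK_DENY:
        return Decision.DENY, f"risk score {score}"
    if score >= RISK_STEP_UP:
        return Decision.STEP_UP, f"risk score {score}"
    return Decision.ALLOW, f"risk score {score}"


def walkthrough():
    """Same session, re-evaluated as context changes (constructed timeline)."""
    alice = Session("alice", "otp", 1000.0, "lap-01", frozenset({"analyst"}))
    healthy = DevicePosture(True, True, True, 1000.0)
    unmanaged = DevicePosture(False, True, True, 1000.0)
    read = Request("reports", "read", "internal", 1010.0)
    return [
        evaluate(alice, healthy, read),                                            # ALLOW
        evaluate(alice, healthy, Request("reports", "write", "internal", 1010.0)),  # DENY: no grant
        evaluate(alice, unmanaged, read),                                           # STEP_UP: risk 40
        # Twenty minutes later a breach-dump signal arrives and posture is stale:
        # the still-valid session is cut off without waiting for logout.
        evaluate(alice, healthy, Request("reports", "read", "internal", 2200.0),
                 {"credential_in_breach_dump": True}),                              # DENY: risk 80
    ]


if __name__ == "__main__":
    for decision, reason in walkthrough():
        print(decision.value, "-", reason)
```

The fourth call in `walkthrough()` is the point of the example: nothing about the login changed, but a new signal and a stale posture attestation push the risk score past the deny threshold, so the session loses access mid-flight rather than keeping it until the next login. The grant check runs first on purpose: MFA strength and risk scoring never rescue a request that no role explicitly allows.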

Zero Trust still matters

Despite all these points, Zero Trust is incredibly valuable when viewed realistically.

Stripped of the marketing hype, Zero Trust is a philosophy, not a product. It challenges some of our most dangerous assumptions: that network location implies safety, that credentials are trustworthy by nature, and that internal traffic doesn't need to be closely monitored. Those are exactly the assumptions attackers exploit.

Zero Trust also asks the right questions:

Who really needs to have access to this?

Why does this particular system trust that service?

What would happen should this credential be compromised?

Those questions reveal decades of inherited risk that perimeter security ignored. Zero Trust should not be an all-or-nothing approach. Applying its principles incrementally (to critical systems, sensitive data, or high-risk users) will bring meaningful improvements without overwhelming the business.

What the US is doing

Encouragingly, some governments are building a better foundation for Zero Trust. In January 2022, OMB Memorandum M-22-09, issued under Executive Order 14028, required US federal agencies to adopt a zero-trust architecture, moving them away from perimeter-based security, and set specific Zero Trust goals to be met by the end of fiscal year 2024.

To help them get there, CISA's Zero Trust Maturity Model breaks Zero Trust into five pillars: identity, devices, networks, applications and workloads, and data. Agencies are expected to mature each pillar over time. Cutting across all five, the model places strong emphasis on visibility and analytics, automation and orchestration, and governance.

In practice, this means agencies must do things like implement phishing-resistant MFA, keep a complete inventory of the devices that attach to their networks, encrypt web and DNS traffic, test their applications rigorously, and classify data clearly so that access can be controlled automatically.

Zero Trust is also backed by ongoing support from the government. Two years ago, the federal CDO and CISO Councils published a Zero Trust Data Security Guide, containing input from multiple agencies, to help teams put data protection into practice. CISA also publishes shared guidance and tools through zerotrust.cyber.gov and offers services such as Protective DNS and endpoint detection and response, alongside FedRAMP-authorized cloud offerings.

Together, these initiatives aim to keep agencies moving in the same direction and better prepared for the complex cyber threats that bombard them daily.

A more honest way forward

Instead of chasing the fantasy of a "fully Zero Trust" environment, it makes more sense to focus on what actually improves resilience.

Segment where it matters. Be clear about who really needs access, and why. Remove the inherited trust that lets one small mistake turn into a big problem. And keep watching how things behave over time, in context, so you're not guessing what's happening inside your own environment.
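"Keep watching how things behave over time" is where the earlier warning about lateral movement with valid credentials gets caught: a successful login is a data point, not a verdict. The following is an added example written for this article, not Fortra code and not any product's real telemetry. It builds a per-user baseline of destinations from a quiet period of constructed authentication logs, then flags two classic lateral-movement signs in the period after it: a user reaching a host they have never reached before, and fan-out to several distinct hosts inside a short window. The log format, hostnames, users, dates and thresholds are all assumptions.

```python
"""Behavioural baseline over authentication logs: flag valid-credential
lateral movement instead of trusting a successful login.

Constructed example for this article; the log format, hostnames, users and
thresholds are assumptions, not any product's real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line shape (constructed): one successful or failed auth per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)

# Constructed sample: a few quiet days, then alice's credential touches three
# hosts she has never used, within nine minutes, at 02:10 in the morning.
SAMPLE_LOGS = """\
2026-06-01T09:00:00Z auth user=alice src=10.0.1.20 dst=files-01 result=success
2026-06-01T09:05:00Z auth user=alice src=10.0.1.20 dst=mail-01 result=success
2026-06-02T09:01:00Z auth user=alice src=10.0.1.20 dst=files-01 result=success
2026-06-02T10:00:00Z auth user=bob src=10.0.1.31 dst=build-01 result=success
2026-06-03T09:02:00Z auth user=alice src=10.0.1.20 dst=mail-01 result=success
2026-06-06T02:10:00Z auth user=alice src=10.0.1.20 dst=files-01 result=success
2026-06-06T02:12:00Z auth user=alice src=10.0.1.20 dst=hr-db-01 result=success
2026-06-06T02:15:00Z auth user=alice src=10.0.1.20 dst=fin-db-01 result=success
2026-06-06T02:18:00Z auth user=alice src=10.0.1.20 dst=dc-01 result=failure
2026-06-06T02:19:00Z auth user=alice src=10.0.1.20 dst=dc-01 result=success
2026-06-06T09:00:00Z auth user=bob src=10.0.1.31 dst=build-01 result=success
"""

DETECT_FROM = datetime(2026, 6, 6)   # baseline is everything before this point


def parse(lines):
    """Parse log lines into dicts; lines that do not match the shape are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def build_baseline(events, until):
    """Per user, the set of destinations successfully reached before `until`."""
    baseline = defaultdict(set)
    for ev in events:
        if ev["ts"] < until and ev["result"] == "success":
            baseline[ev["user"]].add(ev["dst"])
    return dict(baseline)


def detect(events, baseline, since, window=timedelta(minutes=30), fanout=3):
    """Alert on never-before-seen destinations, and on fan-out to `fanout` or
    more distinct hosts within `window`. Only successful logins count: the
    attacker here holds valid credentials, so failures are not the signal."""
    alerts = []
    recent = defaultdict(list)   # user -> [(ts, dst)] inside the sliding window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ts"] < since or ev["result"] != "success":
            continue
        user, dst, ts = ev["user"], ev["dst"], ev["ts"]
        if dst not in baseline.get(user, set()):
            alerts.append((ts, user, "first_seen_dst", dst))
        recent[user] = [(t, d) for t, d in recent[user] if ts - t <= window]
        seen_in_window = {d for _, d in recent[user]}
        recent[user].append((ts, dst))
        hosts = seen_in_window | {dst}
        # Fire once per newly added host once the window holds `fanout` hosts.
        if dst not in seen_in_window and len(hosts) >= fanout:
            alerts.append((ts, user, "fanout", sorted(hosts)))
    return alerts


def run_demo():
    events = parse(SAMPLE_LOGS.splitlines())
    baseline = build_baseline(events, DETECT_FROM)
    return detect(events, baseline, DETECT_FROM)


if __name__ == "__main__":
    for ts, user, kind, detail in run_demo():
        print(ts.isoformat(), user, kind, detail)
```

On the sample, alice's 02:10 login to files-01 is silent because it matches her baseline; the three new hosts each raise a first-seen alert, and the fan-out alert fires at the third distinct host and again at the fourth. Bob never alerts. In a real deployment the baseline would be rebuilt continuously and enriched with source, time of day and service identity, but the principle is the one the article argues for: the decision about whether a session is still trustworthy is made from its behavior, not from the fact that it authenticated.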

If you do these things well, you are practicing Zero Trust in ways that make a meaningful difference, even if you never claim to have “achieved” it.

Zero Trust has not earned its bad rap. The real culprit is how it’s been oversold. Treated as a panacea, it fails. Treated as a flexible, pragmatic framework grounded in reality, it improves resilience.

Mieng Lim

Mieng Lim is Director of Product Management at Fortra, responsible for the strategy and development of the company’s infrastructure protection solutions. She joined Fortra in 2021 when the company acquired Digital Defense, where she had held various senior management positions for over twenty years.

Mieng serves as a mentor and STEM advocate encouraging young women to pursue careers in security and technology, and volunteers with BSides San Antonio as a staff member. Mieng holds a Bachelor's Degree in Computer Science with a minor in Sociology from Trinity University.

    The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
