{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreidz5avvpzad4njqi56ol3tosbjup6mm6lsmziiypadrgcs37c2npa",
    "uri": "at://did:plc:qzjwstutqk2cy7df7jbzd2hx/app.bsky.feed.post/3mmvgaaddrrr2"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreievfb2jfcf5du7bn3wsfyxq2ycluwaa4pvp6pa4sgwph7gp7gkd2e"
    },
    "mimeType": "image/jpeg",
    "size": 3423487
  },
  "path": "/article/4176471/zero-trust-isnt-broken-but-most-companies-are-doing-it-wrong.html",
  "publishedAt": "2026-05-27T16:23:05.000Z",
  "site": "https://www.networkworld.com",
  "tags": [
    "Identity and Access Management, Network Security, Security, Zero Trust",
    "John Kindervag",
    "Accenture",
    "Gartner",
    "poked holes in zero trust",
    "Morey Haber",
    "Today in Tech episode",
    "DrZeroTrust",
    "George Finney",
    "NIST"
  ],
  "textContent": "Zero trust is 15 years old, and like many teenagers, it can feel misunderstood and underappreciated.\n\nThe concept of zero trust was first defined by John Kindervag, a Forrester analyst at the time, as a strategy to replace the outmoded perimeter security model with a “never trust, always verify” approach. But going from principle to practice isn’t easy.\n\nAccenture reports that 88% of organizations have encountered significant challenges implementing zero trust. In a recent Gartner survey, 35% of respondents who indicated that they either attempted or partially attempted a zero-trust initiative suffered failures that adversely affected their organization. “Gartner has observed numerous instances of failed zero-trust initiatives among end users who lacked a strategic and measurable plan,” the report says.\n\nAt last year’s DefCon 33 conference, U.K. security researchers from AmberWolf poked holes in zero trust by identifying potential vulnerabilities in zero-trust network access (ZTNA) offerings from three vendors. “It turns out there are no magic ZTNA beans; we’ve got the same old bug classes reimagined for a new technology stack,” said AmberWolf researcher Richard Warren. “Rather than zero trust, we’re actually putting a lot of trust into these vendors to process our data securely.”\n\nMorey Haber, author and chief security advisor at BeyondTrust, sums up the state of zero trust in 2026 this way: “We all agree: zero trust is necessary. But it’s been hard to implement.” Haber describes the gap between intention and execution as “massive” during a Today in Tech episode focused on whether zero trust is failing or just misunderstood. “It doesn’t matter what you read or which framework you follow,” Haber said during the podcast. 
“The core issue is that we have a concept with principles and tenets, but not enough guidance on how to implement it.”\n\nHere are some myths and misconceptions associated with zero trust, as well as tips on how to avoid the pitfalls and successfully implement zero trust.\n\n## Myth: Zero trust is a product\n\nEven after 15 years, there is still considerable confusion about what zero trust is. It answers to many definitions—strategy, philosophy, concept, mindset, and architecture.\n\nChase Cunningham, who bills himself as DrZeroTrust, says, “Security is not a product, but a combination of strategy, process, and execution. Zero trust is not just an architecture—it’s a mindset. There is no zero-trust product, period.”\n\nHaber agrees. “You have vendors claiming to sell ‘zero-trust’ products, which is misleading. There’s no such thing as a zero-trust product. Products implement security controls, but they don’t embody zero-trust principles.”\n\nHe cautions, “If a vendor says, ‘This remote access solution achieves zero-trust principles,’ that’s great, but I have yet to see one that delivers more than 10%-15% of the required controls.”\n\nGartner adds, “The concept of zero trust is a security approach that organizations adopt to mitigate access risks associated with networks, applications, and associated data. This is frequently overshadowed by vendor marketing, which tends to promise high expectations but often delivers suboptimal results.”\n\n## Myth: Zero trust is a technology\n\nGeorge Finney, CISO at the University of Texas and author of two books on zero trust, tells _Network World_ that zero trust is not a technology; in other words, it’s not micro-segmentation to block lateral movement by attackers; it’s not policy-based identity to control who gets access to enterprise resources. 
Those are tools and tactics that help implement zero trust.\n\nZero trust at its core is a way of thinking about risk that requires breaking down silos among security teams, networking groups, business units, compliance, and risk management functions, according to Finney.\n\nThe first pillar of zero trust, as defined by Kindervag, is identifying the highest-priority protect surfaces in the organization. Kindervag says that unless the organization has a clear understanding of what the crown jewels are, there’s no way a zero-trust project can be successful. Kindervag adds that IT doesn’t necessarily know what those high-value protect surfaces are, but business leaders do, and that’s where a zero-trust initiative should start.\n\nThe second pillar of zero trust is to map transaction flows associated with those mission-critical protect surfaces. Again, this requires coordination and collaboration with teams running key enterprise applications. This is particularly important in today’s multi-cloud environments, where a specific business process can span on-prem, edge, cloud, containers, microservices, etc.\n\n“It’s not a technology issue at the end of the day that makes it hard,” Finney says. It’s people issues, cultural issues, and politics. He recommends that organizations think holistically about securing sensitive data across all attack surfaces, including endpoints, remote users, IoT devices, LLMs, AI agents, etc.\n\nGartner adds, “It is not a product or technology-focused exercise but rather a methodology driven by the organization’s overall objective and priorities.”\n\n## Myth: Zero trust is expensive\n\nFinney says zero trust does not have to break the bank. “A lot of folks think it’s going to be too expensive, but it doesn’t have to be,” he adds. 
Here are key steps on the road to zero trust that don’t involve buying anything.\n\n**Identifying high-value protect surfaces.** This requires thinking like an attacker and pinpointing the assets that an attacker is most likely to consider valuable. Finney adds, “In a given protect surface, you might have multiple controls that all have to be working together to remove those trust relationships.”\n\n**Creating a zero-trust team.** Finney says most organizations already have governance, risk management, and compliance teams that can be brought into a comprehensive zero-trust task force that includes security and networking groups. Gartner adds, “A zero-trust strategy must be initiated at the executive level and integrated across all departments and teams.”\n\n**Education.** Education is critical, says Finney. “It’s helping folks see the big picture. It gets people out of their silos.” Finney adds that a major challenge is political, having to deal with a fragmented organization in which many stakeholders are dismissive of security because it’s not what they’re measured on. For example, application developers who are under the gun to get software out the door aren’t necessarily incentivized to bake security into their processes.\n\n**Creating a strategy.** “When I talk to boards of directors, they understand that to be successful in any part of the business, you need to have a strategy. That resonates from the top,” says Finney.\n\nIn its analysis of why zero-trust initiatives fail, Gartner says, “The lack of a business-aligned strategic plan has led to ineffective governance, miscommunication, poor risk management, minimal budget allocation, poor execution of the organizational security objectives, and inefficient use of limited resources.”\n\n**Defining an architecture.** Every organization is different, so there is no boilerplate architecture that can be applied everywhere. 
Organizations need to write a specific architecture that fits their business needs, their level of risk tolerance, their specific vertical industry, and their unique technology infrastructure.\n\n**Setting and applying policies.** Again, there is no line item associated with writing access control and identity management policies.\n\n**Leveraging existing tools.** It’s important to realize that nobody is starting from zero.\n\nMost organizations already have multi-factor authentication or single sign-on in place, they already have identity management, network management, web application firewalls, etc. The key is to integrate and align existing technology and identify gaps where new tools might be needed.\n\nSpeaking to AmberWolf’s point that attackers can always find bugs in vendor software, zero-trust advocates counter that zero trust implies defense in depth. So, even if there’s a flaw that allows an attacker to gain end-user credentials and access the network, there will be multiple security controls in place, such as incident detection, micro-segmentation, monitoring of end-user sessions, and controls that prevent access to and exfiltration of sensitive data.\n\n## Myth: Zero trust is difficult to implement\n\nZero trust doesn’t have to be hard to implement if organizations follow widely disseminated guidance provided by NIST, numerous books, webinars, podcasts, experts, consultants, and more.\n\nFinney recommends starting small and showing quick wins. Zero trust can’t be implemented all at once across a large organization; it requires a targeted, methodical strategy.\n\nThe preferred approach is to start with those high-value protect surfaces and apply tools that support the overall architecture in a coordinated, consistent, managed, and monitored fashion.\n\n“An overall strategy can deploy different tactics,” Finney says. 
“You want to think about what will have the biggest impact on your organization today.” He says organizations need to make informed data-driven decisions based on logs, metrics, and other data, while factoring in an analysis of what attackers are doing vs. the specific vulnerabilities and weak points in the organization’s defenses.\n\nGartner states: “Narrowing the scope of initiatives or projects within the zero-trust program is essential for attaining a zero-trust posture within practical and reasonable timeframes. Organizations define overly expansive future target states by incorporating an excessive number of systems, applications, use cases, or datasets in the initial phase—or by proposing overly intricate and granular policy sets. They will encounter scalability and cost challenges, along with extended project timelines.”\n\n## Myth: AI breaks ZTNA\n\nEnterprises are racing to deploy generative AI and unleash semi-autonomous AI agents. This new world of black box large language models (LLM) and non-human identities (NHI) raises concerns that zero trust is an outdated strategy that’s not up to the challenge.\n\nLeading zero-trust proponents are pushing back, however, arguing that the core principles still apply. “With AI, zero trust is more important than ever,” says Finney. “Zero trust is a strategy; we don’t change the strategy because AI came out. AI proves how important that strategy is.”\n\n“AI is not magic,” he adds. “We secure it the same way we secure everything else. We integrate it into the tech stack and monitor it.”\n\nKindervag, currently chief evangelist at Illumio, concurs. “AI doesn’t change the fundamentals of zero trust. It reinforces them. Zero trust is the strategy that allows you to safely embrace AI. Without strict segmentation, policy enforcement, and control over data flows, AI becomes another soft and chewy center waiting to be exploited.” He adds, “You don’t need a new security strategy for AI. You just need to apply the right one. 
That’s zero trust.”\n\n## Myth: There’s no way to measure success\n\nAny project that seeks support from the board and C-suite needs to be able to justify itself through some sort of metrics. Zero trust is no exception, but how do you measure “not getting hacked?”\n\nGartner says teams should use outcome-driven metrics that link zero-trust initiatives directly to business objectives. “It’s crucial to focus on schedule adherence, cost discipline, and control effectiveness,” says Gartner. “Focus on outcomes like reduced breach incidents, improved compliance rates, and enhanced operational efficiency. Additionally, identify specific risks, such as lateral movement, data breaches, account takeovers, and insider threats, which are essential to drive value, and organizations can better justify investments and drive continuous improvement.”\n\n## Myth: Zero-trust projects have a completion date\n\n“Zero trust is more about the journey than the destination,” Finney says. He points out that organizations are constantly growing and changing. At the same time, attackers are evolving. “Zero trust is a strategy. You’re never done with a strategy,” he adds.\n\nKindervag’s final pillar of zero trust is to monitor and maintain. In other words, organizations need to be actively monitoring to make sure that access control policies are not being violated. And the zero-trust implementation needs to keep pace with changing business needs.\n\nAnd since zero trust calls for organizations to focus on the highest value protect surfaces first, there are always additional protect surfaces that can be added under the zero-trust umbrella.\n\nWhen Finney looks back on how things have evolved over the past 15 years, he is encouraged by the fact that tools have improved dramatically. Teams can now apply AI and machine learning to functions like anomaly detection or incident detection and response. 
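The pillars the article draws from Kindervag and Finney (identify the protect surface, map its transaction flows, write policy against them, then monitor that the policy is not being violated) and the defense-in-depth argument above against stolen credentials can be shown in a few dozen lines of code. The following is an added example, not code from the article or from any vendor or expert it quotes; the protect surface, segments, identities, addresses and posture rules are hypothetical, and the access events are constructed rather than real logs.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example. The protect surface (a payments database), the
# segments, identities, addresses and posture rules below are hypothetical.
PROTECT_SURFACE = 'payments-db'

# Segments that micro-segmentation places the workloads into.
SEGMENTS = {
    'app-tier':   ip_network('10.10.0.0/24'),
    'admin-jump': ip_network('10.20.0.0/28'),
    'user-lan':   ip_network('10.30.0.0/16'),
}

@dataclass(frozen=True)
class Flow:
    src_segment: str
    identity: str
    dst: str
    port: int

# The mapped transaction flows for this protect surface. Anything not in this
# set is unmapped and is denied regardless of the credentials it presents.
MAPPED_FLOWS = {
    Flow('app-tier',   'svc-payments-api', PROTECT_SURFACE, 5432),
    Flow('admin-jump', 'dba-oncall',       PROTECT_SURFACE, 5432),
}

# Per-identity requirements checked on every request (never trust, always
# verify): a workload identity must run on a managed host; a human admin
# additionally needs MFA.
IDENTITY_POLICY = {
    'svc-payments-api': {'mfa': False, 'device_managed': True},
    'dba-oncall':       {'mfa': True,  'device_managed': True},
}

def segment_of(ip: str) -> str:
    # Map a source address to its segment; addresses outside every segment
    # get no segment and therefore match no mapped flow.
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return 'unknown'

def decide(event: dict) -> tuple[str, str]:
    # Default deny: allow only if the flow is mapped and the identity
    # satisfies its posture requirements. Returns (verdict, reason).
    ident = event['identity']
    seg = segment_of(event['src_ip'])
    flow = Flow(seg, ident, event['dst'], event['port'])
    if flow not in MAPPED_FLOWS:
        return 'deny', f'unmapped flow {seg}/{ident} -> {flow.dst}:{flow.port}'
    rules = IDENTITY_POLICY[ident]
    if rules['mfa'] and not event.get('mfa', False):
        return 'deny', f'{ident} requires MFA'
    if rules['device_managed'] and not event.get('device_managed', False):
        return 'deny', f'{ident} requires a managed device'
    return 'allow', f'mapped flow {seg}/{ident} -> {flow.dst}:{flow.port}'

def violations(events: list[dict]) -> list[tuple[dict, str]]:
    # Monitor and maintain: run the policy over access events and return the
    # ones that violate it, for alerting and for refining the flow map.
    return [(e, reason) for e in events
            for verdict, reason in [decide(e)] if verdict == 'deny']

# Constructed access events: two legitimate transactions, then a valid admin
# credential used from the user LAN, an admin session without MFA, and the
# API identity probing SSH on the database host.
SAMPLE_EVENTS = [
    {'identity': 'svc-payments-api', 'src_ip': '10.10.0.5', 'dst': 'payments-db',
     'port': 5432, 'device_managed': True},
    {'identity': 'dba-oncall', 'src_ip': '10.20.0.3', 'dst': 'payments-db',
     'port': 5432, 'mfa': True, 'device_managed': True},
    {'identity': 'dba-oncall', 'src_ip': '10.30.4.7', 'dst': 'payments-db',
     'port': 5432, 'mfa': True, 'device_managed': True},
    {'identity': 'dba-oncall', 'src_ip': '10.20.0.3', 'dst': 'payments-db',
     'port': 5432, 'mfa': False, 'device_managed': True},
    {'identity': 'svc-payments-api', 'src_ip': '10.10.0.5', 'dst': 'payments-db',
     'port': 22, 'device_managed': True},
]

if __name__ == '__main__':
    for event, reason in violations(SAMPLE_EVENTS):
        print('DENY', event['identity'], event['src_ip'], reason)
```

The third event is the case the defense-in-depth argument above is about: the admin credential is genuine and MFA was completed, yet the request is denied because the user LAN to the payments database is not a mapped flow. The flow map, not the credential, is doing the work there. The denied events are also the raw material for the monitor-and-maintain pillar: a denial that turns out to be a legitimate new business process means the flow map needs updating, while one that does not is an incident.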
There are now ways to automate tasks like network monitoring or policy enforcement.\n\n“Overall, I’m feeling guardedly optimistic,” Finney says, “but the work is not done. We need to continue to make strides.”",
  "title": "Zero trust isn’t broken, but most companies are doing it wrong"
}