Zero trust isn’t a feature, it’s a philosophy

September 17, 2025

Zero trust isn't as bulletproof as you think.
(Credits: JLStock)

For years, zero trust has been heralded as the cure-all for cybersecurity woes. Every vendor slapped the label onto their product, from firewalls to identity management systems to cloud access brokers. Magazines ran glowing features promising that once organizations embraced “Never trust, always verify,” ransomware would vanish and insiders would be neutralized. Chief information security officers (CISOs) eagerly inserted it into PowerPoints.

But a decade of hype later, the reality is stark: breaches continue unabated, costs skyrocket, and organizations remain just as vulnerable as ever. Zero trust, once hailed as a revolution, now looks more like failed security as usual.

When zero trust falls short

You need look no further than DEF CON 2025, where AmberWolf UK security researcher David Cash reported that “Rather than being never trust, always verify, we found it was more, ‘always trust, never verify.’”

Specifically, Cash said AmberWolf found critical vulnerabilities across Check Point, Zscaler, and Netskope. The three top problems were authentication bypasses, credential storage failures, and cross-tenant exploitation. In a word, it was “ugly.”

Others, however, think that the problem isn’t so much with zero trust itself, but how it’s implemented. I asked executives across the security landscape for their thoughts on zero trust. As you might imagine, they had a lot to say. Chris Wallis, founder of the security company Intruder, kicks things off.

“They found some software designed to enforce other zero trust principles have security weaknesses (like any software can – just because one firewall has a flaw doesn’t mean firewalls don’t exist), or even some deeper architecture flaws. The research isn’t saying zero trust can’t exist in practice; it’s just saying be careful what exactly you buy and how it works. As with anything in security, there’s no silver bullet, and buying software only gets you so far.”

That’s an excellent point. Hyperproof CISO Kayne McGladrey observed, “The zero trust concept itself isn’t broken – it’s more about how it’s being implemented in practice.” From where McGladrey sits, the real issues seem to be:

  • Organizations often treat zero trust as a product to be bought and installed, rather than as a complete shift in their security mindset.
  • Rollouts often stall or go wrong because leadership only wants to check the “zero trust” box.
  • Legacy systems don’t work well with modern authentication methods.
  • Skills gaps: Many teams lack the expertise to implement zero trust properly.

He concluded, “I’ve noticed the vendor drama (like the Zscaler issue with customer data) gets lumped into ‘zero trust problems’ when it’s more nuanced, and often represents vendor-specific flaws or vulnerabilities. That’s not fair to the overall approach.”

Zero trust isn’t just a thing you can buy

Still, what’s a customer to do who “buys” a zero-trust solution that isn’t trustworthy? As Bert Kashyap, SecureW2 CEO, commented, “The research out of DEF CON highlights a deeper issue. It’s not that the idea of zero trust is flawed. It’s that most ZTNA products implement it in a way that puts too much faith in vendor infrastructure and client-side controls. What’s marketed as ‘never trust, always verify’ often ends up being ‘trust what we say is compliant and don’t ask too many questions.’”

That said, as Nicholas DiCola, VP of customers at the network security company Zero Networks, summed it up nicely, “Recent reports that zero trust is a failure miss the point; the problem isn’t the concept, it’s the implementation. The DEF CON/AmberWolf findings exposed what happens when zero trust is treated as hype instead of discipline – weak posture checks, trust assumptions, and lack of control over lateral movement.”

These are all excellent points. Zero trust was never a single technology. It’s an architectural philosophy: Authenticate every user, validate every device, authorize every access. On paper, it made sense. In practice, uh, not so much.

To do zero trust right, Stephen Christiansen, principal security consultant at Stratascale, explained, “It requires very careful planning. You need to start with a comprehensive assessment of your organization’s legacy platforms (systems, applications, data) that need to be protected. Then you prioritize based on the complexity of those systems, starting with the least critical, where you can test out the new models.”

All too often, though, instead of re-engineering every business security process, what emerged was zero trust in PowerPoint, not in operations.

It also doesn’t help that all too many security companies rebranded their existing tools with a zero trust label. VPNs became “zero-trust gateways,” identity management became “zero-trust access,” and firewalls morphed into “zero-trust enforcement points.” The result? More confusion than clarity. If any of this reminds you of the recent wave of “AI this, AI that” rebranding, it should.

So what can you trust?

If you’re unsure of what to do, the National Institute of Standards and Technology (NIST) recently published new guidance on implementing zero-trust architecture. I highly recommend anyone considering putting zero trust to work study NIST SP 1800-35: Implementing a Zero Trust Architecture. It will do you more good than reading yet another zero trust marketing white paper.

Like AI, zero trust promises certainty in an uncertain world. But security is never absolute; it’s about managing risk.

As Roei Sherman, head of Mitiga Labs, the research and innovation division at cloud security company Mitiga, explained, “The concept of zero trust still matters. It’s one of the few models designed for a perimeter-less world. But making it real requires more than marketing slides. It needs layered defenses: hardened identity and access controls, resilient detection and response across cloud and SaaS, continuous monitoring, and independent validation of vendor claims. Without those guardrails, zero trust isn’t protecting you — it’s just giving a false sense of security.” Exactly so.

Besides, even properly implemented zero trust isn’t everything you need. Chris Hills, Chief Security Strategist at identity management company BeyondTrust, warned, “Zero trust is not enough. Threat actors are leveraging AI to manipulate identities, voice, video, and biometrics.”

Hills continued, “Organizations will also confuse the adoption of least privilege with zero trust, which is a huge mistake. Organizations need to embrace not only least privilege, but also zero trust in order to just keep up with some of the threat actors and even limit the exposure should they be infiltrated.”

In short, zero trust is not a bust. It’s one more tool in your security toolbox, and you must learn to use it properly so your company doesn’t end up in the headlines as another business brought down by a major security breach. After all, you, not your security vendor, are ultimately responsible for securing your business properly.

Will that be a lot of work? Yes, yes, it will. But, it’s worth it.

Steven Vaughan-Nichols
Steven J. Vaughan-Nichols is a freelance writer and technology analyst. Besides Spiceworks, he works with ZDNet, Foundry (Formerly IDG Communications), The Register, The New Stack, and Cathey Communications. He does not own stocks or other investments in any technology company.