Years ago I sat in a conference room with a security/infrastructure team that genuinely believed their VPN deployment had eradicated their remote-access security problem. Three weeks later, a compromised contractor laptop worked its way through their internal network and reached finance systems that a vendor laptop should never have been able to access.
That incident changed the nature of every security discussion in the company. Almost overnight, Zero Trust Security stopped looking like another Gartner buzzword and started looking like a survival tool.
The frustrating part is that this was not some high-tech strategy from an advanced nation-state. The attacker used valid credentials that carried far too many permissions and traversed numerous trusted internal systems, relying on the assumption that anything inside the network boundary should be trusted. I’ve seen this very same error in manufacturing, SaaS, logistics and even healthcare providers running expensive enterprise security stacks.
The market has taken notice. Gartner has championed the idea of an “identity-centric security architecture” for years, and Microsoft has significantly extended its Zero Trust maturity guidance across the identity, endpoint, application and data layers. Meanwhile, IBM’s 2024 Cost of a Data Breach report showed that breaches involving compromised credentials remained among the most costly for enterprises. That matters because, even if the figure has come down, the painful reality remains: attackers no longer need to “break in” when organizations are still too trusting of authenticated users.
Even among the companies that are taking this step, most still do not understand what they are taking on.
Buying more security tools will not fix your trust problem
I’ve seen companies invest millions of dollars in cybersecurity products while leaving the same trust assumptions underneath all of them.
One organization I worked with had:
- Palo Alto firewalls
- CrowdStrike endpoint protection
- Okta identity management
- Microsoft Defender
- expensive SIEM infrastructure
Yet once a user had authenticated successfully over the VPN, wide internal access was still easy to obtain.
The equipment was up to date. The architecture, however, was not.
Not that vendors are unaware of this.
The basic principle of Zero Trust Security is “untrusted until continuously verified” instead of the traditional “trusted until suspicious.” That is easy to say on a PowerPoint slide. In reality it quickly turns into a mess because of the legacy systems, undocumented access dependencies, shadow IT and internal politics between teams that exist in every enterprise environment.
In real-world implementations, security teams typically discover the same disconcerting fact: they do not know all of their own identity relationships.
That realization alone can delay projects by months.
I remember a retail business where the IAM team identified over 1200 dormant service accounts left behind by automation processes that were no longer needed, and nobody was sure what would break if they were disabled. Some of those accounts still had privileged access to the database.
No human had touched them in years.
That is the point at which a Zero Trust initiative either succeeds as a genuine transformation or turns into a marketing campaign.

Why Zero Trust Security projects fail in the first year
99% of failures are not technical.
They are operational and organizational.
A common first approach is to start with segmentation policies and clean up identity governance afterwards. Users then lose access to systems that had only been reachable through an overly permissive trust model, and teams come under heavy pressure to grant temporary exceptions.
Temporary exceptions turn into permanent architecture.
I have seen this happen many times.
The best implementations typically start with identity visibility rather than network restrictions. In its enterprise Zero Trust recommendations, Microsoft is similarly adamant about the importance of identity verification, conditional access and least-privilege controls in the cloud.
Then there is the monetary aspect, which companies often overlook when discussing security. The initial cost of a Zero Trust deployment is high because a number of things must be addressed, including:
- access reviews
- policy redesign
- endpoint compliance enforcement
- authentication modernization
- application dependency mapping
CFOs see security spending rise before they see risk exposure fall.
That puts a premium on proving value quickly.
One manufacturing customer handled this well. Rather than pitching the project purely as cybersecurity modernization, they framed it around reducing cyber insurance exposure and being better prepared for third-party audits. The framing shifted in the blink of an eye, as finance leaders began to see how security controls tied to tangible business results.
When the finance department can see the financial case, security architecture discussions become a lot easier.
The counterintuitive reality nobody mentions
Here is the part that catches many IT teams off guard.
Deployed incorrectly, a strict Zero Trust environment can actually be the first step towards making security less visible.
That may sound backwards, but I have seen it happen.
Teams become so focused on blocking lateral movement and tightening segmentation that they end up disrupting logging flows, monitoring integrations or internal telemetry collection between systems. A healthcare provider I worked with had endpoint logs dropped from their SIEM pipeline during overnight maintenance windows because of segmentation rules that had been created without anyone intending that effect.
They made the network harder for attackers to move through, and at the same time reduced their own visibility into attacks.
Hence, in mature implementations, observability is part of the architecture rather than a monitoring layer added later.
That is a far more intelligent approach than the one taken by many businesses that copied Google’s idea superficially. Google put strong emphasis on device trust, identity validation and contextual access without compromising operational usability. The lesson most organizations fail to learn is that Zero Trust is not a technology centered on blocking traffic. It is about building high-confidence verification into every access decision without drowning productive work.
It is not as easy as vendor diagrams make it look.
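As an added illustration of the observability point (my own code, not from the original post), the following constructed script checks a SIEM ingestion timeline for endpoints that went silent during a maintenance window, the symptom the healthcare example above describes. The source names, timestamps and the 15-minute reporting interval are assumptions.

```python
from datetime import datetime, timedelta

# Constructed SIEM ingestion records: (source host, event timestamp).
# Endpoints are assumed to report every 15 minutes. "ep-02" stops reporting
# partway through the window (the kind of gap a segmentation rule blocking a
# log forwarder produces) and "ep-03" never reports at all.
SAMPLE_EVENTS = [
    ("ep-01", "2024-03-01T22:00:00"), ("ep-01", "2024-03-01T22:15:00"),
    ("ep-01", "2024-03-01T22:30:00"), ("ep-01", "2024-03-01T22:45:00"),
    ("ep-01", "2024-03-01T23:00:00"),
    ("ep-02", "2024-03-01T22:00:00"), ("ep-02", "2024-03-01T22:15:00"),
    ("ep-02", "2024-03-01T23:00:00"),
]
EXPECTED_SOURCES = ["ep-01", "ep-02", "ep-03"]


def find_silent_sources(events, window_start, window_end, expected_sources,
                        expected_interval_min=15, tolerance=2.0):
    """Return {source: longest_gap_minutes} for every expected source whose
    longest silence inside the window exceeds tolerance * expected interval.
    The window edges are added as bracket points so a source that stops
    reporting, or never reports, is measured against the window itself."""
    start = datetime.fromisoformat(window_start)
    end = datetime.fromisoformat(window_end)
    max_gap = timedelta(minutes=expected_interval_min * tolerance)

    seen = {src: [] for src in expected_sources}
    for src, ts in events:
        t = datetime.fromisoformat(ts)
        if src in seen and start <= t <= end:
            seen[src].append(t)

    silent = {}
    for src, times in seen.items():
        points = [start] + sorted(times) + [end]
        longest = max(b - a for a, b in zip(points, points[1:]))
        if longest > max_gap:
            silent[src] = longest.total_seconds() / 60
    return silent


if __name__ == "__main__":
    gaps = find_silent_sources(SAMPLE_EVENTS, "2024-03-01T22:00:00",
                               "2024-03-01T23:00:00", EXPECTED_SOURCES)
    for src, minutes in sorted(gaps.items()):
        print(f"{src}: silent for {minutes:.0f} min, check segmentation rules")
```

Run against live ingestion metadata, a check like this turns a silent endpoint into an alert instead of a surprise during the next incident.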
What mature enterprise deployments actually look like
The most effective deployments I’ve seen share the following attributes:
First, they aggressively limit standing privileges. Users are not granted permanent elevated access; they receive temporary elevation when they need it. This is why products such as Microsoft Entra ID Privileged Identity Management and CyberArk have come into the spotlight in many enterprise deployments.
Second, endpoint posture becomes non-negotiable.
An authenticated user on a compliant corporate device does not receive the same level of access as someone on an unmanaged or outdated device. CrowdStrike, Microsoft Defender for Endpoint and VMware Workspace ONE are popular options here because they feed compliance data directly into conditional access policies.
Third, application-level access replaces network-level trust wherever possible.
It’s an important move.
In traditional VPN implementations, parts of the internal network are exposed once a user authenticates. Modern Zero Trust Network Access (ZTNA) platforms such as Zscaler Private Access and Palo Alto’s Prisma Access instead broker the user directly to approved applications without exposing any broader network visibility.
This is particularly crucial in credential compromise scenarios.
Verizon’s Data Breach Investigations Report found that credential abuse remains a significant component of enterprise incidents. Whether lateral movement is restricted after credentials have been stolen makes a significant difference to the outcome of a breach.
That is not theoretical security language. It affects the cost of downtime, the difficulty of recovery and exposure to legal liability.
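To make the three attributes concrete, here is an added example (my own code, not the post’s or any vendor’s) of a per-application access decision that combines time-bound role elevation, device posture and application-level brokering, and shows why a valid but stolen credential on an unmanaged device gets no further. The application names, role names and policy fields are assumptions.

```python
from datetime import datetime

# Constructed per-application policy (hypothetical names). There is no
# entry for "the network": anything not published here is simply unreachable,
# which is the difference between a ZTNA broker and a VPN.
APP_POLICY = {
    "finance-erp": {"roles": {"finance-admin"}, "compliant_device": True},
    "hr-portal":   {"roles": {"hr", "hr-admin"}, "compliant_device": True},
    "wiki":        {"roles": {"employee"}, "compliant_device": False},
}


def active_roles(request, now):
    """Standing roles plus just-in-time elevations that have not expired."""
    roles = set(request["standing_roles"])
    for role, expires_at in request.get("elevations", []):
        if datetime.fromisoformat(expires_at) > now:
            roles.add(role)
    return roles


def evaluate_access(request, now_iso, policy=APP_POLICY):
    """Return (allowed, reason) for one brokered application request."""
    app = policy.get(request["app"])
    if app is None:
        return False, "application not published to the broker"
    if not request["mfa_passed"]:
        return False, "mfa required"
    if app["compliant_device"] and not request["device_compliant"]:
        return False, "device not compliant or unmanaged"
    now = datetime.fromisoformat(now_iso)
    if not active_roles(request, now) & app["roles"]:
        return False, "no active role for application"
    return True, "allowed"


# Constructed scenario modelled on the contractor-laptop story at the top:
# valid credentials, MFA satisfied, but an unmanaged device asking for the
# finance application while a time-boxed finance-admin elevation is active.
STOLEN_CRED_REQUEST = {
    "app": "finance-erp", "mfa_passed": True, "device_compliant": False,
    "standing_roles": ["employee"],
    "elevations": [("finance-admin", "2024-06-01T18:00:00")],
}
```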
Here is what I would do in the first 30 days
Most businesses attempt a complete redesign.
That is a mistake.
If I were leading a new implementation today, I would focus on four key actions during the first month before introducing any aggressive segmentation policies.
Build a real access inventory
Not the spreadsheet someone updated eight months ago.
I mean a verified inventory of:
- privileged accounts
- service accounts
- SaaS integrations
- dormant identities
- third-party vendor access
- unmanaged endpoints
You cannot enforce least privilege against systems you do not fully understand.
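As an added example (not from the original post), here is how the inventory above can be triaged in code: a constructed set of identity records is scored on the findings that matter most to a Zero Trust cleanup, so that dormant privileged service accounts, like those in the retail example earlier, come out on top. The record fields, the 90-day dormancy threshold and the weights are assumptions.

```python
from datetime import datetime, timedelta

# Constructed identity records (hypothetical; not from any real directory).
INVENTORY = [
    {"id": "svc-etl-legacy", "type": "service", "privileged": True,
     "owner": None, "last_sign_in": "2023-01-10", "vendor": False},
    {"id": "svc-backup", "type": "service", "privileged": True,
     "owner": "infra-team", "last_sign_in": "2024-05-29", "vendor": False},
    {"id": "jdoe", "type": "user", "privileged": False,
     "owner": "jdoe", "last_sign_in": "2024-05-30", "vendor": False},
    {"id": "acme-vendor-admin", "type": "user", "privileged": True,
     "owner": "procurement", "last_sign_in": "2024-02-01", "vendor": True},
    {"id": "svc-reporting-old", "type": "service", "privileged": False,
     "owner": None, "last_sign_in": "2022-08-15", "vendor": False},
]

# Assumed weights: each finding adds risk, and dormant + privileged together
# is the combination that most often survives unnoticed for years.
WEIGHTS = {"dormant": 2, "privileged": 3, "unowned": 2,
           "third-party": 1, "dormant-privileged": 3}


def triage_inventory(records, as_of, dormant_days=90):
    """Return records annotated with findings and a risk score, highest first."""
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=dormant_days)
    triaged = []
    for r in records:
        findings = []
        if datetime.fromisoformat(r["last_sign_in"]) < cutoff:
            findings.append("dormant")
        if r["privileged"]:
            findings.append("privileged")
        if r["owner"] is None:
            findings.append("unowned")
        if r["vendor"]:
            findings.append("third-party")
        if "dormant" in findings and "privileged" in findings:
            findings.append("dormant-privileged")
        score = sum(WEIGHTS[f] for f in findings)
        triaged.append({"id": r["id"], "score": score, "findings": findings})
    return sorted(triaged, key=lambda t: (-t["score"], t["id"]))


def disable_review_candidates(triaged):
    """Dormant privileged accounts: disable only after mapping what depends on them."""
    return [t["id"] for t in triaged if "dormant-privileged" in t["findings"]]
```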
Turn on conditional access gradually
Start with a small pilot group, enforce MFA there and detect risky sign-in attempts within that group.
One financial services client tried a company-wide rollout straight away and locked out executives travelling internationally because its identity-risk detection was too sensitive. The rollback took hours and cost the project credibility inside the company.
Pilot groups exist to prevent that kind of political damage.
Identify applications that should never touch the open internet
This list is usually longer than teams expect.
Internal administrative portals, operational databases, backup consoles and legacy ERP interfaces are often reachable from outside without many people being aware of it.
Restricting that exposure delivers quick risk reduction.
Measure user friction honestly
Security teams sometimes make the big mistake of assuming friction does not exist.
It absolutely matters.
Once engineers start working around controls through non-approved routes, the architecture is already in trouble. Mature security programs measure both risk reduction and usability.
That balanced viewpoint is what distinguishes successful deployments from security theater.
Our coverage of hybrid identity governance and enterprise AI infrastructure security expands on many of the access-control dependencies highlighted here, for those working through a broader cloud modernization.

Legacy infrastructure is where the real pain begins
Cloud-native businesses tend to adapt more easily because they are already largely identity-centric.
Businesses that have been around for a while are not.
Legacy business applications and operational technology systems often lack granular identity enforcement, especially in manufacturing plants, logistics networks, hospitals and financial institutions. In one project, I worked with a distribution company whose internal applications still authenticated with hard-coded service credentials shared across multiple departments.
A place like that does not just “turn on” Zero Trust.
It requires careful workflow redesign with minimal business impact.
This is also where many cybersecurity vendors’ ideas (and optimism) get skewed in the sales process. Product demos rarely show the complexity of mixed environments with:
- Active Directory
- legacy ERP systems
- Linux workloads
- cloud SaaS platforms
- unmanaged contractor devices
- industrial systems
All of the burden of implementing falls on the enterprise team, not the vendor.
Many CISOs are unhappy about that disconnect between marketing and what it actually takes to keep the business running.
Zero Trust Security is becoming a business resilience issue
A few years ago these could be treated as modernization projects.
Now is the time to act before it’s too late.
Board-level discussions increasingly tie together operational continuity, cyber insurance requirements, third-party contract eligibility and regulatory exposure, and a lack of cyber maturity has negative consequences across all of those areas. Enterprises that handle sensitive data, such as healthcare, financial or infrastructure data, now face an extreme degree of scrutiny of their identity controls and lateral movement protection.
That certainly changes the tone of budgeting discussions.
Early adopters of more advanced Zero Trust Security configurations are not just lowering their breach risk; they are saving money as well. They also tend to gain better:
- vendor trust
- compliance positioning
- customer confidence
- cyber insurance negotiations
- merger and acquisition readiness
That last one is important, and many do not pay attention to it. Weak identity governance and widespread implicit trust relationships inside an organization have become a significant concern in a buyer’s acquisition due diligence.
Security architecture now increasingly influences enterprise valuation.
That shift was only natural.
Conclusion
Having gone through several enterprise deployments, I no longer believe the biggest challenge of implementing Zero Trust is technical. The hardest part is convincing organizations that they already place a great deal of trust in their environment; it is simply implicit.
That realization makes people uneasy because it forces them to confront years of decisions made for convenience.
Businesses waiting for a “perfect” implementation roadmap are most likely waiting too long. The companies making steady progress today are not the ones striving for theoretical perfection. They are the ones continually cutting unneeded trust relationships, making identities more visible, and recognizing that security architecture is now an inherent part of business resilience.
The question your leadership team should be asking at this point is probably “why not implement Zero Trust Security?” The real question is whether they still believe perimeter trust models apply to their current enterprise systems.
Author Bio
Talha Qureshi is an enterprise technology analyst and blogger with over a decade of hands-on experience across cybersecurity, cloud infrastructure, B2B SaaS, and enterprise AI. He writes about the gap between how enterprise technology is marketed and how it actually performs in real organizational environments.