
Danny Lopez at Glasswall looks at the security risks associated with zero trust and how to address them
Zero trust is based on the “never trust, always verify” principle that, by default, no user, device or application should be trusted, regardless of where it sits on the network. Instead, access is continuously verified to limit the risk of unauthorised activity and prevent lateral movement after a breach. The model has gained significant global support in recent years, with the U.S. government formally adopting it as a national security priority and the UK, among others, following suit.
But while zero trust represents a positive shift in security strategy, it’s no silver bullet. Success depends on how well it’s implemented and how effectively the broader security environment supports it. Gaps in coverage, inconsistent policies and poor security hygiene can all weaken its impact, with all-too-familiar consequences.
Deploying zero trust across a complex IT estate is no small task. For a start, implementation can require a significant infrastructure overhaul, which brings the risk of misconfigurations and architectural mismatches that introduce new vulnerabilities when the intention is to remove them.
Even where deployment is successful, weaknesses in identity and access management can persist, with attackers continuing to exploit poor multi-factor authentication and weak credential policies to bypass controls. Without robust, continuously monitored identity measures in place, the idea of “never trust, always verify” quickly loses its meaning.
Performance is another common concern. The continuous verification required by a zero trust approach can introduce latency, disrupt workflows and cause friction for users, particularly in high-frequency access environments. While these issues can be addressed through intelligent policy design and adaptive authentication, they remain a frequent pain point for IT and security teams trying to balance protection with productivity.
Then there are the challenges associated with hybrid and multi-cloud environments. For instance, maintaining consistent access controls, visibility and monitoring across multiple platforms, each with its own authentication standards and APIs, is difficult. Legacy systems further complicate the picture, not least because many were never designed with cloud integration or zero trust principles in mind. This can create potential security gaps that are hard to close without significant investment or workarounds.
There are also issues that arise from broader operational practices. Outdated access controls, weak policy hygiene, and poor patching discipline can all dilute the effectiveness of zero trust. When security hygiene is neglected, zero trust becomes just another layer of complexity rather than a genuine improvement.
Even at the endpoint, zero trust has its limitations. Malicious files embedded in PDFs, Office documents and email attachments remain a highly effective route into protected environments. These threats often go undetected by traditional reactive security tools, such as antivirus and sandboxing, which rely on known signatures or behaviour patterns. As a result, attackers can bypass multiple controls and deliver payloads undetected, especially when trust decisions are being made based on incomplete information.
The cumulative impact of these issues can expose users to additional security vulnerabilities and, on a general level, risks eroding confidence in the zero trust model itself. Understanding these friction points is essential not just for managing deployment, but for identifying where optimisation efforts must focus to deliver long-term value.
Indeed, effective zero trust requires a grounded, methodical approach that translates its core principles into day-to-day processes. Strengthening identity and access management is a natural starting point because, by enforcing least-privilege access and layering strong multi-factor authentication with behavioural monitoring, organisations can dramatically reduce the likelihood of unauthorised access, even if credentials are compromised. Context-aware access controls that adapt to location, device health and user behaviour can also improve security while easing the burden on legitimate users at the same time.
Herein lies an important point: to avoid undermining productivity, continuous verification processes need to be optimised to minimise disruption. That means replacing one-size-fits-all policies with intelligent, risk-based decision-making that only prompts for reauthentication when necessary. Equally important is the need to bring legacy and hybrid systems properly under the zero trust umbrella. Where full integration isn’t possible, techniques such as segmentation can help reduce exposure and apply consistent controls across disparate environments. These measures ensure that older platforms, often business-critical, do not become weak links in an otherwise strong zero trust perimeter.
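To make the contrast between one-size-fits-all and risk-based reauthentication concrete, the sketch below runs both policies over the same constructed traffic. It is an added illustration, not code from the article or from Glasswall, and every signal name, weight, threshold and sample value in it is an assumption.

```python
from collections import Counter
from dataclasses import dataclass

# All signal names, weights and thresholds here are illustrative assumptions.
@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    known_location: bool   # location previously seen for this user
    device_healthy: bool   # device passed posture checks
    anomaly: float         # behavioural anomaly, 0.0 (typical) to 1.0 (unusual)
    mfa_age_min: int       # minutes since the last successful MFA

ENTITLEMENTS = {"alice": {"payroll", "wiki"}, "bob": {"wiki"}}  # least privilege
SENSITIVE = {"payroll"}  # resources with a shorter MFA freshness window

def risk_score(req: Request) -> float:
    score = 0.3 * req.anomaly
    score += 0.0 if req.known_location else 0.3
    score += 0.0 if req.device_healthy else 0.4
    return round(score, 2)

def risk_based(req: Request) -> str:
    if req.resource not in ENTITLEMENTS.get(req.user, set()):
        return "deny"      # no grant, no access, whatever the risk
    score = risk_score(req)
    if score >= 0.7:
        return "deny"      # too risky even with fresh MFA
    max_age = 60 if req.resource in SENSITIVE else 480
    if score >= 0.3 or req.mfa_age_min > max_age:
        return "step_up"   # prompt only when context warrants it
    return "allow"

def one_size_fits_all(req: Request) -> str:
    # Baseline: every entitled request is re-prompted, context ignored.
    entitled = req.resource in ENTITLEMENTS.get(req.user, set())
    return "step_up" if entitled else "deny"

def tally(policy, requests) -> Counter:
    return Counter(policy(r) for r in requests)

SAMPLE = [  # constructed sample traffic, not real data
    Request("alice", "wiki", True, True, 0.1, 30),
    Request("alice", "payroll", True, True, 0.0, 120),
    Request("alice", "payroll", False, True, 0.2, 10),
    Request("bob", "payroll", True, True, 0.0, 5),
    Request("bob", "wiki", False, False, 0.5, 15),
    Request("bob", "wiki", True, True, 0.0, 200),
]
```

On this sample the blanket policy prompts five times and still lets the request from an unhealthy device in an unfamiliar location through to a prompt, while the risk-based policy prompts twice and denies that request outright.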
Collectively, this can leave organisations with a lengthy to-do list, but the risks are now so pervasive that zero trust is quickly becoming a must-have for security leaders, particularly those working within large organisations. As JPMorgan Chase revealed last year, the bank blocks around 45 billion network connection attempts each day, and even with 62,000 technologists on their team, the challenge is enormous. In this context, zero trust has a big role to play in putting organisations in the firing line back in full control of their security.
Danny Lopez is CEO of Glasswall
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543