Why you can’t buy a zero-trust silver bullet


As businesses evolve to adopt more cloud services, remote working and bring your own device (BYOD) practices, they are creating new attack surfaces that need new security measures. The traditional perimeter security model of “trusted inside” versus “untrusted outside” no longer exists.

About the author

Tris Morgan, Director of Security Advisory Services at BT.

This has led to the significant adoption of zero-trust – an approach whereby you assume that all application access is potentially malicious or undesirable. But zero-trust is a misnomer. It’s often spoken about as if there’s an endgame or ideal outcome, but it’s a long-term, collaborative journey.

Businesses need to better understand what zero-trust is before putting their hands in their pockets and investing. Despite the hype from many vendors, it’s not a one-stop shop, but instead an approach that needs to be adaptable to organizational and technological change. To channel the right expertise and resources into areas and projects that make the most difference, organizations need to transcend this buzzword and prepare themselves for the realities of a perimeter-less IT environment.

Overcome the hype

The buzz around zero-trust is understandable, but the principle of never trusting and always verifying has been debated for decades. However, it’s only now that this theoretical model is becoming a reality. Zero-trust fits modern cyber security requirements - instead of trying to police all the borders and paths across a network, security teams can create islands of applications and data that can be protected in a much more focused way. 

This approach is certainly the best form of defense in a multi-attack vector environment. Businesses can monitor precisely who and what is accessing their network. It goes beyond simple criteria such as source IP address or username to answer questions such as: who is accessing your data? Where are they coming from? What applications do they want to use and when do they want to access them? How do they want to connect to the applications? What’s more, it also helps organizations understand how adopting new technologies like the Internet of Things (IoT) and SD-WAN affects their risk.

The problem, though, is that the cybersecurity arms race keeps businesses buying unnecessarily. Because zero-trust is being misused in the industry, organizations believe they can achieve it by buying multiple products from vendors and often fall into the trap of falsely assuming they have reached their end goal of zero-trust once they’ve made the investment.

This is why zero-trust needs to be better defined. What businesses must understand is that zero-trust is enabled by vendors, rather than being provided by them. It’s not something you can buy off the shelf once – it’s an ongoing, phased concept that encompasses technology and people, and adapts as a business evolves.

There’s no easy ON button for zero-trust

So, what’s the starting point? Begin small. Making the move to zero-trust is a multi-phase, multi-year project. Large, established companies often develop substantial, complex applications but are unable to gain visibility into how they are used. Starting with a smaller, less complex application or a service that is known and understood will enable businesses to learn in a way that does not impact them while still providing repeatable and reusable controls.

Companies also need to start by looking at the people and devices interacting with the organization. They need to develop an identity management strategy and work out which access management solutions they will need to protect their most valuable assets. This means tighter regulation of what each user can do and a more robust approach to an individual’s access rights and privileges, especially those of third parties and suppliers. The key part here is to focus on the concept of least privilege. Only give a device or user access when they absolutely need it.

Zero-trust also needs to be considered every time a business modifies or augments their IT estate. For example, they need to consider how adding a new technology or tool will impact their access management and what changes they need to make to their zero-trust access policies as a result.

Zero-trust doesn’t always mean starting fresh either. A complete overhaul of existing cyber functionality isn’t necessary. Most organizations already have some of the pieces that make up the zero-trust puzzle in their arsenal and, if they don’t, they should partner with a provider that can optimize their own capabilities instead of a costly rip-and-replace.

The future of trust starts with ‘zero’

Although there’s a lot of hype around zero-trust, it’s important that businesses cut through this noise and understand what it encompasses - including any benefits and challenges along the way. In an ideal world, achieving zero-trust would be as simple as deploying a single solution but there is no magic fix. Zero-trust is a long-term program that needs to be ever present in a cybersecurity strategy.

Businesses should look to partner with the right providers that have extensive experience managing identities and can help them identify the architectural stages required to follow a zero-trust approach, while working with the organization to continually manage their risk as their strategy evolves. After all, zero-trust isn’t a destination, it’s a journey - and, importantly, you don’t have to do it alone.
