Zero Trust: is it as unequivocal as it sounds?

Zero Trust is today’s favorite buzzword, and so of course it is being used liberally, and often imprecisely. It was originally conceived when businesses had only a small percentage of remote workers signing in to the corporate network; the common wisdom of the day dictated that you could no longer implicitly trust the authentication of those remote users because they weren’t on the company network. The original Zero Trust solution focused on proving the identity of the user and the device.

About the author

Neil Thacker is CISO EMEA/LATAM at Netskope.

Things have evolved a little over the years, and there are probably now as many different approaches to Zero Trust as there are vendors pushing it, but most cybersecurity professionals would agree that the central tenet of Zero Trust is to shift from ‘trust but verify’ to ‘verify then trust’.

This is nifty phrasing, but in practice it’s a problematically finite statement: overly permissive in non-static environments while being simultaneously inflexible. ‘Verify then trust’ assumes that, once verified, you are good to go, and that, if not verified, permanent blocking is justified. The first option leaves a significant hole in an organization's defenses, and the latter will impinge upon business productivity.

Continuous adaptation of trust

What is actually needed in a cloud-first, perimeter-less environment is something that is continuously adapted. The unequivocal verbiage of ‘zero’ is ill-suited to such a nuanced environment. Context is key, and trust judgements require insight to effectively determine grades of permission.

SASE is a fairly new architectural model for securing a perimeter-less IT real-estate, and it has significant advantages when working on a Zero Trust approach because of the visibility and insights it allows. Zero Trust in a SASE environment is more accurately ‘continuous adaptive trust’ across users, devices, networks, applications and data. The wealth of contextual insight available within a SASE platform removes the requirement to place implicit trust or to base permission decisions on single pieces of information (an IP address, for example). Decisions can be based upon a tailored set of constantly reassessed parameters, built using several contextual elements intertwined (e.g. user identity + device identity + time + geolocation + business role + data type). And because with SASE the security policy follows the data, not the user or device, the resource itself is effectively determining the appropriate level of trust, only for a specific interaction, reassessed each time a parameter changes.

Evaluating trust at the start of an interaction alone is insufficient. This trust assessment can and should take place throughout an interaction. During the interaction, context should be continuously evaluated as alterations to the context can result in an adaptation (increase or decrease) in the level of trust that is appropriate, which in turn should alter the type of access granted to the resource.
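
The graded, continuously reassessed decision described above, sketched as an added example (it is not Netskope's or any SASE product's code). The `Context` fields mirror the contextual elements listed earlier; the policy values, thresholds and class names are hypothetical.

```python
from dataclasses import dataclass, replace
from enum import IntEnum

class Access(IntEnum):
    BLOCK = 0
    READ_ONLY = 1   # "yes, with conditions"
    FULL = 2

@dataclass(frozen=True)
class Context:
    user_verified: bool   # user identity
    device_managed: bool  # device identity
    hour: int             # local time of the request, 0-23
    country: str          # geolocation
    role: str             # business role
    data_type: str        # classification of the data being accessed

# Constructed policy values for illustration only.
USUAL_COUNTRIES = {"GB", "DE"}
ROLE_DATA = {"finance": {"public", "internal", "financial"},
             "engineer": {"public", "internal", "source"}}

def evaluate(ctx: Context) -> Access:
    """Grade access for one interaction from all signals combined."""
    if not ctx.user_verified:
        return Access.BLOCK
    if ctx.data_type not in ROLE_DATA.get(ctx.role, {"public"}):
        return Access.BLOCK
    if ctx.data_type == "public":
        return Access.FULL
    # Each weak signal lowers trust rather than forcing an outright "no".
    weak = [not ctx.device_managed,
            ctx.country not in USUAL_COUNTRIES,
            not 7 <= ctx.hour < 20]
    return {0: Access.FULL, 1: Access.READ_ONLY}.get(sum(weak), Access.BLOCK)

class Session:
    """Holds the current context and re-grades access whenever it changes."""
    def __init__(self, ctx: Context):
        self.ctx = ctx
        self.access = evaluate(ctx)

    def update(self, **changes) -> Access:
        self.ctx = replace(self.ctx, **changes)
        self.access = evaluate(self.ctx)
        return self.access
```

Because the data type is part of the context, the same unmanaged device abroad that is blocked from financial records still gets full access to public data, and trust rises again once the weak signals clear.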

Managing trust

Of course, it must be acknowledged that zero trust models necessarily add a degree of management overhead. Owners of resources must assume responsibility for carefully assessing and continuously adjusting not just the lists of allowed users for their resources, but also defining the attributes and contextual elements that together determine the level of access allowed to resources. Management of entitlements is often a manual process, but automation is starting to reach the market.

The balance of permission and restriction

The advantages of a continuous adaptive trust approach are manifold, but three stand out as compelling when preparing a business case:

1. More opportunities to provide some degree of access, to reorient the majority of security decisions away from “no” towards “yes, with conditions…”
2. Inappropriate access is constrained, reducing the blast radius of compromised accounts.
3. Visibility into sensitive data types, locations, and movements is improved and constant.

While points two and three are clear risk reduction advantages, the first point is in many ways more crucial when selling the approach internally. Zero Trust appeals to security professionals from the moment you hear the name, specifically because it sounds unequivocally safe and secure. If you don’t trust anyone, you can’t get hurt, so the brokenhearted will tell you. But however much security professionals might joke about how much easier our jobs would be without a user base of employees, we must acknowledge that giving access is as much a part of our job as restriction and blocks. Continuous adaptive trust walks that line, using insight to issue and retract dynamic permissions. With it, organizations can maximize business productivity without any unnecessary exposure.

Neil Thacker, Chief Information Security Officer EMEA, Netskope.
