The Pros and Cons of Zero Trust

The zero trust security framework assumes that no device, user, or network is inherently trustworthy.


People often distrust technology. If it’s too complex, faulty, or doesn’t solve the user’s problem, they may return it or avoid using it. “I just want it to work!” is a common cry among consumers and business users. Narrow the focus to cybersecurity issues where users face phishing attacks or malicious software and deal with privacy concerns and data breaches, and their lack of faith can extend beyond technology to the content of texts, emails, and networks like the Internet.

Cybersecurity professionals increasingly are using distrust as part of a security measure called zero trust. Zero trust is a security framework that assumes no device, user, or network is inherently trustworthy. Zero trust security requires organizations to verify the identity of both machines and users, along with the context and behavior accompanying every access request. Zero trust is not a single product or solution, but a comprehensive strategy.

Despite the increasing use of zero trust, cybersecurity experts point to both pros and cons of the approach. Pros include strict access control, the principle of least privilege, and efficient threat detection and containment. Cons include complex implementation, high costs and resource use, and pushback from employees who must comply with more authentication steps and training.

Pratik Mistry, executive vice president of the Technology Council at Radixweb, a software development and IT consulting company, said, “The pros of zero trust are solid enough that it has become a standard line item in every IT and security playbook. It is a game changer in tightening security and limiting damage from breaches. Can’t deny that.”

Such a budget line item allocates a category specifically for zero trust implementation projects and includes a dollar figure and a description of the activities it supports.

“But,” said Mistry, “and this is a big ‘but,’ the cons often wipe out a lot of that promise [for zero trust]. The biggest challenge is complexity. Zero trust is resource-intensive and doesn’t work well with legacy systems. Managing continuous authentication and monitoring creates overhead that seriously impacts user productivity. It’s no surprise that employee pushback is common. No one loves having to jump through more hoops day after day.”

Zero trust is resource-intensive because identity management, micro-segmentation, and analytics require additional computing power, software, and integration across multiple systems. Micro-segmentation divides networks into small segments at the workload or application level, each with its own security controls to limit access and contain threats. Other resources include skilled staff who manage network access and monitor activity. Because users must re-prove their identity so frequently, workflows become sluggish; this is the overhead of managing continuous authentication.

Insights on access control and least privilege

Christopher Hadnagy, chief executive officer of Social Engineer LLC and adjunct professor of social engineering at the University of Arizona, shared his experiences with zero trust during engagements for a financial institution and a major retailer.

According to Hadnagy, his team ran an onsite adversarial engagement at a finance organization where they were able to pivot from a single receptionist’s computer to internal HR systems because of improper access control. “Zero trust would have broken that chain. Limiting access by default, then granting only what’s essential, doesn’t just protect systems; it frustrates attackers,” said Hadnagy.

This was a real-world attack scenario approved by the organization. If the finance company had allowed only necessary access rights and privileges, the receptionist’s computer, which had no reason to access HR systems, would not have been able to do so.

“But strict access controls aren’t just about stopping the bad guys; they also help incident responders by drastically reducing the blast radius. I’ve seen organizations stop insider threats mid-action because their behavior didn’t align with baseline access models. That’s powerful,” said Hadnagy.

The more controls that automatically detect and prevent attacks, the less incident response teams have to do. They can focus on threats and threat actors who are not so easily dismissed.

“I remember consulting for a major retailer where the database admins had full root access to marketing analytics platforms ‘just in case’. It was a nightmare when they left the company,” said Hadnagy. “Not just because their access wasn’t revoked immediately, but because no one even knew exactly what they had access to. It created a huge insider risk and an even bigger cleanup effort.”

Root access means the database administrators had complete control of the analytics platforms. Not only was that control unnecessary; it also created a path from those admin rights to the retailer’s marketing analytics data, including intellectual property (IP), that a threat actor could follow.

Pros and Cons of Zero Trust

“I handle multilingual translation for the legal and financial fields, where slight security errors can seriously damage a company. We set up a team of 43 linguists in three different continents who worked under NDAs (non-disclosure agreements) for one M&A project,” said Danilo Coviello, founder of Espresso Translations, a multilingual translation company serving businesses.

According to Coviello, the zero trust implementation at his company assessed login devices, IP addresses, time zones, and how the user behaved for each login.

“We reported eight possible security threats the first month, among them a compromised login attempt in São Paulo traced to a fake VPN. The approach stopped it before users could access resources,” said Coviello. This kind of security threat can happen when someone tries to log in with unauthorized credentials from a VPN designed to hide the threat actor’s location and/or identity.

Coviello acknowledged there are difficulties with zero trust. It took 22% longer than usual to train staff due to the zero-trust deployments, he said. Further, Espresso Translations had to install reliable security programs on the systems of 14 freelance linguists.

‘Real-World Benefits’

“Last year, we implemented a zero trust architecture after suffering a breach when a contractor’s compromised credentials gave attackers access to our entire network,” said Renante Hayes, executive director at Creloaded, an e-commerce consultancy.

Attackers can obtain a contractor’s remote login information, such as usernames and passwords, through phishing, credential stuffing (trying credentials stolen in other breaches), or keylogging (recording keystrokes).

“The real-world benefits [of zero trust] were immediate,” said Hayes. “When a staff member’s account exhibited unusual login patterns from an overseas IP, our zero trust controls automatically blocked access despite valid credentials. This contained what could have been another significant breach to just a single blocked attempt,” said Hayes. Zero trust controls can treat an overseas login as invalid when a user has only ever logged in locally.

“However,” said Hayes, “the transition wasn’t without challenges. Our development team initially struggled with constantly re-authenticating to various systems. We had to invest significantly in both technology and training, approximately 18% more than our previous security budget.”

In instances like these, technology and training investments can include multi-factor authentication, context-aware access controls, endpoint security tools, and training on zero trust policies and practices. Endpoint security tools protect individual devices, while context-aware access controls dynamically manage who can access what resources on the basis of real-time factors, such as device status and user identity.

“Beyond the technical aspects, the cultural shift was perhaps the most difficult. Staff accustomed to frictionless access experienced workflow disruptions. We ultimately succeeded by implementing a phased approach with clear communication about security benefits,” said Hayes.

Adaptive Decisions

Cybersecurity researchers are working on ways to mature the zero-trust approach. Jin-Hee Cho’s work at Virginia Tech is one example.

Cho, an associate professor in the Department of Computer Science, said her research on dynamic, context-aware trust management offers a more adaptive approach. Rather than assuming no trust by default, Cho treats trust as something that can be learned and adjusted based on behavior, context, and history.

With this approach, trust decisions adapt based on user behavior, current context, and past actions, making security more flexible and responsive. Dynamic trust management enables trust rules to change in real time. Context awareness means the current circumstances and user activity determine security decisions. With an adaptive approach, security adjusts as behavior or circumstances change.

“By incorporating uncertainty modeling, not just equating uncertainty with risk, but understanding it as a spectrum, we can make more nuanced, risk-aware decisions. This helps strike a better balance between security and usability. While zero trust makes sense in high-risk environments, trust- and uncertainty-aware systems can offer more flexible, efficient alternatives in dynamic or resource-constrained settings,” Cho said.

The model places the uncertainty about a user and the user’s behavior at a point along that spectrum, and that position can change over time. Uncertainty alone is not reason enough to deny all access; instead, it informs adaptive access decisions.
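As an added illustration of the per-login context checks Coviello and Hayes describe (device, source-IP country, hour of day, behavior history) and of Cho’s point that uncertainty is a spectrum rather than an automatic reason to deny, here is a small policy evaluator. It is example code written for this article, not any of these companies’ or researchers’ systems; the device identifiers, countries, five-login history threshold, and mismatch weights are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Attempt:
    device: str        # identifier of the device presenting the request
    country: str       # country resolved from the source IP address
    hour: int          # hour of day (0-23) in the user's usual time zone
    creds_valid: bool  # password and MFA factor verified

@dataclass
class Baseline:
    devices: set = field(default_factory=set)    # enrolled (managed) devices, set out of band
    countries: set = field(default_factory=set)  # learned from logins that got through
    hours: list = field(default_factory=list)    # learned from logins that got through
    logins: int = 0                              # how many logins shaped this baseline

def uncertainty(base: Baseline, min_history: int = 5) -> float:
    """Uncertainty as a spectrum: 1.0 with no history, falling to 0.0 after min_history logins."""
    return max(0.0, 1.0 - base.logins / min_history)

def decide(base: Baseline, a: Attempt) -> str:
    """Return 'deny', 'step_up' (extra verification) or 'allow'. Credentials alone never allow."""
    if not a.creds_valid or a.device not in base.devices:
        return "deny"                            # unknown or unmanaged device: no access by default
    mismatches = 0
    if base.countries and a.country not in base.countries:
        mismatches += 2                          # new country contradicts a local-only baseline
    if base.hours and not any(abs(a.hour - h) <= 2 for h in base.hours):
        mismatches += 1                          # unusual hour: suspicious but less decisive
    if mismatches >= 2:
        return "deny"                            # e.g. overseas login despite valid credentials
    if mismatches == 1 or uncertainty(base) > 0.0:
        return "step_up"                         # thin history or one odd signal: verify more
    return "allow"

def learn(base: Baseline, a: Attempt) -> None:  # trust is learned from history, not assumed
    base.countries.add(a.country)
    base.hours.append(a.hour)
    base.logins += 1

def simulate() -> list:
    """Constructed scenario: an enrolled laptop builds history, then three anomalous requests."""
    base = Baseline(devices={"laptop-01"})
    outcomes = []
    for day in range(6):
        a = Attempt("laptop-01", "IT", 9 + day % 2, True)
        outcomes.append(decide(base, a))
        if outcomes[-1] != "deny":
            learn(base, a)                       # assume the step-up challenge was passed
    outcomes.append(decide(base, Attempt("laptop-01", "BR", 9, True)))   # overseas IP
    outcomes.append(decide(base, Attempt("usb-stick", "IT", 9, True)))   # unenrolled device
    outcomes.append(decide(base, Attempt("laptop-01", "IT", 3, True)))   # unusual hour
    return outcomes
```

The first five routine logins get a step-up challenge while history is thin, the sixth is allowed, and the overseas and unenrolled-device requests are denied even though the credentials are valid.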

David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.
