Busting Zero Trust myths is essential for businesses to benefit from this transformative strategy.
When I introduced the Zero Trust model back in 2010, my goal was to transform how we approach cybersecurity. I recognised the urgent need to move away from traditional security models operating on the outdated secure perimeter strategy.
Security practices have taken a while to catch up with the concept. Nevertheless, Zero Trust is finally being recognised as a critical strategy for cyber resilience today. From governments in the US and Europe to major enterprises, the importance of Zero Trust is now being recognised everywhere.
Unfortunately, despite growing adoption, misconceptions around Zero Trust are plentiful. Busting these myths is essential for businesses to truly benefit from this transformative strategy.
"Zero Trust is just user identity verification, right?"
One of the most common misconceptions I encounter is the belief that Zero Trust is solely about identity verification. While verifying who is accessing your network is a crucial part of Zero Trust, it’s only one strand in a more comprehensive security strategy. Identity alone cannot provide the full context to make informed security decisions.
Consider this: even a trusted user with valid credentials can become a threat if their actions are not continuously monitored and assessed. This is why Zero Trust goes beyond identity, incorporating contextual markers such as device type, location, and behaviour patterns. For instance, the same credentials used during a regular workday might be a red flag if used at an unusual time or from a different location.
Reflecting on the early days of Zero Trust, I would have emphasised more clearly that identity verification is just one piece of the puzzle. The real strength of Zero Trust lies in its ability to adapt to changing contexts, ensuring that every access request is scrutinised with the full picture in mind.
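The scenario above (valid credentials, unusual time or location) as a small policy decision, added here as an illustration and not code from the original article. The user baseline, the signals and the three outcomes are assumptions; the point is that a valid credential on its own never reaches "allow".

```python
from dataclasses import dataclass

# Hypothetical inputs: what the identity provider asserts, plus the contextual
# signals the article lists (device, location, behaviour expressed as time of day).
@dataclass
class AccessRequest:
    user: str
    credentials_valid: bool
    device_managed: bool
    country: str
    hour_utc: int          # hour of day (UTC) at which the request arrived

# Constructed baseline per user: where and when they normally work.
BASELINE = {
    "alice": {"countries": {"GB"}, "hours": range(7, 20)},
}

def decide(req: AccessRequest) -> str:
    """Return 'deny', 'step-up' (re-verify the user) or 'allow'.

    Identity is necessary but never sufficient: every other signal is
    checked before any access is granted.
    """
    if not req.credentials_valid:
        return "deny"
    base = BASELINE.get(req.user)
    if base is None:
        return "deny"                  # unknown user: no baseline, no trust
    if not req.device_managed:
        return "deny"                  # valid password on an unmanaged device is still untrusted
    anomalies = []
    if req.country not in base["countries"]:
        anomalies.append("location")
    if req.hour_utc not in base["hours"]:
        anomalies.append("time")
    if anomalies:
        # Same credentials, unusual context: the red flag from the text.
        # Re-verify rather than assume the session is legitimate.
        return "step-up"
    return "allow"
```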
"I don't think we can budget for a complete security overhaul"
Another widespread misconception is that implementing Zero Trust demands a complete overhaul of existing security systems. This belief often discourages organisations from adopting the strategy, fearing high costs and operational disruption. But Zero Trust is a strategic framework, not a replacement for your current security infrastructure.
The journey to Zero Trust should be incremental, beginning with small, manageable projects. Most companies can achieve a lot by leveraging their existing infrastructure long before they have to consider ripping and replacing.
"Zero Trust? Isn't that really complicated to manage?"
Along with the expense of replacing existing security infrastructure, I also find company heads are concerned about the complexity of taking on Zero Trust.
In reality, the model is all about reducing complexity. The incremental approach means there is a high level of control and flexibility, and while a full system-wide rollout is ideal, each small-scale implementation will still deliver benefits. Focusing on securing one critical area at a time allows you to refine and adapt without overwhelming your resources.
Knowing where to start requires in-depth and accurate knowledge of the company's infrastructure and security priorities, but what effective security strategy doesn't?
The best way to start seeing immediate results is with microsegmentation. I’ve always advocated this as a foundational pillar of Zero Trust and am pleased to see it being a focal point in recent guidance from the NSA.
Microsegmentation divides the network environment into smaller sections, making controlling and monitoring traffic easier. Again, there is a lot of flexibility here.
Start with segmenting your most valuable databases, critical applications, development environments – whatever will deliver the biggest impact to your overall security.
Once it's in place, Zero Trust manages complex network security needs in an agile and streamlined way. Companies grappling with complex hybrid cloud setups will find they can apply new rules to govern access far more easily than with a manually controlled firewall.
Security teams can continuously monitor the entire network and adjust policies based on real-time data.
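A label-based microsegmentation policy of the kind described above, added as an illustration and not code from the original article or any vendor product. The workload labels, the allowlist and the IP addresses are constructed; the point is that rules are written against roles and environments, so they follow the workload instead of being rewritten per address, and everything not listed is denied.

```python
from dataclasses import dataclass

# Constructed inventory: each workload carries environment and role labels
# rather than being referenced by address in the policy.
WORKLOADS = {
    "10.0.1.10": {"env": "prod", "role": "web"},
    "10.0.1.20": {"env": "prod", "role": "app"},
    "10.0.2.5":  {"env": "prod", "role": "db"},
    "10.0.9.7":  {"env": "dev",  "role": "app"},
}

@dataclass(frozen=True)
class Rule:
    src_role: str
    dst_role: str
    port: int
    env: str     # rule applies only inside this environment

# Segment-level allowlist. Any flow not matched here is dropped (default deny),
# so a critical database only ever hears from its own application tier.
RULES = [
    Rule("web", "app", 8080, "prod"),
    Rule("app", "db", 5432, "prod"),
]

def evaluate(src_ip: str, dst_ip: str, port: int, rules=RULES) -> str:
    """Decide one flow between two workloads; returns 'allow' or 'deny'."""
    src, dst = WORKLOADS.get(src_ip), WORKLOADS.get(dst_ip)
    if src is None or dst is None:
        return "deny"            # unlabelled workload: no policy, no access
    for r in rules:
        roles_match = (r.src_role, r.dst_role, r.port) == (src["role"], dst["role"], port)
        same_env = src["env"] == dst["env"] == r.env
        if roles_match and same_env:
            return "allow"
    return "deny"                # includes every cross-environment flow

def audit(flows, rules=RULES):
    """Evaluate observed flows so denied ones can be reviewed by the security team."""
    return [(s, d, p, evaluate(s, d, p, rules)) for s, d, p in flows]
```

Adding a new rule (for example a second application tier) means appending one `Rule`, not editing address ranges on every firewall that sits between the segments.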
"Another security product? My stack is bloated as it is!"
Finally, I still find people thinking that Zero Trust is something you can buy off the shelf - a product that will instantly secure your network. Considering how many different security tools are vying for attention, it's an understandable mistake.
It also couldn't be further from the truth. Zero Trust is a strategic framework, not a single tool. It's a mindset that fundamentally changes how you approach security. While various solutions such as microsegmentation or Zero Trust Segmentation (ZTS) can help implement Zero Trust, the concept itself is not a product but a philosophy centred on the mantra: "Never trust, always verify."
It's not about acquiring the latest technology; it's about adopting a continuous, rigorous approach to verifying every access request within your network.
Setting the record straight on Zero Trust
The Zero Trust Model has come a long way in the 14 years since I first coined the term. It's evolved from a cutting-edge niche concept to a mainstream strategy that is slowly becoming a standard approach.
Still, as the Zero Trust model has evolved, some misconceptions have remained the same. Rather than turning back the clock to set these myths straight, the solution is to focus on educating decision-makers on the true nature of Zero Trust and how it can help secure their business.
Zero Trust isn't just about user identity, overhauls, or buying a product - it's about embracing a strategic, context-driven approach to security. The more organisations that understand and embrace this mindset, the more secure we'll all be.
Written by
John Kindervag
Chief Evangelist
Illumio
John Kindervag has over 25 years of intellectual leadership experience in the cybersecurity space, recently joining Illumio as Chief Evangelist Officer from MSSP ON2IT, where he led cybersecurity strategy as a senior vice president.
Previously, he served as field CTO at Palo Alto Networks. Before that, Kindervag spent over eight years as a Vice President and Principal Analyst on the security and risk team at Forrester Research.
It was there that he famously developed the concept of Zero Trust, an architectural approach founded on the principle of “never trust, always verify” that operates on the assumption that breaches are inevitable and that threats can originate from anywhere, even inside the network. Kindervag also serves as an advisor to several organizations, including the Cloud Security Alliance and Venture Capital firm NightDragon, and he was a contributor to the National Security Telecommunications Advisory Committee Report to the President.