The world formally met the Zero Trust model of information security in 2010 thanks to John Kindervag, a Forrester analyst at the time. Zero Trust precursors had been around for years. The Jericho Forum, for instance, was promoting de-perimeterization in the early 2000s. And the principle of least privilege was articulated by Jerome Saltzer and Michael Schroeder in 1975. Kindervag and Forrester, however, were the ones to shine the infosec spotlight on Zero Trust.
Today, Zero Trust is becoming the de facto standard for information security. It’s either mandated or recommended by governments around the world, including Australia, Canada, Japan, New Zealand, Singapore, the United Kingdom, and the United States. And it’s been overwhelmingly embraced by countless organizations worldwide.
Yet despite the history and support, studies consistently show Zero Trust implementations lagging behind Zero Trust support—sometimes far behind. Cisco, for instance, found that nearly 90% of the organizations it surveyed have embarked on the Zero Trust journey, but only 2% have arrived at a mature deployment. Why? What’s taking so long for organizations to move to the next-generation cybersecurity model? And what can be done to expedite the process? We’ll find out by taking a closer look at Zero Trust—what it is, what’s standing in the way, and ways to clear key hurdles.
Zero Trust defined
Zero Trust emerged as a response to the shortcomings of traditional, perimeter-based security. The main shortcoming? Once bad actors got past the perimeter, they were often trusted with all the resources inside. And bad actors were getting past the perimeter with increasing ease.
Zero Trust, on the other hand, secures the entire digital enterprise, not just the perimeter. The model presented by Forrester has three defining principles: “1) all entities are untrusted by default; 2) least privilege access is enforced; and 3) comprehensive security monitoring is implemented.” NIST expands the model with seven additional tenets:
- “All data sources and computing services are considered resources.
- “All communication is secured regardless of network location.
- “Access to individual enterprise resources is granted on a per-session basis.
- “Access to resources is determined by dynamic policy.
- “The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
- “All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- “The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.”
In sum, Zero Trust advises you to “never trust, always verify” and explains how to put the advice into action. Take the advice and you get comprehensive security that evolves with your digital enterprise, addressing threats from cloud and mobile computing, hybrid work, AI, IoT, quantum computing, and other emerging business trends.
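To make the tenets concrete, here is an added illustration (not code from Forrester, NIST, or this article) of a minimal per-session policy decision function: access is denied by default, roles enforce least privilege, the decision depends on device posture rather than network location, and every outcome is recorded for monitoring. The resource catalogue and the request fields are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

@dataclass(frozen=True)
class AccessRequest:
    subject: str
    resource: str
    roles: FrozenSet[str]      # roles assigned to the subject
    mfa: bool                  # strong authentication completed in this session
    device_managed: bool       # device is enrolled and reports posture
    device_patched: bool       # posture check result at request time
    on_corp_network: bool      # network location; must never grant trust

# Constructed catalogue: every data source and service is a resource (NIST tenet 1).
RESOURCES = {
    "hr-payroll": {"roles": {"hr"}, "sensitivity": "high"},
    "wiki": {"roles": {"staff", "hr"}, "sensitivity": "low"},
}

AUDIT: List[str] = []   # every decision is recorded for security monitoring

def decide(req: AccessRequest) -> Tuple[bool, str]:
    """Per-session access decision: deny by default, grant only when every
    dynamic check passes. req.on_corp_network is deliberately never consulted."""
    entry = RESOURCES.get(req.resource)
    if entry is None:
        return _record(req, False, "unknown resource")
    if not req.roles & entry["roles"]:
        return _record(req, False, "least privilege: no role grants this resource")
    if not req.device_managed:
        return _record(req, False, "device posture unknown: unmanaged device")
    if entry["sensitivity"] == "high":
        if not req.mfa:
            return _record(req, False, "high-sensitivity resource requires MFA")
        if not req.device_patched:
            return _record(req, False, "high-sensitivity resource requires patched device")
    return _record(req, True, "granted")

def _record(req: AccessRequest, allowed: bool, reason: str) -> Tuple[bool, str]:
    # Monitoring tenet: the decision and its reason are logged whether allowed or denied.
    AUDIT.append(f"{req.subject} -> {req.resource}: {'ALLOW' if allowed else 'DENY'} ({reason})")
    return allowed, reason

if __name__ == "__main__":
    hr = frozenset({"hr"})
    print(decide(AccessRequest("alice", "hr-payroll", hr, True, True, True, False)))
    print(decide(AccessRequest("alice", "hr-payroll", hr, False, True, True, True)))
    print(*AUDIT, sep="\n")
```

The second call is denied even though the request comes from the corporate network, which is the point of “secured regardless of network location.”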
Zero Trust hurdles
Putting Zero Trust principles into practice is no small task. It’s an organization-wide undertaking. You can no longer rely on the perimeter alone to defend all of your unprotected resources. Now, each of your resources must be protected individually as well.
The move to granular, resource-level protection is a profound, fundamental change. To make it, you’ll have to clear hurdles related to complexity, cost, and legacy equipment, among others. Some of those hurdles will be higher—and will take longer to clear—than others.
So how long does it take to deploy Zero Trust? More than seven years for some, according to a Ponemon/Converge survey, which found 28% of the respondents took that long to achieve a “full adoption” or a “mature” Zero Trust deployment. Another 43% took five to seven years.
Those percentages would likely be even higher if the deployments were evaluated with more rigorous criteria. That’s what Cisco found.
Commenting on the survey cited earlier, J. Wolfgang Goerlich, then an advisory CISO at Cisco, told CSO, “In past [Cisco] studies, a significant part of the sample said they had zero trust in place and were good to go.” However, when the survey drilled into the details of their Zero Trust technologies, only 2% of the respondents said they had a mature deployment. “The more organizations know about zero trust, the less they feel competent in zero trust. The more they learn, the more they realize they need to go further.”
Clearing key hurdles
As the stats above suggest, it will take a while to operationalize the Zero Trust model. But you can expedite the process. Here’s how:
Prioritize mindset over product set. Remember that Zero Trust is a conceptual model. It demands a new mindset, a new way of thinking about cybersecurity. You don’t buy Zero Trust security. You buy into the Zero Trust model. Kindervag made that point abundantly clear in his original Zero Trust reports. That clarity, however, was clouded by vendors who used Zero Trust to sell their products to organizations that hadn’t read Kindervag’s research.
“For over a decade, only Forrester clients and every security vendor in the world had access” to Kindervag’s Zero Trust reports, write Forrester analysts David Holmes and Jess Burns. “The hype train left the station, with those vendors shaping the Zero Trust narrative from their highly subjective, self-serving perspective. Non-clients and the greater cybersecurity community only saw Zero Trust through the stained-glass windows of vendor marketing.”
Those non-clients and community members found their Zero Trust view dominated by point products and feature sets. Their view finally changed in the early 2020s, when NIST published “SP 800-207: Zero Trust Architecture” and CISA published the “Zero Trust Maturity Model” (ZTMM). Together, these two documents restored “mindset” as the Zero Trust priority by effectively making Zero Trust concepts, architecture, implementation strategies, and use cases available to the general public.
Get a handle on the project. With Zero Trust, you need to secure the entire enterprise. CISA’s ZTMM helps you make sense of the task and organize your work. It identifies exactly what you need to secure and what security looks like, functionally, for each identified component.
The ZTMM breaks enterprise security into five distinct components (or “pillars” in CISA parlance) as well as three “cross-cutting” capabilities that apply to each pillar and enable integration across the pillars. The five pillars are:
- Identity. Security entails verifying and managing the identities of users, systems, and services to ensure that every entity accessing resources is authenticated and authorized.
- Devices. Security means tracking, managing, and securing each device that connects to the network. You need to ensure each device complies with security policies and manage its access based on its security posture.
- Networks. Security addresses how data moves within and between networks. You need to segment the network, encrypt data in transit, monitor network traffic, and ensure all communications are authorized.
- Applications and workloads. Security applies wherever applications and workloads run, i.e., on-premises, on mobile devices, or in the cloud. You need to control and monitor application access, enforce least-privilege access, and protect application workflows against threats.
- Data. Security means protecting sensitive information wherever it resides or moves. You need to classify data, control who can access it, encrypt data at rest and in transit, and monitor for unauthorized access or exfiltration.
The three cross-cutting capabilities are 1) visibility and analytics, which provide insights that inform policy decisions, response activities, and risk profiles; 2) automation and orchestration, which use those insights to streamline operations for handling security incidents and events in real time; and 3) governance, which defines and enforces security policies, procedures, and processes.
CISA isn’t the only source of guidance for your Zero Trust journey. Advice is also available from industry analysts, security vendors, and other government entities. Regardless of the source, it should focus on security functions and capabilities rather than specific technologies or products.
Work toward optimal maturity. Zero Trust implementations don’t just expand to include all five pillars and cross-cutting capabilities. They evolve to provide increasing levels of automation and integration of the pillars and capabilities. ZTMM identifies four stages of Zero Trust maturity:
- Traditional. Uses manual processes, static policies, functional silos, and limited data correlation.
- Initial. Introduces automation, integrates external systems, and aggregates visibility.
- Advanced. Expands automation across pillars and centralizes visibility.
- Optimal. Establishes full automation, just-in-time processes, dynamic policies, and continuous monitoring.
To illustrate its Zero Trust Maturity Model, including the functional advances in each pillar as it moves through the four stages of maturity, CISA provides the following image:
Note the pillars don’t have to mature at the same rate. That means you can prioritize the pillar(s) that you deem most important to your organization. It also means you can implement Zero Trust on your terms, especially when it comes to your budget and your staff’s expertise.
Use what you’ve got. Implementing Zero Trust does not necessarily require a complete overhaul of your existing security infrastructure. “You don’t have to get brand new fancy shiny objects,” said Greg Scheidel, principal instructor at SANS Institute. “Zero Trust uses tools and technologies that we have had available to us for a long time, just with this Zero Trust mindset.”
Unless you’re starting from scratch, with no pre-existing security capabilities, you probably already have many of the products you need. NIST notes that most organizations have:
- network firewalls and intrusion detection systems to provide perimeter security;
- identity and credential access management systems to authenticate users and enforce authorized access based on identity and role;
- endpoint security systems to protect laptops and/or mobile devices to provide firewall protections and ensure that they are running required antivirus or other security software;
- tools for vulnerability and configuration management, log management, and other security-related functions; and
- a security operations center.
Similarly, you will likely be able to reuse many of your existing policies, procedures, and guidelines—or revise them to align with Zero Trust principles—rather than write new ones from scratch.
Enjoy the journey
Clearly, an optimal Zero Trust implementation takes time to deploy. But it doesn’t have to take any longer than necessary. Adopting the right mindset, securing the right support, and focusing on the right priorities will accelerate your Zero Trust journey. Just remember that it is a journey, not a destination. After all, new business challenges and opportunities will continue to reshape your digital environment—and drive the evolution of your Zero Trust implementation.