Zero Trust Security: Why “Never Trust, Always Verify” Is Winning the Cybersecurity War
In 2020, hackers slipped into SolarWinds’ build pipeline and pushed poisoned software updates to 18,000 organizations, including the U.S. Treasury, Homeland Security, and the Pentagon. They moved through networks undetected for months. The perimeter had held. The castle walls were intact. The attackers were already inside, trusted by every system they touched.
That’s the problem zero trust security was designed to solve. And after two decades of being dismissed as too complex, too expensive, or too theoretical, it has become the dominant cybersecurity framework for enterprises, governments, and anyone who can’t afford to assume the person inside the network is actually who they say they are.
The zero trust security market hit $40.01 billion in 2025. It’s projected to reach $182.59 billion by 2035. Every major federal agency in the United States is under a legal mandate to adopt it. Yet only 30% of organizations have actually done it. That gap, between the promise and the practice, is the real story.
What Zero Trust Security Actually Means
Zero trust is not a product. It’s not software you buy. It’s a philosophy, and that distinction matters enormously, because hundreds of vendors are selling “zero trust solutions” while the framework’s own creator is calling them out on it.
“Zero Trust is first and foremost a strategy. It’s something that you do, not something you buy.” — John Kindervag, Chief Evangelist, Illumio; Creator of the Zero Trust model; speaking at RSAC 2025. Source
Kindervag created zero trust around 2009–2010 while a VP and Principal Analyst at Forrester Research. His foundational 2010 paper, “No More Chewy Centers: Introducing the Zero Trust Model of Information Security,” proposed a framework in which companies abandon the assumption that any device or user, inside or outside the corporate network, can be trusted by default. The phrase he coined: never trust, always verify.
The authoritative technical definition comes from NIST (Special Publication 800-207, published August 2020): zero trust “provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”
In plain English: assume the network is already breached. Verify every user, every device, every access request, every time. Grant only the minimum access required for that specific task. And continuously monitor, because a device that was clean at 9 a.m. might be compromised by 11 a.m.
Traditional security asks one question: are you inside the network? If yes, you’re trusted. Zero trust asks, on every single request: who are you, what device are you on, what do you need, and does this request make sense right now?
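To make the per-request decision concrete, here is an added example (this editor’s code, not the page’s, NIST’s or any vendor’s) of a policy decision function in the shape SP 800-207 describes. It takes the subject, the device, the resource, the requested action and the current time, never looks at network location, and returns allow, step-up or deny with a reason. Every attribute name, assurance score and time limit in it is an assumption made for illustration.

```python
"""
Per-request access decision in the shape NIST SP 800-207 describes.
Added example: not code from the page, NIST or any vendor. Attribute
names, assurance scores and time limits are this example's own assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"      # re-authenticate with a stronger factor, then retry
    DENY = "deny"


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset
    mfa_method: str          # assumed labels: "none", "otp", "push", "fido2"
    authenticated_at: datetime


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool            # enrolled in MDM
    edr_healthy: bool        # EDR agent running and reporting no active detection
    last_posture_check: datetime


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: int         # assumed scale: 1 = public ... 4 = restricted
    allowed_roles: frozenset
    allowed_actions: frozenset


# Assumed assurance scores: phishing-resistant FIDO2 outranks OTP and push.
MFA_STRENGTH = {"none": 0, "otp": 1, "push": 1, "fido2": 3}
# The more sensitive the resource, the sooner an earlier authentication goes stale.
MAX_AUTH_AGE = {1: timedelta(hours=12), 2: timedelta(hours=4),
                3: timedelta(hours=1), 4: timedelta(minutes=15)}
MAX_POSTURE_AGE = timedelta(minutes=30)


def decide(subject: Subject, device: Device, resource: Resource,
           action: str, now: datetime) -> tuple[Decision, str]:
    """Evaluate one request. Network location is deliberately not an input."""
    # 1. Least privilege: the role must be entitled to this resource and this action.
    if not (subject.roles & resource.allowed_roles):
        return Decision.DENY, "role not entitled to resource"
    if action not in resource.allowed_actions:
        return Decision.DENY, f"action {action!r} not permitted on {resource.name}"
    # 2. Device posture: valid credentials on an unhealthy device are still denied.
    if not device.managed or not device.edr_healthy:
        return Decision.DENY, "device unmanaged or EDR reports unhealthy"
    if now - device.last_posture_check > MAX_POSTURE_AGE:
        return Decision.DENY, "device posture report is stale"
    # 3. Identity assurance must match sensitivity; ask for step-up rather than deny.
    required = 1 if resource.sensitivity <= 2 else 3
    if MFA_STRENGTH.get(subject.mfa_method, 0) < required:
        return Decision.STEP_UP, f"{resource.name} requires phishing-resistant MFA"
    # 4. Continuous verification: the authentication itself ages out.
    if now - subject.authenticated_at > MAX_AUTH_AGE[resource.sensitivity]:
        return Decision.STEP_UP, "authentication too old for this resource"
    return Decision.ALLOW, "all checks passed"


def nine_to_eleven():
    """The 9 a.m. / 11 a.m. scenario: same user, same credentials, changing context."""
    nine = datetime(2025, 3, 4, 9, 0, tzinfo=timezone.utc)
    eleven = nine + timedelta(hours=2)
    finance = frozenset({"finance"})
    alice = Subject("alice", finance, "fido2", authenticated_at=nine)
    mallory = Subject("mallory", frozenset({"contractor"}), "fido2", authenticated_at=nine)
    ledger = Resource("ledger-db", 3, finance, frozenset({"read"}))
    clean = Device("lap-42", managed=True, edr_healthy=True, last_posture_check=nine)
    infected = Device("lap-42", managed=True, edr_healthy=False, last_posture_check=eleven)
    rechecked = Device("lap-42", managed=True, edr_healthy=True, last_posture_check=eleven)
    return (
        decide(alice, clean, ledger, "read", nine),        # allow
        decide(alice, infected, ledger, "read", eleven),   # deny: EDR unhealthy
        decide(alice, rechecked, ledger, "read", eleven),  # step_up: auth is 2 h old
        decide(mallory, clean, ledger, "read", nine),      # deny: role not entitled
    )


if __name__ == "__main__":
    for decision, reason in nine_to_eleven():
        print(decision.value, "-", reason)
```

The ordering of the checks is the design choice worth noticing: entitlement and device health are hard denies, while a weak or aged authentication produces a step-up, because a user you can re-verify is cheaper than a ticket you have to handle. The third case is the page’s 9 a.m. / 11 a.m. point in code: nothing about the user changed, but the decision did.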
How It Works: The Five Pillars
CISA’s Zero Trust Maturity Model organizes the architecture across five pillars. If you’re building or assessing a zero trust program, this is your map.
| Pillar | What It Covers | Why It Matters |
|---|---|---|
| Identity | Multi-factor authentication, privileged access, identity governance | The highest-ROI starting point. Most breaches begin with compromised credentials. |
| Devices | Endpoint detection, device health validation, mobile device management | A user with valid credentials on a compromised device is still a threat. |
| Networks | Micro-segmentation, encrypted traffic inspection, DNS security | Limits lateral movement — what attackers do after they’re in. |
| Applications & Workloads | App-layer access control, secure APIs, cloud workload protection | The average enterprise uses 130 SaaS apps. Each is a potential attack vector. |
| Data | Data classification, DLP, encryption at rest and in transit | Ultimately, data is what attackers want. This pillar protects the final target. |
Each pillar progresses through four maturity stages: Traditional, Initial, Advanced, and Optimal. Three cross-cutting capabilities, Visibility and Analytics, Automation and Orchestration, and Governance, apply across all five. The point isn’t to buy a tool for each pillar. It’s to map your existing security investments to this framework and identify what’s genuinely missing.
The VPN vs. ZTNA Distinction
The most misunderstood comparison in enterprise security: a VPN and Zero Trust Network Access (ZTNA) are not the same thing. A VPN grants broad network access once a user authenticates: you’re in, and you can reach most of what’s on the network. ZTNA brokers access to specific applications, one at a time, and re-evaluates identity and device posture for every session rather than once at connect time. It’s the difference between handing someone a master key and escorting them directly to the one room they need. The caveat: a ZTNA broker that admits any authenticated user without checking device health is a VPN with a nicer name, so the Devices pillar has to come along with it. Gartner predicted that by 2025, 60% of companies would replace VPNs with ZTNA solutions, and that transition is still very much underway.
Why Zero Trust Is Winning Now
Three forces converged to make zero trust urgent rather than optional.
The Perimeter Collapsed
The traditional “castle and moat” security model assumed that everything inside the corporate network could be trusted. That assumption died slowly, then all at once. SolarWinds (2020) arrived as a signed, trusted software update; Colonial Pipeline (2021) began with a valid password for a legacy VPN account that had no MFA; the MOVEit campaign (2023) exploited a flaw in an internet-facing file-transfer application that sat on the perimeter and was trusted with the data behind it. In none of these cases did the attackers break through the walls. They came through the gate as something the network already trusted, and once inside, perimeter defenses had nothing to say about what they did next.
Remote Work Killed the Network Edge
When 2020 sent millions of employees home overnight, it didn’t just complicate security; it obliterated the physical boundary the perimeter model depended on. Workers logging in from home networks, personal devices, coffee shops, and foreign countries made the “inside vs. outside” distinction meaningless. Zero trust, which had been growing steadily, became unavoidable.
The U.S. Government Made It Mandatory
In May 2021, President Biden’s Executive Order 14028 formally required federal civilian agencies to develop plans for Zero Trust Architecture. The OMB memorandum M-22-09 (January 2022) went further, requiring all federal agencies to meet specific ZT objectives by the end of FY 2024. When the U.S. government mandates a cybersecurity framework across every civilian agency, the private sector follows, not because it has to, but because the vendor ecosystem, talent pool, and enterprise procurement processes all orient toward it.
A CISA progress report published January 2025 assessed federal agency implementation through FY 2024. It was candid about failures and outlined next steps, which is itself a signal that the mandate has teeth, even if delivery is uneven.
The Implementation Gap: 72% Planning, 30% Doing
Here’s the single most important number in zero trust right now: according to Forrester, 72% of security decision-makers at large organizations plan to pursue zero trust or are already doing so. According to CyberRisk Alliance’s 2024 survey, only 30% of organizations have actually implemented zero trust practices.
That’s a 42-point gap between intent and execution, with the caveat that the two figures come from different surveys of different populations, so treat the number as a direction rather than a measurement. The gap has a name: the implementation problem.
“Anything that helps me get visibility and reduces risk is a win, but Zero Trust has to start with a mindset and a strategy aligned to business outcomes.” — Jared Nussbaum, CISO, Ares Management; speaking at RSAC 2025. Source
What’s stopping organizations? The data from a StrongDM survey of 600 U.S.-based cybersecurity workers is blunt: 48% cite cost and resource constraints as their primary barrier. Another 22% report internal resistance. The obstacles aren’t technical, they’re organizational and financial.
Gartner’s estimate cuts even deeper: by the end of 2026, only 10% of large enterprises will have a mature and measurable zero trust program, up from less than 1% in 2023. Even among organizations that have started, most are mid-journey. Approximately 52% of organizations have completed full ZTNA deployment; 38% remain in partial implementation phases.
The IBM Cost of a Data Breach Report 2024 found that the average breach costs $4.88 million, a record high, up 10% from 2023. IBM’s 2021 edition of the same report put the saving from a mature zero trust deployment at $1.76 million per breach compared to organizations without one. A mid-market zero trust program can pay for itself from a single avoided breach.
For CISOs navigating this, the practical guidance is consistent: don’t buy new platforms before mapping existing investments. If you have MFA, EDR, and IAM tools already deployed, map them to the five pillars first. Identity is almost always where the highest-ROI work begins, because it’s where most breaches start.
The Hard Truth: What Zero Trust Can’t Do
No serious coverage of zero trust is complete without this part. Three categories of criticism deserve attention from anyone making real decisions about it.
The Vendor Exploitation Problem
The 2023 Okta breach is the cautionary tale. A threat actor used a stolen credential for a service account at the identity and access management firm, a company whose entire value proposition is verifying identity, to reach Okta’s customer support system, where HAR files that customers had uploaded for troubleshooting contained live session tokens for those customers’ own tenants. As Jason Steer, CISO of Recorded Future, noted in the aftermath:
“A lot of organizations are now all in on companies like Okta, who offer zero trust, and that means threat actors understand that as well.” — Jason Steer, CISO, Recorded Future. Infosecurity Magazine, March 2026
Steer’s point is precise: zero trust can consolidate organizational risk into single-vendor dependencies. The identity pillar, when it relies on one provider, becomes a single point of failure with a much larger blast radius than the perimeter it replaced. The practical consequences: treat the identity provider’s own administrative activity as the most sensitive telemetry you have, keep break-glass access that does not depend on that provider, and remember that a session token is a credential too, so anything you upload to a vendor’s support portal needs to be scrubbed of them first.
Kindervag himself has addressed the product misconception directly: “Any business or vendor that claims to have a zero trust product is either lying or doesn’t understand the concept at all.”
MFA Is Not Impenetrable
Identity is zero trust’s highest-ROI pillar and its most exploited weakness simultaneously. Attackers have reliable techniques for getting past the common forms of MFA: adversary-in-the-middle phishing proxies that relay a one-time code to the real site in real time and capture the resulting session cookie, SIM swapping to take over the phone number that receives SMS codes, and push fatigue attacks that bombard a user with approval prompts until they tap “approve” to make them stop. Zero trust as a framework doesn’t prevent any of these; it raises the cost of exploitation without eliminating it. The control that changes the picture is the choice of factor: FIDO2/WebAuthn credentials are bound to the origin they were registered on and never leave the authenticator, so there is no code to relay and no prompt to approve. Short of that, the push channel at least leaves a trail that can be watched.
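Push fatigue is the one bypass in the list above that is visible in ordinary authentication logs, so here is an added detection example (this editor’s code, not the page’s and not any identity vendor’s). The log format and the sample lines are constructed for the example; a real IdP export would need its own parser. The rule flags an approval that was preceded by a burst of prompts inside a short window, which is the signature of a user who said yes to make the prompts stop.

```python
"""
Added example (not from the page or any MFA vendor): flag MFA push-fatigue
bursts in authentication logs. The line format and every sample line are
constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice is bombarded and finally approves; bob is a normal login.
SAMPLE_LOG = """\
2025-03-04T02:11:03Z mfa user=alice event=push_sent src_ip=203.0.113.7
2025-03-04T02:11:40Z mfa user=alice event=push_denied src_ip=203.0.113.7
2025-03-04T02:11:55Z mfa user=alice event=push_sent src_ip=203.0.113.7
2025-03-04T02:12:30Z mfa user=alice event=push_timeout src_ip=203.0.113.7
2025-03-04T02:12:35Z mfa user=alice event=push_sent src_ip=203.0.113.7
2025-03-04T02:13:20Z mfa user=alice event=push_denied src_ip=203.0.113.7
2025-03-04T02:13:25Z mfa user=alice event=push_sent src_ip=203.0.113.9
2025-03-04T02:14:10Z mfa user=alice event=push_timeout src_ip=203.0.113.9
2025-03-04T02:14:15Z mfa user=alice event=push_sent src_ip=203.0.113.9
2025-03-04T02:14:50Z mfa user=alice event=push_approved src_ip=203.0.113.9
this line is malformed and is skipped by the parser
2025-03-04T09:02:10Z mfa user=bob event=push_sent src_ip=198.51.100.22
2025-03-04T09:02:25Z mfa user=bob event=push_approved src_ip=198.51.100.22
"""

# Assumed line format: <UTC timestamp> mfa user=<name> event=<kind> src_ip=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) mfa "
    r"user=(?P<user>\S+) event=(?P<event>\S+) src_ip=(?P<ip>\S+)$"
)


def parse(log: str) -> list:
    """Return (timestamp, user, event, src_ip) tuples; malformed lines are dropped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["event"], m["ip"]))
    return events


def detect_push_fatigue(events, window=timedelta(minutes=10), min_pushes=3):
    """
    One alert per approval preceded by >= min_pushes prompts inside `window`.
    A legitimate login normally produces a single prompt; a burst of prompts
    (most of them denied or timed out) that ends in an approval is the signal.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[0])
        sent = [e for e in evs if e[2] == "push_sent"]
        for ts, _, event, _ in evs:
            if event != "push_approved":
                continue
            in_window = lambda e: ts - window <= e[0] <= ts
            burst = [s for s in sent if in_window(s)]
            rejected = sum(1 for e in evs
                           if e[2] in ("push_denied", "push_timeout") and in_window(e))
            if len(burst) >= min_pushes:
                alerts.append({
                    "user": user,
                    "approved_at": ts.isoformat(),
                    "pushes_in_window": len(burst),
                    "rejected_before_approval": rejected,
                    "src_ips": sorted({s[3] for s in burst}),
                })
    return alerts


def run(log: str = SAMPLE_LOG) -> list:
    return detect_push_fatigue(parse(log))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample, alice produces one alert (five prompts and four rejections in the ten minutes before she approved, from two source addresses) and bob produces none. The response to such an alert is the zero trust one: revoke the session that the approval created and re-verify with a stronger factor, rather than trusting the approval because it was, technically, an MFA success.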
The Academic Challenge: Is True Zero Trust Even Achievable?
This one is uncomfortable, and it mostly hasn’t penetrated vendor marketing materials or government mandates. Professor Virgil D. Gligor of Carnegie Mellon University, a 2019 inductee into the National Cyber Security Hall of Fame and recipient of NIST’s National Information Systems Security Award, published a formal technical challenge to zero trust’s theoretical foundations.
His argument: enterprise networks rely on “black box” devices whose security properties cannot be proven unconditionally. Because of this, the name “zero trust” is technically incoherent. What practitioners are building is trust minimization, which is valuable, but different. As Gligor concluded in his CMU CyLab Technical Report (22-002): “Zero trust is impossible in any enterprise network and has meaning only as an unreachable limit of trust establishment.”
Gligor’s argument isn’t that zero trust programs are worthless, it’s that teams which believe they have achieved complete trust elimination may operate with false confidence that itself becomes a vulnerability. The goal should be trust minimization, not trust elimination. If your security culture assumes zero trust means zero risk, that’s the threat.
The Friction-Shadow IT Paradox
Ironically, aggressive zero trust implementation can recreate the exact vulnerabilities it’s designed to prevent. When continuous verification creates too much friction, too many authentication prompts, too many blocked workflows, users find workarounds. Shadow IT proliferates. Unmonitored channels open. Organizations attempting comprehensive overnight transitions typically face implementation failures and user resistance that undermine the program entirely. Incremental deployment by pillar, starting with identity, consistently outperforms big-bang rollouts.
What’s Changing in 2025–2026
Two developments define the frontier of zero trust right now.
AI Integration
The integration of AI and machine learning within zero trust architectures is producing real capability improvements, particularly in behavioral analytics and anomaly detection. A second, distinct development is zero trust applied to AI usage itself: in August 2025, Cloudflare launched new capabilities within its Cloudflare One platform designed to help organizations monitor AI usage and protect against Shadow AI, which it describes as the unsanctioned use of generative AI tools that bypass corporate security controls. Our read: this signals that zero trust is evolving to treat AI models themselves as entities that require access verification, not just the humans using them.
Post-Quantum Cryptography
In March 2025, Cloudflare announced end-to-end support for post-quantum cryptography within its ZTNA solution, enabling quantum-safe connectivity from web browsers to corporate applications without requiring organizations to individually upgrade each system. This matters because the encryption underpinning zero trust’s secure communications, the channel through which continuous verification happens, needs to be quantum-resistant before quantum computing makes current encryption breakable. The urgency is not hypothetical: an adversary can record encrypted traffic today and decrypt it once a sufficiently large quantum computer exists, so data with a long confidentiality lifetime is already exposed under classical key exchange. Organizations that don’t start this transition now will face a retroactive security crisis when the threat matures.
NIST released the final version of SP 1800-35 (Implementing a Zero Trust Architecture) in June 2025, documenting end-to-end implementations built with 24 commercial vendors in a government lab environment. It’s the most comprehensive practical build guide available for organizations starting from scratch.
Frequently Asked Questions
What is zero trust security in simple terms?
Zero trust security is a cybersecurity approach that eliminates automatic trust for any user, device, or network connection, including those already inside a corporate network. Instead of trusting based on location, every access request is verified continuously. The core principle: “never trust, always verify.” NIST defined the framework in SP 800-207 in 2020.
What are the five pillars of zero trust?
The CISA Zero Trust Maturity Model defines five pillars: Identity, Devices, Networks, Applications & Workloads, and Data. Each pillar progresses through four maturity stages: Traditional, Initial, Advanced, and Optimal. Three cross-cutting capabilities, Visibility and Analytics, Automation and Orchestration, and Governance, apply across all five pillars.
Is zero trust the same as a VPN?
No. A VPN grants broad network access once a user authenticates. ZTNA (Zero Trust Network Access) grants access only to specific resources, verified continuously for every session. It’s the direct VPN replacement technology. Gartner predicted that by 2025, 60% of companies would replace VPNs with ZTNA solutions, a transition still underway for most organizations.
Who created zero trust security?
Zero trust was created by John Kindervag while a VP and Principal Analyst at Forrester Research around 2009–2010. He published the foundational paper introducing the model and the phrase “never trust, always verify.” Kindervag is now Chief Evangelist at cybersecurity company Illumio and served as a primary author of the NSTAC report to the President on zero trust.
Does zero trust prevent ransomware?
Zero trust significantly reduces ransomware risk by limiting lateral movement, the ability of attackers to spread through a network after initial compromise. Micro-segmentation, a core zero trust control, contains breaches to smaller network zones. However, zero trust doesn’t prevent the initial point of entry, and identity controls built on OTP or push MFA remain vulnerable to the bypass techniques described above.
How much does it cost to implement zero trust?
Costs vary widely by organization size, existing infrastructure, and vendor choices. The financial case rests on IBM’s Cost of a Data Breach research: the 2024 report puts the average breach at $4.88 million, and the 2021 report measured a $1.76 million per-breach saving for organizations with mature zero trust programs. Most practitioners recommend starting with existing MFA and IAM tools mapped to the five pillars before purchasing new platforms.
What You Now Know That Most Organizations Don’t Act On
Zero trust security isn’t a product, a perimeter replacement, or a checkbox. It’s a strategic reorientation, from “trust by location” to “verify always, grant least privilege, monitor continuously.” The concept is 15 years old. The mandate, the market, and the threat landscape have finally caught up.
The implementation gap, 72% intent, 30% execution, is the central story of cybersecurity in 2025. The organizations closing that gap are not the ones that bought a “zero trust platform.” They’re the ones that mapped identity as pillar one, built maturity incrementally, and didn’t mistake a vendor’s marketing claim for a security guarantee.
Watch three things over the next 12–18 months:
- AI as a zero trust entity: As enterprises adopt generative AI tools, the frameworks for verifying AI model access, not just human access, will become a new frontier of zero trust architecture.
- Post-quantum cryptography adoption: Organizations that don’t begin transitioning the cryptographic layer of their zero trust implementations will face a retroactive security crisis when quantum computing matures.
- Regulatory enforcement sharpens: GDPR, NIS2, and U.S. federal compliance requirements are tightening. A breach at an organization with no documented zero trust program is increasingly being read as evidence of inadequate controls by regulators and cyber liability insurers alike.
If you’re building this, start with identity. Resist the “zero trust in a box” pitch. And read Gligor’s paper, not because he’s right that zero trust is theoretically impossible, but because the organizations that understand its limits are the ones that won’t be surprised when it doesn’t live up to its name.
