
Trust: The Failure Point IT Security Teams Must Avoid

By Josh Neame, CTO, BlueFort Security

The term Zero Trust was coined in 2010 by John Kindervag, then a Forrester analyst, to describe a novel security approach in which no user or device is trusted by default. Whilst Mr Kindervag gave the concept a catchy name, the principles were actually devised several years earlier by The Jericho Forum, which promoted the idea of de-perimeterisation.

The thinking was that as technology and networks continued to evolve, it would become critical to protect the data that would inevitably flow in and out of the ‘traditional’ enterprise network boundary. Keeping it safely within the confines of a corporate network was yesterday’s thinking. And, as we know, we shouldn’t live in the past – they speak a different language there.

Core Principles of Zero Trust

Explanations of the meaning of Zero Trust are ten a penny on the Internet, but I particularly like this one from Crowdstrike:

“Zero Trust is a security framework that mandates stringent identity verification for every user and device attempting to access resources, regardless of whether they are inside or outside the organisation’s network.

Unlike traditional security models that rely on a defined network perimeter, Zero Trust operates on the principle that no user or system should be automatically trusted. Instead, continuous authentication, authorization, and validation of security configurations are required before access is granted to applications and data.”

The core principles that underpin the framework are:

  • Continuous verification – the whole premise of Zero Trust is that trust without hard evidence does not exist. No user, device, or application is trusted by default, regardless of whether it is inside or outside the network. Every access request must be continuously and dynamically checked and verified via strict identity checks and real-time risk assessments, to ensure that only authorised entities gain access.
  • Least privilege – the concept of least privilege is that a user or identity only has access to specific data, resources, and applications that are needed to complete a task. Not only does this deliver an improved security posture by shrinking the potential attack surface, it also reduces the risk of malware spread. Least privilege enforcement ensures the user or identity has the requisite access needed and nothing more.
  • Micro-segmentation – with a Zero-Trust approach, networks are segmented into individual smaller islands where specific workloads are contained. Each segment has its own ingress and egress controls to minimise the effect of unauthorised access to data. Implementing software-defined perimeters with granular controls increases the difficulty for unauthorised actors to propagate throughout a corporate network, thereby reducing the lateral movement of threats.

Key Drivers for Adoption

A recent report by analyst firm MarketsandMarkets calculated that the Zero-Trust access market will reach $4.18 billion (USD) by 2030 – up from $1.34 billion (USD) in 2025. This equates to a whopping 25% CAGR in just five years, from 2025 to 2030. This tells me two things. First, some people are inevitably going to make a lot of money, but second, and much more importantly, the cybersecurity challenges that organisations must tackle are clearly only going to get harder.

With cloud computing, remote work, and hybrid IT setups becoming the norm, traditional security models just don’t cut it anymore. The dated premise of a clear network perimeter has all but disappeared. Add in the surge of major cyberattacks like ransomware, phishing, and supply-chain breaches, and it’s clear why more and more organisations are turning to Zero-Trust security. The goal is simple: reduce attack surfaces and block unauthorised access.

Governments and regulators are also stepping in, requiring Zero Trust as part of compliance standards, which is speeding up adoption even further. For companies focused on protecting data, securing their cloud environments, and reducing insider risks, Zero-Trust architecture is quickly becoming the go-to approach for modern cybersecurity.

Architectural Components

Zero Trust flips the old way of thinking about security on its head. Instead of locking down entire networks, it focuses on securing access to specific resources. Rather than just trusting someone because their username and password check out (which can easily be stolen), it looks at the bigger picture – context and risk – before granting access. In simple terms, Zero Trust separates security from the network itself. The cool part? It means companies can safely use the internet as their corporate network without relying on those clunky, traditional perimeters.

The core architectural building blocks of a Zero-Trust approach are:

  • Identity and Access Management (IAM) – at its most basic, IAM ensures that the right users (human, devices, and applications) have the correct access to resources at the right time by verifying their identity and managing their permissions. This secures digital assets and enforces the principle of least privilege, referenced earlier.
  • Multi-Factor Authentication (MFA) – Instead of relying only on a password, MFA asks you to prove your identity in a couple of different ways before letting you in. That might mean typing your password and entering a code sent to your phone, or maybe using your fingerprint on top of your login. By mixing things you know (like a password), things you have (like your phone or a token), and things you are (like a fingerprint or face scan), MFA makes it a whole lot harder for attackers to break in, even if they’ve stolen your password.
  • Network Microsegmentation – the goal of microsegmentation is that by dividing the network into smaller, discrete sections, if one part becomes compromised, it can be easily sealed off from the rest of the network. In effect, it increases security by confining threats to the compromised segment without impacting the rest of the network.
  • Device Posture Management (DPM) – device posture is a mechanism to measure how secure or trustworthy a device is. A DPM solution automatically verifies device compliance and security posture before granting access to sensitive data. Continuous monitoring ensures only healthy, compliant devices can interact with critical resources.
  • Automation and Orchestration – considered by many to be the backbone of a Zero-Trust approach, automation and orchestration tools deliver continuous policy enforcement, accelerated threat detection and response, reduced human error, and scalable security operations. They do this by linking various security tools and automating workflows to manage security policies and responses across the entire environment. Automation handles individual security tasks, while orchestration coordinates multiple automated functions into cohesive processes, creating a fast, efficient workflow that is essential for a proactive, adaptive Zero-Trust approach.
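To make the three core principles above (continuous verification, least privilege, micro-segmentation) and the building blocks that supply their signals (IAM entitlements, MFA, device posture, segmented resources) concrete, here is a small policy decision point written as an added example. It is not code from this article or from BlueFort, and every class name, threshold, factor category and the sample entitlement table is an assumption made for illustration. It evaluates one access request and returns allow, deny, or step_up (re-authenticate), denying by default whenever a check is not explicitly satisfied.

```python
"""Toy Zero Trust policy decision point (PDP). Added illustration, not vendor code.

Each request is checked in order: session freshness (continuous verification),
MFA strength, device posture, least-privilege entitlements scoped to a network
micro-segment, then request context. Names and thresholds are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

REVERIFY_AFTER = timedelta(minutes=15)  # assumption: sessions re-verified this often
MAX_PATCH_AGE_DAYS = 30                 # assumption: posture threshold for patch age

# Assumed mapping of factor names to the "know / have / are" categories.
FACTOR_CATEGORY = {"password": "know", "totp": "have", "fido2": "have", "fingerprint": "are"}

# Constructed least-privilege table: role -> set of (segment, resource, action).
ENTITLEMENTS = {
    "finance-analyst": {("finance", "ledger-db", "read")},
    "finance-admin": {("finance", "ledger-db", "read"), ("finance", "ledger-db", "write")},
    "dev": {("dev", "ci-server", "read"), ("dev", "ci-server", "write")},
}

@dataclass
class Identity:
    user: str
    roles: set
    factors: set            # authentication factors presented for this session
    last_verified: datetime

@dataclass
class Device:
    device_id: str
    managed: bool
    disk_encrypted: bool
    patch_age_days: int

@dataclass
class Request:
    identity: Identity
    device: Device
    segment: str            # micro-segment that hosts the resource
    resource: str
    action: str             # "read" or "write"
    source_ip_known: bool   # assumption: context signal from the network layer
    now: datetime

@dataclass
class Decision:
    outcome: str            # "allow", "deny" or "step_up"
    reasons: list = field(default_factory=list)

def device_posture_problems(d: Device) -> list:
    """Return the list of posture failures (empty list means compliant)."""
    problems = []
    if not d.managed:
        problems.append("unmanaged device")
    if not d.disk_encrypted:
        problems.append("disk not encrypted")
    if d.patch_age_days > MAX_PATCH_AGE_DAYS:
        problems.append(f"patches {d.patch_age_days} days old")
    return problems

def evaluate(req: Request) -> Decision:
    """Deny by default; every check must pass before the next is consulted."""
    # 1. Continuous verification: a session proves identity only for a bounded time.
    if req.now - req.identity.last_verified > REVERIFY_AFTER:
        return Decision("step_up", ["session verification expired"])
    # 2. MFA: require two distinct factor categories, not merely two factors.
    categories = {FACTOR_CATEGORY.get(f) for f in req.identity.factors} - {None}
    if len(categories) < 2:
        return Decision("step_up", ["fewer than two factor categories"])
    # 3. Device posture: an unhealthy device is refused regardless of the user.
    problems = device_posture_problems(req.device)
    if problems:
        return Decision("deny", problems)
    # 4. Least privilege inside the micro-segment: the exact tuple must be granted.
    needed = (req.segment, req.resource, req.action)
    granted = set().union(*(ENTITLEMENTS.get(r, set()) for r in req.identity.roles))
    if needed not in granted:
        return Decision("deny", [f"no entitlement for {needed}"])
    # 5. Context risk: a write from an unfamiliar network triggers re-authentication.
    if req.action == "write" and not req.source_ip_known:
        return Decision("step_up", ["write from unfamiliar network"])
    return Decision("allow", ["all checks passed"])

def demo_scenarios() -> dict:
    """Constructed requests, one per check; returns scenario name -> outcome."""
    now = datetime(2025, 9, 1, 14, 0, tzinfo=timezone.utc)
    fresh, stale = now - timedelta(minutes=5), now - timedelta(minutes=40)
    good_dev = Device("lap-01", True, True, 3)
    old_dev = Device("lap-02", True, True, 45)
    analyst = Identity("alice", {"finance-analyst"}, {"password", "totp"}, fresh)
    admin = Identity("bob", {"finance-admin"}, {"password", "fido2"}, fresh)
    dev = Identity("carol", {"dev"}, {"password", "fingerprint"}, fresh)
    cases = {
        "healthy_read": Request(analyst, good_dev, "finance", "ledger-db", "read", True, now),
        "stale_session": Request(Identity("alice", {"finance-analyst"}, {"password", "totp"}, stale),
                                 good_dev, "finance", "ledger-db", "read", True, now),
        "single_factor": Request(Identity("alice", {"finance-analyst"}, {"password"}, fresh),
                                 good_dev, "finance", "ledger-db", "read", True, now),
        "unpatched_device": Request(analyst, old_dev, "finance", "ledger-db", "read", True, now),
        "write_without_entitlement": Request(analyst, good_dev, "finance", "ledger-db", "write", True, now),
        "cross_segment": Request(dev, good_dev, "finance", "ledger-db", "read", True, now),
        "write_unknown_network": Request(admin, good_dev, "finance", "ledger-db", "write", False, now),
        "admin_write_known": Request(admin, good_dev, "finance", "ledger-db", "write", True, now),
    }
    return {name: evaluate(r).outcome for name, r in cases.items()}

if __name__ == "__main__":
    for name, outcome in demo_scenarios().items():
        print(f"{name:28s} -> {outcome}")
```

The ordering of checks is the design point: identity is re-verified and device health is confirmed before any entitlement is consulted, and the entitlement key includes the segment, so a role that is valid in one island of the network grants nothing in another. In a real deployment the entitlement table, posture signals and network context would come from the IAM, DPM and segmentation tooling the article lists rather than from constants.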

The Role of AI in Zero Trust

AI is no longer just a tool for innovation – attackers are having a field day with it. The 2025 IBM Cost of a Data Breach Report found that one in six breaches involved AI-driven attacks. Nearly all organisations that suffered AI-related breaches (97%) lacked proper access controls.

Zero Trust’s core principle “never trust, always verify”, could well be the antidote to AI’s unpredictability. But to be effective, Zero Trust must evolve to include AI models, APIs, and machine identities. Examples of how AI can strengthen Zero Trust include:

  • Automating processes for responding to and mitigating threats – these responses involve immediately separating the breached devices, suspending access rights, and triggering incident response processes.
  • Access controls that adapt to the threat environment – AI-driven access control systems can dynamically set each user’s access level through risk assessment in real time.
  • Analysing behaviours to detect anomalies – behavioural analytics uses AI to exhaustively analyse network and user activities to determine the baseline for normal behaviour.
  • Discovering sensitive data – automatically finding and classifying sensitive information across all possible data-leakage channels.
  • Enhancing user productivity – identifying the underlying problems causing user-experience issues, enhancing productivity for the workforce and the IT helpdesk.

How BlueFort Can Help

Research by business insurance firm Hiscox found that two-thirds of UK companies plan to implement Zero-Trust architecture by 2030, reinforcing the need for more stringent security controls in today’s threat landscape. A 2024 Gartner report found that 63% of organisations worldwide have already implemented a Zero-Trust strategy to some extent.

However, it’s not for the faint hearted. The modular, component-based characteristic of the Zero-Trust approach will likely require a range of specialised solutions often supplied by multiple vendors. With so much complexity, individuality and rapid change related to an organisation’s infrastructure, implementing a Zero-Trust model is unlikely to be straightforward.

To underline this point, Accenture issued a report earlier this month that found 88% of CISOs struggle to implement Zero Trust. One authentication manager quoted in the report put it this way: “Vaguely defined, minimally incentivised, and often unending, the Zero-Trust journey is notably challenging and complex. I want to meet the 12% who have not found it a struggle.”

A Problem Shared is a Problem Halved

BlueFort’s methodology of Continuous Cyber Discovery, which draws on the principles of the CTEM and NIST frameworks, makes it absolutely possible to design, deploy, and constantly review a Zero-Trust model. The technology-based roadmap that we have devised delivers a comprehensive understanding of tools, assets, policies, and APIs across on-premises, cloud, and hybrid environments – the essential building blocks of any Zero-Trust programme.

Our team of specialist security engineers work hand in hand with our clients’ internal teams to design, specify, implement, and manage everything – Zero Trust soup to nuts.

I’d also encourage everyone to take a look at the NCSC’s Zero Trust guide, which is aimed at everyone who’s looking at designing and introducing a Zero-Trust infrastructure that’s specific to your own organisation’s requirements.

Tech-Talk Tuesday – Trusting Zero in 20 Minutes

If you’d like to learn more about Zero Trust and how BlueFort can help you navigate your organisation’s unique journey, why not join me on my next Tech Talk Tuesday webinar on Tuesday 23rd September at 2 pm.

We’ll aim to cover:

  • The core principles of Zero Trust – continuous verification, least privilege, micro-segmentation.
  • Architectural components – identity, endpoint, network, application, and data-security layers.
  • Key drivers for adoption – remote work, cloud migration, ransomware, insider threats.
  • Implementation roadmap – from assessment to full policy enforcement.
  • Common pitfalls – and how to avoid them.

Register here and remember, trust is not the desired state, it’s the failure point you want to avoid.
