
Zero Trust: From Buzzwords to Reality – The Tools That Break It, and How to Get It Right
Posted on May 7, 2025
By Tania Postil
We’ve covered the philosophy of Zero Trust—the mindset that says trust no one, verify everything, and assume breach. But now, let’s go deeper.
Because here’s the uncomfortable truth: even with all the right buzzwords in your tech stack—VPN? Check. SSO? Check. MFA? You bet—you could still be miles away from practicing real Zero Trust.
Why?
Because Zero Trust doesn’t care about your checklist. It cares about context.
And context is exactly what most implementations ignore.
So, in this second part of my series ahead of the ISACA Malta Biennale, let’s do two things:
- Expose the tools and setups that quietly break Zero Trust, even when they look “compliant”
- Lay out the principles for building it the right way—with fewer regrets and a lot more resilience
The Illusion of Security: When “Good” Tech Breaks Zero Trust
Let’s talk about betrayal. Not the personal kind—the technical kind. The kind where tools you rely on turn out to be the weakest link.
⚠️ SSO
Great for user experience. Terrible when you issue 12-hour sessions without a single re-check.
→ Result? One compromised token = full access.
⚠️ MFA
Feels reassuring. But phishable MFA (like SMS codes) is practically an invitation.
→ Modern attackers don’t bypass it—they log right in.
⚠️ VPNs
“Secure tunnels” sound safe—until your full tunnel exposes the entire network.
→ Once in, attackers go anywhere.
⚠️ IAM Roles
Role chaining, wildcard permissions, or lack of just-in-time access = way too much power, for way too long.
→ Your internal users become unintentional threats.
⚠️ CASB / DLP / SIEM
Fantastic visibility. But if they can’t enforce policy, they’re just observers.
→ Logging is not protection.
⚠️ Device Certificates
Trusted once ≠ trusted forever.
→ Devices drift, patching lags, malware gets cozy.
Each of these tools can support Zero Trust. But only if used intelligently, contextually, and with relentless verification.
So, You Want Real Zero Trust? Here’s How to Build It Right
It’s time to shift from critique to construction. You don’t need a bigger budget—you need a better blueprint.
Here’s how to stop messing it up—and start doing it right.
1. Stop Treating Trust Like a Lifetime Achievement Award
Access should never be forever.
✅ Continuously revalidate. Use short sessions. Trigger re-authentication on risk signals (location change, time anomalies, device drift). Trust must be earned again and again.
2. Every Door Needs a Lock (and Someone Watching the Cameras)
The perimeter is dead. But internal segmentation? Still MIA in many orgs.
✅ Apply microsegmentation. Limit lateral movement. Combine per-app access with device health checks and behavior monitoring. Implicitly trusted internal zones shouldn’t exist—every interaction should be verified, regardless of where it originates.
3. SSO? Yes. Eternal Tokens? Absolutely Not.
SSO done right is beautiful. But “set it and forget it” tokens are security rot.
✅ Use OpenID Connect with fine-grained scopes. Rotate tokens. Re-auth for sensitive actions. Monitor everything about token behavior.
4. Kill the Zombie Devices
They once passed compliance. They no longer do.
→ And they’re still on your network.
✅ Use real-time device posture assessments. Enforce with MDM/UEM and EDR. Quarantine risky endpoints. If it’s outdated, it’s dangerous.
5. Shrink the Blast Radius
No one needs access to everything—ever.
✅ Implement RBAC/ABAC. Use just-in-time (JIT) and just-enough-access (JEA). Expire all elevated permissions by default. Audit frequently.
6. Fix the Feedback Loops
Your SIEM is watching—but is anyone acting?
✅ Integrate with SOAR and IAM. Set correlation rules. Automate revocation, session termination, or step-up auth when behavior crosses risk thresholds. Visibility must lead to enforcement.
7. Make Zero Trust Everyone’s Job
Tech alone won’t save you. Culture will.
✅ Build security literacy. Use scenario-based training. Embed security champions. Make Zero Trust part of team rituals and executive briefings. When people understand why it matters, they won’t bypass it.
TL;DR – Don’t Be Fancy. Be Relentless.
Zero Trust isn’t a shiny product launch. It’s a thousand tiny decisions, made wisely and repeatedly.
It’s choosing short tokens over comfort. Least privilege over convenience. It’s having awkward conversations about permissions. It’s reviewing access when no one asked.
Smaller doors. Shorter keys. Smarter questions.
When Zero Trust works, you won’t notice.
When it doesn’t, you’ll be the headline.
This concludes my two-part series leading into the ISACA Malta Biennale on May 15.
If you’re attending—bring your assumptions. And get ready to challenge them.
Let’s get practical. Let’s get real.
Let’s stop trusting systems that never deserved it.