기본 콘텐츠로 건너뛰기

Why Zero Trust Is Harder Than Vendors Admit — A CTO's Honest Assessment

Why Zero Trust Is Harder Than Vendors Admit — A CTO's Honest Assessment

I have been in enough vendor briefings to know the script by heart. The Zero Trust slide deck always starts with a compelling attack scenario — a credential stolen through phishing, lateral movement across a flat network, data exfiltrated before anyone noticed. Then comes the solution: a perimeter-free architecture where every user, device, and application must continuously prove their identity and authorization before accessing any resource. Trust nothing, verify everything. The slides are beautiful. The demos are polished. The case studies feature companies you recognize.

What the slides do not show is what happened in the twelve months after the contract was signed. The identity infrastructure remediation work that consumed your entire security team's bandwidth for a quarter. The legacy application that required a six-month exception because it was built in 2008 and uses protocols that Zero Trust cannot handle. The helpdesk ticket spike from users locked out of systems they needed for their jobs. The organizational conflict between the security team pushing for strict enforcement and the development team who needed to ship product.

I am writing this because the gap between the vendor narrative and the implementation reality is wide enough to drive a truck through, and too many organizations are discovering this after they have already committed to a multi-year contract and a major transformation program. This is not an argument against Zero Trust — the underlying architecture is sound and the security benefits are real. This is an argument for entering the implementation with clear eyes, realistic expectations, and a plan built around your actual constraints rather than your vendor's reference architecture.

Digital security protection concept
Photo by Pixabay on Pexels

The Identity Infrastructure Problem Nobody Warns You About

Zero Trust is, at its core, an identity problem. You cannot verify everything if you do not know who and what everything is. Before you can implement device trust, before you can build policy-based access control, before you can do continuous verification of session context — you need a complete, accurate, and authoritative identity store that covers every user, every service account, every device, and every application in your environment.

In theory, this is what your existing Active Directory or LDAP directory provides. In practice, after years of mergers, reorganizations, system migrations, and the organic growth of shadow IT, most enterprise identity directories are a mess. I have conducted identity audits at companies of various sizes, and I have never once found an identity directory that was clean. What you typically find is: service accounts created for projects that ended three years ago and never deprovisioned, shared accounts used by multiple people because some old system did not support individual authentication, external contractors who left but whose accounts were never disabled, applications using individual employee credentials rather than service accounts, and on-premises groups and cloud groups that were created in parallel and have never been synchronized.

At one company I worked with — a mid-market financial services firm running approximately 1,200 employees — the initial identity audit identified 4,700 active user accounts and service accounts in Active Directory. After six months of remediation work, that number was reduced to approximately 1,900 legitimate, properly attributed accounts. The other 2,800 accounts were orphaned service accounts, former employees, test accounts, and duplicates. Every single one of those 2,800 accounts was a potential attack surface — a credential that an attacker could compromise and use to move through the network with a legitimate-looking identity.

Six months. For a company of 1,200 people. That is before a single Zero Trust policy was written or a single new tool was deployed. The identity remediation is not a prerequisite you complete in a sprint and then move on from. It is an ongoing operational discipline, and it requires dedicated staffing.

Legacy Applications Are the Immovable Objects

Zero Trust assumes that every application can participate in modern authentication and authorization protocols. Specifically, it assumes that applications can handle OAuth 2.0 or SAML-based SSO, that they can communicate with a policy enforcement point to have access decisions made dynamically, and that they can provide sufficient logging for audit and monitoring purposes.

Many enterprise applications cannot do any of these things. Custom-built internal applications from the early 2000s that use hardcoded service account credentials. ERP modules from vendors who have reached end of support but which nobody can migrate because the data migration cost is prohibitive. Manufacturing execution systems that run on closed networks and use proprietary protocols. Laboratory information management systems in regulated environments where any software change requires a formal revalidation process that takes twelve to eighteen months.

The vendor response to legacy application problems is usually some combination of a proxy layer, an API gateway, or the phrase "we have a solution for that." What they mean is that they have a workaround that wraps the legacy application in a Zero Trust-compatible interface. This works for some applications some of the time. It does not work for all applications, and even when it does work, it adds latency, increases operational complexity, and introduces a new component that has to be maintained, patched, and monitored.

At a manufacturing company I advised, roughly 30 percent of internal applications could not be brought into the Zero Trust architecture without either replacing them (which was not funded) or operating permanent exceptions. The security team negotiated those exceptions by compensating with network-layer controls — microsegmenting the legacy application environments so that even if they could not do identity-based access control, the blast radius of a compromise was limited. This is a valid approach. It is also an honest acknowledgment that "Zero Trust" in this organization meant "Zero Trust except for a third of our application estate."

I am not criticizing the security team's decision — they made the pragmatic choice available to them given real constraints. I am criticizing the vendor narrative that makes these compromises seem like edge cases rather than the near-universal reality of enterprise Zero Trust implementations.

Professional working on security in an office environment
Photo by cottonbro on Pexels

User Friction Is Real and It Has a Cost

Security teams tend to see user friction as an acceptable trade-off. Users see it differently, and they have more ways to route around it than security teams typically anticipate.

The friction points in a Zero Trust implementation are numerous: MFA prompts that appear more frequently than users expect, device compliance checks that fail for legitimate reasons (a software update that has not yet been installed, a security certificate that expired), conditional access policies that block users working from locations they regularly use but that the policy did not account for, and SSO sessions that expire and require re-authentication at inconvenient moments.

At one technology company, the first three months after Zero Trust enforcement was enabled saw a 340 percent increase in helpdesk tickets related to access issues. The helpdesk team, which was not sized to absorb that volume, began creating exceptions as a matter of operational necessity — disabling policies for users who complained loudly enough, whitelisting devices that should not have been whitelisted, and generally creating a shadow permission structure that existed outside the Zero Trust policy framework. Within six months, the Zero Trust policies looked rigorous on paper but had been exception-riddled in practice.

The solution to user friction is not to reduce security controls — it is to design for usability from the beginning. This means investing in SSO coverage so that users are not repeatedly prompted for credentials across different applications. It means building a reliable, fast device compliance enforcement mechanism so that compliant devices rarely fail checks unnecessarily. It means creating a fast-path exception process with proper audit trails so that when a legitimate access issue arises, it can be resolved in hours rather than days. And it means training users on what to expect before enforcement begins, not after.

All of this takes time and resources that are not reflected in the vendor's implementation estimate.

Callout: The Helpdesk Staffing Math
Before enabling Zero Trust enforcement broadly, calculate your expected support burden. If your organization has 5,000 users and you expect 10 percent to encounter access friction in the first month, that is 500 tickets. If each ticket takes 30 minutes to resolve, that is 250 helpdesk hours. Does your helpdesk have that capacity? If not, partial enforcement — starting with lower-risk user populations — is not a sign of weakness. It is a realistic deployment strategy.

The Security Team vs. Development Team Conflict

Zero Trust creates organizational tension that is rarely discussed in vendor materials. The security team's incentives are to enforce strict policies, minimize exceptions, and hold the line on controls. The development team's incentives are to ship product quickly, maintain access to the environments they need to work in, and not have security policies blocking their deployments.

In the absence of a clear escalation path and decision framework, these tensions are resolved by whoever shouts loudest or has the strongest executive relationships. This is not a governance model. It is organizational entropy.

The specific friction points that come up most often between security and development in a Zero Trust implementation are: developer access to production environments (security wants this locked down, developers argue they need it for incident response), CI/CD pipeline credentials (Zero Trust policies make automated pipelines more complex to configure), service-to-service authentication (every microservice call now requires an identity, which adds architectural complexity), and the speed of security review for new application integrations (developers want to ship; security reviews take time).

Resolving these tensions requires executive-level clarity on the organization's risk tolerance and a structural mechanism for fast security reviews of development requests. Many organizations implement a "secure by default, approved exceptions" model — new development access requests start with Zero Trust controls enabled, and exceptions require a documented risk acceptance signed by an appropriate executive. This creates accountability on both sides without giving either team veto power over the other.

Vendor Lock-In and the Overclaiming Problem

Zero Trust is a philosophy, not a product. But vendors have done an effective job of making it sound like a product — specifically, their product. This creates a lock-in dynamic that is worth understanding before you sign a contract.

The Zero Trust vendor market in 2026 is largely dominated by a handful of platform players — Zscaler, Palo Alto Networks, CrowdStrike, Microsoft, and Google — alongside a long tail of point solutions for specific use cases. Each platform vendor has a strong incentive to position their suite as the complete Zero Trust solution and to make their platform components work better together than they work with competitors' tools. This is rational vendor behavior, but it means that choosing a primary platform vendor early in your Zero Trust journey has significant implications for which other tools you can use effectively alongside it.

Before selecting a vendor, there are specific questions worth pressing them on: What happens to my data if I need to switch vendors in four years? What does your pricing model look like at scale — specifically, what are the contract terms if our user count doubles? Which of your platform capabilities are genuinely differentiated versus commodity capabilities I could get from an open-source alternative? And — the most revealing question — can you introduce me to a customer who had a failed or significantly delayed Zero Trust implementation with your platform and is willing to talk about why?

No vendor will have a clean answer to that last question. But how they respond to it tells you a lot about how honest they are willing to be about implementation complexity.

Person working at computer with multiple screens
Photo by Anete Lusina on Pexels

A Realistic Three-Year Zero Trust Roadmap

Based on implementations I have either led or observed closely, here is what a realistic Zero Trust roadmap looks like — not what a vendor presentation looks like.

Year 1: Foundation Work. Identity inventory and remediation, MFA enrollment to 95 percent of users (getting the last 5 percent takes disproportionate effort), device inventory and management platform deployment, SSO coverage for the top 30 to 40 critical applications, and network segmentation audit. By the end of year one, you should have a defensible identity and device foundation. You should not expect to have Zero Trust policy enforcement broadly in place. If you are ahead of this pace, great — but plan for it rather than against it.

Year 2: Policy Enforcement. Conditional access policies for high-risk access scenarios (privileged accounts, sensitive data access, external access), microsegmentation for critical network segments, service account rationalization and just-in-time privilege access, and Zero Trust network access replacing traditional VPN for remote work. Year two is when the security benefits start becoming visible and when the organizational friction is highest. This is the year you need executive sponsorship most actively.

Year 3: Maturity and Extension. Continuous monitoring and behavioral analytics, Zero Trust enforcement expanded to the broader application estate, automation of policy updates and anomaly response, and third-party access management. Year three is when Zero Trust starts to look like the vendor slides from year zero — but only because you did two years of unglamorous foundation work first.

What "Good Enough" Zero Trust Looks Like

Perfect is not an available option. Every enterprise environment has legacy applications, exceptions, and constraints that prevent a pristine Zero Trust architecture. The question is not "have we achieved Zero Trust?" — it is "have we materially reduced our attack surface and our lateral movement risk compared to our previous posture?"

A "good enough" Zero Trust implementation for a typical enterprise has these characteristics: MFA is enforced for all users on all externally accessible systems and all privileged access, device health is validated before granting access to sensitive applications, network access is segmented so that a compromised credential in one business unit cannot easily move laterally to another, privileged access is managed through just-in-time mechanisms rather than standing permissions, and security events generate alerts that someone actually reviews.

Notice what is not on this list: Zero Trust enforcement on every legacy application, perfect visibility into every data flow, or elimination of all standing access. Those goals are worth pursuing over time. They are not prerequisites for claiming meaningful security improvement.

Callout: Measure Security Outcomes, Not Security Theater
The most honest metric for a Zero Trust program is not "what percentage of our applications are Zero Trust compliant?" It is "how long would an attacker with a stolen credential take to reach your most sensitive data?" Run tabletop exercises and red team exercises against your actual architecture, not your policy documentation. The gap between what your policies say and what an attacker can actually do is the real measure of your security posture.

Comparison Table: Zero Trust — Vendor Claims vs. Implementation Reality

Aspect What Vendors Say What Actually Happens
Implementation timeline 3–6 months to full Zero Trust 2–3 years to meaningful coverage
Legacy application compatibility "We have a solution for that" 20–40% of apps need permanent exceptions
Identity readiness Assumes clean identity directory 6–12 months of identity remediation first
User impact Transparent to users with SSO Significant helpdesk spike, requires change management
Total cost License cost only in proposal 2–4x license cost in staffing and integration work
Vendor lock-in Open standards, portable policies Deep integration creates significant switching costs
Person analyzing data on laptop
Photo by Mati Mango on Pexels

Key Takeaways

  1. Identity infrastructure remediation is the non-negotiable prerequisite for Zero Trust, and most organizations underestimate how much work it involves — budget 6 to 12 months before meaningful policy enforcement can begin.
  2. Legacy applications are not edge cases. In most enterprises, 20 to 40 percent of the application estate cannot be brought into a Zero Trust architecture without permanent compensating controls or replacement investments.
  3. User friction is a program-threatening risk. Plan your helpdesk staffing, invest in SSO coverage, and do phased rollout rather than big-bang enforcement.
  4. The real cost of Zero Trust is 2 to 4 times the vendor license cost when you include the staffing, integration work, training, and organizational change management required.
  5. Vendor lock-in in Zero Trust is real. Platform vendors design their suites to work best together, creating switching costs that compound over time.
  6. A realistic three-year roadmap — year one for foundation, year two for enforcement, year three for maturity — is more achievable and delivers more durable security improvement than an ambitious 6-month timeline that collapses under implementation reality.

Zero Trust works. The underlying principles are correct and the security benefits for organizations that implement it well are substantial. But "implementing it well" requires honesty about the distance between your current state and the reference architecture, adequate staffing for the remediation work that precedes the interesting policy work, and executive patience for a multi-year transformation rather than a quarterly security initiative. Enter with realistic expectations, and you will get there. Enter with vendor-slide expectations, and you will get discouraged before you see the benefits.

Tracking security compliance automatically? — See what I built

라벨:

댓글

댓글 쓰기

이 블로그의 인기 게시물

EU AI Act Compliance in 2026: What Every Enterprise Needs to Do Now

The EU AI Act Is Now Law — And Your Countdown Has Started The EU AI Act entered into force on August 1, 2024. The first provisions took effect six months later. The full implementation timeline runs through 2027. If you're building, deploying, or using AI systems in or for the European Union, this law applies to you — and the window for being caught unprepared is closing. I've spent the past year working with enterprise clients on AI governance programs, and the pattern I see consistently is this: organizations vastly underestimate how much operational work EU AI Act compliance actually requires. It's not a checkbox exercise. It's a fundamental reorganization of how you develop, document, deploy, and monitor AI systems. This guide is what I wish existed when I started. It covers the substance of the law, the practical compliance requirements, the timelines that matter, and the things I've seen enterprises get wrong in early implementation efforts. Pho...
댓글 쓰기
자세한 내용 보기

AWS vs Azure vs GCP in 2026: Which Cloud Platform Should You Choose?

The cloud platform decision is one of the most consequential technology choices an organization makes, and in 2026 it's also one of the most misunderstood. Most of the debate I see in enterprise architecture forums reduces to "we're an AWS shop" or "we go Azure because of Microsoft" — neither of which is a strategy. A platform choice made primarily on inertia or existing vendor relationships is a choice that will cost you for years. I've spent significant time in all three major cloud environments — AWS for scale workloads and data engineering, Azure for enterprise SAP and Microsoft-integrated architectures, and GCP for AI-intensive and analytics-heavy use cases. My goal in this guide is to give you a genuine, nuanced comparison that goes beyond feature lists and into the practical realities of choosing and running a cloud platform in 2026. I'll cover market position, each platform's honest strengths and weaknesses, how to match workloads t...
댓글 쓰기
자세한 내용 보기

Zero Trust in 2026: What It Actually Takes to Implement It Beyond the Buzzword

In 2026, Zero Trust is everywhere. Every major security vendor claims to offer it. Every enterprise RFP asks for it. CISOs reference it in board presentations. It appears in government mandates, insurance questionnaires, and compliance frameworks. Zero Trust has, in the span of about five years, gone from a niche architectural philosophy to a ubiquitous marketing term — and that ubiquity has created a serious problem. The problem is that "Zero Trust" now means almost nothing, because it means too many different things. A vendor selling multi-factor authentication calls it Zero Trust. A company that replaced its VPN with a cloud proxy calls its network Zero Trust. An organization that added certificate-based authentication to its API gateway calls that Zero Trust. Each of these is a step in the right direction, but none of them is Zero Trust in the original sense — and more importantly, none of them alone provides the security posture that the term implies. I have wor...
댓글 쓰기
자세한 내용 보기