COMMENTARY: In 2010, the first iPad was released, Instagram was founded, and the term “Zero Trust” entered the cybersecurity zeitgeist. Fast forward to 2025: Apple has announced its 11th-generation iPad and Instagram’s annual revenue is nearing $70 billion. Technology has leapt ahead, yet our approaches to Zero Trust remain largely stuck in a bygone era.

That’s why nearly 88% of organizations report significant challenges in their Zero Trust implementation attempts, even as most CISOs rank Zero Trust among their top priorities. The takeaway is clear — we must stop treating Zero Trust as a checkbox or a product and instead recalibrate our approach, embedding Zero Trust principles into the very fabric of our architectures to truly operationalize the “never trust, always verify” philosophy.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]

To appreciate what “built-in” security means, consider the phone in your pocket. Unboxing a new iPhone is simple — peel off the wrapper, power it on, sign in — but behind that simplicity is an intricate choreography of defenses working by design. For example, the Messages app automatically runs any untrusted content through BlastDoor, Apple’s new Stolen Device Protection requires Face ID/Touch ID for sensitive actions when in an unfamiliar location, and its recently introduced Memory Integrity Enforcement makes entire classes of memory corruption attacks materially harder by default.
None of these protections are bolt-on accessories; they’re woven into the product’s DNA. The device is safe not because users manage it perfectly, but because its architecture makes whole categories of mistakes far less costly.

That’s the lesson for enterprises: Zero Trust works best as design, not décor. Most security leaders already agree in principle but struggle in practice.
Priorities, point solutions, and the gap between promise and practice
Research from Cisco highlights that about 86% of organizations say they’ve started adopting Zero Trust security, but only 2% have fully achieved maturity across all its pillars. In other words, nearly everyone is on the journey, yet almost no one has reached the destination.

Boards and executives aren’t impressed by how many new tools you’ve deployed or the logos on your slides; they care about outcomes. Even so, many smart teams stall on the road to Zero Trust because the effort begins as a shopping spree or a series of siloed projects rather than a cohesive strategy. We install MFA over here, endpoint detection and response over there, maybe a so-called “ZTNA” solution in front of some apps — and assume we’re making progress. But without an overarching design, these point solutions don’t add up to a resilient whole.

We also have to rethink the traditional “crawl, walk, run” mindset for Zero Trust. For years, capabilities like microsegmentation were treated as advanced moves reserved for the final stages of a long journey. But that conventional wisdom is outdated. Modern technology has democratized these protections, making them more accessible to organizations of all sizes. In fact, authorities like the U.S. Cybersecurity and Infrastructure Security Agency (CISA) now call microsegmentation foundational to Zero Trust, not an optional extra.

What used to be considered a “nice-to-have” is now a must-have early on — especially as new automated segmentation tools remove the historical complexity. The bottom line is that a piecemeal, point-solution approach to Zero Trust will yield only superficial gains.
Zoom out to zoom in: Zero Trust architecture
You wouldn’t build a house room-by-room with no blueprint; likewise, you can’t secure a modern enterprise by tackling each domain (identity, devices, network, applications, data) in isolation. Instead of tacking on one tool after another, step back and design a unified Zero Trust architecture.

At its core, Zero Trust architecture boils down to a few fundamental capabilities. First, identity becomes the new control plane. Every user, device, or application request should be evaluated dynamically before it’s allowed to proceed. Who is making the request? From what device and posture? What resource are they trying to access, and under what conditions? The answers feed into a policy engine that makes a just-in-time decision: either allow only the least privilege needed or challenge/deny the request. No more permanent entitlements or “standing keys to the kingdom.”

Next, make segmentation intrinsic to your environment. Every application and service should run in an environment where the default stance is least-privilege network access. In simple terms, nothing should be able to talk to anything else unless policy says it should — and policies must travel with workloads and identities. Whether an application is in the data center, a public cloud, or a developer’s laptop, it should obey the same granular access rules.

By corralling assets into their own microsegments with strict access policies, you dramatically lower the chances of an attacker pivoting from an initial foothold to your most sensitive systems. This is exactly why CISA’s 2025 Zero Trust guidance emphasizes microsegmentation as a baseline requirement: it slashes the attack surface, constrains lateral movement, and gives your ops team fine-grained visibility into what’s happening in each segment.

As you implement these controls, remember that a Zero Trust architecture thrives on continuous improvement. Discover and map actual traffic flows in your environment and use that insight to refine your policies.
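As an added illustration (not code from the column, from Zero Networks, or from any product it mentions), the following Python sketches the two capabilities described above in working form: a default-deny policy engine that weighs who is asking, from what device posture, for which resource and under what conditions before granting a least-privilege allow or demanding step-up verification, and a dry run that replays discovered traffic flows against a proposed policy so unintended disruptions surface before enforcement. The identities, group memberships, rules, thresholds and flow records are constructed sample data, not anything from the column.

```python
"""Toy Zero Trust policy engine with a flow-log dry run (added example, constructed data)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed group membership: identity -> groups. A real deployment would pull this
# from the identity provider; here it is hard-coded so the example runs offline.
GROUPS = {
    "alice@example.com": {"finance"},
    "bob@example.com": {"engineering"},
    "svc-payroll": {"payroll-workloads"},
    "svc-web": {"web-tier"},
}


@dataclass(frozen=True)
class Request:
    """One access attempt with the context a policy engine evaluates: who, what, how, where."""
    identity: str
    resource: str
    port: int
    device_compliant: bool = True   # device posture as reported by management tooling
    mfa_age_minutes: int = 0        # minutes since the last strong authentication
    familiar_location: bool = True  # whether the request originates from a known location


@dataclass(frozen=True)
class Rule:
    """An explicit, narrowly scoped allow. Anything no rule matches is denied (default deny)."""
    name: str
    group: str
    resource: str
    ports: frozenset
    require_compliant_device: bool = True
    max_mfa_age_minutes: int = 60     # constructed threshold: re-authenticate after an hour
    step_up_when_unfamiliar: bool = True


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    rule: Optional[str] = None


def evaluate(request: Request, policy: Iterable[Rule]) -> Decision:
    """Just-in-time decision: match (who, what, port), then verify posture and freshness."""
    groups = GROUPS.get(request.identity, set())
    for rule in policy:
        if rule.group not in groups or rule.resource != request.resource or request.port not in rule.ports:
            continue  # rule does not cover this identity/resource/port combination
        if rule.require_compliant_device and not request.device_compliant:
            return Decision(False, "device not compliant", rule.name)
        if request.mfa_age_minutes > rule.max_mfa_age_minutes:
            return Decision(False, "re-authentication required", rule.name)
        # Unfamiliar location: demand a verification no older than 5 minutes (constructed threshold).
        if rule.step_up_when_unfamiliar and not request.familiar_location and request.mfa_age_minutes > 5:
            return Decision(False, "step-up verification required", rule.name)
        return Decision(True, "matched", rule.name)
    return Decision(False, "no rule matches (default deny)")


@dataclass(frozen=True)
class Flow:
    """One observed connection from traffic discovery (constructed sample record)."""
    src: str
    dst: str
    port: int


def simulate(flows: Iterable[Flow], policy: Iterable[Rule]) -> Tuple[List[Tuple[Flow, str]], List[Tuple[Flow, str]]]:
    """Dry run: evaluate discovered flows against a proposed policy without enforcing it.

    Flow records carry no device posture or MFA state, so each flow is evaluated with the
    Request defaults (compliant device, fresh authentication); the dry run therefore shows
    only which flows the segmentation rules themselves would cut.
    """
    would_allow: List[Tuple[Flow, str]] = []
    would_block: List[Tuple[Flow, str]] = []
    for flow in flows:
        decision = evaluate(Request(flow.src, flow.dst, flow.port), policy)
        (would_allow if decision.allowed else would_block).append((flow, decision.reason))
    return would_allow, would_block


# Constructed proposed policy: three narrow allows, nothing else.
POLICY = [
    Rule("finance-to-payroll-app", "finance", "payroll-app", frozenset({443})),
    Rule("payroll-app-to-db", "payroll-workloads", "payroll-db", frozenset({5432})),
    Rule("web-to-api", "web-tier", "api", frozenset({8443})),
]

# Constructed discovery output: includes a web-tier-to-database path the policy would cut.
OBSERVED_FLOWS = [
    Flow("svc-web", "api", 8443),
    Flow("svc-web", "payroll-db", 5432),
    Flow("svc-payroll", "payroll-db", 5432),
    Flow("bob@example.com", "payroll-app", 443),
]

if __name__ == "__main__":
    allowed, blocked = simulate(OBSERVED_FLOWS, POLICY)
    print(f"{len(allowed)} flows would be allowed, {len(blocked)} would be blocked")
    for flow, reason in blocked:
        print(f"  BLOCK {flow.src} -> {flow.dst}:{flow.port} ({reason})")
```

Run as a script, the dry run reports that the web tier's direct database connection and the engineer's payroll-app access would both be cut; an operator can then decide whether those flows are legitimate (and add a rule) or a lateral-movement path that the policy is right to close, before anything is enforced.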
Where possible, simulate the impact of new rules before enforcing them, so you can catch any unintended disruptions. Over time, this iterative approach turns Zero Trust from a lofty concept into measurable outcomes.

Finally, apply the same discipline to external access that you do internally. If your shiny new “Zero Trust Network Access” solution still gives a remote user a broad, long-lived tunnel into your network, then all you’ve done is rebrand the old VPN problem. True ZTNA means per-session, contextual access — each time a user or device connects, it gets only the specific application or resource access it needs, and nothing more. The access should be continuously re-evaluated too, because trust is never permanent.

Breach statistics aren’t just dollars on a ledger; they translate to days of business interruption, weeks of recovery work, and months of diverted attention. The antidote to this pain is architectural resilience. Resilience shows up when your policy follows identity everywhere, when segmentation is ubiquitous rather than an afterthought, and when verification never goes to sleep.

The phone in your pocket isn’t secure because you, the user, did everything right — it’s secure because its makers assumed you might not, and they built in proactive protective layers. That’s exactly the standard we need to bring into our enterprises. Zero Trust isn’t a one-time pilgrimage or a stack of vendor logos; it’s a redesign of how systems connect and protect themselves, such that the whole environment is safer by construction. Zero Trust isn’t dead — it’s evolving into something much more powerful: a world where security is not an add-on, but an intrinsic property of the way we operate.
Chris Boehm is Field CTO, Zero Networks. He has 15-plus years in cybersecurity, spanning public sector IT, cloud engineering, and executive leadership.