A CTO's Primer on Zero Trust: Part 2 - Overcoming Implementation Challenges
In part one, we established that zero trust means moving away from the traditional perimeter-based network defenses and toward something far more nuanced and controlled. And while there's no denying that zero trust is intellectually very appealing, converting its vision into an actionable reality is a real challenge.
Many organizations find complex network architectures to be the first stumbling block on the path to zero trust. Traditional networks are often a hodgepodge of old and new solutions, which have been added over years — or even decades. On top of that, challenges with prioritizing initiatives or "biting off more than you can chew" can produce a daunting canvas on which to produce effective (and lasting) change.
Most enterprises have been architected with implicit trust in the users and devices that are allowed into the network, but without any explicit, prescriptive trust model for the solutions that live on that network. Retrofitting such environments to accommodate zero trust principles can seem akin to building a new airplane while keeping the old one in service.
Setting realistic expectations
Organizations are struggling to adopt zero trust for numerous reasons. One common issue we see is clients conflating remote access or application access with zero trust. Another issue is not having the right organizational change management or foundational components to begin building their program. Additionally, organizations often lose interest in the programmatic changes needed to accomplish their goals. To successfully implement zero trust and overcome these challenges, it is important to properly set expectations within the organization. Unrealistic expectations, such as believing that segmentation can be done across all business units and all of IT and OT infrastructure by the same tooling and in one project, can hinder progress.
Start small, then iterate
Establish and leverage the concept of protect surfaces
The concept of "protect surfaces" was introduced as part of the zero trust security model to help organizations better secure their critical assets. Protect surfaces are a key component of this approach. Unlike the traditional attack surface, which can be vast and difficult to defend, a protect surface is much smaller and more manageable. It includes only the most critical data, applications, assets and services (DAAS) that need to be secured.
By identifying and focusing on these protect surfaces, organizations can implement more granular security controls and better protect their most valuable resources. Using this framework, you can start small while still making progress on your zero trust initiatives. Some example protect surfaces include "User to Web Application Access," "Business Unit to SharePoint Sites," and "Branch Offices."
Establish governance and an architecture council
This does not have to start out being formal. However, it is important that new IT projects being onboarded into your organization meet the criteria set for your new zero trust framework. This ensures consistency and alignment with your security goals.
To establish effective governance and an architecture council, especially in the context of implementing a zero trust framework, you can leverage several industry-leading frameworks and regulatory guidelines: COBIT, ITIL, ISO/IEC 38500, the NIST CSF or TOGAF.
Tie into larger business initiatives
It's imperative to align security initiatives with broader organizational goals and risk appetite. The ultimate goal? Turning cybersecurity into a business enabler rather than a reactive operational burden.
Focus on where the risk exists today on specific protect surfaces and demonstrate how your organization can reduce risk to that specific protect surface. By aligning zero trust initiatives with larger business projects, you can show tangible benefits and gain broader support.
You can also refer to our 2025 Security Priorities Report, put out by WWT Research. This report outlines the essential priorities for CISOs in 2025, presenting a roadmap for navigating this landscape. By focusing on these strategic priorities, security leaders not only protect critical assets but also empower businesses to innovate and thrive in an increasingly complex risk landscape.
Establish relevant metrics
Establish your KPIs and metrics early so that you can effectively track the program's progress. Focus on metrics that impact the business, not just IT. For example, "Acquisition lag time to access company resources is currently 6 months." By tracking and improving such metrics, you can demonstrate the value of the zero trust program to the entire organization.
Integrating legacy systems
Adapting and integrating legacy systems within a zero trust architecture (ZTA) is akin to fitting a square peg into a round hole. The nature of these traditional systems often stands in stark contrast to the adaptable and security-centric requirements of ZTA. Legacy systems are like relics from a bygone era; they weren't designed for continual validation and scrutiny, which are the bedrock principles of zero trust.
Start with a high-level assessment of existing business functions, identifying and classifying them based on their role, importance and compatibility with modern security standards. You don't want to waste too much time inspecting the entire organization at a deep level — you're just looking for a few solid areas (i.e., protect surfaces) to prioritize. Choose a specific segment of the business with a risk profile that warrants prioritization.
Industry examples
- Healthcare: One of the major hurdles in healthcare is the reliance on outdated medical devices that are interwoven into hospital networks, where sensitive patient data traverses. Despite their critical importance, many of these devices run on unsupported or obsolete operating systems, creating vulnerability points ripe for exploitation.
- Retail: Legacy point of sale (POS) systems present significant challenges for the retail industry. Retail POS systems were architected with ease of use and customer throughput in mind, not integrated security checks.
- Federal government: In the federal sector, agencies often grapple with old infrastructure built over decades without coherent cybersecurity strategies. These legacy systems hold a vast reservoir of public information and are known to have compliance constraints that do not align well with new cybersecurity frameworks.
Recommendations
It's important to consider a few strategic recommendations for organizations that want to integrate legacy systems within a zero trust framework:
- Selective isolation: If upgrading isn't possible, isolating the legacy systems to reduce risk exposure becomes vital. This is very common in healthcare use cases.
- Incremental upgrades: Develop long-term upgrade plans that incrementally replace outdated components with more secure alternatives, ensuring that core operations remain uninterrupted.
- Programmatic approach: Remember that devices and tooling that are new today will eventually fall out of support. Build a process that catches them as they do and defines which part of your standard process (isolation, upgrade or replacement) those devices will follow.
These insights echo that integrating legacy systems into a zero trust environment requires not only technical adjustments but also a visionary approach — balancing modernization with operational continuity. The collective wisdom from industry experts underscores a common theme: It's less about imposing immediate changes and more about navigating a conscientious path toward a secure future.
Precise access policies
Crafting detailed access policies is a pivotal challenge when transitioning to a zero trust architecture (ZTA). The traditional model of broad permissions, where users and their devices are often presumed trustworthy once inside the network perimeter, starkly contrasts with zero trust's requirement for stringent and precise access controls. Crafting access policies under zero trust involves more than just technology — it demands an institutional shift toward understanding the granularities of every user interaction.
Industry examples
- Financial services: In this sector, firms must navigate complex compliance landscapes while crafting access policies. The challenge lies in reconciling regulatory requirements with the technical rigidity needed for continuous authentication and authorization. Financial institutions tread a fine line between policy precision and meeting rapid transaction demands.
- Transportation: For the transportation industry, especially with large-scale logistics companies, the challenge is managing access to an intricate web of interconnected systems — from cargo tracking to fleet management systems. Broad access might lead to inefficiencies and security vulnerabilities.
- Utilities: Utility providers face the difficulty of integrating access control systems across dispersed infrastructure locations — often involving legacy equipment. The decentralized nature of facilities complicates efforts to maintain uniform access policies.
Recommendations
To address these challenges and effectively implement robust access controls within a zero trust framework, organizations should consider the following strategic recommendations for those prioritized protect surfaces:
- Role-based access control (RBAC): Implement RBAC to ensure that individuals have access only to the information and resources essential to performing their specific job functions. Start broad with overall application access. Focus on applications that would have high impact if compromised.
- Just-in-time provisioning: Where access is difficult to revoke, favor workflows in which access is provisioned only when it is needed, using lightweight automation backed by approval workflows.
- Contextual and behavioral analysis: Utilize contextual data and patterns of behavior to dynamically adjust access controls based on user actions, ensuring that each request aligns with organizational security policies.
- Regular policy review: Establish a routine for auditing and revising access policies to reflect changes in personnel roles, cybersecurity threats or operational processes.
- Investment in identity and access management (IAM) solutions: Leveraging advanced IAM technologies helps create a scalable and adaptable policy infrastructure capable of supporting zero trust tenets.
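The recommendations above (RBAC scoped to high-impact applications, just-in-time grants, and contextual and behavioral signals) combine into a single decision per request. The following is an added worked example of such a decision for the "User to Web Application Access" protect surface; it is illustration code written for this article, not WWT tooling or any IAM product's API. The role-to-application map, the risk limits, the device and MFA signals and the sample requests are all constructed assumptions.

```python
"""Worked example: deciding one access request to a zero trust protect surface.

This is an added illustration, not WWT's tooling or a product API. The roles,
applications, risk limits and sample requests are constructed for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Protect surface under review: "User to Web Application Access" (constructed).
# RBAC: each role lists only the applications it needs; nothing else is granted.
ROLE_APPS = {
    "finance-analyst": {"ledger-web"},
    "hr-specialist": {"hris-web"},
    "it-ops": {"ledger-web", "hris-web", "admin-console"},
}
# Applications with high impact if compromised get the tighter risk limit.
HIGH_IMPACT_APPS = {"ledger-web", "admin-console"}
RISK_LIMIT_HIGH_IMPACT = 30
RISK_LIMIT_DEFAULT = 70


@dataclass
class JitGrant:
    """Just-in-time entitlement: approved for one user and app, expires by itself."""
    user: str
    app: str
    expires_at: datetime


@dataclass
class AccessRequest:
    user: str
    roles: set
    app: str
    device_compliant: bool   # endpoint management reports patch and EDR state
    mfa_verified: bool       # strong authentication completed for this session
    risk_score: int          # 0..100 from a behavioral analytics feed (constructed)
    at: datetime
    jit_grants: list = field(default_factory=list)


def legacy_decision(on_corporate_network: bool) -> bool:
    """The implicit-trust model the article contrasts with: inside means allowed."""
    return on_corporate_network


def zero_trust_decision(req: AccessRequest) -> tuple:
    """Return (allowed, reason). Every request is evaluated; none is presumed trusted."""
    # 1. RBAC: some role held by the user must explicitly include the application.
    role_allows = any(req.app in ROLE_APPS.get(r, set()) for r in req.roles)
    # 2. Just-in-time: an unexpired grant for this user and app stands in for a standing role.
    jit_allows = any(g.user == req.user and g.app == req.app and g.expires_at > req.at
                     for g in req.jit_grants)
    if not (role_allows or jit_allows):
        return False, "no role or just-in-time grant covers this application"
    # 3. Context: device posture and MFA are required regardless of role.
    if not req.device_compliant:
        return False, "device not compliant"
    if not req.mfa_verified:
        return False, "MFA not verified"
    # 4. Behavior: high-impact applications tolerate less risk before access is denied.
    limit = RISK_LIMIT_HIGH_IMPACT if req.app in HIGH_IMPACT_APPS else RISK_LIMIT_DEFAULT
    if req.risk_score > limit:
        return False, f"risk score {req.risk_score} exceeds limit {limit} for {req.app}"
    return True, "granted via " + ("role" if role_allows else "just-in-time grant")


def run_examples() -> dict:
    """Evaluate constructed requests; returns {case name: (allowed, reason)}."""
    now = datetime(2025, 3, 3, 10, 0, tzinfo=timezone.utc)
    base = dict(device_compliant=True, mfa_verified=True, risk_score=10, at=now)
    cases = {
        "analyst_ledger": AccessRequest("alice", {"finance-analyst"}, "ledger-web", **base),
        "hr_ledger_no_grant": AccessRequest("bob", {"hr-specialist"}, "ledger-web", **base),
        "hr_ledger_jit_valid": AccessRequest(
            "bob", {"hr-specialist"}, "ledger-web", **base,
            jit_grants=[JitGrant("bob", "ledger-web", now + timedelta(hours=2))]),
        "hr_ledger_jit_expired": AccessRequest(
            "bob", {"hr-specialist"}, "ledger-web", **base,
            jit_grants=[JitGrant("bob", "ledger-web", now - timedelta(minutes=1))]),
        "analyst_ledger_noncompliant": AccessRequest(
            "alice", {"finance-analyst"}, "ledger-web", **{**base, "device_compliant": False}),
        "analyst_ledger_risky": AccessRequest(
            "alice", {"finance-analyst"}, "ledger-web", **{**base, "risk_score": 50}),
        "hr_hris_same_risk": AccessRequest(
            "bob", {"hr-specialist"}, "hris-web", **{**base, "risk_score": 50}),
    }
    return {name: zero_trust_decision(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in run_examples().items():
        print(f"{name:30} {('ALLOW' if allowed else 'DENY'):5} {reason}")
    print("legacy model, same risky request on the corporate network:", legacy_decision(True))
```

Two design points carry the article's advice into the code: a just-in-time grant is checked against the request time, so revocation happens by expiry rather than by someone remembering to remove access, and the same behavioral risk score that is tolerated for a routine application denies access to a high-impact one.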
By addressing these aspects head-on, organizations can maneuver the complexities of access policy creation under a zero trust paradigm. The transition requires not merely upgrading technology but also fostering a culture of vigilance and adaptability, ensuring security postures that effectively anticipate and respond to evolving threats.
Continuous monitoring
It is a constant challenge to effectively supervise data flows and transaction patterns across vast network landscapes without overwhelming security teams with extraneous information. Continuous monitoring in the context of zero trust is akin to watching every needle in a forest of haystacks — precision is key, but so is practicality.
Industry examples
- Military defense: Military networks are global, intricate and crucial for real-time decision-making. Here, the challenge lies in constant, real-time monitoring of classified communication channels while ensuring operational readiness.
- Geospatial satellites: In the realm of satellite operations where geospatial data is continually collected and processed, there's a relentless stream of information to monitor. Integrating continuous security monitoring without interfering with data accuracy and transmission rates is a complex puzzle.
- Manufacturing: The manufacturing sector faces challenges around industrial control systems (ICS), where integrating continuous monitoring can be invasive and disrupt production lines. Misleading or excessive alerts could critically affect workflow efficiency.
Recommendations
In light of these challenges, here are some strategic recommendations to enhance continuous monitoring capabilities as part of a zero trust strategy:
- AI and machine learning (ML) integration: Leverage AI and ML technologies to automate the detection of anomalies and contextualize monitoring data, improving response times without overwhelming personnel.
- Prioritize critical systems: Focus monitoring efforts primarily on the most critical systems, applying resources where they are needed most and minimizing unnecessary data collection.
- Customizable alert systems: Deploy systems that allow customization of alert thresholds and tailor responses according to specific operational contexts, enhancing relevance and reducing noise.
- Regular training and simulation: Conduct regular training sessions and simulate potential breach scenarios to refine monitoring solutions, ensuring teams remain sharp and capabilities align with evolving threats.
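The "prioritize critical systems" and "customizable alert systems" recommendations above are concrete enough to show in code: the same failed-login pattern should page someone when it hits an ICS gateway and stay quiet when it hits an internal wiki. The following is an added example written for this article, not WWT tooling or any SIEM's rule language. The log format, the host inventory with its tiers, the threshold values and the sample log lines are all constructed assumptions.

```python
"""Worked example: criticality-aware alert thresholds over sample authentication events.

Added illustration, not WWT tooling or a SIEM product's rule syntax. The log lines,
host inventory and threshold values are constructed for the example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Which hosts belong to a prioritized protect surface, and how critical each is
# (constructed inventory). Hosts absent from it are not evaluated by this rule.
SYSTEM_TIER = {
    "plc-gateway-01": "critical",   # ICS gateway: a handful of failures matters
    "dc-01": "critical",            # domain controller
    "wiki-01": "standard",          # internal wiki: tolerate routine password typos
}
# (failed logins, window) before an alert fires, per tier (constructed values).
THRESHOLDS = {
    "critical": (3, timedelta(minutes=5)),
    "standard": (20, timedelta(minutes=5)),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample log: an ICS gateway seeing repeated failures from one source, a
# wiki with routine noise, a domain controller whose failures are followed by a
# success, and a printer that sits outside the protect surface entirely.
SAMPLE_LOG = """\
2025-03-03T10:00:05 plc-gateway-01 auth: FAIL user=operator src=10.0.5.7
2025-03-03T10:00:40 wiki-01 auth: FAIL user=jdoe src=10.0.9.3
2025-03-03T10:01:10 plc-gateway-01 auth: FAIL user=operator src=10.0.5.7
2025-03-03T10:01:30 wiki-01 auth: FAIL user=jdoe src=10.0.9.3
2025-03-03T10:02:00 dc-01 auth: FAIL user=svc-backup src=10.0.2.2
2025-03-03T10:02:15 printer-07 auth: FAIL user=admin src=10.0.7.7
2025-03-03T10:02:20 dc-01 auth: FAIL user=svc-backup src=10.0.2.2
2025-03-03T10:02:30 wiki-01 auth: FAIL user=jdoe src=10.0.9.3
2025-03-03T10:02:45 dc-01 auth: OK user=svc-backup src=10.0.2.2
2025-03-03T10:02:50 plc-gateway-01 auth: FAIL user=operator src=10.0.5.7
2025-03-03T10:03:10 wiki-01 auth: FAIL user=jdoe src=10.0.9.3
2025-03-03T10:03:30 printer-07 auth: FAIL user=admin src=10.0.7.7
2025-03-03T10:04:00 plc-gateway-01 auth: FAIL user=operator src=10.0.5.7
2025-03-03T10:09:00 plc-gateway-01 auth: FAIL user=operator src=10.0.5.7
"""


def parse_events(lines):
    """Yield parsed events; lines that do not match the expected format are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield {**m.groupdict(), "ts": datetime.fromisoformat(m["ts"])}


def detect(lines):
    """Return (alerts, unmonitored_hosts).

    Counts FAIL events per (host, source) inside a sliding window whose size and
    threshold depend on the host's tier. One alert per (host, source) is raised the
    first time the threshold is reached, so a continuing burst does not flood analysts."""
    windows = defaultdict(deque)
    alerted = set()
    alerts = []
    unmonitored = set()
    for ev in parse_events(lines):
        tier = SYSTEM_TIER.get(ev["host"])
        if tier is None:
            unmonitored.add(ev["host"])   # outside the prioritized protect surface
            continue
        if ev["result"] != "FAIL":
            continue
        limit, window = THRESHOLDS[tier]
        key = (ev["host"], ev["src"])
        q = windows[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= limit and key not in alerted:
            alerted.add(key)
            alerts.append({"host": ev["host"], "src": ev["src"], "tier": tier,
                           "count": len(q), "first": q[0], "last": ev["ts"]})
    return alerts, unmonitored


if __name__ == "__main__":
    found, skipped = detect(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"ALERT [{a['tier']}] {a['host']} from {a['src']}: {a['count']} failures "
              f"between {a['first'].time()} and {a['last'].time()}")
    print("hosts outside the protect surface, not evaluated:", sorted(skipped))
```

Run as written, the sample produces exactly one alert, for the ICS gateway; the wiki's four failures stay under its looser threshold, the domain controller's two failures never reach three, and the printer is reported as unmonitored rather than generating noise. Tuning the tier table and thresholds per protect surface is the "customizable alert system" the recommendation describes.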
By addressing these complexities and implementing strategic monitoring solutions, organizations can effectively navigate the intricacies of a zero trust environment, ensuring robust security that aligns with operational demands. As industry needs evolve, so too must our approaches, setting the stage for innovative yet pragmatic security practices.
The rewards of zero trust are attractive. Dealing with its difficulties requires strategic planning, sensible prioritization and good old-fashioned collaboration across departments. That means breaking down silos so the IT team works in tandem with business units to define, defend and constantly adjust the organization's critical protect surfaces.
To sum up, the secure road to zero trust implementation is dotted with obstacles, yet moving toward maturity in this architecture depends on three things: strategic foresight, technical rigor and a steady, unwavering commitment to continually maturing the organization's security posture. These efforts have taught us that it's not just about adopting new technology; it's about realigning strategies, understanding business priorities and creating tailored solutions that work for each organization.
In part three, we will explore how enterprises can move beyond past pitfalls. We'll look at what WWT can do to help enterprises achieve this transformational process and, in effect, navigate a course through this re-envisioned zero trust landscape that leads to both compliance and proactive reduction of the attack surface — which I formerly referred to as "risk mitigation."