There’s a line from Forrester analyst John Kindervag’s original 2010 paper that still lands with surprising force: the traditional security model trusted a lot and verified very little. Fifteen years later, that observation has become the founding principle of one of enterprise security’s biggest structural rewrites.
Zero trust — “never trust, always verify” — spent a decade as a theoretically sound idea that proved maddeningly difficult to operationalise at scale. What’s shifted is that enterprises are no longer just planning it. They’re building it.
The Problem With Trusting the Network
The old model had a simple logic: build a strong perimeter, and everything inside it can be trusted. It was the security equivalent of a hard shell and a soft centre — if you got past the firewall, the inside was relatively open.
The pattern worth noting is how predictably that model breaks down. Once an attacker — or a compromised credential, or a misconfigured device — clears the perimeter, lateral movement becomes easy. The blast radius of a breach grows fast.
Zero trust removes the assumption entirely. It treats every access request as potentially hostile, regardless of whether it originates inside or outside the network. Users authenticate continuously. Devices verify compliance at each session. Applications check authorisation at every call. Network location offers no assurance — and geographic proximity offers none either.
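The contrast described above, as an added example that is not part of the original article: a perimeter check that trusts the source address next to a per-request check of identity freshness, device compliance and authorisation. The address range, re-authentication window, grants and sample requests are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed "inside" range
MAX_AUTH_AGE = 900  # assumed re-authentication window, in seconds
# Constructed grants: (user, resource) -> actions allowed on that resource
GRANTS = {("alice", "payroll-db"): {"read"}, ("bob", "wiki"): {"read", "write"}}

@dataclass(frozen=True)
class Request:
    user: str
    source_ip: str
    auth_age: int           # seconds since the user last authenticated
    device_compliant: bool  # posture check result for this session
    resource: str
    action: str

def perimeter_decision(req):
    """Legacy model: a source address inside the network is enough."""
    return ipaddress.ip_address(req.source_ip) in INTERNAL_NET

def zero_trust_decision(req):
    """Check identity, device and authorisation on every call.
    req.source_ip is deliberately never consulted."""
    if req.auth_age > MAX_AUTH_AGE:
        return (False, "re-authentication required")
    if not req.device_compliant:
        return (False, "device not compliant")
    if req.action not in GRANTS.get((req.user, req.resource), set()):
        return (False, "action not authorised")
    return (True, "allow")

# Constructed requests: three from inside the network, one from outside
SAMPLE = [
    Request("bob", "10.2.3.4", 30, True, "payroll-db", "read"),       # no grant
    Request("alice", "10.9.9.9", 7200, True, "payroll-db", "read"),   # stale login
    Request("alice", "10.9.9.9", 60, False, "payroll-db", "read"),    # bad posture
    Request("alice", "203.0.113.8", 60, True, "payroll-db", "read"),  # all checks pass
]

def compare(requests=SAMPLE):
    """Return (perimeter verdict, zero-trust verdict, reason) per request."""
    return [(perimeter_decision(r), *zero_trust_decision(r)) for r in requests]

if __name__ == "__main__":
    for req, row in zip(SAMPLE, compare()):
        print(req.user, req.source_ip, "perimeter:", row[0], "zero trust:", row[1], row[2])
```

The two models disagree on every sample request: the perimeter check admits all three internal requests that fail an identity, device or authorisation check, and rejects the one external request that passes all of them.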
“Never Trust, Always Verify” — In Practice
The phrase is clean. The implementation is not.
Building zero trust requires assembling several layers that most enterprises don’t have in a unified state: identity infrastructure capable of continuous verification, device security that can enforce compliance checks in real time, network micro-segmentation that limits lateral movement, and comprehensive monitoring that makes anomalous behaviour visible quickly.
The transition is significant. VPN-based architectures, which granted broad access after a single authentication, are increasingly being recognised as a liability rather than a control. The Zscaler ThreatLabz 2025 VPN Risk Report found that 56% of organisations reported breaches exploited through VPN vulnerabilities last year alone. The same report found that 81% of organisations now plan to implement zero-trust strategies within the next twelve months.
Those are not small numbers.
Why the Security Advantage Is Real
The conversation worth having isn’t whether zero trust reduces breaches — the data on that is fairly settled. IBM’s 2025 Cost of a Data Breach report found breach costs running 38% higher for organisations without zero-trust implementation.
The more interesting signal is what happens after a breach in a zero-trust environment. Micro-segmentation — one of the core structural elements — limits lateral movement significantly. An attacker who gains access to one identity or one device segment hits a wall rather than a corridor. The blast radius shrinks. Containment time shrinks with it.
As one security architect described it: the question is no longer “how do we keep them out?” but “what do they actually get if they succeed?” Zero trust is an architectural answer to that second question.
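To put a number on "what do they actually get if they succeed", here is an added example, not part of the original article, that computes the set of hosts reachable from one compromised host under a flat network and under a segment allow-list. The host inventory, segment names and allowed flows are constructed; the `max_hops` parameter is a hypothetical knob separating direct reach from the worst case where every intermediate host also falls.

```python
from collections import deque

# Constructed inventory: host -> segment
HOSTS = {
    "laptop-17": "user", "laptop-42": "user",
    "web-1": "web", "web-2": "web",
    "app-1": "app",
    "db-1": "data", "backup-1": "data",
    "hr-1": "hr",
}
# Constructed micro-segmentation policy: permitted (source, destination) segments
ALLOWED_FLOWS = {("user", "web"), ("web", "app"), ("app", "data")}

def flat_allows(src, dst):
    """Perimeter-style network: any inside host can talk to any other."""
    return True

def segmented_allows(src, dst):
    """Micro-segmented network: only explicitly permitted segment flows."""
    return (HOSTS[src], HOSTS[dst]) in ALLOWED_FLOWS

def blast_radius(start, allows, max_hops=None):
    """Breadth-first search over permitted flows from a compromised host.
    max_hops=1 gives direct reach; None gives the transitive worst case."""
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        cur, depth = queue.popleft()
        if max_hops is not None and depth >= max_hops:
            continue
        for nxt in HOSTS:
            if nxt not in seen and allows(cur, nxt):
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return seen - {start}

if __name__ == "__main__":
    for label, allows, hops in [("flat", flat_allows, None),
                                ("segmented, direct", segmented_allows, 1),
                                ("segmented, worst case", segmented_allows, None)]:
        reach = blast_radius("laptop-17", allows, hops)
        print(f"{label}: {len(reach)} hosts {sorted(reach)}")
```

The worst-case row is the one to review when auditing a policy: a chain of individually reasonable flows (user to web, web to app, app to data) still forms a path to the data segment if each hop is compromised in turn.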
An Idea That Took Fifteen Years to Land
Kindervag himself noted that the early reactions to zero trust were dismissive — the concept seemed too radical a departure from perimeter-based thinking. The 2015 Office of Personnel Management breach, which exposed the records of more than 21 million people, shifted the conversation. When the federal government began endorsing zero trust as a response framework, the enterprise world started paying closer attention.
Google’s BeyondCorp initiative — built internally to allow employees to work without a VPN — gave the concept its first large-scale proof point. NIST formalised the architecture guidance in SP 800-207. Gartner found that 63% of global organisations have now at least partially implemented a zero-trust strategy.
Fifteen years from whiteboard to mainstream is a long runway. But the architecture thread running through this blog series — from the AI readiness bottlenecks explored in earlier posts to the composable enterprise and multi-cloud governance challenges — keeps arriving at the same underlying reality: the infrastructure decisions made a decade ago are setting the ceiling for what’s possible today. Zero trust is no different.
The Transition Is the Hard Part
The pattern worth watching isn’t the conceptual adoption — it’s the operational gap. Gartner’s research shows that while 63% of organisations have started, full implementation remains rare. The honest diagnosis is that zero trust is often adopted in patches — identity here, segmentation there — without a unified architecture connecting the pieces.
That gap is exactly where the implementation work gets interesting. The organisations moving deliberately through the maturity curve — building identity infrastructure, enforcing device compliance, tightening segmentation, wiring in continuous monitoring — are finding that each layer compounds the previous one.
The concept was never the problem. The commitment to building it all the way through is the conversation still worth having.
What’s the hardest layer to get right in a zero-trust implementation — identity, segmentation, or the cultural shift of assuming breach as a design principle?
Let’s keep learning — together.