SoftwareOne logo

4.3 min to readThought Leadership

Zero Trust common misconceptions

Mario GamaPractice Leader

In this Zero Trust blog series, we’ve defined what the Zero Trust security model is; its core principles and benefits; how to implement a Zero Trust model including common challenges; and we walked you through a day in the life of an employee working in a high-performance workplace. Now we’re going to address some common misconceptions about Zero Trust.

Unless you work in IT security, the concept of Zero Trust may have caused misconceptions as to what it is, who it’s for, the implications and even the name of it! We clear things up with the most common misunderstandings around this topic.

Zero Trust means not trustworthy

Contrary to how it sounds, Zero Trust does not mean a security system that isn’t trustworthy. Quite the opposite. If you use a Zero Trust security model, you can have far more faith that your corporate systems will remain secure. It refers instead to the concept that every request to access a corporate system should be verified first, rather than trusted.

Zero Trust is a new technology

While there are several different types of technologies needed to create a Zero Trust security architecture - like Identity & Access Management (IAM), Multi-Factor Authentication (MFA), End Point Security, and secure web gateways - Zero Trust itself is a concept or framework only, not a specific technology.

Zero Trust will cost me more

Actually, implementing a Zero Trust model can save you money. Often organisations have multiple security tools that all perform the same job. By assessing what tools you already have, you can identify duplicates and remove them, saving on licensing costs. What’s more, many organisations already pay for Microsoft technologies that have the security features that can enable a Zero Trust model, they simply aren’t using them. Finally, Zero Trust will help reduce the risk of cyber-attacks and the related costs associated with ransomware, downtime, and reputation damage.

Zero Trust is a one and done solution

Unfortunately, Zero Trust is not a checklist exercise that can be done and forgotten. It requires constant monitoring and updating. Even if you followed best practice when setting it up, vendors regularly bring out new feature sets to support Zero Trust, which means constant improvements can - and should - be made to protect against evolving security threats.

This is particularly true when it comes to the ongoing challenge of securing legacy systems. As new technologies emerge, organisations need to consider how they can add things like identity and access management to legacy ERP systems, CRM, file servers or RDP farms. Luckily, the modern security tools automate a large part of the monitoring so while it can’t just be done once and left, the tools are designed to alleviate workload.

Zero Trust will negatively impact productivity

It can be easy to think that having to request access or go through MFA every time you try to log onto a system will impact productivity negatively. But Zero Trust architectures are actually a lot less complicated than legacy security architectures. If the planning stage of a Zero Trust framework is done well, with robust policies set up and with constant monitoring of the system, employees very quickly adapt to this new way of working. And the ability to work securely from anywhere on any device, rather than being tied to an office or being unable to access certain resources as needed, means employees can actually achieve more.

Zero Trust is only suitable for large enterprises

Various reports estimate that between 30% and 46% of SMEs have experienced a data breach in the last few years, which reinforces the need for these organisations to have the same level of protection as larger enterprises. SMEs are often in a better position to implement Zero Trust as they have less complex existing systems and often already have the relevant technologies in place.

Zero Trust requires a large team to run it

Zero trust should rely on automation and signals as much as possible, negating the need for a large team. In a legacy environment, if an account has been compromised, the IT team has to lock the account out and do their investigation, which takes time. In contrast, in a well architected Zero Trust environment, a signal would be picked up that the account was compromised and it would automatically check and resolve the issue.

Zero Trust needs multiple different security products

If anything, Zero Trust helps organisations eliminate duplicate security products. There are key technologies that are needed but the idea behind Zero Trust is to build a streamlined architecture that cuts out waste, making existing products work harder.

Want to keep learning?

Discover how the Microsoft security suite delivers a Zero Trust model.

blue digital waves

Envision the art of the possible

If you want to understand your current security score and how you can move towards a Zero Trust model, request a free one hour envision workshop with SoftwareOne.

Envision the art of the possible

If you want to understand your current security score and how you can move towards a Zero Trust model, request a free one hour envision workshop with SoftwareOne.



Mario Gama
Practice Leader