Zero Trust push intensifies
Security leaders are increasingly saying firewalls and VPNs alone aren’t enough — firms must adopt Zero Trust: verify identity, secure endpoints, and continuously monitor rather than trust network location. (Analysts are also warning that IT/OT convergence raises the risk of permanent backdoors in operational systems, so segmentation and identity controls are now boardroom issues.) (x.com) (x.com)
A company can spend millions on a firewall, force everyone onto a virtual private network, and still hand an attacker the keys if one employee signs in from a compromised laptop with a valid password. The shift now underway is away from trusting where a connection comes from and toward checking who is asking, what device they are using, and what they are allowed to touch each time they ask. (nist.gov)

That idea has a name: Zero Trust. The National Institute of Standards and Technology defined it in Special Publication 800-207 in August 2020 as a model that gives no implicit trust based on network location and requires authentication and authorization before a session to a resource is established. (nist.gov)

The old model treated the corporate network like an office building with a strong front door. Once you got inside through the firewall or the virtual private network, many systems assumed you belonged there, which made lateral movement easier after one account or one machine was compromised. (nist.gov) Zero Trust flips that logic. Instead of granting broad access to a whole network, it evaluates each request to an application, database, or service, and it can factor in user identity, device health, location, time, and other policy signals before allowing or blocking the request. (nist.gov)

That is why identity has moved to the center of security strategy. The Cybersecurity and Infrastructure Security Agency’s Zero Trust Maturity Model organizes adoption around five pillars, and the first two are identity and devices, with visibility, analytics, automation, and governance running across the whole system. (cisa.gov) Identity in this context means more than a username and password. It includes proving the user is who they claim to be, checking whether the device is managed and up to date, and enforcing least-privilege access so a payroll worker cannot automatically browse engineering systems or cloud administration tools. (nist.gov)

Device trust matters because attackers increasingly log in rather than break in. NIST’s June 2025 practice guide on implementing Zero Trust describes architectures that combine identity governance, device checks, microsegmentation, and policy enforcement to limit internal lateral movement after an initial foothold. (nist.gov)

Microsegmentation is the part that changes the blast radius. Instead of one large internal network where a compromised workstation can probe dozens of servers, organizations carve access into much smaller zones so one infected asset cannot freely wander into finance systems, developer environments, or industrial controllers. (nist.gov)

This gets more urgent as information technology and operational technology converge. Information technology runs email, cloud apps, and business systems, while operational technology runs physical processes like factory lines, water treatment, and power equipment, and connecting the two creates efficiency at the cost of a much larger attack surface. (cisa.gov) Operational technology failures are different from office network failures because the consequence can be stopped production, damaged equipment, or disrupted public services. In August 2025, CISA and partner agencies warned that many operational technology environments are increasingly connected to business applications and specifically called out insufficient network segmentation as a path for attackers to move from information technology into operational technology. (cisa.gov)

That is where the “permanent backdoor” fear comes from. If an attacker reaches an industrial environment, plants remote access, and survives routine information technology cleanup, the organization may be left with hidden persistence inside systems that cannot be patched or rebooted as easily as office laptops. That risk is an inference from the way CISA and allied guidance emphasizes insecure remote access, weak authentication, legacy protocols, and poor segmentation in operational technology. (cisa.gov 1) (cisa.gov 2)

The procurement side is changing too. In January 2025, CISA’s “Secure by Demand” guidance told operational technology owners to ask vendors hard questions about authentication, logging, vulnerability handling, and secure default settings before buying industrial products, which pushes cyber controls into purchasing and board oversight rather than leaving them to plant engineers after deployment. (cisa.gov)

So the current push is not really about replacing firewalls with a buzzword. Firewalls and virtual private networks still exist, but the center of gravity has moved to continuous verification, device posture, narrow access, and segmentation, especially in organizations where a compromised login can now reach both cloud software and physical operations. (cisa.gov) (nist.gov)
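To make the per-request evaluation described above concrete, here is an added Python sketch of a Zero Trust policy decision (illustrative code written for this article, not from NIST, CISA, or any product): every request is checked for proven identity, least-privilege entitlement, device posture, and time of day, with no trust granted for network location. The users, roles, resources, and thresholds are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample entitlements: least privilege means each role reaches only named resources.
ROLE_RESOURCES = {
    "payroll": {"hr-portal", "payroll-db"},
    "engineer": {"git-server", "ci-system"},
    "cloud-admin": {"cloud-console"},
}
USER_ROLES = {"alice": {"payroll"}, "bob": {"engineer"}, "carol": {"engineer", "cloud-admin"}}
# Resources whose sensitivity demands a stricter device posture and business-hours access (assumed).
HIGH_SENSITIVITY = {"payroll-db", "cloud-console"}

@dataclass
class Device:
    managed: bool         # enrolled in device management
    os_patched: bool      # current on operating system patches
    disk_encrypted: bool

@dataclass
class Request:
    user: str
    mfa_verified: bool    # identity proven with a second factor for this request
    device: Device
    resource: str
    hour_utc: int         # hour of day (0-23) the request is made

def device_posture_ok(device, sensitive):
    """Unmanaged devices never pass; sensitive resources also need a patched, encrypted device."""
    if not device.managed:
        return False
    return not sensitive or (device.os_patched and device.disk_encrypted)

def evaluate(req):
    """Return (decision, reason) for one request; nothing is trusted because of where it came from."""
    if not req.mfa_verified:
        return "deny", "identity not proven (MFA required)"
    roles = USER_ROLES.get(req.user, set())
    allowed = set().union(*(ROLE_RESOURCES.get(r, set()) for r in roles))
    if req.resource not in allowed:
        return "deny", "no entitlement for resource"
    sensitive = req.resource in HIGH_SENSITIVITY
    if not device_posture_ok(req.device, sensitive):
        return "deny", "device posture insufficient"
    if sensitive and not 8 <= req.hour_utc < 20:
        return "step-up", "sensitive resource outside business hours"
    return "allow", "all policy signals satisfied"

def make_request(user, resource, *, mfa=True, managed=True, patched=True, encrypted=True, hour=10):
    return Request(user, mfa, Device(managed, patched, encrypted), resource, hour)
```

Note that a valid login from an unmanaged laptop is refused even for an entitled user, and a compromised engineer account gains nothing against the payroll database, which is the blast-radius reduction the article describes.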