Cybersecurity long ago stopped being a topic reserved for banks, military contractors, and companies with “classified” on the door. Attacks are making their way into healthcare, energy, hospitality, libraries, cloud services, and everyday office applications. Against this backdrop, Zero Trust keeps coming up more and more. It’s one of the most widely embraced responses to a reality where an employee might work from the office, home, an airport, or a coffee shop, applications live in the cloud, and part of the infrastructure is handed off to contractors.
A few striking examples are worth recalling. In 2024, the attack on Change Healthcare disrupted payments, insurance verifications, and electronic prescriptions across the American healthcare system; the American Hospital Association described the scale of the disruption as “unprecedented” for the industry.
In 2021, a ransomware attack on Colonial Pipeline brought the largest fuel pipeline on the US East Coast to a standstill; the FBI confirmed that the group behind the attack was DarkSide. In 2023, the British Library was hit by a ransomware attack that left some services taking months to restore; the UK regulator ICO later noted that the incident was compounded by the absence of multi-factor authentication on an administrator account.
The corporate perimeter no longer looks anything like a fortress wall. We sat down with Artem Golovachev, Chief Architect at Andersen, to talk through what Zero Trust actually is, how complex it is to implement, and what challenges companies run into in practice.

2Digital: If you were to explain Zero Trust in plain terms, what is it — and why did the old perimeter model stop working?
Artem: What was the old cyber defense perimeter model, and why does it fall short today? It worked like this: if you were inside the perimeter — on the office network or connected via VPN — you were granted access to all the resources you needed. That access often turned out to be far broader than actually necessary. In other words, once you crossed the moat and were let inside the castle, you were trusted by default.
Zero Trust does away with that assumption. The concept doesn’t extend trust based on location alone. With every request to a specific resource, trust has to be earned and verified all over again.
To answer why the perimeter is dead, I’d put it this way: the very notion of “inside” no longer exists.
In the past, “inside” meant something like the office network. You badge through the turnstile, sit down at your desk, and your computer is on the local network. In today’s reality, “inside” encompasses company resources in the cloud, an employee’s laptop, and their phone — and that employee may not be working from the office at all. It could be a SaaS application — corporate email, a CRM, a task tracker, or cloud storage — running on an external provider’s infrastructure and accessible over the internet.
Then there’s the contractor who needs to be let into your environment via VPN. And by default, the contractor’s environment should be locked down more tightly than the one for employees. The perimeter hasn’t disappeared. It’s just become extremely blurred.
Zero Trust is the answer to a changed world — one where, you could say, there’s no perimeter left.
2Digital: What are the core principles of Zero Trust? And what does it look like for an ordinary employee?
Artem: The first principle of Zero Trust — as straightforward as it sounds — is no default trust: not in a user, not in a device, not in an application. It doesn’t matter whether they’re inside the network or outside it. Every request is treated as potentially untrusted.
The second is verification. Access is only granted after the context has been checked — not just based on credentials, meaning a login and password, but taking into account the device, time, location, and other factors. The number of metrics feeding into the decision grows significantly. The system evaluates whether to grant access or not, applies conditional access, and uses tools that allow those policies to be configured — Microsoft Entra ID, Okta, and other full-featured identity provider solutions, for example.
The third is least privilege. This principle didn’t originate with Zero Trust — it was formulated long before — but Zero Trust is where it really comes into its own.
Every user, device, or application on both the server and client side gets exactly as much access as is needed for their specific tasks. An accountant, for instance, can see financial systems and the ERP, but can’t touch the infrastructure. That means you can’t use their login and password to get onto a server — and beyond that, they have no technical means of connecting to the infrastructure whatsoever.
The same applies to IT teams. A developer can see the repository but can’t see the production database. These are foundational principles. They existed before, but they’ve become an integral part of Zero Trust.
If you dig into the details, I’d highlight one more principle: segmentation, or even micro-segmentation. The network and its resources are broken up into isolated segments to reduce the blast radius. If a specific node is compromised, the goal is to make sure the impact stays contained to that server — not allowed to spread beyond it.
2Digital: What’s the key difference between Zero Trust and the conventional VPN access that many companies have relied on for years?
Artem: The VPN model essentially assumes that once you’re inside a virtual private network, you have default access to all the resources available on that network. Going back to our earlier analogy, VPN is a kind of drawbridge over the moat. Cross it successfully, and you can roam the castle grounds with minimal restrictions. That’s lateral movement — especially when the corporate network isn’t sufficiently segmented.

Zero Trust issues separate passes for every street and every building inside the castle. The system checks whether you actually need to go there. And it does so for a limited time only.
With VPN, authentication typically happens once, at the point of connection. After that, you’re in — free to move around, scan, edit. With Zero Trust, context is reassessed continuously: who you are, which device you’re on, where you’re connecting from, what time it is, what exactly you’re requesting. The system generally issues tokens with a limited lifespan, while also checking whether the user’s laptop is infected, whether the antivirus is up to date, and whether the account has been compromised.
2Digital: What are the early signs that a company should be moving toward Zero Trust rather than simply reinforcing its existing infrastructure?
Artem: Having a VPN in itself doesn’t conflict with Zero Trust. But as I mentioned earlier, the problem with VPN is that to configure it securely for each group of users with their own set of permissions, you need a separate VPN for each group.
If you set up an individual VPN profile for everyone, you can implement Zero Trust through that VPN. But in large corporations, there are many employees with very different access requirements. Building out VPN profiles and networks for each one is expensive and often impractical. The VPN starts to buckle under the load and perform poorly.
So what happens instead? Typically, companies settle on the most common employee profile. The result is that individual employees end up with far more privileges than they actually need.
A good illustration is the Target attack. Target is a major US retailer. In 2013, a phishing email allowed an employee of a contractor to introduce malware into the corporate network. The contractor had access to a vendor portal — they were an HVAC maintenance company.
The compromised portal access gave the malicious code a way into the network. It ended with malware spreading across the retailer’s point-of-sale terminals and making off with payment card data. What followed were financial losses, reputational damage, fines, and investigations.
The second example is SolarWinds. The company built IT monitoring software that was widely adopted — used by thousands of companies and government agencies, including American ones.
In 2020, hackers broke into SolarWinds’ update pipeline. Malicious code was slipped into an update. This is what’s known as a supply chain attack: rather than coming after you directly, attackers go after a company you trust and whose software you’ve brought into your environment.
The SolarWinds Orion update was installed across thousands of organizations. US government agencies were among those affected. In some environments, the malicious code went undetected for months, quietly siphoning off data.
What does all this tell us? There’s not much point anymore in debating who needs Zero Trust and who doesn’t. It’s relevant for everyone. For large companies, it’s a matter of survival.
2Digital: Where do companies typically start when implementing Zero Trust?
Artem: The first and most straightforward step is rolling out conditional access policies and multi-factor authentication. This means deploying software that acts as an identity provider and makes authentication decisions based on multiple factors.
We’ve already touched on what those factors look like: the device, the location, whether the user has accessed that resource before, whether it’s within working hours, whether the device is trusted, whether it’s been compromised. Modern identity provider solutions can handle all of this. You can define and adjust access policies within them. Having this kind of software alongside multi-factor authentication is, first, relatively affordable, and second, it shuts down the majority of real-world attacks.
The second step is device control. At this stage, the company verifies not just the user, but the device they’re connecting from. The system can determine, for example, whether an Android smartphone has been rooted, whether an iPhone has been jailbroken, whether the latest security updates are installed, whether encryption is enabled, and whether the device meets corporate requirements. If a device fails that check, access to corporate resources is restricted or blocked altogether.
Laptops go through the same scrutiny: could it be infected, is antivirus installed, what version is it running, are there any signs of compromise or an insecure configuration. For the most sensitive resources, a company may set stricter rules — access only from corporate laptops managed by the IT department.
It all comes down to the risk tied to BYOD — the practice of employees connecting to work systems from their personal devices.
BYOD stands for “bring your own device.” In practice, it means an employee can access work email, a CRM, cloud storage, or internal services from their personal laptop, smartphone, or tablet. It’s convenient. But the risk is real: the company has less control over those devices and doesn’t always know whether they’re up to date, protected by antivirus, or have already been compromised.
Next comes access separation between the server-side and client-side components of specific applications — and this applies to users as well. The accountant sees the ERP but can’t see the source code repository. The developer has access to the source code repository but has no access to accounting systems, even at the network level.
The final tier is network architecture and data governance. This is high-level work that not every company can afford to take on right now. It involves data governance policies — where the concern isn’t just about who can access data, but about large concentrations of data being held in one place.
At this level, you can assess the blast radius and work out what happens if any given node — including a data node — gets compromised. This is the most expensive piece of the puzzle. It takes time, can require significant changes to the overall landscape, and typically emerges at a certain stage of organizational maturity.
2Digital: What mistakes do companies most often make when they’re just starting to implement Zero Trust?
Artem: The main mistake is treating Zero Trust as a product. You buy Microsoft Entra ID, Okta, or another identity provider, set up your policies, get them stable — and call it done. In reality, Zero Trust is an architectural strategy, not a boxed software solution.
So don’t stop at the first step. Once you’ve taken it, keep moving.

The second mistake is starting from the end. I’ve seen this at some of the banks I’ve worked with. Their Zero Trust implementation kicked off with a full reconstruction of the network infrastructure: micro-segmentation and isolation of network environments. When the groundwork hasn’t been laid, isolating networks and deploying inter-network firewalls typically breaks the company’s operational processes and makes rolling out new software significantly harder. It’s work that needs to get done — it’s just more sensible to tackle it once a certain level of maturity has been reached and the earlier steps are already behind you.
Then there’s the legacy problem. Every large corporation has old legacy systems that have been running for 10, 15, sometimes 20 years. They don’t support modern authentication protocols — SAML or OAuth2, for instance. Zero Trust principles are already fairly complex to implement. And where software has been around for 20 years, those principles tend to get forgotten entirely. Everyone understands that replacing these systems takes time and costs a lot. Many companies will probably never go down that road — or at least not until the first major incident.
But simply ignoring these systems means leaving a gaping hole in what otherwise looks like a well-secured architecture. The measures that can be applied at least at the network level — in terms of access controls and isolation from everything else — cannot be overlooked.
Network infrastructure implementation needs to be planned well in advance. Regulatory requirements matter too. The more oversight you’re operating under, the broader the set of principles you’re obliged to follow. But that doesn’t mean they’re not worth following when a regulator isn’t explicitly demanding it. We’re talking about security, after all.
2Digital: Doesn’t Zero Trust create a conflict with employee convenience and business speed? How noticeable is it for ordinary office workers?
Artem: I’d put it this way: at the start, things will probably be harder. By the end, they’ll be easier than they were before. When Zero Trust is first rolled out, companies often put in place broad exceptions and lenient conditional access policies to avoid disrupting operational processes. Those are easier to adjust to.
Later, once risk-based adaptive access is up and running, the job of the team managing Zero Trust is to gradually tighten those policies. That means assessing the company’s day-to-day operations, building up employee profiles, and training both the team and the conditional access system on the behavior patterns of specific employees. That’s how you learn to tell normal behavior apart from abnormal.
For example, an employee logging in from a corporate laptop in the office during working hours — minimal friction. If that same person logs in at two in the morning from an unfamiliar device in another country, the system asks for additional verification. Ideally, that’s exactly how it should work.
In large organizations, Zero Trust is often rolled out alongside SSO — a single entry point through one identity provider. For the end user, things actually get simpler: one account, one identity provider, Microsoft Entra ID for instance. Log in once, and you’re into all the applications you need with that token.
There’s another layer worth mentioning: passkeys. Zero Trust doesn’t inherently require a password. The authentication factor can be any number of things — a fingerprint, a push notification, a hardware key, facial biometrics, a one-time code.
This cuts down on the number of steps a user has to take and reduces the amount of data that can be stolen. A password can be stolen. A fingerprint is a much harder thing to lift.
And from the user’s perspective, a fingerprint is faster. So Zero Trust isn’t about maximum friction for everyone. It’s about the right friction at the right moment. In the end, it can make life easier for the user — not harder.
2Digital: How does Zero Trust change the work of the security team? What processes become automated, and where is a human still needed? Lately we’re seeing a push to minimize the human factor in cybersecurity.
Artem: I’d agree that the human role in many areas is shrinking. And that’s a good thing — it frees people up for work that’s more intellectually demanding and less routine.
Security analysts used to spend a large part of their time on grunt work: combing through logs, checking who connected to the VPN, investigating why a firewall had fired. When you’re dealing with hundreds of near-identical notifications, it’s very easy to let something slip through.
That’s roughly what happened with the Target attack we discussed earlier. The FireEye software the company had in place did detect the problem: unusual activity had been picked up in network traffic on the internal servers of the payment network. It notified the monitoring team in Bangalore. The monitoring team passed it on to the information security team in the US. But with such a high volume of alerts coming in, the analyst in the US simply ignored the signal — writing it off as a routine event.
One of the security team’s goals here is to cut down the false positive rate and strip out some of the routine work. With Zero Trust, handling that routine gets automated.

The system checks every access request against conditional policies on its own and picks up on suspicious behavior — but it doesn’t have to reject the request outright. It doesn’t lock everyone out at the first sign of suspicion, the way things sometimes worked before.
Conditional access policies can prompt for additional verification instead. If a behavioral pattern looks suspicious, the system asks for a second factor — an extra check via email, device, or another channel.
The upshot is less of a headache for the user. Less manual work for the security team.
Humans stay in the picture where automation still can’t keep up: working through complex incidents that require context a behavioral AI model may simply not have access to. Information security professionals are gradually moving away from the role of firefighters rushing in to put out flames. They’re becoming the people who build the policies that stop those fires from breaking out in the first place.
2Digital: Let’s talk about metrics. How do you measure whether Zero Trust is actually working?
Artem: Let’s start with attack detection speed. When an attack isn’t discovered until days, weeks, or months later — as was the case with SolarWinds — it creates an enormous amount of risk. Implementing Zero Trust generates a continuous stream of data on every access request. That data is centralized and analyzed, which means anomalies can be detected much earlier.
Blast radius matters too. With Zero Trust in place, it should shrink down to a specific node. If a particular element of the infrastructure is compromised, Zero Trust should contain the spread to the rest of the infrastructure.
If that can’t be achieved straight away, the average blast radius across all infrastructure elements should still be trending downward. This is measured through threat model updates.
Another metric is excessive privileges. It’s very straightforward to measure: you look at how many users have more access rights than they need. As Zero Trust is rolled out, that number should be moving toward zero.
Regulatory compliance is less of a metric and more of an outcome — the ability to meet regulatory requirements. For banks and fintech, there’s PCI DSS for handling card data, and DORA, which applies to the digital operational resilience of the financial sector across the EU.
Implementing Zero Trust makes it considerably easier to stay on top of these requirements. For example, how many findings came up in the last security audit, and how many have been closed out. That’s a language you can use not just with the information security team, but with senior management and the board of directors.
If the Zero Trust implementation consistently delivers strong results in security audits, makes certifications smoother, and keeps you on the right side of regulators, that’s a very compelling metric to bring to a business conversation.
And finally — the cost of incidents. The key question here isn’t just how many attacks occurred, but how much each successful attack ultimately cost the business. That includes downtime, recovery time, fines, and reputational damage.
Zero Trust should be driving that number down directly.
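Editor's added example, not part of the interview and not code from Andersen or from any identity provider Artem names: a toy conditional-access evaluator in Python that mirrors the behaviour described above. It applies least privilege (a role may only reach its entitled resources), blocks non-compliant or unmanaged devices where the policy demands it, and, for softer risk signals such as an unfamiliar device, an unfamiliar country or a login outside working hours, asks for a second factor instead of rejecting the request outright. After a successful step-up the new context is folded into the user's baseline. The role-to-resource mapping, the device attributes, the sensitive-resource list, the working-hours window and all users, devices and requests are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # ask for an extra factor instead of rejecting outright
    BLOCK = "block"


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool       # enrolled with the IT department (corporate laptop)
    os_patched: bool    # latest security updates installed
    encrypted: bool     # disk encryption enabled
    compromised: bool   # rooted/jailbroken or flagged by endpoint protection


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    device: Device
    country: str
    when: datetime      # assumed to already be in the user's local time zone


@dataclass
class UserProfile:
    """Behaviour baseline: what the engine has seen this user do before."""
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)


# Constructed least-privilege entitlements: which roles may reach which resources.
ROLE_RESOURCES = {
    "accountant": {"erp", "finance"},
    "developer": {"repo"},
}
# Constructed list of resources that additionally require a managed corporate device.
SENSITIVE = {"finance"}
WORK_HOURS = range(8, 19)  # assumed working hours, 08:00 to 18:59


def device_compliant(dev: Device) -> bool:
    return dev.os_patched and dev.encrypted and not dev.compromised


def evaluate(req: AccessRequest, profile: UserProfile) -> tuple[Decision, list[str]]:
    """Return the access decision and the signals that led to it."""
    # Hard rules first: entitlement and device posture lead to an outright block.
    if req.resource not in ROLE_RESOURCES.get(req.role, set()):
        return Decision.BLOCK, ["role not entitled to resource"]
    if not device_compliant(req.device):
        return Decision.BLOCK, ["device fails compliance check"]
    if req.resource in SENSITIVE and not req.device.managed:
        return Decision.BLOCK, ["sensitive resource requires a managed device"]
    # Soft risk signals only raise the bar (step-up), they do not lock the user out.
    signals = []
    if req.device.device_id not in profile.known_devices:
        signals.append("unfamiliar device")
    if req.country not in profile.known_countries:
        signals.append("unfamiliar country")
    if req.when.hour not in WORK_HOURS:
        signals.append("outside working hours")
    if signals:
        return Decision.STEP_UP, signals
    return Decision.ALLOW, []


def record_verified(profile: UserProfile, req: AccessRequest) -> None:
    """After the user passes the step-up, treat this device and country as known."""
    profile.known_devices.add(req.device.device_id)
    profile.known_countries.add(req.country)


def demo() -> dict[str, tuple[str, list[str]]]:
    """Run the evaluator over constructed requests; returns decision name and signals."""
    corp = Device("lt-corp-01", managed=True, os_patched=True, encrypted=True, compromised=False)
    personal = Device("phone-xyz", managed=False, os_patched=True, encrypted=True, compromised=False)
    rooted = Device("phone-rooted", managed=False, os_patched=False, encrypted=False, compromised=True)
    profiles = {
        "anna": UserProfile(known_devices={"lt-corp-01"}, known_countries={"PL"}),
        "bob": UserProfile(known_devices={"lt-corp-01"}, known_countries={"PL"}),
    }
    office = datetime(2024, 5, 6, 10, 0)
    night = datetime(2024, 5, 7, 2, 0)
    cases = {
        "office_hours_corp_laptop": AccessRequest("anna", "accountant", "erp", corp, "PL", office),
        "2am_unknown_device_abroad": AccessRequest("anna", "accountant", "erp", personal, "BR", night),
        "rooted_phone": AccessRequest("anna", "accountant", "erp", rooted, "PL", office),
        "finance_from_personal": AccessRequest("anna", "accountant", "finance", personal, "PL", office),
        "developer_wants_erp": AccessRequest("bob", "developer", "erp", corp, "PL", office),
    }
    results = {}
    for name, req in cases.items():
        decision, signals = evaluate(req, profiles[req.user])
        results[name] = (decision.value, signals)
    # Once anna has passed the step-up, only the time-of-day signal remains.
    record_verified(profiles["anna"], cases["2am_unknown_device_abroad"])
    decision, signals = evaluate(cases["2am_unknown_device_abroad"], profiles["anna"])
    results["2am_after_step_up"] = (decision.value, signals)
    return results


if __name__ == "__main__":
    for name, (decision, signals) in demo().items():
        print(f"{name}: {decision} {signals}")
```

The ordering matters: hard rules (entitlement, device posture, managed-device requirement) come before the behavioural signals, so a rooted phone is never offered a step-up it could pass, while an employee on an unfamiliar device abroad at two in the morning is asked for a second factor rather than locked out.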