# Why I Have Zero Trust Issues

By [Riccardo Galbiati](https://www.paloaltonetworks.com/blog/author/riccardo-galbiati/?ts=markdown "Posts by Riccardo Galbiati"), Dec 27, 2021

Trust was historically the barrier to widespread implementation of remote work.
That is, employers wondered if they could trust employees to do the right thing when they weren't in the office, delivering the same level of performance or productivity when faced with the distractions of home. Until recently, working remotely in the comfort of home was perceived as a rare permission or privilege.

As part of dealing with the challenges of the past 18 months, people adapted to completely different ways of living, learning and working. That missing trust in employees seems to have been adopted suddenly, and effectively so. But trusting remote workers is very different from implicitly trusting the technology they use.

## **Trust and Implicit Trust**

What is "trust" if not an emotional brain state that is reached when there is belief that someone will behave in certain ways? Employers can and should trust employees. But there's a second element of trust involved in remote work. We use technology to mediate between where workers are and where the information they need to access is stored. Trouble starts to appear when access from these users' devices is loosely granted to data, applications and IT systems.

In cybersecurity, for example, you'll often see mentions of trusted networks, channels, interfaces, devices, certificates, credentials and many other elements of the IT infrastructure that have been personified for the sake of simplification. This perception of trust comes from the implicit belief that these components have somehow earned the right to be used without restriction, most likely because of their present location or the fact that they have successfully proven their identity at least once. This is what we call "Implicit Trust."

## **Implicit Trust and the Attacker**

Here are some of the most basic questions any attacker will go through while planning the compromise of an IT system:

* Where does the trusted network end?
* How many systems can be reached from this trusted device?
* What can I access by using this combination of trusted username and password?

What do these questions have in common? They all rely on the assumption that an implicitly trusted component can give an attacker a clear offensive advantage. Attackers do indeed gain an advantage when they are able to take control of a machine that is implicitly trusted and therefore access other systems without any further security checks.

On the other hand, if adopted correctly, Zero Trust thwarts this advantage by removing the concept of trust from the decision making related to accessing information and interacting with digital assets.

## **Zero Trust: A Strategy, Not A Tool**

Even though Zero Trust recently celebrated its 10th anniversary, why don't people and organizations fully understand what Zero Trust means and how it should be implemented? This mostly has to do with the fact that the term Zero Trust tends to be misused or misinterpreted to fulfill the agenda of vendors looking to make their solutions more attractive and compelling.

Products offering Zero Trust Network Access (ZTNA), software defined perimeters (SDP) or even identity defined perimeters (IdP) are attempting to claim their right to be listed as silver bullets of a Zero Trust architecture. They do so without really considering that, in order to achieve [Zero Trust for the whole enterprise](https://www.paloaltonetworks.com/zero-trust), we need to strategically remove implicit trust from IT systems and constantly validate every digital interaction in the process.

This really means that specific capabilities are required to be successful in deploying Zero Trust strategically. But while adopting them, we need to carefully consider how we are going to deal with the myriad of individual products and vendors that each claim to solve an individual problem related to implicit trust.

What is a firewall, if not a tool to remove implicit trust among networks and IP addresses?
But for any traffic allowed by the firewall, should we trust the identity of the user or device behind it? We need an identity solution to solve that implicit trust problem. But then, what about the devices users are connecting from? Can we trust that they have not been compromised? This is when, historically, endpoint security solutions were introduced to remove another layer of implicit trust.

The problem with this approach is that it never ends: every implicit trust problem generates the need for an additional product or solution that will try to mitigate it. Can we trust the actual traffic from authenticated users? We need IDS/IPS for that. What about files sent between devices? Network Anti-Virus and Sandboxing are required, and so on...

Based on the above, it is not a mystery that businesses adopting cybersecurity solutions are forced to do so piecemeal, proceeding in a tactical, disjointed fashion. When every single solution in the market solves a small piece of the big trust problem, how many do we have to adopt and how do we manage to make them all work together?

## **Sorting the Issues with Zero Trust**

This perspective needs to be reversed. In order to solve the issues with Zero Trust that have been pervading cybersecurity for over a decade, we need to focus on the strategy first, and the technology later.

Understanding that identity, device integrity, access control and continuous inspection are required at all times to [achieve Zero Trust](https://www.paloaltonetworks.com/resources/whitepapers/architecting-zero-trust-enterprise) is very different from adopting and deploying products that only tackle an individual cybersecurity issue, without aligning to the bigger picture of a strategic approach.
Cybersecurity itself should always align to business outcomes, and practitioners should realize that their goal is not to catch the bad guys, or prevent the next 0-day, but to keep the business running at all times, even when swamped by a myriad of cyberattacks on a daily basis.

This is why at Palo Alto Networks we have [developed specific design services around Zero Trust](https://www.paloaltonetworks.com/resources/datasheets/zero-trust-design-service) that take care of understanding business priorities and critical assets, even before discussing the correct architecture and capabilities required to achieve Zero Trust, shifting the conversation from "what product should I buy to get to Zero Trust?" to "how mature are my Zero Trust capabilities, and where am I applying them?"

In conclusion, if we approach Zero Trust with a strategic mindset, instead of technology adoption, all the issues and misunderstandings around its nature are bound to disappear and the ultimate goal of cybersecurity -- maintaining business continuity in spite of cyberattacks -- becomes a realistic and achievable outcome.

## **I Have Zero Trust Issues Blog Series**

For all the reasons outlined, I started the "I Have Zero Trust Issues" blog series that covers misconceptions around Zero Trust and how the term is inaccurately used throughout the cybersecurity industry to sell individual point products that have created a fragmented market, too difficult to consume and always a step behind in removing implicit trust.

My intent is to ensure that we help both the cybersecurity industry and its practitioners get it right with Zero Trust, once and for all. We will demonstrate that a Zero Trust strategy is not only achievable, when approached from the correct angle, but also cost-effective and frictionless to both established and future environments.
Through the series, be prepared to explore use cases, scenarios, technologies, platforms and discuss how they complement or contradict the design and capabilities Zero Trust requires. In doing so, I am confident we will be able to bring back the focus and true value of the most effective cybersecurity strategy available today.

Have a look at the first follow-up blog: ["I Have Zero Trust Issues with ZTNA,"](https://www.paloaltonetworks.com/blog/2022/03/i-have-zero-trust-issues-with-ztna/) which covers the contradictions of a set of products that were accidentally named after Zero Trust to begin with.