7. Analysis: A company implements Zero Trust only at the network perimeter β external users are verified, but once inside, all internal traffic is trusted automatically. What critical Zero Trust requirement is missing, and what attack does this leave the organization vulnerable to?
Missing Requirement: Continuous, granular verification of all internal traffic. Zero Trust requires that EVERY access request β including lateral movement between internal systems β be authenticated and authorized, not just perimeter entry.
Resulting Vulnerability: Lateral Movement. If an attacker compromises one internal system (e.g., via phishing or a supply chain attack), they can freely move between internal systems, escalate privileges, and reach high-value assets. This is exactly the perimeter security model that Zero Trust was designed to replace. The missing control is per-resource PEP enforcement and per-request Policy Engine evaluation for all internal access, not just external.
8. Evaluation: A CISO argues: "Zero Trust is all-or-nothing β unless you implement it perfectly across every system simultaneously, it provides no security benefit." Evaluate this claim. Is Zero Trust an all-or-nothing proposition? Support your answer with reasoning about implementation approaches.
Disagree β Zero Trust is NOT all-or-nothing.
Zero Trust is a framework and philosophy that can be implemented incrementally. Each phase of implementation provides measurable security improvement:
β’ Phase 1: Implement strong identity verification (MFA, adaptive identity) β immediately reduces credential-based attacks
β’ Phase 2: Add device health validation β reduces risk from unmanaged endpoints
β’ Phase 3: Apply micro-segmentation to the most critical assets first β limits lateral movement in the highest-risk areas
β’ Phase 4: Extend PEP/PDP coverage incrementally across remaining resources
The security improvement at each phase is real and valuable, even without complete implementation. The CISO's "all-or-nothing" claim reflects a common misconception. In practice, Google's BeyondCorp and NIST SP 800-207 both describe phased Zero Trust adoption as the standard approach.