The Pragmatic Path to Zero Trust: Lessons from the Field

In a recent episode of the Socializing Security podcast, Zentera's Chief Evangelist Nathanael Iversen shared fascinating insights about implementing Zero Trust security. While many view Zero Trust as a modern buzzword, Nathanael revealed that its core principles date back to 1973, when they were first outlined in a Department of Defense research paper.

The Three Pillars of Effective Risk Reduction

According to Nathanael, the NSA identifies three fundamental elements that actually reduce (rather than just manage) security risks:

1. Identity and Access Management
2. Segmentation
3. Patching

While other security tools like EDR, XDR, and intrusion detection systems help manage risk, these three pillars actually eliminate vulnerabilities. "If you did an awesome job at those three things, a nation state would struggle to break into your environment," Nathanael emphasized.

The Power of Imperfect Progress

"If you secure your three most critical things first, that would be huge, because most people haven't done it."

One of the most compelling insights from the discussion was that security improvements don't need to be perfect to be effective. Nathanael shared how attempting to achieve 100% perfect security often leads to paralysis and project failure. Instead, he advocates that organizationst:

• Focus on achieving 80-85% risk reduction rather than perfection
• Target the most critical assets first
• Embrace incremental progress over comprehensive overhauls
• Celebrate meaningful improvements rather than waiting for perfect solutions

Real-World Impact

To illustrate the practical value of Zero Trust implementation, Nathanael shared a striking example of two law firms in the same city. One implemented Zero Trust segmentation while the other didn't. When both were attacked:

• The protected firm contained the breach to just three machines
• The unprotected firm suffered complete compromise, leading to data exfiltration and eventual closure due to reputational damage

Starting Your Zero Trust Journey

For organizations beginning their Zero Trust journey, Nathanael recommends three manageable first steps:

1. Modernize IAM: If you haven't updated your identity and access management in the past 6-7 years, start there. Implement modern IAM solutions and secure admin access.
2. Automate Patching: Manual patching is virtually impossible to maintain. Implement automation to achieve >90% patch compliance without manual intervention.
3. Strategic Segmentation: Rather than trying to protect everything at once, focus on your 20 most critical applications. This alone can eliminate 80-90% of potential compromise paths for those systems.

The Path Forward

The key message throughout the discussion was clear: don't let perfect be the enemy of good. Start with what you can manage, focus on your critical assets, and build momentum through achievable wins. As Nathanael noted, "If you secure your three most critical things first, that would be huge, because most people haven't done it."

For organizations looking to enhance their security posture, the message is clear: the best time to start your Zero Trust journey is now, and the best place to start is with what you can actually accomplish in the next 90 days.

Watch the full discussion below to hear more insights from Nathanael Iversen on implementing Zero Trust security, including detailed examples and practical advice for organizations of all sizes: