Zero Trust, an ambitious but complex approach
The fortress has crumbled. About fifteen years ago, the principles of cybersecurity policies were relatively simple. A company needed only to build walls around its information system to protect it. Workstations and servers hosting applications were securely tucked behind these barriers. Perimeter solutions such as antivirus software, firewalls, and VPNs acted as guards, analyzing inbound and outbound traffic.
This fortress-like model shattered with the rise of cloud computing. Today, corporate data is scattered across the shared environments of cloud providers or SaaS vendors. The Covid crisis, which popularized remote work, further weakened the perimeter approach. At home, employees lack the same level of protection as they do in the office. When they return to the workplace, they often use personal devices, amplifying the Bring Your Own Device (BYOD) phenomenon.
Finally, with digital transformation, businesses no longer operate in isolation. They exchange sensitive information with ecosystems of clients, partners, and subcontractors. This expanded information system increases the attack surface and exposes the company to supply chain attacks.
This paradigm shift compels companies to thoroughly reassess their cybersecurity strategy. In this context, the Zero Trust concept, popularized in 2010 by John Kindervag, then Chief Evangelist at Illumio, has gained growing attention. Recent regulatory frameworks like NIS 2 and DORA also implicitly encourage Zero Trust adoption by advocating for continuous monitoring and granular access control.
“Dynamic trust”
As the name suggests, Zero Trust entails granting no default trust. Every access attempt by a user, device, connected object, or digital service, whether inside or outside the corporate network, must be meticulously verified. Rather than Zero Trust, Gérôme Billois, Partner at Wavestone, prefers the term “dynamic trust.” “Trust must be renewed every time a user accesses information,” he explains.
The Zero Trust model is based on three fundamental principles:
- Continuous verification, where every user or device must be authenticated regardless of location or access history,
- Least privilege access, which limits permissions to what is strictly necessary,
- Constant monitoring to detect and respond to threats swiftly.
These principles translate into various technological components, including microsegmentation of the information system, identity-based remote access through Zero Trust Network Access (ZTNA), and Multi-Factor Authentication (MFA). Lastly, with Security Orchestration, Automation, and Response (SOAR), companies can orchestrate and automate security responses.
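The three principles above, as an added example that is not code from the article or from any vendor named in it: a small policy decision point in Python that evaluates each request afresh (continuous verification), denies by default and grants only the actions mapped to the caller's role for that resource (least privilege), and keeps an audit trail from which repeated denials can be surfaced (constant monitoring). The roles, resources, users, MFA freshness window and denial threshold are constructed sample data.

```python
"""Toy Zero Trust policy decision point (added illustration, not from the article).

Each request is judged on its own merits (continuous verification), only the
actions mapped to the caller's role for that exact resource are granted (least
privilege) and every decision is recorded so repeated denials can be reviewed
(constant monitoring). All roles, resources, users and thresholds are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed least-privilege map: resource -> role -> permitted actions.
# Anything absent from this map is denied by default.
POLICY = {
    "hr-db": {"hr-analyst": {"read"}, "hr-admin": {"read", "write"}},
    "finance-share": {"finance": {"read", "write"}, "auditor": {"read"}},
}
# Constructed: resources that additionally require a managed device and fresh MFA.
SENSITIVE = {"hr-db", "finance-share"}
MFA_MAX_AGE = timedelta(minutes=15)


@dataclass
class AccessRequest:
    user: str
    role: str
    action: str
    resource: str
    device_managed: bool
    mfa_at: Optional[datetime]  # when the user last completed MFA, None if never
    now: datetime               # evaluation time, passed in so the logic is testable


@dataclass
class Decision:
    allowed: bool
    reason: str


class PolicyDecisionPoint:
    def __init__(self) -> None:
        self.audit_log: list = []

    def evaluate(self, req: AccessRequest) -> Decision:
        """Decide one request and record the outcome. Nothing is cached between
        calls: a request that was allowed a minute ago is re-checked in full."""
        decision = self._decide(req)
        self.audit_log.append({
            "ts": req.now.isoformat(), "user": req.user, "resource": req.resource,
            "action": req.action, "allowed": decision.allowed, "reason": decision.reason,
        })
        return decision

    def _decide(self, req: AccessRequest) -> Decision:
        if req.resource in SENSITIVE:
            # Continuous verification: MFA must be recent relative to *this* request.
            if req.mfa_at is None or req.now - req.mfa_at > MFA_MAX_AGE:
                return Decision(False, "mfa-stale")
            if not req.device_managed:
                return Decision(False, "unmanaged-device")
        # Least privilege: an unknown resource or role yields an empty set, i.e. deny.
        permitted = POLICY.get(req.resource, {}).get(req.role, set())
        if req.action not in permitted:
            return Decision(False, "no-privilege")
        return Decision(True, "ok")

    def users_with_repeated_denials(self, threshold: int) -> list:
        """Monitoring hook: users whose denial count has reached the threshold."""
        counts = {}
        for entry in self.audit_log:
            if not entry["allowed"]:
                counts[entry["user"]] = counts.get(entry["user"], 0) + 1
        return sorted(u for u, n in counts.items() if n >= threshold)


def demo() -> tuple:
    """Evaluate a few constructed requests; return the decisions and the PDP."""
    pdp = PolicyDecisionPoint()
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    fresh = now - timedelta(minutes=5)
    stale = now - timedelta(minutes=40)
    requests = [
        AccessRequest("alice", "hr-analyst", "read", "hr-db", True, fresh, now),   # ok
        AccessRequest("alice", "hr-analyst", "write", "hr-db", True, fresh, now),  # no-privilege
        AccessRequest("alice", "hr-analyst", "read", "hr-db", True, stale, now),   # mfa-stale
        AccessRequest("alice", "hr-analyst", "read", "hr-db", False, fresh, now),  # unmanaged-device
        AccessRequest("bob", "auditor", "read", "wiki", True, None, now),          # default deny
    ]
    return [pdp.evaluate(r) for r in requests], pdp


if __name__ == "__main__":
    decisions, pdp = demo()
    for entry in pdp.audit_log:
        print(entry)
    print("repeated denials:", pdp.users_with_repeated_denials(3))
```

Two design points are worth noting: the MFA check is relative to the request's own timestamp rather than to a login event, which is what makes the verification continuous; and the policy lookup returns an empty set for anything not explicitly mapped, so a new resource or role is denied until someone grants it.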
Large enterprises lead the way
Costly and time-consuming to implement, the Zero Trust approach is not accessible to all organizations. Large enterprises, with their resources and expertise, have been early adopters. According to Wavestone’s latest cybersecurity maturity barometer in France, published in April 2023, 28% of large organizations have deployed MFA, 24% have implemented automatic microsegmentation, and 14% have adopted ZTNA.
“The Zero Trust approach targets large, complex information systems,” says Gérôme Billois. “Large enterprises are more mature in this area. They will adapt their architectural frameworks to integrate convergence principles and apply Zero Trust ‘by design’ in new projects.”
Ivan Rogissart, Sales Engineer Director for Southern Europe at Zscaler, agrees. “Large companies have a higher maturity level but also a greater exposure to risks. For instance, a retail network can become a domino effect for cybercriminals.” Nevertheless, he notes that “smaller companies, being more agile, can adopt Zero Trust and become resilient more quickly.”
MSSP and AI
The democratization of Zero Trust, according to Allan Camps, Senior Enterprise Account Executive at Keeper Security, depends on market offerings. “SMEs will embrace this model if they are offered simple and financially accessible solutions.” Promoting his own company’s solution, he highlights that Keeper Security’s identity and password management platform is available for as few as five users.
Lacking internal expertise, SMEs can turn to Managed Security Service Providers (MSSP). For a monthly fee, these providers ensure the remote security of information systems, from 24/7 monitoring to incident response.
Artificial Intelligence can also fill internal expertise gaps by automating certain tasks. “AI can detect patterns and provide preliminary assessments,” says Ivan Rogissart. “It can also analyze user behavior. For instance, if an employee secretly prepares a PowerPoint presentation on their personal device, AI can block access to confidentially tagged data.”
“Marketing effect”
Ivan Rogissart cautions against the marketing hype surrounding Zero Trust. “Providing firewalls and VPNs doesn’t qualify as Zero Trust,” he asserts. In a French note published in April 2021, ANSSI also highlighted the enthusiasm of specialized vendors who view Zero Trust as a potential new revenue stream.
More broadly, ANSSI considers the Zero Trust model as part of the “defense-in-depth” strategy it has historically advocated. However, its implementation must be gradual, integrating new security solutions into a global defense system without replacing it.
The National Cybersecurity Agency warns of the challenges associated with these solutions. Their deployment is not only complex but also prone to installation or configuration errors that could increase vulnerabilities or give businesses a false sense of security.
Resistance to change
Beyond implementation difficulties, Zero Trust faces other obstacles, starting with existing systems. “In terms of architecture, many organizations in France remain heavily on-premises,” observes Allan Camps. “Zero Trust will struggle to penetrate outdated environments.”
Another major barrier is resistance to change. For IT teams, it challenges decades-old cybersecurity principles. Users may also feel unsettled, transitioning from minimal authentication to MFA. “It’s important to take it step by step,” says Allan Camps. “Such a transformation requires raising awareness.”
According to Gérôme Billois, there is also a leadership gap. “I don’t know of any Mr. or Ms. Zero Trust in companies. The CISO sets the overarching principles, but on-the-ground responsibilities are fragmented across infrastructure, network, and identity management teams.”
The tough transition of legacy applications
Finally, Gérôme Billois notes that organizations often remain in limbo. He emphasizes that Zero Trust extends beyond remote access and microsegmentation and must encompass legacy applications. “For over 30 years, applications were designed for controlled environments with known networks and users.”
While SaaS applications benefit from the protection mechanisms of their cloud platform, for legacy applications the focus must shift to the data-processing layer itself. This requires rewriting portions of the code and integrating authentication and access management mechanisms. Some vendors offer to place a “proxy” in front of applications, but this market is still nascent.
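The “proxy in front of the application” pattern, as an added example that is neither the article's code nor any vendor's product: a gateway that verifies a signed identity token and a per-route group requirement before forwarding to a legacy application that itself trusts every caller. The secret, token format, routes and groups are constructed for illustration.

```python
"""Added illustration: an identity-aware gateway in front of a legacy application.

The legacy app below trusts whoever reaches it, which is how the article
describes applications designed for known networks and users. The gateway
makes that trust explicit: no token, a bad signature, an expired token or a
missing group stops the request before the legacy code runs.
Secret, token format and routes are constructed.
"""
import base64
import binascii
import hashlib
import hmac
import json
from typing import Callable, Optional, Tuple

SECRET = b"constructed-demo-secret"  # in production this comes from a secret store

# Constructed route policy: path -> groups allowed to reach it.
ROUTES = {"/payroll": {"finance"}, "/directory": {"staff", "finance"}}


def mint_token(subject: str, groups: list, expires_at: int) -> str:
    """Issue a compact HMAC-signed token: base64(payload).base64(signature)."""
    payload = json.dumps({"sub": subject, "groups": groups, "exp": expires_at},
                         separators=(",", ":")).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def verify_token(token: str, now: int) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) < now:
        return None
    return claims


def legacy_app(path: str, subject: str) -> Tuple[int, str]:
    """Stand-in for the legacy application: it has no access control of its own."""
    return 200, f"legacy data for {subject} at {path}"


def gateway(path: str, headers: dict, now: int,
            upstream: Callable[[str, str], Tuple[int, str]] = legacy_app) -> Tuple[int, str]:
    """Authenticate, then authorise per route, and only then call the legacy app."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    claims = verify_token(auth[len("Bearer "):], now)
    if claims is None:
        return 401, "invalid or expired token"
    required = ROUTES.get(path)
    if required is None or not required & set(claims.get("groups", [])):
        return 403, "forbidden"  # unknown route or insufficient group: deny
    return upstream(path, claims["sub"])


if __name__ == "__main__":
    now = 1_700_000_000
    token = mint_token("bob", ["finance"], now + 600)
    print(gateway("/payroll", {"Authorization": "Bearer " + token}, now))
    print(gateway("/payroll", {}, now))
```

The legacy code is untouched, which is the appeal of the pattern; the limitation the article points to is that everything behind the proxy still trusts the proxy's verdict, so any path that reaches the application without passing through it bypasses the check entirely.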
Ultimately, migrating critical applications to the Zero Trust model will be a lengthy and costly process. CISOs will struggle to “sell” the project internally due to the lack of clear ROI. “Once migrated, the application will function the same,” Billois explains. “There’s no added value for the business, just the promise of heightened security.” Which, in itself, is a compelling promise.