#zero-trust

#zero-trust

On the way to work, you see a TikTok video of the president admitting to a crime. In the elevator, you hear your favorite band, but the song is completely unfamiliar. At your desk, you open an email from an executive in another department. It contains valid sales information and discusses a relevant legal issue, but the wording sounds oddly wooden. After lunch, the CEO sends all managers a link to a new app she had casually proposed just a few days earlier.

The Office of Management and Budget (OMB) issued Memorandum M-26-05 (PDF) which officially revokes the 2022 policy known as M-22-18 and its 2023 companion policy, M-23-16. This reversal alters the governance landscape for enterprise architects and platform engineers who service federal contracts or align with federal standards. The previous directives mandated specific secure software development practices, including the widespread generation and maintenance of Software Bills of Materials (SBOMs).

Zero trust is not a thing; it is an idea. It is not a product; it is a concept - it is a destination that has no precise route and may never be reached. But it is described very succinctly: trust nothing until the trust is justified. Justification starts with verifying every subject's identity and authority. This is the single constant in all zero trust journeys: they start with the subject's identity. Zero trust's reliance on identity, and identity's reliance on AI Two questions. Can you have zero trust without effective identity verification? No. Can you have effective identity verification in the age of AI? Maybe, and maybe not.

We have enough difficulty getting the humans trained to be effective at preventing cyberattacks. Now I've got to do it for humans and agents in combination,

Unverified and low quality data generated by artificial intelligence (AI) models - often known as AI slop - is forcing more security leaders to look to zero-trust models for data governance, with 50% of organisations likely to start adopting such policies by 2028, according to Gartner's seers. Currently, large language models (LLMs) are typically trained on data scraped - with or without permission - from the world wide web and other sources including books, research papers, and code repositories.

The US National Security Agency (NSA) has published its latest guidance on zero trust to secure US federal government IT networks and systems. This is the first of two guidance documents coming out of the NSA, providing "practical and actionable" recommendations that can be applied as best practice to secure corporate IT environments both in the public and private sectors.

Traditional password-based protection is no longer sufficient, prompting organizations to adopt behavioral access control systems that continuously analyze user actions for anomalies. These platforms monitor keystrokes, mouse activity, application usage, and network patterns to detect suspicious behavior in real time. By combining machine learning, biometric verification, and zero-trust principles, companies enhance workforce protection while minimizing the risk of account compromise.

Zscaler enables organizations to bring their own IP addresses to its Zero Trust Exchange platform. With Bring Your Own IP (BYOIP), companies can maintain their network identity while leveraging Zero Trust architecture. For many organizations, static IP addresses remain operationally important, despite the shift to Zero Trust architectures. SaaS platforms, partner networks, and regulatory agencies often still rely on IP address whitelisting for access control. Zscaler now supports both customer-assigned dedicated IPs and customer-owned dedicated IPs through BYOIP.

Identity security fabric (ISF) is a unified architectural framework that brings together disparate identity capabilities. Through ISF, identity governance and administration (IGA), access management (AM), privileged access management (PAM), and identity threat detection and response (ITDR) are all integrated into a single, cohesive control plane. Building on Gartner's definition of " identity fabric," identity security fabric takes a more proactive approach, securing all identity types (human, machine, and AI agents) across on-prem, hybrid, multi-cloud, and complex IT environments.

Illumio has struck a new partnership with enterprise technology services provider Kyndryl to help organizations bolster security and speed up zero trust adoption. The collaboration sees Illumio's AI-powered breach containment capabilities paired with Kyndryl's Microsegmentation Implementation Services to create a new, scalable Zero Trust solution. Illumio said the offering will help businesses reduce the spread of cyber attacks, minimize business disruption, and improve their overall cyber resilience.

"With the threat to Exchange servers remaining persistent, enforcing a prevention posture and adhering to these best practices is crucial for safeguarding our critical communication systems," Andersen said. "This guidance empowers organizations to proactively mitigate threats, protect enterprise assets, and ensure the resilience of their operations." Anderson added that CISA recommends organizations also "evaluate the use of cloud-based email services" rather than "managing the complexities" of hosting their own.

The browser has quietly become the nerve centre of modern business. It's where we access our CRM, collaborate on documents, check financial dashboards, and run customer calls. Yet while companies spend millions securing networks and devices, the browser, the window through which almost every work app is opened, is often left unguarded. That oversight is proving costly. The more we rely on cloud software, the greater the risk of session hijacks, data leaks, and compromised credentials.

Organizations are heavily investing in zero trust, a security framework that requires strict verification and ongoing monitoring of every user, device, and application. As of 2025, the size of the zero trust market is estimated at $38.37 billion USD and is projected to grow to $86.57 billion USD by 2030. Investmentsinclude not only tools but also organizational transformation, policy overhaul, and long-term architectural changes. When combined with strong, phishing-resistant multi-factor authentication (MFA) and AI-powered threat detection, a move toward zero trust will significantly enhance cybersecurity. However, help desks often lack robust identity verification, creating a critical vulnerability.

JLR was attacked earlier, too. In March 2025, JLR was targeted by the HELLCAT ransomware group, which compromised Atlassian Jira credentials to steal hundreds of gigabytes of sensitive data. This new attack, leading to the systematic shutdown of production facilities and retail systems, suggests either a ransomware attack or a significant system compromise. Clearly, JLR needs to immediately implement capabilities to prevent lateral movement that attackers resort to after an initial breach, among other cybersecurity controls.

The 'castle and moat' idea has gone from outdated to outright dangerous as applications and users have scattered across public clouds, SaaS platforms, and more.

Virtualized environments are prime targets for cyberattacks due to their centralized nature and the potential vulnerabilities inherent in remote access protocols. Common Security Risks in Virtualization include credential-based attacks and exposure of RDP ports.

Hollebeek argued that this is the right move, given that "many of these applications need no communication outside of the company network and will therefore be more securely protected on an internal PKI, where the organization can configure certificates as they see fit."

Zero-trust principles are crucial in modern cybersecurity yet CI/CD pipelines often ignore them by assuming automation is inherently trustworthy, creating security vulnerabilities.

HPE announced new security features focusing on Zero Trust access and expanded functionalities in HPE Aruba Networking and HPE GreenLake during the RSAC 2025 Conference.