15 Years of Zero Trust: Why It Matters More Than Ever
Summary
John Kindervag, the former Forrester analyst who coined the term zero trust in 2010, reflects on how the model moved from a contrarian idea to a dominant security strategy over the past 15 years. He explains the core principle, never trust, always verify, and why perimeter-based defence failed: once an attacker was inside the network, the implicit trust granted to "internal" traffic let them move laterally without being challenged. The 2015 OPM breach is highlighted as the inflection point that pushed zero trust into federal policy and boardroom discussions.
Kindervag outlines the enduring five-step approach: define the protect surface (his term for the small DAAS element being defended, as opposed to the attack surface), map the transaction flows to it, architect the environment outward from that surface, write policy for who and what may reach it, and monitor and maintain. He stresses that zero trust is a strategy, not a product. He also emphasises the growing role of automation and AI in enforcing policy at machine speed, and argues that cultural and leadership barriers, not technology, remain the biggest obstacles.
Key Points
- Zero trust began as a challenge to perimeter-based security: “never trust, always verify” is the core principle.
- The 2015 OPM breach exposed the dangers of implicit trust and accelerated federal and organisational adoption of zero trust.
- Effective zero trust follows five steps applied to DAAS elements (data, applications, assets, services) one protect surface at a time: each protect surface is small and well defined, and is secured individually rather than trying to secure the whole network at once.
- Zero trust is a strategic mindset, not a single product; treating it as a checkbox leads to failure.
- Automation and AI are essential for enforcement at machine speed and for containing the blast radius of attacks.
- Cultural resistance and lack of executive sponsorship are the biggest hurdles to successful zero-trust programmes.
- The model remains relevant for future threats — AI-driven attacks, quantum risks, and vast device growth — because it emphasises resilience, visibility, and control.
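To make the five-step method and the "implicit trust" failure in the summary concrete, the following is an added example written for this page; it is not code from Kindervag's article or from any product. It models steps 1, 2, 4 and 5 (protect surface, transaction flows, policy, monitoring) for a single constructed protect surface, a payroll database, and contrasts a default-deny policy with a flat perimeter model that trusts anything already inside the corporate range. All names, addresses, hours and requests are constructed, and the who/what/where/how/when rule fields are my assumption about how such a policy is written; the article names the steps, not the schema.

```python
"""Added example (not from the article): a default-deny policy engine for one
protect surface, contrasted with a flat perimeter model.

All names, addresses and requests are constructed for illustration. The rule
fields (who/what/where/how/when) are an assumption about how a zero-trust
policy is expressed; the source names the five steps, not a schema.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Flow:
    """One allowed transaction flow into the protect surface (steps 2 and 4)."""
    who: str              # identity or role making the request
    what: str             # application/process allowed to make it
    where: IPv4Network    # source segment it may come from
    how: str              # protocol/port on the protect surface
    hours: tuple[int, int] = (0, 24)  # allowed UTC window [start, end)

    def permits(self, who: str, what: str, src: IPv4Address,
                how: str, at: datetime) -> bool:
        """Every attribute must match; a single mismatch means no match."""
        start, end = self.hours
        return (who == self.who and what == self.what
                and src in self.where and how == self.how
                and start <= at.hour < end)


@dataclass
class ProtectSurface:
    """Step 1: the DAAS element being defended, with its explicit flows and
    an audit trail (step 5: monitor and maintain)."""
    name: str
    flows: list[Flow] = field(default_factory=list)
    audit: list[str] = field(default_factory=list)

    def decide(self, who: str, what: str, src: str, how: str,
               at: datetime) -> bool:
        """Default deny: allow only when some explicit flow matches."""
        src_ip = IPv4Address(src)
        for flow in self.flows:
            if flow.permits(who, what, src_ip, how, at):
                self.audit.append(f"ALLOW {who}/{what} {src} {how} -> {self.name}")
                return True
        self.audit.append(f"DENY  {who}/{what} {src} {how} -> {self.name}")
        return False


INTERNAL = IPv4Network("10.0.0.0/8")  # constructed corporate range


def perimeter_decide(src: str) -> bool:
    """The implicit-trust model the article argues against: anything that is
    already 'inside' the network is allowed through."""
    return IPv4Address(src) in INTERNAL


def build_payroll_db() -> ProtectSurface:
    """Constructed protect surface: the payroll database only ever needs the
    payroll app from the app tier on Postgres during working hours, plus the
    on-call DBA from the admin segment."""
    return ProtectSurface(
        name="payroll-db",
        flows=[
            Flow(who="svc-payroll", what="payroll-app",
                 where=IPv4Network("10.20.0.0/24"), how="tcp/5432",
                 hours=(6, 20)),
            Flow(who="dba-oncall", what="psql",
                 where=IPv4Network("10.99.1.0/24"), how="tcp/5432"),
        ],
    )


def demo() -> dict[str, tuple[bool, bool]]:
    """Returns {case: (perimeter_allows, zero_trust_allows)} for four
    constructed requests against the payroll database."""
    db = build_payroll_db()
    noon = datetime(2024, 1, 15, 12, tzinfo=timezone.utc)
    cases = {
        # the legitimate flow
        "payroll app":   ("svc-payroll", "payroll-app", "10.20.0.7", "tcp/5432", noon),
        # a compromised workstation on the 'trusted' LAN moving laterally
        "lateral move":  ("svc-payroll", "payroll-app", "10.50.3.14", "tcp/5432", noon),
        # right segment and credential, wrong process
        "wrong process": ("svc-payroll", "curl", "10.20.0.7", "tcp/5432", noon),
        # right everything, but at 03:00 UTC
        "out of hours":  ("svc-payroll", "payroll-app", "10.20.0.7", "tcp/5432",
                          noon.replace(hour=3)),
    }
    return {name: (perimeter_decide(args[2]), db.decide(*args))
            for name, args in cases.items()}


if __name__ == "__main__":
    for case, (perim, zt) in demo().items():
        print(f"{case:14s} perimeter={('allow' if perim else 'deny'):5s} "
              f"zero-trust={('allow' if zt else 'deny')}")
```

The perimeter model allows all four requests because every source address is "inside"; the protect-surface policy allows only the first. The lateral-move case is the OPM-style failure the summary describes: the credential is valid and the traffic is internal, but the flow was never mapped, so it is denied and logged. The audit list is what step 5 feeds on; in practice it would go to a SIEM rather than a Python list.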
Context and Relevance
The article matters because zero trust is now embedded in national policy and enterprise strategy, yet many organisations still struggle to implement it correctly. As threats accelerate with AI and as network perimeters dissolve, Kindervag’s reminder — focus on strategy, protect what matters, and automate enforcement — is highly practical. For CISOs, security architects and board members, the piece ties historical lessons (like the OPM breach) to present-day priorities and future risks.
Why should I read this?
Short version: if you care about keeping your organisation off the front page for the wrong reasons, read this. Kindervag wrote the playbook — this is a brisk, no-nonsense refresher on why zero trust still matters, what usually trips teams up, and what to prioritise next. It’s quick, practical and cuts through vendor hype.
Author (style)
Punchy. Kindervag writes as an evangelist: clear, direct and strategic. He isn’t selling a product — he’s insisting organisations stop treating security as a set of boxes to tick. If this topic affects your risk profile, his view deserves attention.