Zero trust has dominated cybersecurity conversations for over a decade, but it's time someone said the quiet part out loud: true zero trust is impossible. Every system, at every layer, must trust something. When organizations chase the zero trust label — whether as a philosophy or a product — they risk misallocating resources, over-consolidating vendor dependency, and leaving dangerous gaps in their actual defense posture.
In this session, we deconstruct the zero trust myth and replace it with something more actionable: a rigorous, architecture-driven approach to trust boundary mapping and layered defense-in-depth. We'll trace the evolution of trust models from username/password and Kerberos token authentication to machine-level, location-based, and heuristic trust, and expose the implicit assumptions baked into each one. From there, we move into the technical realities of building a security architecture that acknowledges trust exists, instruments it deliberately, and compensates for its vulnerabilities through SIEM integration, anomaly detection, and identity and access validation workflows.
Attendees will leave with a clear-eyed framework for auditing their own trust boundaries, a sharper vocabulary for evaluating vendor claims, and a defensible architectural model they can bring back to their teams and apply immediately.
Learning Objectives
1. Reframe zero trust as a spectrum, not a destination. Understand why absolute zero trust is technically unachievable, how implicit trust assumptions are embedded at every layer of a modern security stack, and why recognizing this is a prerequisite for building a stronger architecture.
2. Map and instrument trust boundaries across the enterprise. Learn a practical methodology for identifying where trust is granted — by user, device, location, process, and data flow — and how to layer compensating controls (including SIEM, Kerberos, NTFS, and anomaly detection) to monitor and challenge those trust decisions in real time.
3. Evaluate zero trust vendor claims with technical rigor. Develop a framework for stress-testing vendor and product claims against architectural reality, so security teams can make procurement and implementation decisions that strengthen, rather than consolidate or obscure, their actual defense posture.
