Risky Bulletin: "Why You're Probably Doing Zero Trust Wrong"
Podcast: Risky Bulletin (Risky Biz)
Date: October 26, 2025
Guests: Patrick Gray (Host), Adam Poynton (CEO, Knock Knock)
Episode Overview
This sponsored episode dives into the current misconceptions and challenges around implementing Zero Trust security models, particularly critiquing how the term has evolved (and been diluted) in the cybersecurity industry. Patrick Gray and Adam Poynton discuss what Zero Trust should mean, where organizations are going wrong—especially with “add auth everywhere” thinking—and how new approaches (like nano-segmentation with products such as Knock Knock) might offer more practical, security-focused solutions.
Key Discussion Points & Insights
1. The Evolving (and Watered-Down) Definition of Zero Trust
- Marketing Buzzword Overload:
- The term “Zero Trust” has become a catch-all marketing phrase. Many vendors claim to implement it, but the architecture and intent have become muddled.
- Patrick Gray [01:15]:
"It turned into a marketing buzzword and everyone's like, we do zero trust. And it's like, well, no you don't."
- Original Intent Forgotten:
- Zero Trust originally focused on tightly controlling network access linked to authentication and user identity. The shift to “auth everywhere” was helpful but insufficient.
2. Misplaced Focus: 'Auth Everywhere' and Its Shortcomings
- Overreliance on MFA & Centralized SSO:
- While Multi-Factor Authentication and SSO solved identity issues, they don't address network-level controls.
- Adam Poynton [02:21]:
"That's just really adding authentication to as much as you possibly can, which is good... but clearly not... the premise of the architecture way of thinking in the zero trust architecture."
- Lack of Real Segmentation:
- The industry conflated centralized identity/auth with network segmentation, leading to overconfidence and missed gaps.
- Gray [03:21]:
"I think everyone went sort of Okta crazy, you know, and thinking that was zero trust."
3. Current Zero Trust Implementations (ZTNA) – Partial Progress
- ZTNA (Zero Trust Network Access) Limitations:
- Current ZTNA solutions offer progress versus traditional VPNs, but they often fall short for legacy/internal systems (like KVM or lights-out management).
- Gray [06:16]:
"The problem that I've always had with ZTNA is what does it do to protect your lights out system on your internal network? What does it do to protect your KVM over IP? Like absolutely nothing."
- Implementation is Aging & Imperfect:
- While better than nothing, current vendor models are getting dated and have yet to experience a catastrophic breach—more by luck than design, the speakers believe.
- Poynton [04:51]:
"We haven't seen a breach. And it is better than having something sitting on the Internet... But... you need to assume that everything in your environment is brutal, breached, compromised, hostile."
4. The Real Zero Trust: Nano-Segmentation & Dynamic Control
- From Micro to Nano (or 'Pico') Segmentation:
- Instead of segmenting entire networks, focus segmentation at the device or application level and make access available only 'just in time.'
- Gray [07:34]:
"It's supposed to be a per device or per server. That's right. Segment. Like it's. Forget about micro segmentation. This is like... pico segmentation, if you will. Right, yeah, Nano. Nano segmentation."
- Poynton [09:30]:
"I think there's two lines, there's two axes, there's size of axis... and then there's time."
- Dynamic, Time-Bound Access:
- Access should not only be minimized in scope but also granted only for specific, limited periods. Bounding both axes shrinks the attack window and the number of internal “soft targets.”
- Poynton [09:43]:
"So as soon as you add time into it, it's another dimension. So... not only reducing the exposure... but actually the time and amount of period that they do have access for."
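The "two axes" Poynton describes (how much is reachable, and for how long) can be made concrete with a small default-deny policy model. The following is an added example written for this summary; it is not Knock Knock product code and nothing in it is taken from the episode. It contrasts a coarse, always-on rule (a group may reach a whole subnet) with a nano-segmentation grant (one identity, one host, one port, expiring after a TTL) and computes a scope-times-time exposure figure for each. The class names, the `membership` mapping, the 15-minute TTL, the 10.0.5.0/24 subnet and the host addresses are all constructed for illustration.

```python
"""Added example: modelling access on two axes, scope size and time.
Toy default-deny engine that answers "can principal P reach host:port at time T?".
Not product code; all identities, subnets and TTLs below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network, IPv4Network


@dataclass(frozen=True)
class StaticRule:
    """Coarse, always-on segmentation: a group may reach every host in a subnet."""
    group: str
    subnet: IPv4Network
    ports: frozenset

    def scope(self) -> int:
        # (host, port) pairs reachable at any moment: the "size" axis
        return self.subnet.num_addresses * len(self.ports)


@dataclass(frozen=True)
class JitGrant:
    """Nano-segmentation grant: one principal, one host, one port, bounded in time."""
    principal: str
    host: str
    port: int
    not_before: datetime
    not_after: datetime

    def active(self, now: datetime) -> bool:
        return self.not_before <= now < self.not_after


class Policy:
    def __init__(self, membership: dict):
        self.membership = membership      # principal -> set of groups (assumed directory data)
        self.static_rules: list = []
        self.grants: list = []

    def add_static(self, rule: StaticRule) -> None:
        self.static_rules.append(rule)

    def grant_jit(self, principal: str, host: str, port: int, now: datetime,
                  ttl: timedelta = timedelta(minutes=15)) -> JitGrant:
        """Open exactly one flow for one identity, and only until now + ttl."""
        grant = JitGrant(principal, host, port, now, now + ttl)
        self.grants.append(grant)
        return grant

    def allowed(self, principal: str, host: str, port: int, now: datetime) -> bool:
        """Default deny: a flow is permitted only by an explicit rule or a live grant."""
        addr = ip_address(host)
        groups = self.membership.get(principal, set())
        for rule in self.static_rules:
            if rule.group in groups and addr in rule.subnet and port in rule.ports:
                return True
        return any(g.principal == principal and g.host == host and g.port == port
                   and g.active(now) for g in self.grants)

    def exposure_seconds(self, start: datetime, end: datetime) -> tuple:
        """Scope x time over [start, end): reachable surface, and for how long."""
        window = (end - start).total_seconds()
        static = sum(r.scope() for r in self.static_rules) * window
        jit = 0.0
        for g in self.grants:
            overlap = (min(g.not_after, end) - max(g.not_before, start)).total_seconds()
            jit += max(overlap, 0.0)
        return static, jit


T0 = datetime(2025, 10, 26, 9, 0, tzinfo=timezone.utc)        # constructed clock
MEMBERSHIP = {"alice": {"ops"}, "bob": {"dev"}}                # constructed directory


def demo() -> dict:
    """Compare an always-on subnet rule with a single just-in-time grant."""
    coarse = Policy(MEMBERSHIP)
    coarse.add_static(StaticRule("ops", ip_network("10.0.5.0/24"), frozenset({22, 443})))

    nano = Policy(MEMBERSHIP)
    nano.grant_jit("alice", "10.0.5.17", 443, T0)   # 15 minutes, one host, one port

    day_end = T0 + timedelta(days=1)
    return {
        # coarse rule: whole subnet reachable, at any hour, for the whole group
        "coarse_any_host_any_time": coarse.allowed("alice", "10.0.5.200", 22, T0 + timedelta(hours=23)),
        # nano grant: correct identity, host, port, inside the window
        "nano_in_window": nano.allowed("alice", "10.0.5.17", 443, T0 + timedelta(minutes=5)),
        "nano_wrong_host": nano.allowed("alice", "10.0.5.18", 443, T0 + timedelta(minutes=5)),
        "nano_wrong_principal": nano.allowed("bob", "10.0.5.17", 443, T0 + timedelta(minutes=5)),
        "nano_after_expiry": nano.allowed("alice", "10.0.5.17", 443, T0 + timedelta(minutes=20)),
        "coarse_exposure": coarse.exposure_seconds(T0, day_end)[0],
        "nano_exposure": nano.exposure_seconds(T0, day_end)[1],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The exposure figures are the point: over one day the always-on /24 rule leaves 256 addresses times 2 ports reachable for 86,400 seconds, while the nano grant exposes one (host, port) pair for 900 seconds. The evaluator is deliberately default-deny, so a host with no live grant is simply unreachable, which is the property a KVM or lights-out interface needs and an authentication layer in front of it cannot provide on its own.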
5. Persistent Challenges and Real-World Progress
- Pre-Authentication Attack Surface Remains Large:
- Even with OAuth/SSO in front, many web applications still expose significant pre-authentication vulnerabilities.
- Gray [08:05]:
"There's an awful lot of pre auth attack surface in basically everything on an internal network still in 2025."
- Zero Trust Is "Hard":
- Transitioning to true Zero Trust—especially dynamic, granular segmentation—is a major undertaking still underway industry-wide.
- Poynton [10:35]:
"It's hard, like, to be fair, it is hard. Everybody should be doing it, but it is hard and take. Takes a long time."
- Still, the speakers are cautiously optimistic that the industry has made measurable progress, even if the full destination is distant.
Notable Quotes & Memorable Moments
- Patrick Gray [01:15]:
"It turned into a marketing buzzword and everyone's like, we do zero trust. And it's like, well, no you don't."
- Adam Poynton [02:21]:
"That's just really adding authentication to as much as you possibly can, which is good... but clearly not... the premise of the architecture way of thinking in the zero trust architecture."
- Patrick Gray [06:16]:
"The problem that I've always had with ZTNA is... what does it do to protect your KVM over IP? Like absolutely nothing."
- Adam Poynton [09:43]:
"So as soon as you add time into it, it's another dimension. So you've got a small amount of access, but it's not always on."
- Patrick Gray [11:08]:
"Slapping OAuth onto a vulnerable web application does not prevent remote code execution. That would be the last thing I would say about that."
Timestamps for Key Segments
- 00:03–02:21 — Defining Zero Trust & What’s Gone Wrong
- 02:21–04:06 — “Auth Everywhere,” MFA Hype, and where it's insufficient
- 04:06–06:16 — ZTNA's partial solutions and implementation issues
- 06:16–08:05 — The missing layer: Internal, legacy, and "nano-segmentation"
- 08:05–09:43 — Pre-auth vulnerabilities and dynamic, time-bound segmentation
- 09:43–10:35 — Dimensions of access: Size, duration, and tractable exposure
- 10:35–11:08 — Zero Trust’s difficulty and industry optimism
- 11:08–End — Closing thoughts: OAuth ≠ Security for vulnerable apps
Summary & Takeaways
- Zero Trust is misunderstood—often reduced to SSO/MFA everywhere, not true network segmentation or least-privilege access.
- ZTNA solutions help, but often leave legacy/internal systems at risk and are no panacea.
- Nano-segmentation and time-bound access offer a more practical path toward real Zero Trust, focusing on dynamically granting access only where absolutely necessary, and only for as long as necessary.
- Legacy issues, pre-auth vulnerabilities, and implementation complexity remain critical challenges, but progress is tangible.
- Key Message:
Adding authentication alone is not a cure-all; true Zero Trust demands dynamic, fine-grained, time-limited network access—especially for the most sensitive or legacy assets.
