
Zero Trust: What Cybersecurity Experts Can Learn from Prisons

Written by Nick Kathmann, CISO at LogicGate, featured in the Cyber Defense Magazine September 2025 Edition

Just a few years ago, “Zero Trust” was the hottest buzzword in cybersecurity. In fact, it became so hot that every vendor wanted to use it—whether their solution adhered to Zero Trust principles or not. The result? The power of Zero Trust was significantly diluted. The term was manipulated by marketers and came to mean different things in different scenarios, creating confusion in the market and leaving customers uncertain about what Zero Trust actually means and whether it applies to them. Slapping the “Zero Trust” label on every security solution probably helped push product in the short term—but in the long term, it eroded confidence in Zero Trust principles themselves.

So, let’s clear it up with a simple analogy. Zero Trust basically mirrors prison facility architecture. Zero Trust principles state that risk leaders should design their architectures with the goal of reducing the potential blast radius of a security incident. That requires tactics like microsegmentation, along with a strict and continuous approach to identity validation and data access privileges. High-security prisons are built on that same Zero Trust concept: access to the facility itself is extremely restricted, and even once inside, there are numerous security checkpoints, access barriers, and other safeguards designed to limit unauthorized movement or activity. Leaving one cell doesn’t immediately grant access to all cells—and organizations need to take that lesson to heart if they want to limit risk within their digital infrastructure.

How Prisons Mirror the Zero Trust Approach

Access restriction and segmentation each play an important role in keeping prisons secure. Individuals cannot enter a prison facility unless they are on an approved visitor (or vendor) list. Those incarcerated within its walls cannot move between living units, the law library, gym facilities, and other approved areas unless granted permission or at specific, predetermined times. Correctional officers themselves require keys or keycards along with IDs and other verification and authentication methods to pass through security doors. For most institutions, access to the internet is highly restricted or prohibited, and all institutions are on high alert to mitigate smuggled-in contraband. These are just a few examples, but the point is this: within the walls of a prison, movement—both physical and digital—is monitored, managed, and restricted.

When you break it down, the entire architecture of a prison facility is designed to protect the incarcerated, protect correctional staff, and protect the public. But incidents still happen. And when a disruption occurs, there are protocols and procedures in place to contain the situation, communicate the impact, and conduct a postmortem to ensure it doesn’t happen again. To anyone in the cybersecurity field, that should sound pretty familiar—and it underscores the deep similarities between data security and traditional physical security. While it’s easy to view the two fields as distinct, the truth is there is a lot that cybersecurity professionals can learn from their counterparts in the physical security field. 

Applying Zero Trust Principles to Digital Environments

That basic lesson should help security and risk leaders think differently about how they build their network architecture. First, consider what Zero Trust actually means. Ideally, it means access is never granted by default—identities are not “trusted,” they need to continuously prove that they have the right to access certain systems and data. What’s more, they should never have access to more data than they actually need, and only for as long as they need it. This is referred to as the principle of least privilege: identities should have the minimum set of privileges needed to perform their essential functions, and nothing more. This significantly limits the impact of a potential breach: if a set of credentials is stolen, the attacker will only have access to a limited amount of data or systems, making it difficult for them to escalate the attack.

The parallel to a prison is clear. Incarcerated persons—and even guards—are not granted more access than they need. After all, if an incarcerated person could open every door in the prison with a single key dropped by a guard, that wouldn’t exactly be ideal. In the real world, different doors require different keys and different sets of credentials, and an incarcerated person attempting to access restricted areas would be repeatedly challenged to prove their identity—even if they somehow got hold of a corrections officer uniform. There are multiple layers of defense, and none of them involve trust. If you can’t prove who you are and why you should have access to an area, it simply won’t be granted.

That is the important point—the one that underscores why Zero Trust is still relevant today. By segmenting different areas of the network and constantly challenging visitors to validate their credentials, organizations can effectively reduce the blast radius of an incident. This requires close collaboration between security teams and network, systems, and identity architects, who can work together to analyze and quantify incident “blast zones” for potential business-impacting threats and apply threat modeling principles to determine trust boundaries. This enables organizations to design better network, data, and access boundaries across different trust zones according to the potential impact of a security incident. By applying those principles across commercial off-the-shelf (COTS), custom-developed, and deployed architectures, they can make it harder for attackers to get in—and harder for data to get out.
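The blast-zone analysis described above, and the least-privilege and continuous-validation ideas from the previous section, can be made concrete with a small model. The following is an added example, not code from the article or from LogicGate: the zones, network paths, and identity grants are constructed, and `blast_radius` computes which zones a stolen credential could reach under a flat, implicitly trusted network versus a segmented, default-deny policy whose per-zone grants expire.

```python
"""Toy blast-radius model for a stolen credential: a flat, implicitly trusted
network versus a segmented, default-deny, least-privilege policy.
Constructed illustration for this article; not LogicGate code."""
from collections import deque

# Constructed zones and the network paths between them.
ZONES = {"vpn", "workstations", "app", "db", "backups", "hr"}
# Flat network: once inside, every zone can reach every other zone.
FLAT = {z: ZONES - {z} for z in ZONES}
# Segmented network: each zone may only talk to an explicit allow-list
# ("different doors require different keys").
SEGMENTED = {"vpn": {"workstations"}, "workstations": {"app"}, "app": {"db"},
             "db": set(), "backups": set(), "hr": set()}

def implicit_trust(identity, zone, now):
    """Flat model: being on the network is the only check, so every door opens."""
    return True

def make_zero_trust_check(grants):
    """grants: identity -> {zone: expiry_time}. Every hop re-validates that the
    identity holds a current grant for that zone: default deny, least privilege,
    and continuous verification in one check."""
    def check(identity, zone, now):
        expiry = grants.get(identity, {}).get(zone)
        return expiry is not None and now < expiry
    return check

def blast_radius(identity, entry, paths, check, now=0):
    """Zones an attacker holding `identity`'s credential can enter from `entry`.
    Breadth-first search over network paths; a hop succeeds only if `check`
    allows the identity into the next zone at time `now`."""
    seen, queue = {entry}, deque([entry])
    while queue:
        here = queue.popleft()
        for nxt in paths[here]:
            if nxt not in seen and check(identity, nxt, now):
                seen.add(nxt)
                queue.append(nxt)
    return seen

# Constructed grants: alice may use workstations until t=3600 and app until t=900.
GRANTS = {"alice": {"workstations": 3600, "app": 900}}
ZT_CHECK = make_zero_trust_check(GRANTS)

if __name__ == "__main__":
    print("flat:", sorted(blast_radius("alice", "vpn", FLAT, implicit_trust)))
    print("zero trust t=0:", sorted(blast_radius("alice", "vpn", SEGMENTED, ZT_CHECK)))
    print("zero trust t=1000:", sorted(blast_radius("alice", "vpn", SEGMENTED, ZT_CHECK, now=1000)))
```

With the flat model the stolen credential reaches all six zones; under the segmented policy it reaches only the zones alice holds a live grant for, and the reach shrinks further once the `app` grant expires.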

Zero Trust Remains as Relevant as Ever

While risk is ever evolving, the foundational elements of security and mitigating threats are tried and true. Prisons aren’t new—they have existed in some form for thousands of years. Admittedly, some need to modernize—but the security principles upon which they are built have not changed much over time. The importance of protection and emphasis on limiting surprises has never wavered, and even the most progressive and permissive prisons have multiple layers of security and authentication. Those are lessons that security teams and digital architects should take to heart. Embracing Zero Trust principles remains one of the most effective ways to limit risk in today’s digital threat landscape.