Zero Trust in Telecom: Why Execution Is Failing

Zero Trust in Telecom: The Industry Got It Wrong — and the Clock Is Running Out


  • Most telecoms have implemented the idea of Zero Trust, not the operating model—leaving legacy trust assumptions intact.
  • Perimeter-based security collapses in telecom environments that span cloud, edge, IoT, vendors, and remote access.
  • The threat has shifted from opportunistic cybercrime to long-term nation-state campaigns exploiting implicit trust.
  • Continuous verification, least privilege, and microsegmentation are widely referenced but rarely enforced with discipline.
  • IT/OT separation leaves Zero Trust structurally incomplete as attackers move laterally across connected environments.
  • Zero Trust can advance without infrastructure replacement by layering identity, access control, visibility, and analytics over existing systems.

The Wall That No Longer Exists

Most telecom companies have not implemented Zero Trust. They have implemented the idea, which is entirely different. Security teams can point to the right frameworks, vendor certifications, and maturity models. But look past the presentations, and you will often find old access assumptions still in place—credentials that have not been reviewed in years, IT and OT environments sharing more than they should, and alerts generated faster than they can be actioned. The gap between boardroom confidence and operational reality is one of the most serious risks facing the industry today.

Perimeter-based security once made sense. There was a clear structure. Employees worked from fixed locations, systems lived in data centers, and access paths were predictable. That world no longer exists. A modern telecom network spans thousands of kilometers of radio infrastructure, edge compute, cloud-hosted cores, IoT fleets, partner ecosystems, and remote operators. There is no meaningful boundary around this environment—and yet many networks continue to treat internal traffic as inherently safer than external traffic.

That assumption is exactly what attackers exploit. Once inside, the damage depends on how much trust the network grants by default. A single stolen credential can quickly become the starting point for a major incident. This is why zero-trust models refuse to treat network location as a basis for trust: every access request is verified on its own merits, rather than inheriting trust from where it originates.

In modern telecom networks, “internal” is not a security boundary. If trust is still inherited based on location, one stolen credential can become the start of something catastrophic.

The Threat Has Changed. The Response Remains the Same.

Telecom networks are strategic assets. Control of communications infrastructure enables access to call records, signaling systems, and metadata—information of immense geopolitical value. Recent investigations into state-sponsored activity, including campaigns publicly attributed to groups like Salt Typhoon, show the ways attackers operate today. They embed quietly, adjust systems just enough to avoid detection, and stay for months or years. By the time anomalies surface, attackers often understand the network better than the operators themselves.

This is not a problem solved by better firewalls. It requires a security model that assumes compromise, treats every access request as untrusted, and limits how far an attacker can move even after initial entry.

Three Things Telecoms Say They Do, But Don't

Most Zero Trust strategies revolve around three principles: continuous verification, least-privilege access, and microsegmentation. Telecom operators often reference them—but rarely fully execute them.

  • Continuous verification means more than authentication at login. Access decisions must be re-evaluated on every request using current signals such as session age, device posture, source, and observed behavior, and revoked when those signals change. In practice, many environments still treat login as a one-time check. Credentials stolen or devices compromised after access has been granted often go unnoticed until damage is done.
  • Least privilege is conceptually simple but operationally neglected. Permissions accumulate as people change roles, vendors cycle in and out, and temporary access becomes permanent. Overprivileged accounts give attackers exactly what they need to move laterally without triggering alarms.
  • Microsegmentation reduces the blast radius of an attack by strictly controlling how workloads and systems communicate. While guidance is widely available, implementation requires deep visibility into network behavior and constant policy tuning. It is not glamorous—but it is often the difference between containment and catastrophe.
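The three principles above are easier to judge against a concrete decision procedure. The following is an added example, not code from the article or from Tech Mahindra, of a policy decision point that re-evaluates every request: device posture and risk on each call (continuous verification), role entitlements that grant nothing by default (least privilege), and an explicit allow-list of zone-to-zone flows (microsegmentation). The roles, zones, resources, thresholds and the session and request fields are illustrative assumptions.

```python
from dataclasses import dataclass
from enum import Enum

# Constructed example of a per-request policy decision point (PDP).
# Roles, zones, resources and thresholds below are assumptions for the
# illustration, not a vendor product or a real operator's policy.


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step_up"  # require fresh authentication before continuing


@dataclass
class Session:
    user: str
    roles: set
    mfa_verified_at: int   # seconds since epoch (simplified clock)
    device_managed: bool   # enrolled in device management
    device_patched: bool   # compliant with the patch baseline
    risk_score: int        # 0-100, assumed to come from behavioral analytics


@dataclass
class Request:
    session: Session
    now: int
    src_zone: str
    dst_zone: str
    resource: str
    action: str


# Least privilege: each role lists exactly the (resource, action) pairs it
# needs. Nothing is granted by default, so a missing entry is a denial.
ENTITLEMENTS = {
    "noc-operator": {("ran-monitoring", "read"), ("ran-monitoring", "ack-alarm")},
    "core-engineer": {("core-config", "read"), ("core-config", "write")},
    "vendor-support": {("ran-monitoring", "read")},
}

# Microsegmentation: explicit allow-list of zone-to-zone flows. A flow that
# is not listed is denied regardless of who is asking.
ALLOWED_FLOWS = {
    ("corp-it", "mgmt-jump"),
    ("mgmt-jump", "ran-ot"),
    ("mgmt-jump", "core-ot"),
}

MFA_MAX_AGE = 4 * 3600  # re-prove MFA at least every 4 hours (assumed policy)
RISK_STEP_UP = 60       # behavioral risk above this forces re-authentication
RISK_DENY = 85          # behavioral risk above this denies outright


def evaluate(req: Request) -> tuple:
    """Evaluate one request; returns (Decision, reason)."""
    s = req.session
    # 1. Continuous verification: posture, risk and MFA freshness are checked
    #    on every request, not only when the session was first created.
    if not s.device_managed or not s.device_patched:
        return Decision.DENY, "device posture failed"
    if s.risk_score >= RISK_DENY:
        return Decision.DENY, "risk score above deny threshold"
    if req.now - s.mfa_verified_at > MFA_MAX_AGE or s.risk_score >= RISK_STEP_UP:
        return Decision.STEP_UP, "re-authentication required"
    # 2. Microsegmentation: the network path itself must be allow-listed.
    if (req.src_zone, req.dst_zone) not in ALLOWED_FLOWS:
        return Decision.DENY, f"flow {req.src_zone}->{req.dst_zone} not permitted"
    # 3. Least privilege: the union of the user's role entitlements must
    #    contain this exact resource/action pair.
    granted = set().union(*(ENTITLEMENTS.get(r, set()) for r in s.roles))
    if (req.resource, req.action) not in granted:
        return Decision.DENY, f"{req.action} on {req.resource} not entitled"
    return Decision.ALLOW, "ok"


def demo() -> list:
    """Walk one session through a sequence of requests; returns the decisions."""
    s = Session("alice", {"noc-operator"}, mfa_verified_at=1000,
                device_managed=True, device_patched=True, risk_score=10)
    results = []
    # Fresh session, from the jump host into the RAN OT zone: allowed.
    results.append(evaluate(Request(s, 2000, "mgmt-jump", "ran-ot", "ran-monitoring", "read")))
    # Same user and session, but straight from corporate IT into OT: denied by segmentation.
    results.append(evaluate(Request(s, 2000, "corp-it", "ran-ot", "ran-monitoring", "read")))
    # Allowed path, but the role never needed to write core config: denied by least privilege.
    results.append(evaluate(Request(s, 2000, "mgmt-jump", "core-ot", "core-config", "write")))
    # Hours later the MFA proof has aged out: step-up even though login succeeded earlier.
    results.append(evaluate(Request(s, 1000 + MFA_MAX_AGE + 1, "mgmt-jump", "ran-ot", "ran-monitoring", "read")))
    # Device falls out of compliance mid-session: the next request is denied.
    s.device_patched = False
    results.append(evaluate(Request(s, 2000, "mgmt-jump", "ran-ot", "ran-monitoring", "read")))
    return results


if __name__ == "__main__":
    for decision, reason in demo():
        print(decision.value, "-", reason)
```

The scenario in demo() is the point of the section: the same session that was allowed at login time is later stepped up when its MFA proof ages out and denied when its device drops out of compliance, with no change to who the user is. A login-only check would have returned "allow" for all five requests.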

The IT/OT Problem Nobody Wants to Own

IT and OT security in telecoms still operate as largely separate domains, with different tools, teams, and priorities. Historically, OT systems relied on physical or logical isolation for protection.

That isolation is now mostly theoretical. Virtualization, cloud-native cores, and remote management have interconnected these environments without realigning security ownership. Many attacks on operational systems begin on the IT side and move laterally into infrastructure never designed for exposure.

Zero Trust cannot work in this split model. Shared visibility, unified policies, and coordinated incident response across IT and OT are essential. Without them, accountability gaps become attack paths.

Zero Trust breaks when accountability is split. If IT and OT operate with different tools, policies, and incident definitions, the gaps become the attack path.

Making Zero Trust Work Without Breaking Everything

Legacy complexity is a valid concern. Telecom networks run infrastructure spanning decades, much of it never designed for identity-aware access or continuous verification. Full replacement is neither practical nor necessary.

Zero Trust is not all-or-nothing. Operators can layer controls over existing systems:

  • Enforce centralized identity and multifactor authentication at access points
  • Wrap legacy assets with secure access gateways
  • Replace broad VPNs with session-based, verified access
  • Add monitoring and analytics without disrupting operations

Identity becomes the primary control when location is no longer meaningful. ZTNA limits lateral movement by default, and behavioral analytics highlight deviations that humans cannot realistically monitor at telecom scale. AI-driven analysis is no longer optional—it is essential for managing volume and complexity.

The Real Question

The industry has understood Zero Trust for years. The challenge has never been awareness—it is execution.

Within the first six months of focused implementation, tangible progress is visible: fewer standing privileges, reduced VPN exposure, faster detection, and quicker containment. For many operators, this also strengthens regulatory readiness by building real security capabilities rather than compliance theatre.

Zero Trust is not a product. It is an operating decision about how access is granted, reviewed, and revoked—consistently and without exception. Threat actors are already inside telecom networks, operating with levels of trust they should never have had. Operators who confront this reality will build resilient, defensible environments.

Those who continue to polish presentations while leaving implicit trust untouched will face consequences they were warned about.

The choice is no longer theoretical. It is time to make it.


Frequently Asked Questions


What does Zero Trust mean in a telecom context?

Zero Trust is a security operating model that assumes no user, device, or system is inherently trusted. Every access request is continuously verified based on identity, context, and behavior, rather than network location. This approach reflects the reality of distributed telecom environments spanning cloud, edge, vendors, and remote operations.

Why is perimeter-based security no longer sufficient for telecom networks?

Telecom networks no longer have a clear boundary. Cloud-native cores, IoT, remote access, and partner ecosystems make internal traffic just as risky as external traffic. Perimeter-based models rely on outdated trust assumptions that attackers routinely exploit once initial access is gained.

Where do telecom Zero Trust implementations most often fall short?

Common gaps include one-time authentication instead of continuous verification, excessive standing privileges, and inconsistent microsegmentation. These weaknesses allow attackers to move laterally after gaining access, even when Zero Trust frameworks are formally adopted.

Why does the IT/OT split matter for Zero Trust?

Separate tools, teams, and policies for IT and OT create visibility and accountability gaps. As these environments become interconnected, attackers can move from IT systems into operational infrastructure. Zero Trust requires unified visibility and coordinated controls across both domains.

How can operators adopt Zero Trust without replacing legacy infrastructure?

Telecom operators can layer identity controls, session-based access, monitoring, and analytics over existing infrastructure. This phased approach enables practical Zero Trust execution without disrupting critical operations and aligns with how Tech Mahindra approaches complex legacy environments.

About the Author
Ashish Mishra
Group Manager – Service Delivery, CSRM, Tech Mahindra

Ashish Mishra is an IT and cybersecurity professional with over 20 years of industry experience. His expertise spans IT, information security, cloud technologies, and network security, including SASE and Zero Trust. He has led large-scale IT operations, strategy, and transformation initiatives and holds 150+ professional certifications across multiple technologies.
