Challenges in Gaining Visibility into Zero Trust Environments

02 Apr 2025 - joe

Executive Summary

Zero Trust security is becoming a priority across industries, but security and risk leaders (CISOs and others) face significant challenges in achieving visibility into these environments. Zero Trust assumes no implicit trust—every user, device, and network segment must be continuously verified and monitored. This paradigm shift introduces technical hurdles, organizational changes, and strategic considerations that affect all industries. Below, we outline common challenges in gaining visibility under a Zero Trust Architecture (ZTA), followed by industry-specific insights for finance, healthcare, and government. Each section is supported by recent findings (2023–2025) from experts, surveys, and case studies.

Technical Challenges in Zero Trust Visibility

Zero Trust often increases architectural complexity, which can create visibility gaps and blind spots for security teams. Key technical challenges include:

Organizational Challenges for Visibility

Beyond technology, CISOs face organizational and human factors that limit visibility in Zero Trust deployments. These include:

Strategic Challenges and Gaps

At a strategic level, security and risk leaders must align Zero Trust visibility efforts with business goals, compliance requirements, and long-term plans. Some high-level challenges include:

In summary, the strategic landscape requires leaders to invest in modernizing infrastructure, define clear objectives for visibility, insist on integration, and constantly balance security with business needs. No single solution or “silver bullet” exists; instead, a sustained multi-year effort is needed to close visibility gaps and mature a Zero Trust program.

Industry-Specific Insights

While the above challenges are common across sectors, different industries experience Zero Trust visibility issues in unique ways. Below we provide insights and data for finance, healthcare, and government. (If certain statistical or case study data is unavailable, we note it explicitly.)

Financial Services Industry

Financial institutions have been early adopters of Zero Trust concepts due to high stakes: they face stringent regulations, sophisticated cybercriminals, and insider fraud. One big challenge is achieving unified visibility for compliance and threat detection across sprawling IT environments. According to a 2024 study, 52% of financial services firms lack visibility across all their users, assets, and infrastructure, leaving critical blind spots (The Secret to Reducing Compliance Risk in Financial Services: Visibility Akamai). These blind spots are not just theoretical – nearly 9 in 10 financial institutions experienced a major operational incident in the prior 18 months that was often attributed to visibility gaps in their systems (The Secret to Reducing Compliance Risk in Financial Services: Visibility Akamai). Such incidents (e.g. undetected data exfiltration or system outages) underscore an urgent need for comprehensive, real-time monitoring in banking and finance.

Financial organizations also struggle with complex, fragmented environments. Large banks might run legacy core banking systems, numerous SaaS applications, public cloud services, and thousands of employee endpoints. Data and transactions flow across many platforms, making end-to-end tracking difficult. Many firms report that fragmented tools and silos lead to inconsistent oversight – for instance, different teams monitoring ATM networks vs. trading systems. It’s no surprise that 61% of financial firms cite fragmented tooling as a key barrier to full visibility (The Secret to Reducing Compliance Risk in Financial Services: Visibility Akamai). In addition, talent shortages hit this industry hard: that same survey found staff limitations (69% of firms) hinder efforts to monitor and secure everything (The Secret to Reducing Compliance Risk in Financial Services: Visibility Akamai). In practice, banks may have state-of-the-art security in one domain (like an anti-fraud system for online banking) but lack visibility in another (like internal employee access or third-party vendors), because they simply don’t have enough skilled personnel to deploy and manage a unified solution.

Insider threats further complicate visibility for finance. With thousands of employees and contractors, and high-value data, financial firms worry about malicious or careless insiders. Over 70% of financial services firms are considered at risk of insider threats, and an average insider incident costs $16 million (Zero Trust: Redefining Security in Banking & Financial Services Ping Identity). Zero Trust principles (never trust, always verify) are meant to address this by monitoring user behavior continuously. However, implementing such monitoring without overwhelming analysts is difficult. Many banks are turning to user behavior analytics and identity-centric Zero Trust, but integrating these with network monitoring is an ongoing effort. It’s notable that lateral movement is a major focus now—firms recognize that once an insider or attacker gains a foothold, the next step is often moving silently through internal systems. As one expert noted, “Zero Trust is perimeter-less and only once CISOs prioritize lateral traffic monitoring can they truly [be confident]…” (Hybrid Cloud Security Trends 2024 Gigamon). In practice, this means investing in tools that can inspect East–West traffic within data centers and cloud environments for anomalies, an area where visibility is often lacking.

From a regulatory standpoint, finance has little room for error. Regulators worldwide now expect robust audit logs, rapid breach detection, and proof of control over data access. Financial firms that cannot centrally report who accessed what data (and when) risk fines. Indeed, more than 60% of financial organizations have incurred compliance costs due to poor visibility and unchecked areas of their network (The Secret to Reducing Compliance Risk in Financial Services: Visibility Akamai). The industry is responding by prioritizing visibility in their budgets: in one survey, over half of financial institutions said they are increasing investment in “identity analytics and visibility” tools in 2025 (According to Cloud Security Alliance Survey More than Half of CSA). Case studies of banks adopting Zero Trust often highlight the need to unify data from many security tools. For example, a large bank might implement a Security Information and Event Management (SIEM) system to ingest logs from identity systems, cloud platforms, and on-premises servers, then layer behavior analytics on top. Such projects are complex and require executive support. (Specific case study data for individual banks is often kept internal for security reasons, so public statistics beyond surveys are limited in this domain.)
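To show what “unify data from many security tools” looks like in practice, here is an added example (not from the article or any vendor product). It normalizes constructed records from three hypothetical sources, an identity provider, a cloud audit trail and an on-premises server, into one schema so that “who accessed what, and when” can be answered centrally, and it flags sources that have stopped reporting, which is exactly the kind of blind spot the survey data describes. All source names, field names and records are made up for illustration.

```python
"""Normalize heterogeneous access logs and check log-source coverage.

Constructed example: three made-up log sources with different native formats
are mapped to a common (when, who, what, action, source) record.
"""
from datetime import datetime, timezone
from typing import List, NamedTuple


class AccessEvent(NamedTuple):
    when: datetime
    who: str
    what: str
    action: str
    source: str


# Constructed sample records; the formats imitate common styles but are not
# taken from any real product.
IDP_EVENTS = [  # identity provider: JSON-style dicts
    {"ts": "2025-03-01T09:00:00Z", "user": "alice", "app": "core-banking", "result": "login"},
    {"ts": "2025-03-01T09:05:00Z", "user": "bob", "app": "trading-desk", "result": "login"},
]
CLOUD_EVENTS = [  # cloud audit trail: principal plus resource name
    {"eventTime": "2025-03-01T09:10:00Z", "principal": "alice",
     "resource": "s3://customer-pii/2025.csv", "eventName": "GetObject"},
]
ONPREM_LINES = [  # on-prem server: syslog-style key=value text
    "2025-03-01T08:30:00Z host=db01 user=carol action=read file=/data/ledger.db",
]


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(idp, cloud, onprem) -> List[AccessEvent]:
    """Map each native format onto the common schema, oldest first."""
    events = []
    for e in idp:
        events.append(AccessEvent(_parse_ts(e["ts"]), e["user"], e["app"], e["result"], "idp"))
    for e in cloud:
        events.append(AccessEvent(_parse_ts(e["eventTime"]), e["principal"],
                                  e["resource"], e["eventName"], "cloud"))
    for line in onprem:
        ts, rest = line.split(" ", 1)
        kv = dict(part.split("=", 1) for part in rest.split())
        events.append(AccessEvent(_parse_ts(ts), kv["user"], kv["file"], kv["action"], "onprem"))
    return sorted(events, key=lambda ev: ev.when)


def who_accessed(events: List[AccessEvent], what: str) -> List[str]:
    """Answer the auditor's question 'who touched this resource, and when?'."""
    return [f"{ev.when.isoformat()} {ev.who} {ev.action}" for ev in events if ev.what == what]


def silent_sources(events: List[AccessEvent], expected: List[str],
                   now_iso: str, max_gap_minutes: int) -> List[str]:
    """Sources that never reported, or whose last event is older than max_gap_minutes.

    A source going quiet is a visibility gap, not good news, so it is surfaced
    explicitly rather than silently producing an empty query result.
    """
    now = _parse_ts(now_iso)
    last = {}
    for ev in events:
        last[ev.source] = max(last.get(ev.source, ev.when), ev.when)
    return sorted(s for s in expected
                  if s not in last or (now - last[s]).total_seconds() > max_gap_minutes * 60)
```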

In summary, the financial services industry recognizes visibility as a linchpin of Zero Trust — both to stop advanced threats and to meet regulatory demands. Significant challenges remain in breaking down silos between systems and teams. However, recent trends (like consolidating tools and focusing on real-time monitoring of internal traffic) show that finance is actively tackling these visibility gaps, backed by budget increases and board-level attention.

Healthcare Industry

Healthcare organizations (hospitals, clinics, pharma companies) face a unique blend of Zero Trust visibility challenges driven by their mix of IT and life-critical systems. A standout issue is the prevalence of legacy and unmanaged devices. Medical devices such as MRI machines, IV pumps, and patient monitors are often running outdated software or are managed by external vendors, making it hard for hospital IT to monitor them. One cybersecurity study notes that blind spots in hospital networks often arise simply because IT teams “don’t know every device connected” to the environment (Overcoming the Challenges of Clinical Zero Trust Claroty). An accurate, real-time inventory is foundational to Zero Trust, yet many healthcare providers lack this. For example, biometric devices and medical IoT might not report into standard asset management systems. The governance challenge (who is responsible for securing and monitoring each device) is pronounced: clinical engineering departments might manage medical equipment, while IT handles computers – a silo that Zero Trust strategies must bridge.

Insider risk and user monitoring are also critical in healthcare. Notably, healthcare is the one industry where insiders pose the greatest threat: 58% of healthcare security incidents involve internal actors, whether due to error, snooping, or malicious intent (Protected Health Information Data Breach Report, Verizon). This statistic (from a Verizon data breach report) highlights why Zero Trust visibility is so important in healthcare – staff like nurses, doctors, or billing clerks already inside the network can be a source of breaches if their access is misused. Continuous monitoring of user activity (especially access to patient records or prescription systems) is needed to catch inappropriate access early. However, implementing this faces cultural and privacy hurdles. Care providers are concerned about productivity and patient privacy, so security teams must carefully balance monitoring with trust in staff. Some hospitals use analytics to detect anomalous behavior (e.g. an employee suddenly accessing far more patient records than usual), but these systems must be fine-tuned to avoid false positives that could impede healthcare delivery.

Another challenge is interoperability and third-party access. Hospitals often use multiple vendors for remote support of medical devices or for consulting services. According to a 2024 survey, 44% of hospitals have six or more different secure access solutions for third parties, yet still lack a clear view of all remote connections into their network (Overcoming the Challenges of Clinical Zero Trust Claroty). This indicates a patchwork approach to vendor access: one vendor might use a VPN, another a remote desktop tool, etc. The result is that security teams cannot easily monitor what external technicians are doing on clinical systems. Zero Trust aims to enforce least privilege and session monitoring for every user, including external ones, but integrating these various access methods into a single monitoring dashboard is difficult. Some healthcare organizations are moving to standardized vendor access platforms (with recording and auditing), but not all have done so.

Visibility into network traffic and segmentation is also a healthcare concern. Traditionally, hospital networks were flat or only lightly segmented, which means an infected device could communicate freely across the hospital. Zero Trust pushes for micro-segmentation — for example, lab devices should only talk to lab systems, not the entire network. To implement and verify this, hospitals need granular visibility into network communications. Challenge #2 of “Clinical Zero Trust” (as one industry report dubs it) is having a “limited understanding of device communications” – knowing not just what devices exist, but how they normally communicate, how often, and with which systems, in order to spot abnormal patterns (Overcoming the Challenges of Clinical Zero Trust Claroty). Many healthcare providers lack this baseline knowledge. Network visibility tools (like traffic analysis appliances or deep packet inspection) may not be deployed widely in clinical networks due to cost or complexity. This gap means malicious activity could go undetected for longer. Indeed, the rise in healthcare cyberattacks is alarming: the U.S. health sector saw a 278% increase in large ransomware breaches from 2018 to 2022 according to HHS data (Federal agencies face zero-trust cybersecurity crunch as OMB deadline looms FedScoop). In several incidents, attackers had quietly obtained credentials or device access and lurked before launching disruptive attacks — underscoring the lack of visibility that would have been needed to detect the intrusions early.
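The baseline described above (which devices exist, whom they normally talk to, and how often) can be made concrete with an added example; this is illustrative code, not from the article or the Claroty report. It learns a per-device communication baseline from constructed flow records, then checks new flows against that baseline, against a made-up segmentation policy (lab devices may only reach lab and core systems), and against a made-up inventory so that devices IT “doesn’t know about” surface as findings. The same learn-then-compare logic is what the user-access analytics mentioned earlier in this section rely on, only applied to record counts per employee instead of flows per device. Device names, zones, ports and flow counts are all constructed.

```python
"""Baseline clinical device communications and flag deviations.

Constructed example: flows are (src, dst, dport) triples observed on a
hospital segment. Inventory, zones, policy and traffic are all made up.
"""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int


# Constructed inventory: device name -> network zone. Anything missing is unknown.
INVENTORY: Dict[str, str] = {
    "lab-analyzer-1": "lab", "lis-server": "lab",
    "iv-pump-7": "ward", "patient-monitor-3": "ward", "nurse-station": "ward",
    "ehr-app": "core",
}

# Constructed segmentation policy: which (source zone, destination zone) pairs may talk.
POLICY: Set[Tuple[str, str]] = {("lab", "lab"), ("lab", "core"), ("ward", "ward"), ("ward", "core")}

# Constructed "normal week" of traffic used to learn the baseline.
BASELINE_FLOWS: List[Flow] = (
    [Flow("lab-analyzer-1", "lis-server", 443)] * 200
    + [Flow("iv-pump-7", "nurse-station", 8443)] * 50
    + [Flow("patient-monitor-3", "nurse-station", 8443)] * 300
    + [Flow("nurse-station", "ehr-app", 443)] * 120
)


def zone_of(device: str) -> str:
    return INVENTORY.get(device, "unknown")


class Baseline:
    """Per source device: how often it reached each (destination, port) in the learning period."""

    def __init__(self, flows: List[Flow]):
        self.peers: Dict[str, Counter] = defaultdict(Counter)
        for f in flows:
            self.peers[f.src][(f.dst, f.dport)] += 1

    def check(self, f: Flow) -> List[str]:
        """Return the reasons a single flow deviates from expectations (empty list = normal)."""
        findings = []
        if f.src not in INVENTORY:
            findings.append(f"unknown device {f.src}")
        if (zone_of(f.src), zone_of(f.dst)) not in POLICY:
            findings.append(f"segmentation violation {zone_of(f.src)}->{zone_of(f.dst)}")
        # Only devices with a learned baseline can have a "new peer"; unknown devices
        # are already flagged above rather than compared against an empty history.
        if f.src in self.peers and (f.dst, f.dport) not in self.peers[f.src]:
            findings.append(f"new peer {f.dst}:{f.dport} for {f.src}")
        return findings

    def volume_anomaly(self, src: str, dst: str, dport: int, observed: int, factor: float = 3.0) -> bool:
        """True when a known pair's observed count exceeds factor x its learned count ('how often')."""
        expected = self.peers.get(src, Counter()).get((dst, dport), 0)
        return expected > 0 and observed > factor * expected
```

The factor threshold is deliberately coarse; in a real deployment it is the knob that is tuned per device class to keep false positives from interrupting care.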

It’s worth noting that the healthcare industry has relatively less public statistical data on Zero Trust implementation progress compared to finance or government. Hospitals and healthcare systems are cautious about sharing security specifics. However, anecdotal evidence and expert opinions indicate that many healthcare providers are still in early stages of Zero Trust adoption. They often start with identity-centric controls (like multi-factor authentication and stricter access governance) and are gradually improving network visibility through solutions tailored to medical environments. For instance, some hospitals have adopted network monitoring tools that are aware of medical device protocols and can flag unusual behavior without touching the device (important because you can’t install typical security agents on an MRI machine). Case studies from late 2023 show health systems piloting “clinical Zero Trust” platforms that passively discover devices and segment them. The results are promising in finding previously unknown devices and connections. Yet, challenges remain in scaling these solutions system-wide and ensuring that security measures do not disrupt patient care.

In conclusion, healthcare faces a tough balancing act: securing highly sensitive data and systems in a Zero Trust model while preserving the continuity of care. Visibility is at the heart of this challenge. Progress is being made via better asset discovery and network analytics tools designed for healthcare, but many organizations have a long way to go. The high percentage of insider-related breaches and the explosion of connected medical devices make it clear that without comprehensive visibility, hospitals will remain vulnerable. We can expect to see continued investments in this sector on building centralized monitoring for both IT and clinical technology, although concrete industry-wide metrics on Zero Trust adoption in healthcare are not widely published as of 2025.

Government (Public Sector)

Government agencies, especially at the federal level, have been mandated to adopt Zero Trust architectures in recent years. This top-down push (e.g. U.S. Executive Order 14028 and OMB mandates) has driven agencies to develop Zero Trust strategies, but visibility into these complex environments is one of the hardest challenges. A primary issue is the prevalence of legacy systems and networks in government. Many agencies still run decades-old systems alongside modern cloud services. As noted in the CISA Zero Trust Maturity Model (2023), the federal government “faces several challenges in implementing ZTA” and legacy systems built on implicit trust are a major obstacle (Zero Trust Maturity Model Version 2.0). These old systems often lack telemetry or are not compatible with modern logging and analytics tools, creating blind spots. An agency cannot fully monitor what it cannot instrument; yet replacing these systems is slow. This means that, in the near term, agencies must find creative ways (such as proxies or network sensors) to gain visibility into legacy environments until they can be modernized.

Another challenge in government is the sheer scope of assets and data types. Agencies must monitor traditional IT (servers, workstations, databases) and a growing array of OT/IoT devices used in facilities, infrastructure control, and even defense systems. A recent FedScoop report highlighted that inventorying and monitoring the ever-expanding mix of IT, OT, and IoT assets is a “vexing requirement” for agencies striving for Zero Trust (Federal agencies face zero-trust cybersecurity crunch as OMB deadline looms FedScoop). For example, a federal energy lab might have to monitor office IT networks and specialized industrial control systems for the power grid. Merging visibility of these under one strategy is difficult. Data from OT systems may not feed into standard SIEMs, and the security teams for OT and IT historically have been separate. However, cyber threats now exploit any gap between these areas. The convergence of IT and OT means a breach in one can affect the other (Federal agencies face zero-trust cybersecurity crunch as OMB deadline looms FedScoop), so Zero Trust strategies in government are placing new emphasis on unified visibility across all systems. Some agencies are deploying enterprise asset management tools and network monitoring that covers both IT and OT networks, but maturity varies widely.

Resource and staffing constraints in the public sector also impede visibility efforts. Government CISOs have to work with fixed budgets and often cannot pay salaries competitive with the private sector for top talent. As one federal cybersecurity director observed, agencies often “don’t have enough time, [existing] tools are inefficient, and [have] limited resources to solve” the visibility challenges (Federal agencies face zero-trust cybersecurity crunch as OMB deadline looms FedScoop). This can result in agencies relying on a patchwork of older security tools that don’t integrate well. There is an ongoing effort, supported by CISA and federal funding, to provide agencies with centralized dashboards and shared services for certain aspects of Zero Trust (for instance, some agencies use CISA’s Continuous Diagnostics and Mitigation [CDM] program tools for asset management and vulnerability scanning). Still, capability gaps remain, and not all agencies are at the same level. (Precise statistics on how many agencies have achieved full visibility are not publicly available; internal scorecards exist but are not released due to security sensitivities. What is known is that as the 2024 OMB deadline approached, many agencies were still working on foundational steps like reliable asset inventories and log management.)

The strategic coordination required in government is itself a challenge. Unlike a private company, a federal department might contain dozens of bureaus with their own IT systems. Ensuring a “common architecture and governance policies” for Zero Trust across an entire department is difficult (Zero Trust Maturity Model Version 2.0). Some agencies have created Zero Trust task forces or working groups to standardize approaches, but others struggle with inter-office coordination. This can lead to uneven visibility—one sub-agency might have robust monitoring, while another has blind spots, creating overall risk. Additionally, government agencies must abide by strict privacy and civil liberty rules when monitoring users, especially in law enforcement or intelligence contexts. They have to draw clear lines between security visibility and improper surveillance, which adds complexity to how monitoring tools are deployed and what data can be collected.

On a positive note, government mandates have forced a focus on visibility outcomes. Agencies are required not just to implement tools, but to be able to detect and respond to incidents effectively. For example, OMB’s zero trust strategy requires agencies to “achieve centralized access to logs and visibility” across multiple domains (identity, devices, network, etc.) and to use automation for analytics where possible. While not all agencies met every goal by the FY 2024 deadline, there is now momentum and funding to continue improvements. The public sector also collaborates on challenges like this; best practices are being shared via the Federal CISO Council and in published guidance (CISA’s maturity model explicitly highlights Visibility and Analytics as one of three cross-cutting capabilities under Zero Trust (Zero Trust Maturity Model Version 2.0)). This means visibility is recognized as fundamental, not an afterthought.

In summary, the government sector’s challenges in gaining Zero Trust visibility revolve around outdated technology, massive scale, and coordination across diverse entities. Concrete statistical data on progress is limited publicly (and likely classified in parts), but numerous reports and official statements confirm these pain points. The strategy moving forward is clear: invest in modernizing systems, unify dashboards for enterprise-wide insight, and ensure every new system or cloud service an agency adopts has the hooks for centralized monitoring. Agencies that have embraced these steps are seeing improvements, whereas those that lag will remain at higher risk. The coming years (2025 and beyond) will likely bring more transparency about federal Zero Trust progress, as oversight bodies and Congress push for evidence that agencies can actually see and secure what’s happening in their environments.

Conclusion

Across all industries, one theme is evident: visibility is the foundation of Zero Trust, yet achieving it is easier said than done. Technical hurdles like encrypted traffic, multi-cloud complexity, and tool integration issues create blind spots. Organizational issues such as skill shortages, silos, and inadequate governance impede progress. Strategically, legacy baggage and the need to align Zero Trust with business objectives complicate the journey. The finance, healthcare, and government sectors illustrate these challenges in different ways – from banks juggling compliance and insider threats, to hospitals grappling with device management, to agencies contending with legacy systems and mandates. What they share is the imperative to close visibility gaps in order to make Zero Trust effective.

Recent expert opinions and surveys (2023–2025) reinforce these conclusions: leaders are investing in deep observability, consolidating tools, and seeking real-time insights. For instance, 84% of organizations agree that deep observability (comprehensive visibility) is fundamental to strengthening cloud security (Hybrid Cloud Security Trends 2024 Gigamon), and 80% have made Zero Trust a key priority for the next 18 months (Hybrid Cloud Security Trends 2024 Gigamon). These figures show momentum. The same research also found that over 75% of security leaders believe internal traffic visibility is even more important now than perimeter monitoring (Hybrid Cloud Security Trends 2024 Gigamon), reflecting how priorities have shifted.

In closing, CISOs and security leaders should approach Zero Trust not as a one-off project but as an evolving program that addresses visibility at every layer: device, user, network, application, and data. Success stories often involve incremental improvements—starting with gaining visibility into the most critical assets and expanding outward. By understanding the challenges outlined above and learning from cross-industry insights, organizations can better plan their Zero Trust roadmaps. The path is difficult, but with a combination of the right tools, skilled people, and executive support, the visibility gaps can be systematically closed, enabling the true potential of Zero Trust to be realized in a measurable, resilient security posture.

Sources: