Integrity: An Overlooked Foundation of Zero Trust

Published 05/15/2025

Written by Scott Fuhriman, CISM, CISSP, Invary.

Executive Summary

Zero Trust security models are designed to eliminate implicit trust and enforce strict, continuous verification across users, devices, networks, applications, and data. However, one foundational element remains largely unaddressed: the Runtime Integrity of the system kernel.

This is a critical oversight. The kernel acts as the root authority of every operating system. If the kernel is compromised via rootkits, BYOVD attacks, kernel exploits, privilege escalation, or other methods then every signal, log, event, and security function that higher-level Zero Trust tools and workflows depend on can be manipulated or falsified. This can undermine an entire security posture and Zero Trust implementation.

Key Insights:

Current Zero Trust architectures implicitly trust the OS kernel.
Advanced threats target the kernel to stay undetected.
Without validating the runtime state of the kernel, Zero Trust policies may enforce based on false premises.

What’s Needed:

Continuous, real-time measurement of the kernel against known-good baselines.
Integration of Kernel Runtime Integrity attestation as a required control before enforcing access, trust levels, or telemetry decisions.
Leadership recognition that system trust must begin with verified integrity at the lowest level.

Bottom Line: If the system that executes and enforces your Zero Trust capability has been tampered with, your entire security posture is compromised. Kernel Runtime Integrity must become a foundational layer of Zero Trust strategy.

graphic of a cloud over computer parts

Introduction

There is a continual increase in conversation, awareness, and adoption of Zero Trust (ZT) and Zero Trust Architecture (ZTA), and for good reasons. Focus and awareness currently appear to lean heavily on identity and network segmentation, even micro segmentation, which are key principles. However, one aspect that seems to be getting overlooked in conversation and focus is Integrity.

I will provide a perspective on why Integrity, and more specifically Kernel Runtime Integrity, should be a foundation, not a pillar, of Zero Trust and the critical role it plays in enhancing and strengthening the pillars of ZT. But first, a review of ZT and ZTA.

Traditional enterprise security relied on a “castle-and-moat” model: strong perimeter defenses (firewalls, gateways) protecting a trusted internal network. The assumption was that threats originate outside, so insiders could be implicitly trusted. Over the past two decades, this paradigm has eroded. The rise of cloud computing, mobile devices, partner networks, and remote work has “dissolved” the network perimeter[1]. Attackers have also evolved to exploit this gap, using stolen credentials and insider footholds to move laterally inside networks that lack internal segmentation[2]. As a result, once an attacker breaches a legacy perimeter, they often have free rein to access multiple systems – a weakness that has led to numerous high-profile breaches.

Zero Trust is a security model developed to address these shortcomings by eliminating implicit trust in any single network location or user credential. Instead, every access request is continuously evaluated and must be explicitly authenticated and authorized, no matter where it originates or what resource it tries to access. In essence, Zero Trust operates under the mantra: “Never Trust, Always Verify.” In a Zero Trust Architecture (ZTA), the enterprise’s internal network is no longer inherently trusted; protections are moved as close as possible to data, workloads, and user identities.

The basic tenets, or pillars, of Zero Trust[2] are:

All data sources and computing services are considered resources.
All communication is secured regardless of network location.
Access to individual enterprise resources is granted on a per-session basis.
Access to resources is determined by dynamic policy (including the observable state of client identity, application/service, and the requesting asset) and may include other behavioral and environmental attributes.
The enterprise monitors and measures the integrity and security posture of all owned and associate assets.
All resources authentication and authorization are dynamic and strictly enforced before access is allowed.
The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.

One helpful model to utilize is the CISA Zero Trust Maturity Model[3] which can help organizations transition to ZT and is represented as follows:

A diagram of a building with columns

Image Source: “CISA Zero Trust Maturity Model” Version 2.0, April 2023; page 9.

The benefits of correctly implementing Zero Trust are that the security posture can be significantly strengthened. The elimination of implicit trust via ZTA provides:

enhanced threat detection and response
reduction of the attack surface and limiting lateral movement
minimized data exposure
adaptability to dynamic workflows
preservation of data integrity

All these benefits combined can greatly constrain security incidents and breach impact.[4] Even if an external or internal bad actor gains or has access to an environment, granular access controls and encryption minimize the data exposed. Organizations with mature Zero Trust programs experience lower breach costs (on average $1M less per incident[5]) and report improved threat detection and response times.

The Overlooked Blind Spot: The Kernel

Zero Trust has become a cornerstone of modern cybersecurity strategies, shifting the mindset from implicit trust to a philosophy of continuous verification. Yet, as organizations race to implement identity-based access controls, network segmentation, and application-aware policies, one critical layer is being overlooked and not adequately discussed, the integrity of the system kernel at runtime.

Kernel Runtime Integrity is not just another control or feature to add to the Zero Trust stack. It is the root of trust upon which all other security assurances depend. If your system's kernel, the heart of the operating system, is compromised, then everything above it, from logs and processes to security tools and identities, can be manipulated.

Security minded professionals accept that no user, device, or network segment should be trusted by default. Yet many continue to implicitly trust the underlying system kernel—the very component that mediates every action on a machine. That’s a dangerous assumption.

Advanced Persistent Threats (APTs), rootkits, and Bring-Your-Own-Vulnerable-Driver (BYOVD) techniques all target this layer. Once an attacker compromises the kernel, they can:

Falsify or suppress system logs
Hide their processes and connections from endpoint detection tools
Bypass access controls and identity validations
Interfere with forensic tools and SIEM event pipelines
Subvert security agents and APIs that higher-layer Zero Trust tools rely on

Even the most mature ZTA becomes blind if the underlying kernel cannot be trusted in real time. What good is continuously verifying identity, devices, applications, data, and network if you aren’t continuously verifying the core dependency those all have?

Zero Trust Starts with Verifying the Core

Each element of a Zero Trust strategy—identity, device, application, data, network—relies on the system behaving predictably and securely. But how do you verify that?

Kernel Runtime Integrity Measurement provides an answer. By continuously comparing the live state of the kernel against a known-good reference (a baseline measurement or attestation of the OS kernel runtime), organizations can validate whether a system remains in a trustworthy state. This validation can occur as frequently as every few minutes, giving security teams early warning of compromise and faster decision making to reduce impact, even if the attacker has avoided detection by traditional means.

This security mechanism also doesn’t rely on having to keep up with ever changing attack techniques, tactics, and procedures. No need to rely on the historical behavior, event, or signature based detection methods that always lag behind what may be currently happening, especially as we contemplate the future of adversarial AI.

With a state based approach to detection, even novel attacks that tamper with or modify the kernel can be detected immediately as the attack method, or methods, used are irrelevant.

This capability ensures:

Trustworthy system telemetry: Logs, metrics, and alerts are only reliable if generated from uncompromised systems.
Enforcement confidence: Security policies and agents cannot be subverted silently if the kernel is continuously measured and verified.
Early breach detection: Kernel-level tampering can be flagged before threat actors can move laterally or exfiltrate data.
In essence, Kernel Runtime Integrity enables Zero Trust systems to “watch the watcher.” Having a third-party view and audit that doesn’t rely on the very system that can lie or deceive.

Why Today’s Zerto Trust Conversations Fall Short

Current Zero Trust implementations rely heavily on identity governance, network controls and endpoint detection and response (EDR). While these are vital, they depend on signals and trust assertions made by the system itself. If that system is compromised, ZTA becomes susceptible to misinformation.

Consider this scenario:

An attacker exploits a kernel-mode vulnerability, installing a rootkit.
The system continues operating as normal. EDR receives no alerts. Logs look clean. Security tools believe the system is healthy.
Meanwhile, the attacker is capturing credentials, pivoting to other machines, and exfiltrating data.

Without runtime attestation of the kernel the ZTA is being fed false data, and no amount of policy enforcement can fix that.

Why Leaders Must Act Now

Nation-state actors and organized threat groups have already operationalized kernel-level attacks. As these techniques become more commoditized, the integrity of the kernel must no longer be assumed, it must be verified.

Technical and security leaders should take the following steps:

Recognize Kernel Runtime Integrity as a core pillar of Zero Trust—not an afterthought.
Require verifiable runtime integrity as a precondition for policy enforcement across identity, access, and workload protection.
Adopt or evaluate kernel runtime integrity measurement tools that can be deployed with minimal performance overhead and maximum OS compatibility.
Ensure your Zero Trust architecture includes the ability to detect kernel compromise in real time, not just after forensic investigations.
Educate teams that trust must be rooted in verifiable system integrity, starting at the operating system’s core.

The following figure provides an updated CISA Maturity Model depiction that adds Integrity as part of the foundation to help keep this critical component top of mind. This approach shows how Integrity applies across ZT and hopefully enables more conversation with Integrity as a part of the ZT foundation.

A diagram of a building with columns

Image Source: “CISA Zero Trust Maturity Model” Version 2.0, April 2023; page 9. Modified by Scott Fuhriman

Conclusion

Zero Trust isn't just about denying access, it’s about continuously verifying trust before granting it. And that trust must start at the lowest level that controls and influences all other levels and puts us closest to the asset and data we are ultimately trying to protect.

Integrity is the foundation upon which modern trust must be built.

If your security architecture doesn’t verify the state of the kernel in real time, you’re building on sand. In a world where attackers have proven they can operate beneath the radar of traditional tools, only by protecting and measuring the core can Zero Trust truly live up to its name.

The future of trustworthy computing starts at the kernel. Let’s make sure Zero Trust does, too.