Reseach Director, Cybersecurity - Industry Analyst at IDC
Vendor
2022-01-06T21:00:30Z
Jan 6, 2022
Hey like the new name.
My Zero Trust Predictions are largely more of the same. It's a desired state, but it requires other IAM prerequisites before it should be attempted or proclaimed. I've described these as a three-legged stool before:
1 Passwordless
2 Least privileged access
3 Network segmentation/proxy
Passwordless is defined many ways and getting easier. Registration and hide the password is pretty popular, but there are true PKI-based alternatives. Why do you need it? So you aren't prompting/challenging people for every single and somewhat sensitive login. Know thy users (or the clever ones will develop work-arounds).
LPA is a refinement exercise best done given rolling averages of 30-day user activity or any other available insights that tracks resource usage by ID. Those not using shouldn't have access.
Network segmentation is a final step that's not really identity-centric. I believe the reverse proxy approach (aka BeyondCorp) makes a lot of sense, but there are other methods.
More often than not, security teams have the budget to do one, maybe two of the above running more than pilot projects in any one year. Wait a few years for the remaining funding and ZTNA might become the rule rather than the exception.
Find out what your peers are saying about Presidio, ScienceSoft, Deloitte and others in Information Security and Risk Consulting Services. Updated: August 2025.
ZTNA as a Service enhances network security by granting secure access to applications based on user identity and context, replacing traditional VPNs. It offers granular access control, minimizing the risk of unauthorized entry and enhancing security postures. ZTNA as a Service redefines security by focusing on the secure access principle. Unlike VPNs, it doesn't grant broad network access but restricts application access based on user identity, device health, and location. This minimizes...
Hey like the new name.
My Zero Trust Predictions are largely more of the same. It's a desired state, but it requires other IAM prerequisites before it should be attempted or proclaimed. I've described these as a three-legged stool before:
1 Passwordless
2 Least privileged access
3 Network segmentation/proxy
Passwordless is defined many ways and getting easier. Registration and hide the password is pretty popular, but there are true PKI-based alternatives. Why do you need it? So you aren't prompting/challenging people for every single and somewhat sensitive login. Know thy users (or the clever ones will develop work-arounds).
LPA is a refinement exercise best done given rolling averages of 30-day user activity or any other available insights that tracks resource usage by ID. Those not using shouldn't have access.
Network segmentation is a final step that's not really identity-centric. I believe the reverse proxy approach (aka BeyondCorp) makes a lot of sense, but there are other methods.
More often than not, security teams have the budget to do one, maybe two of the above running more than pilot projects in any one year. Wait a few years for the remaining funding and ZTNA might become the rule rather than the exception.