The Path to Zero Trust Starts with Identity

September 20, 2021

  • Businesses are prioritizing Zero Trust more than ever before.
  • Hybrid and distributed workforces require a seamless blend of flexibility and security.
  • The first step on the Zero Trust journey is identity.

In the past, security was built around fixed, physical networks that kept trusted individuals in and untrusted individuals out. But as companies have transformed their digital environments and enabled remote work from any device – trends that were significantly accelerated by the pandemic – security has had to evolve to treat people as the new perimeter. That’s where Zero Trust comes in.

Today, organizations are prioritizing Zero Trust security more than ever before. In fact, in 2021, almost 90% of companies are implementing or planning their Zero Trust initiatives. That’s a significant jump from the 41% who claimed they were making these efforts in 2020. Now, as organizations continue supporting a dynamic work model, they need the right systems and technologies to offer seamless flexibility alongside robust security and access policies.

A Look at the Evolution of Zero Trust

While the pandemic has certainly put more pressure on security leaders to prioritize Zero Trust, it’s not a new concept. For the past decade, security experts have been shaping and refining what Zero Trust looks like and how companies can implement it.

  • 2009: During his time at Forrester, John Kindervag introduced the term “Zero Trust,” which was based on the idea that all network traffic should be untrusted.

  • 2014: Google’s BeyondCorp model shifted access controls from the network perimeter to individuals and their devices.

  • 2017: Gartner’s CARTA framework added to Kindervag’s concept by suggesting that authentication and authorization should be exercised throughout the user experience, not just at login. Forrester has since updated its model to reflect this.

  • 2019: NIST released its Special Publication 800-207, defining what should be included in a Zero Trust architecture.

  • 2021: President Joe Biden signed an executive order on cybersecurity, putting a comprehensive focus on building security models that protect individuals in both the public and private sectors.

Today, Zero Trust continues to adapt alongside technologies and business operations. As companies work to improve their Zero Trust maturity and gain access to new tools that can support their initiatives, it’s likely the Zero Trust model will continue to evolve.

Where Zero Trust Is Going

The most recent industry Zero Trust frameworks and best practices all align on one thing: identity is the new perimeter. With users now accessing work systems from their phones on a coffee shop’s network or at home from their corporate laptop, it’s vital to ensure that everyone is who they say they are. As companies continue to build and refine their dynamic and hybrid work environments, they need an identity-centric approach to security that ensures the right people have the right level of access to the right resources, in the right context.

This can be done by implementing a Zero Trust architecture that has identity at its core – but getting this right won’t happen overnight. Achieving Zero Trust maturity takes time and requires organizations to work their way through various stages and identity-focused initiatives:

Unified Identity
Secure user identities by eliminating poor password hygiene, deploying single sign-on (SSO) and rolling out multi-factor authentication (MFA) for employees, partners and contractors. This should be supplemented by unified authentication policies that span cloud and on-premises applications.

Contextual, Secure Access
Layer in context-based access policies that analyze a user’s device, location, network and more at each access request. By deploying multiple factors across user groups, you can ensure that there are additional authentication opportunities for users in unusual contexts (e.g. signing on from a different device). These added authentication features can then be extended across resources, including APIs.

To help prevent unwanted access to sensitive resources, automated provisioning and deprovisioning ensure that a user only has access to the tools they need to do their work, and nothing more.

Adaptive Workforce
Extend the reach of authentication and authorization beyond the front gate. This means deploying contextual, risk-based assessments that track users throughout their interactions with the company’s systems and proactively identifying potential threats. In practice, companies can deploy a risk engine that allows IT or security teams to set policies based on risk tolerance and scores each access request against it.

At full Zero Trust maturity, trust is no longer assumed. Instead, risk is continuously monitored and users may be asked to reauthenticate should an aspect of their context change.
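
The contextual access and risk-engine stages described above can be sketched as a small policy evaluator. This is an added example, not code from the original article or from any vendor product; the signal names, weights, thresholds and sample contexts are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical signal weights; a production risk engine would tune these.
WEIGHTS = {"unmanaged_device": 30, "new_device": 25, "new_country": 25,
           "untrusted_network": 15, "sensitive_resource": 20}

@dataclass(frozen=True)
class Context:
    device_id: str
    managed: bool
    country: str
    network: str  # "corporate", "home" or "public"

@dataclass(frozen=True)
class Policy:  # thresholds express the organization's risk tolerance
    step_up_at: int = 30  # at or above: ask for an additional factor
    deny_at: int = 70     # at or above: refuse the request

def risk_score(profile: dict, ctx: Context, sensitive: bool) -> int:
    """Sum the weights of every risk signal present in this request."""
    signals = {
        "unmanaged_device": not ctx.managed,
        "new_device": ctx.device_id not in profile["known_devices"],
        "new_country": ctx.country not in profile["usual_countries"],
        "untrusted_network": ctx.network == "public",
        "sensitive_resource": sensitive,
    }
    return sum(WEIGHTS[name] for name, present in signals.items() if present)

def decide(profile, ctx, sensitive=False, policy=Policy()) -> str:
    """Evaluate one access request: allow, step_up_mfa or deny."""
    score = risk_score(profile, ctx, sensitive)
    if score >= policy.deny_at:
        return "deny"
    return "step_up_mfa" if score >= policy.step_up_at else "allow"

def reevaluate(profile, previous, current, sensitive=False, policy=Policy()) -> str:
    """Mid-session check: an unchanged context continues, a changed one is rescored."""
    if current == previous:
        return "continue"
    return decide(profile, current, sensitive, policy)

# Constructed sample data, not taken from any real directory or log.
PROFILE = {"known_devices": {"laptop-01", "phone-77"}, "usual_countries": {"US"}}
OFFICE = Context("laptop-01", True, "US", "corporate")
CAFE_PHONE = Context("phone-77", False, "US", "public")
TRAVEL = Context("laptop-01", True, "FR", "public")

if __name__ == "__main__":
    print(decide(PROFILE, OFFICE), decide(PROFILE, CAFE_PHONE))
    print(reevaluate(PROFILE, OFFICE, TRAVEL))
```

Lowering the `Policy` thresholds models a stricter risk tolerance: the same coffee-shop request that triggers a step-up under the defaults is denied outright at `Policy(step_up_at=10, deny_at=40)`.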

Getting Started with Zero Trust

Many organizations are still at the early stages of their Zero Trust journey and don’t quite know where and how to begin – but that shouldn’t stop them. Leaders in the identity and access management, cybersecurity and privacy spaces have been working hard to develop comprehensive, easy-to-deploy solutions that integrate seamlessly with other components in a Zero Trust architecture.

Working with a trusted partner in this space will go a long way toward lowering a security solution’s total cost of ownership while also accelerating adoption. And as the workplace continues to evolve, having a reliable identity partner in your corner can only be a plus.

Amanda Rogerson
Director, Solutions Product Marketing | OKTA
Amanda Rogerson is a change agent who wants to disrupt the way you think about digital security. Having worked with organizations globally across industries in various roles throughout her career, she is mindful of the impact new security practices have across organizations. As a self-proclaimed nerd, she likes to weave pop-culture references into her discussions to make security relatable.