Identity-Centric Zero Trust

Tony Goulding
Many IT and security teams have moved beyond the basic question: “What is Zero Trust?”
Now they’re asking, “What is the best way to realize the goals of Zero Trust?” Even those who have been on the Zero Trust journey for years are still saying, “We implemented Zero Trust, so why are attackers still getting in?”
Identity-Centric Zero Trust isn’t an off-the-shelf technology solution you can buy and implement. Instead, it’s a model that defines your approach to cybersecurity. It’s supported by capabilities of multiple identity security technologies as well as people, policies, and workflows.
In this blog, you’ll learn best practices and solutions for making Identity-Centric Zero Trust a reality in your organization.
Network-Centric vs. Identity-Centric Zero Trust
Historically, cyber leaders have relied on perimeter-based defenses, assuming that a network's users, applications, and services were trustworthy. This approach proved inadequate as threats became more sophisticated and cloud services, remote work, and interconnected devices eroded and pushed aside the secure network perimeter.
The Zero Trust framework was developed to address this, emphasizing continuous verification of all entities, regardless of location, and built on the principle of "never trust, always verify."
A network-centric approach is a fine start ... but it can’t be the end of your Zero Trust journey
Since the advent of Zero Trust, many organizations have chosen to begin their journeys with a network-centric approach, employing software defined perimeters and micro-segmentation strategies for their IT architecture and workflows. This on-ramp to Zero Trust is a fine start to lay the groundwork for limiting access to high-risk resources, but it can’t be the end of your Zero Trust journey.
Say a malicious insider or external attacker steals admin credentials that unlock high-risk resources. Even with the most robust network segmentation in place, that threat agent would be able to impersonate an authorized user and operate freely, under the radar.
What happens if an identity is misconfigured from the start, is missing multi-factor authentication (MFA), or is accidentally granted shadow admin access that’s inappropriate for its job function? Network segmentation won’t help you limit that identity's behavior, and you won’t be able to detect the unexpected behavior that puts your organization at risk.
Identity-Centric Zero Trust ensures that both human and non-human entities, along with their access and privileges, are limited and continually protected.
Identity-Centric Zero Trust practices are designed to:
- Ensure only the right identities have access to critical resources and sensitive data, and only at the right time.
- Avoid the dangers of overprivileged identities and standing access, which are especially likely in a complex, dynamic, hybrid cloud environment.
- Interrupt the identity attack chain so that even if threat agents get through your initial defenses, their access is limited, and a cyberattack doesn’t become a cyber catastrophe.
Identity-Centric Zero Trust is the convergence of multiple disciplines
A holistic approach to Identity-Centric Zero Trust blends capabilities from several related security disciplines, and consolidates them in a coordinated strategy.
- Privileged Access Management (PAM) leverages policy-based access controls you can centrally define, manage, and track. It ensures that all identities have access only to the resources, systems, and data they need, when they need them. With PAM, privilege elevation policies grant just-in-time (JIT), just-enough privileges, meaning privileges that exist only for a limited time, under limited circumstances. PAM considers not just whether a user or machine identity can access a certain IT resource but also what they can do once inside, including changing data, executing transactions, making configuration changes, and so on. That way, when access is limited to a least privilege state, an attacker who impersonates a user or steals credentials can only get so far.
- Identity Access Management (IAM) manages access for identities to systems and apps at runtime using entitlements previously approved and provisioned.
- Identity Governance and Administration (IGA) streamlines identity management throughout the identity lifecycle, encompassing everything that happens to an identity that needs to be provisioned, tracked, and managed, such as joining the organization, moving to a different role, or leaving the organization. It also enforces access rules: for example, a user shouldn’t be able to both create a new vendor and pay that vendor.
- Governance, Risk, and Compliance (GRC) manages identity-related governance, enterprise risk management, and compliance, such as Segregation of Duties (SoD), an internal control to distribute critical functions to more than one person and avoid toxic combinations of access rights.
- Cloud Infrastructure Entitlement Management (CIEM) manages identities and access privileges within cloud environments. It enforces least privilege by providing visibility into entitlements and detecting excessive permissions. By continuously monitoring and analyzing access rights, CIEM enhances your identity security posture, reducing risks associated with over-privileged accounts and potential security breaches.
- Identity Threat Detection and Response (ITDR) detects, responds to, and prevents threats targeting your identity systems and credentials. By continuously monitoring these systems and user activity logs, ITDR enhances your identity security posture, providing visibility into potential credential misuse and abuse of privileges.
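The PAM, IGA/GRC, and CIEM bullets above each describe a control that can be expressed as a small policy check: a just-in-time grant that expires, a Segregation of Duties rule that blocks toxic combinations, and a scan for standing entitlements that nobody uses. The following is an added example written for this post; it is not Delinea's code or any part of the Delinea Platform. The identities, entitlement names, timestamps, and the 30-day idle threshold are constructed for illustration, and the only toxic combination it knows is the vendor create/pay pair mentioned in the IGA bullet.

```python
"""Toy identity policy engine: JIT elevation, SoD checks, standing-privilege review.

Constructed example, not vendor code. Time is passed in explicitly so every
decision is deterministic and can be replayed in a test or an audit.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Segregation of Duties: sets of entitlements one identity must never hold at once.
# Only the vendor create/pay pair from the post is listed; real rule sets are larger.
TOXIC_COMBINATIONS = [frozenset({"vendor:create", "vendor:pay"})]


@dataclass
class Grant:
    entitlement: str
    expires_at: Optional[datetime]          # None means standing (permanent) access
    last_used: Optional[datetime] = None    # updated on every successful authorize()


@dataclass
class Identity:
    name: str
    kind: str                               # "human" or "machine"
    grants: List[Grant] = field(default_factory=list)

    def active_entitlements(self, now: datetime) -> set:
        """Entitlements this identity can exercise right now (expired JIT grants excluded)."""
        return {g.entitlement for g in self.grants
                if g.expires_at is None or g.expires_at > now}


def request_jit_elevation(identity: Identity, entitlement: str, duration: timedelta,
                          now: datetime, approved: bool) -> Tuple[bool, str]:
    """Grant a time-boxed entitlement only if approved and no toxic combination results."""
    if not approved:
        return False, "not approved"
    would_hold = identity.active_entitlements(now) | {entitlement}
    for combo in TOXIC_COMBINATIONS:
        if combo <= would_hold:
            return False, f"SoD violation: {sorted(combo)}"
    identity.grants.append(Grant(entitlement, expires_at=now + duration))
    return True, "granted"


def authorize(identity: Identity, entitlement: str, now: datetime) -> bool:
    """Runtime access decision: a grant that has expired gives no access at all."""
    for g in identity.grants:
        if g.entitlement == entitlement and (g.expires_at is None or g.expires_at > now):
            g.last_used = now
            return True
    return False


def find_sod_violations(identities: List[Identity], now: datetime) -> List[Tuple[str, list]]:
    """GRC-style review: identities that currently hold a toxic combination."""
    findings = []
    for ident in identities:
        active = ident.active_entitlements(now)
        for combo in TOXIC_COMBINATIONS:
            if combo <= active:
                findings.append((ident.name, sorted(combo)))
    return findings


def find_standing_unused(identities: List[Identity], now: datetime,
                         idle: timedelta = timedelta(days=30)) -> List[Tuple[str, str]]:
    """CIEM-style review: standing grants never used, or idle longer than `idle`.

    These are candidates for removal or conversion to JIT; the 30-day threshold is
    an assumed value for this example.
    """
    findings = []
    for ident in identities:
        for g in ident.grants:
            if g.expires_at is None and (g.last_used is None or now - g.last_used > idle):
                findings.append((ident.name, g.entitlement))
    return findings


def demo() -> dict:
    """Walk through the three controls on constructed identities; returns the decisions."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    alice = Identity("alice", "human", [Grant("vendor:create", None, now - timedelta(days=2))])
    bob = Identity("bob", "human")
    runner = Identity("ci-runner", "machine", [Grant("s3:admin", None, None)])
    out = {}
    # SoD blocks the elevation even though it was approved and time-boxed.
    out["alice_pay"] = request_jit_elevation(alice, "vendor:pay", timedelta(hours=1), now, True)
    # Bob gets a one-hour admin grant; it works at 30 minutes and is gone at two hours.
    out["bob_grant"] = request_jit_elevation(bob, "db:admin", timedelta(hours=1), now, True)
    out["bob_30m"] = authorize(bob, "db:admin", now + timedelta(minutes=30))
    out["bob_2h"] = authorize(bob, "db:admin", now + timedelta(hours=2))
    # The machine identity's standing, never-used admin grant surfaces in the review.
    out["standing"] = find_standing_unused([alice, bob, runner], now)
    out["sod"] = find_sod_violations([alice, bob, runner], now)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of passing `now` into every function is that the access decision and the later review are both reproducible from logs, which is what lets ITDR-style monitoring compare what an identity was allowed to do at a given moment with what it actually did.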
Cybersecurity frameworks and regulatory requirements endorse Zero Trust
Zero Trust is a widely recognized cybersecurity best practice that’s endorsed by cybersecurity analysts, vendor-neutral reference architectures, compliance organizations, and regulatory frameworks.
For example, in the United States:
- NIST Cybersecurity Framework (CSF) 2.0 introduced the "Govern" function, emphasizing the integration of cybersecurity into organizational governance and risk management.
- Department of Defense (DoD) Zero Trust Strategy outlines 152 activities aimed at continuous monitoring and authentication to secure critical data, reinforcing the necessity of Zero Trust principles.
- Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model provides updated guidance across five pillars—identity, devices, networks, applications and workloads, and data—to assist agencies in transitioning to Zero Trust frameworks.
In addition to U.S. regulatory drivers, several international frameworks and directives have recently been updated to emphasize Zero Trust principles, underscoring the global shift toward more robust cybersecurity postures.
- Network and Information Security (NIS) 2 Directive mandates that organizations implement measures such as risk analysis, incident handling, and business continuity, aligning with zero trust's emphasis on continuous monitoring and verification.
- Digital Operational Resilience Act (DORA) emphasizes the need for robust access controls and continuous monitoring, which are core tenets of the Zero Trust framework.
- UK Cyber Security and Resilience Bill aims to classify data centers as critical infrastructure and enforce stringent security measures, reflecting zero trust's principles of strict access controls and continuous verification.
How does Delinea's approach to Identity-Centric Zero Trust change the game?
Delinea’s integrated identity security platform can support Identity-Centric Zero Trust with centralized management, adaptive access controls, and context-based monitoring and remediation.
Plus, because it’s a SaaS solution, Delinea supports rapid deployment, dynamic scalability, resilience, and vendor administration of the platform stack.
The Delinea Platform provides a comprehensive and robust security posture. It integrates credential vaulting, session monitoring, identity lifecycle management, access policy enforcement, access reviews, compliance reporting, access control within cloud platforms, and identity-based real-time detection and mitigation of threats.
By unifying these capabilities, Delinea enables you to manage human and non-human identities across on-premises and multi-cloud environments, reinforcing your Zero Trust strategy.
Don't gamble with identity security
Cybersecurity is a high-stakes game and attackers are stacking the deck in their favor, using AI-driven tactics and overlooked attack surfaces—like non-human identities—to tilt the odds their way. But just like in a casino, the house doesn't always have to win. By embracing modern identity security solutions, you can shift the balance, cutting down the attacker's advantage and forcing them to play a much riskier game.
The best way to beat the odds? Don't gamble with identity security—invest in it.
