What’s Next for Zero Trust?


The days of explaining Zero Trust (or scoffing at it as just a buzzword) are pretty much done. We’ve reached critical mass where Zero Trust is accepted as a superior security architecture for the world outside the corporate network. Furthermore, barriers to adoption are melting away as technology vendors offer a wide range of solutions to solve problems in the space. So where do we go from here?

Where Are We Today?

A study done by Okta (my and my co-founder Paul Querna’s alma mater), found 275% year-over-year growth in the number of North American organizations that have or plan to have a defined Zero Trust initiative on the books in the next 12-18 months. In a similar report by Forrester, commissioned by Cloudflare, 82% of respondents said their organization is committed to migrating to a Zero Trust security architecture.

Security solutions of the past assumed locked-down environments with lots of restrictions. This meant visibility was the mode of operation— make sure you have access to all logs and then parse through that data to determine if something looks suspicious or anomalous. This was followed by heavy-handed operational changes to environments that made it harder to get work done.

The Zero Trust approach, on the other hand, is about shifting to prevention controls. Overwhelmingly, the teams I’ve talked with view Zero Trust as a way to improve security by incorporating it into everyday experience—it’s about operational risk management. Adaptive MFA is a good example of this—when an employee tries to log in to Gmail from a different country, access isn’t necessarily automatically denied. Instead, they might be asked to re-authenticate or use a stronger credential.

The Zero Trust Stack

Certainly there are different interpretations of the Zero Trust stack (every vendor would be happy to give you a reference architecture), but my simplified model is:

  1. Strongly authenticated users and devices (with continuous security evaluation)
  2. Brokered access to resources
  3. Right amount of access (with the shortest amount of time necessary)

There are a host of solutions out there to help you with 1 and 2. Lot’s of access brokers across SSO, VPNs, databases, etc. Name the resource, and there’s a credentialing product out there to give you a federation experience into it. This is the space Duo, Okta, OneLogin, HashiCorp, Tailscale, and others play in.

Least Privilege and Just-in-Time Access Is the Next Piece of the Zero Trust Journey

We believe least privilege access is the next big rock to move in Zero Trust. This is #3 on my simplified list above (“the right amount of access, for the shortest amount of time to do the job”).

Least privilege access has long been understood as a key tenant in Zero Trust, but it’s been hard for vendors to deliver. It’s at the convergence of the traditional IGA and PAM categories, but with new approaches needed given the shift in security architecture and the proliferation of cloud.

For example, privilege access management (PAM) as a category has traditionally been focused on credentials. Requesting access to sensitive, on-prem resources meant checking out the password to a server from a vault, like it was a library book. But for today’s cloud apps and infrastructure, the difference between a privileged user and a user is just “privilege.” It’s no longer about credentials. For IT teams thinking about access to critical infrastructure or customer data, they want that access to be authorized, and also attenuated if it’s no longer needed after it’s been used.

In the cloud, privilege now just comes in the form of permissions. In turn, privileged access is really just about the permission lifecycle. And managing permissions, in the face of increasing cloud apps usage and growing number of users, is really hard. People are waiting too long to get the access they need, they end up over-permissioned, and too often they’re provisioned with access for way longer than they need it.

So what does ConductorOne need to get right to finally make least privilege happen for the enterprise? Here’s my take:

  • We’ll make it seamless and painless to manage permissions on identities.
  • We’ll make integrations into your environment super easy.
  • We’ll create a delightful user experience for everyone involved (tons of people have a stake in this i.e. IT, security, employees, and individual system owners within an org).
  • We’ll make birthright and static long standing permissions a pattern of the past.

This is the problem we created ConductorOne to solve. We’re really excited to help companies on their Zero Trust journey by automating identity and permission management in the cloud. If this is something that sounds like your company needs help with, email us so we can chat.