
Identity and Access Management - The Cornerstone of Zero Trust

Zero Trust succeeds or fails with identity. This article explains why IAM is the load-bearing wall of modern security — from MFA, RBAC and ABAC to continuous authentication, JIT access, CIEM, identity telemetry and AI-driven policy.
Image by Tomasz Gąska from Pixabay

Why Identity is the New Perimeter


By Eckhart Mehler for CISOsCISO — a perspective on cybersecurity leadership, governance and the decisions that determine whether organizations retain control.


Digital estates no longer end at a neatly drawn network boundary. Cloud workloads spin up and down in minutes, partners plug into APIs, and employees authenticate from cafés, co-working spaces and smartphones. In this borderless topology the only reliably enforceable control plane is identity. Zero Trust therefore begins, and succeeds or fails, with the strength of an organisation’s Identity and Access Management (IAM) fabric. CISA’s updated Zero Trust Maturity Model v2.0 makes this explicit: every pillar of Zero Trust is predicated on “authoritative, continuously evaluated identity assertions.”


🛡️ From Castle-and-Moat to Identity Fabric

Traditional security models trusted anything inside the network. Zero Trust inverts that assumption: never trust, always verify. The trust broker is no longer a firewall rule but a policy decision point that weighs who (user or workload identity), what (device posture), when (temporal context) and where (network and geo signals) before granting least-privilege access. NIST SP 800-207 describes this as the identity-centric (“enhanced identity governance”) approach to Zero Trust, and its core tenets require that every request be authenticated and authorised on a per-session basis and that all communication be secured regardless of network location.


🔑 Multi-Factor Authentication: Raising the Cost of Compromise

Industry breach reports year after year cite compromised credentials as the root cause of well over half of breaches. MFA removes the single point of failure that a password represents by requiring an attacker to defeat at least two independent factors: something you know, something you have, or something you are. Modern best practice is to:

  • Prefer phishing-resistant FIDO2/WebAuthn authenticators (hardware security keys, passkeys) over OTP, SMS or push notifications, all of which can be relayed by an adversary-in-the-middle phishing kit or worn down by push-fatigue prompts.
  • Adopt adaptive MFA, elevating factors dynamically when risk signals spike (impossible travel, a jailbroken device, Tor exit-node usage).
  • Sender-constrain tokens to the client that obtained them (DPoP or mTLS-bound access tokens) so that a stolen token cannot simply be replayed, and require authenticator attestation so that only approved authenticator models can be enrolled.

Enterprises that migrate every user population, admins and B2B/B2C identities included, to MFA typically see credential-stuffing success rates fall by 90 % or more, materially raising the adversary’s cost of initial access.


🧩 Role & Attribute-Based Access: Least Privilege at Cloud Scale

MFA verifies who you are; granular authorisation decides what you may do. At hyperscale, static role hierarchies quickly ossify. Mature IAM combines Role-Based Access Control (RBAC) for coarse entitlements with Attribute-Based Access Control (ABAC) for context-rich policies (e.g., “finance analysts in Germany may access ledger micro-service only from managed macOS endpoints during CET business hours”). This composability enables:

  • Continuous alignment with business changes through declarative policies.
  • Reduction of “role explosion” by externalising conditions out of roles.
  • Fine-grained entitlements in containerised and serverless workloads, with workload identities (short-lived OAuth 2.0 client-credentials tokens or certificate-based workload identities) standing in for user identities on service-to-service calls.

The result is surgical enforcement of least privilege without the burden of manual role choreography.
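As an added worked example (not code from the article or any product), the following Python policy decision point composes the two layers described above: a small RBAC table grants coarse (resource, action) entitlements, and a list of per-resource ABAC conditions encodes the ledger-service rule quoted in the paragraph. The role names, resource names, the constructed request and its attributes are assumptions; the country attribute and device posture are treated as server-side facts from the HR system and MDM, never as client-supplied headers.

```python
"""Combined RBAC + ABAC policy decision point (PDP).

Added example (not code from the article): roles grant coarse entitlements,
attribute conditions then constrain them, and the default is deny. Role names,
resource names, the HR/MDM attributes and the sample request are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

try:  # Europe/Berlin handles CET/CEST; fall back to a fixed +01:00 if no tzdata is installed
    from zoneinfo import ZoneInfo
    CET = ZoneInfo("Europe/Berlin")
except Exception:
    CET = timezone(timedelta(hours=1), "CET")

# RBAC layer: role -> coarse (resource, action) entitlements (hypothetical names).
ROLE_ENTITLEMENTS: Dict[str, Set[Tuple[str, str]]] = {
    "finance-analyst": {("ledger-service", "read")},
    "finance-admin": {("ledger-service", "read"), ("ledger-service", "write")},
}

@dataclass(frozen=True)
class Request:
    subject: str
    roles: FrozenSet[str]
    resource: str
    action: str
    country: str          # sourced from the HR/IdP attribute store, never from the client
    device_managed: bool  # from MDM/EDR posture, not a client-asserted header
    device_os: str
    now: datetime         # timezone-aware

@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)

def rbac_permits(req: Request) -> bool:
    return any((req.resource, req.action) in ROLE_ENTITLEMENTS.get(r, set()) for r in req.roles)

def within_cet_business_hours(req: Request) -> bool:
    local = req.now.astimezone(CET)
    return local.weekday() < 5 and time(8, 0) <= local.time() < time(18, 0)

# ABAC layer: resource -> named conditions that must ALL hold on top of the RBAC grant.
ABAC_CONDITIONS: Dict[str, List[Tuple[str, Callable[[Request], bool]]]] = {
    "ledger-service": [
        ("country == DE", lambda r: r.country == "DE"),
        ("managed device", lambda r: r.device_managed),
        ("device os == macOS", lambda r: r.device_os == "macOS"),
        ("CET business hours", within_cet_business_hours),
    ],
}

def decide(req: Request) -> Decision:
    """Default deny: RBAC must grant the (resource, action) AND every ABAC condition must hold."""
    if not rbac_permits(req):
        return Decision(False, [f"no role grants {req.resource}:{req.action}"])
    failed = [name for name, pred in ABAC_CONDITIONS.get(req.resource, []) if not pred(req)]
    if failed:
        return Decision(False, [f"condition failed: {name}" for name in failed])
    return Decision(True, ["rbac grant + all attribute conditions satisfied"])

def at_utc(hour: int, day: int = 14) -> datetime:
    """Constructed timestamps in January 2025 (no DST): day 14 is a Tuesday, day 18 a Saturday."""
    return datetime(2025, 1, day, hour, 0, tzinfo=timezone.utc)

def sample_request(**overrides) -> Request:
    """Constructed sample: a finance analyst in Germany on a managed Mac at 11:00 CET on a Tuesday."""
    base = dict(subject="alice", roles=frozenset({"finance-analyst"}), resource="ledger-service",
                action="read", country="DE", device_managed=True, device_os="macOS", now=at_utc(10))
    base.update(overrides)
    return Request(**base)

if __name__ == "__main__":
    for label, req in [("in policy", sample_request()),
                       ("after hours", sample_request(now=at_utc(21))),
                       ("unmanaged device, FR", sample_request(device_managed=False, country="FR")),
                       ("analyst tries write", sample_request(action="write"))]:
        d = decide(req)
        print(f"{label:>22}: {'ALLOW' if d.allow else 'DENY '} {d.reasons}")
```

The shape to note is default deny: the RBAC check fails closed with a single reason, while every failed attribute condition is reported, so an analyst reading the deny event can see exactly which context signal refused the request.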


🔄 Continuous & Contextual Authentication: Trust That Expires by Design

Zero Trust rejects “one-and-done” login events. Instead, continuous authentication re-evaluates trust throughout the session—revoking or step-up-challenging in near real-time when telemetry changes. Methods include:

  • Short-lived session tokens (access tokens or JWTs that live for minutes, not hours) with silent refresh that is only honoured while the risk posture remains acceptable.
  • Behavioural biometrics (keystroke dynamics, pointer movement) to detect a session being driven by someone other than the user who authenticated.
  • Device-posture signals consumed server-side on every evaluation (patch level, EDR health and, where available, hardware-backed attestation), not only at login.

NIST’s 2024 NCCoE practice guide on implementing a Zero Trust Architecture (SP 1800-35) demonstrates that combining token-based authentication with real-time risk engines can cut the window available for lateral movement from hours to minutes.
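The following is an added example, not code from the article or from the NCCoE guide, sketching the session mechanics the three bullets above describe: a five-minute HMAC-signed session token bound to the device that established it is verified on every request, and a fresh read of posture and risk signals decides whether the session continues, is silently rotated, is stepped up, or is killed. The signal names, thresholds, TTLs and the signing key are hypothetical; a real deployment would use a managed signing key and a risk engine fed by the SIEM.

```python
"""Continuous session evaluation with short-lived, device-bound session tokens.

Added example (not code from the article or any vendor): every request carries
an HMAC-signed token with a five-minute lifetime; the server verifies it, reads
fresh posture and risk signals, and answers continue / refresh / step_up /
revoke / reauthenticate. Signal names, thresholds, TTLs and SECRET are hypothetical.
"""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL = 300       # seconds a session token is valid without re-evaluation
REFRESH_WINDOW = 100  # silently rotate when fewer than this many seconds remain
SECRET = b"example-only-signing-key-not-for-production"  # hypothetical key

# Constructed baseline of "nothing suspicious" signals; tests override single fields.
LOW_RISK = {"edr_alert": False, "new_country": False, "patch_age_days": 3, "anomaly_score": 0.1}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(secret: bytes, subject: str, device_id: str, now: int) -> str:
    """Mint body.signature with the originating device bound into the signed body."""
    payload = {"sub": subject, "dev": device_id, "iat": now, "exp": now + TOKEN_TTL}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

def verify_token(secret: bytes, token: str, now: int) -> Optional[dict]:
    """Return the payload only if the signature is valid (constant-time compare) and it is unexpired."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None
    if now >= payload["exp"]:
        return None
    return payload

@dataclass
class Outcome:
    action: str                  # continue | refresh | step_up | revoke | reauthenticate
    token: Optional[str] = None  # the token the client should keep using (possibly rotated)
    reason: str = ""

def evaluate(secret: bytes, token: str, device_id: str, signals: dict, now: int) -> Outcome:
    """Per-request trust re-evaluation: trust expires by design and is re-earned from live signals."""
    payload = verify_token(secret, token, now)
    if payload is None:
        return Outcome("reauthenticate", reason="token missing, tampered or expired")
    if payload["dev"] != device_id:
        return Outcome("revoke", reason="token presented from a device it was not bound to")
    if signals.get("edr_alert") or signals.get("anomaly_score", 0.0) >= 0.8:
        return Outcome("revoke", reason="EDR alert or strong behavioural anomaly: kill the session")
    if (signals.get("new_country") or signals.get("patch_age_days", 0) > 30
            or signals.get("anomaly_score", 0.0) >= 0.5):
        return Outcome("step_up", token, "context changed: require a phishing-resistant factor")
    if payload["exp"] - now < REFRESH_WINDOW:
        rotated = issue_token(secret, payload["sub"], payload["dev"], now)
        return Outcome("refresh", rotated, "low risk near expiry: silently rotated token")
    return Outcome("continue", token, "low risk: session trusted until the next check")

if __name__ == "__main__":
    t = issue_token(SECRET, "alice", "dev-1", now=1000)
    for label, dev, sig, now in [("steady state", "dev-1", LOW_RISK, 1000),
                                 ("near expiry", "dev-1", LOW_RISK, 1250),
                                 ("new country", "dev-1", dict(LOW_RISK, new_country=True), 1000),
                                 ("replayed elsewhere", "dev-2", LOW_RISK, 1000),
                                 ("EDR alert", "dev-1", dict(LOW_RISK, edr_alert=True), 1000),
                                 ("expired", "dev-1", LOW_RISK, 1300)]:
        o = evaluate(SECRET, t, dev, sig, now)
        print(f"{label:>18}: {o.action:<15} {o.reason}")
```

Two points carry the Zero Trust idea: the device binding is inside the signed payload, so a token lifted from one endpoint is revoked rather than honoured on another, and the refresh path only runs after the risk checks, so a session that has drifted into a risky state can never be silently extended.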


☁️ IAM for Remote & Cloud-Native Realities

Remote work collapses the last vestiges of perimeter defence. A June 2024 industry review found that organisations lacking IAM alignment for distributed workers experienced breach costs 43 % higher than those with adaptive identity controls. Key control imperatives are:

  1. Identity-Aware Proxies (IAP): route traffic through an authorisation gate that injects user and device context into every request, ideal for SaaS and legacy private apps.
  2. Just-in-Time (JIT) Access: issue ephemeral privileges for admins and DevOps pipelines, auto-revoked after a defined TTL.
  3. Cloud Infrastructure Entitlement Management (CIEM): continuously discover, right-size, and remediate excessive permissions across AWS, Azure, and GCP accounts.
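The added example below (not the article’s or any CIEM vendor’s code) works through items 2 and 3, and also the Standing Privilege Ratio defined in the metrics section further down: it compares constructed standing grants against constructed CloudTrail-style access events over a 90-day window, derives a right-sized policy, converts a wildcard admin into a TTL-bound JIT grant, and reports the ratio before and after. Principals, action names, the window and the events are all constructed.

```python
"""CIEM-style entitlement right-sizing and JIT elevation over constructed cloud data.

Added example (not the article's or any vendor's code): compare what each
principal is granted with what it actually used in a 90-day window, derive a
least-privilege policy, convert standing wildcard admin into JIT grants with a
TTL, and report the Standing Privilege Ratio before and after. Principals,
AWS-style action names, timestamps and log events are all constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

DAY = 86400
LOOKBACK_DAYS = 90
NOW = 100 * DAY  # constructed "current time": 100 days after epoch 0

# Constructed standing grants ("*" = always-on admin).
GRANTED: Dict[str, Set[str]] = {
    "ci-deployer":  {"s3:GetObject", "s3:PutObject", "ecs:UpdateService", "iam:PassRole", "iam:CreateUser"},
    "data-analyst": {"s3:GetObject", "athena:StartQueryExecution", "athena:GetQueryResults"},
    "ops-admin":    {"*"},
}

# Constructed CloudTrail-like events: (epoch seconds, principal, action).
EVENTS: List[Tuple[int, str, str]] = [
    (NOW - 2 * DAY,  "ci-deployer",  "s3:PutObject"),
    (NOW - 2 * DAY,  "ci-deployer",  "ecs:UpdateService"),
    (NOW - 95 * DAY, "ci-deployer",  "iam:CreateUser"),   # older than the window: treated as unused
    (NOW - 1 * DAY,  "data-analyst", "athena:StartQueryExecution"),
    (NOW - 1 * DAY,  "data-analyst", "athena:GetQueryResults"),
    (NOW - 1 * DAY,  "data-analyst", "s3:GetObject"),
    (NOW - 3 * DAY,  "ops-admin",    "ec2:RebootInstances"),
]

def is_admin(perms: Set[str]) -> bool:
    """Treat a wildcard or any IAM action as standing admin (IAM writes are a classic escalation path)."""
    return "*" in perms or any(a.startswith("iam:") for a in perms)

def used_permissions(events, now: int = NOW, lookback_days: int = LOOKBACK_DAYS) -> Dict[str, Set[str]]:
    """Actions each principal actually exercised inside the look-back window."""
    cutoff = now - lookback_days * DAY
    used: Dict[str, Set[str]] = {}
    for ts, principal, action in events:
        if ts >= cutoff:
            used.setdefault(principal, set()).add(action)
    return used

def right_size(granted: Dict[str, Set[str]], used: Dict[str, Set[str]]) -> Dict[str, dict]:
    """Per principal: keep what was exercised, remove the rest, and turn wildcard admin into JIT."""
    report = {}
    for principal, perms in granted.items():
        exercised = used.get(principal, set())
        if "*" in perms:
            report[principal] = {"keep": set(exercised), "remove": {"*"}, "convert_to_jit": True}
        else:
            report[principal] = {"keep": perms & exercised, "remove": perms - exercised, "convert_to_jit": False}
    return report

def apply_right_sizing(report: Dict[str, dict]) -> Dict[str, Set[str]]:
    return {p: set(r["keep"]) for p, r in report.items()}

def standing_privilege_ratio(standing: Dict[str, Set[str]]) -> float:
    """Share of principals holding always-on admin rights (the KPI from the metrics section)."""
    if not standing:
        return 0.0
    return sum(1 for perms in standing.values() if is_admin(perms)) / len(standing)

@dataclass
class JitGrant:
    principal: str
    permissions: Set[str]
    granted_at: int
    ttl: int  # seconds; the grant self-expires, so no manual revocation is needed

    def active(self, now: int) -> bool:
        return self.granted_at <= now < self.granted_at + self.ttl

def effective_permissions(principal: str, standing: Dict[str, Set[str]],
                          grants: List[JitGrant], now: int) -> Set[str]:
    """Standing (right-sized) permissions plus any unexpired JIT grant."""
    perms = set(standing.get(principal, set()))
    for g in grants:
        if g.principal == principal and g.active(now):
            perms |= g.permissions
    return perms

if __name__ == "__main__":
    report = right_size(GRANTED, used_permissions(EVENTS))
    for principal, r in report.items():
        print(f"{principal:>13}: keep={sorted(r['keep'])} remove={sorted(r['remove'])} jit={r['convert_to_jit']}")
    rightsized = apply_right_sizing(report)
    print("standing privilege ratio:", round(standing_privilege_ratio(GRANTED), 2),
          "->", standing_privilege_ratio(rightsized))
    grant = JitGrant("ops-admin", {"*"}, NOW, ttl=3600)
    print("ops-admin during JIT window:", effective_permissions("ops-admin", rightsized, [grant], NOW + 60))
    print("ops-admin after TTL:        ", effective_permissions("ops-admin", rightsized, [grant], NOW + 3600))
```

The point worth carrying into a real CIEM rollout is the treatment of stale high-impact rights: `iam:CreateUser` was used once, but outside the window, so it is removed alongside the never-used `iam:PassRole`; both are escalation vectors that a standing policy should not carry on a CI principal.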

🪛 Implementation Blueprint – Aligning with CISA & NIST

⚙️ Phase 1 – Baseline Hardening

  • Enforce MFA everywhere; retire legacy protocols that cannot carry modern authentication (POP3, IMAP and SMTP with basic authentication), since they let an attacker with a password bypass MFA entirely.
  • Deploy conditional access rules using device and location signals.

⚙️ Phase 2 – Policy Automation

  • Model business policies in a central Policy Decision Point; externalise from applications via OPA, XACML, or proprietary engines.
  • Integrate SIEM/SOAR to feed risk intelligence into the PDP for step-up or revoke decisions.

⚙️ Phase 3 – Continuous Validation & Feedback Loops

  • Instrument every deny and grant event; export to data lake for trend analytics.
  • Map findings to CISA Zero Trust Maturity levels to quantify progress and prioritise backlog investments.

🚦 Metrics & Telemetry: Measuring What Matters

Zero Trust outcomes must be evidenced:

  • Mean Time to Revoke (MTTRv): interval from threat detection to session kill.
  • Standing Privilege Ratio: percentage of accounts with always-on admin rights vs. JIT elevation.
  • Credential Compromise Rate: detected illegitimate authentication attempts per 10 000 logins.

Tracking these KPIs monthly provides an empirical baseline for board-level risk reporting and drives incremental improvement.


🚀 The Road Ahead: AI-Driven Identity Threat Detection & Beyond

The convergence of AI and IAM is accelerating. Gartner predicts that by 2027 over 40 % of IAM policy decisions will be autonomously generated by AI models trained on historical access patterns. Expect:

  • Identity Threat Detection & Response (ITDR) platforms that correlate identity telemetry with network and endpoint data to surface privilege escalation attempts in seconds.
  • Decentralised Identity (DID) and verifiable credentials, letting users carry portable, cryptographically signed attributes that a relying party can verify without a shared password, reducing reliance on passwords and on centrally stored password databases.
  • Passwordless by default: FIDO2 + device attestation become table stakes, relegating passwords to legacy compatibility modes.

Enterprises that invest now in robust IAM foundations will be strategically positioned to exploit these innovations without wholesale re-architecture.


💡 Five Takeaways for Security Leaders

  1. MFA is necessary but not sufficient—elevate to continuous, context-aware authentication.
  2. Authorisation granularity is your blast-radius brake; combine RBAC & ABAC to enforce dynamic least privilege.
  3. Remote/hybrid work makes IAM non-negotiable; adopt identity-aware proxies and JIT privileges to tame distributed risk.
  4. Measure identity performance—MTTRv and standing privilege ratio speak the language of business risk.
  5. Plan for AI-native IAM—building clean identity telemetry today is the prerequisite for tomorrow’s machine-generated policies.

Identity is not just the first Zero Trust pillar—it is the load-bearing wall. Fortify it, instrument it, and let every other control inherit its assurance. Your perimeter may be gone, but with robust IAM, your security posture stands stronger than ever.


Publication Note & Disclaimer
This article was originally published on LinkedIn on May 1, 2025 and may have been edited or updated for publication on this site.

It reflects my personal professional perspective and does not represent the official policy or position of my employer. Drafting and editorial refinement may have been supported by commercially available AI-assisted tools. The analysis, conclusions and final curation are entirely my own.

For information regarding image credits, copyrights, trademarks and other intellectual property rights, please refer to the Imprint.