Reseach Director, Cybersecurity - Industry Analyst at IDC
Vendor
Jan 6, 2022
Hey like the new name.
My Zero Trust Predictions are largely more of the same. It's a desired state, but it requires other IAM prerequisites before it should be attempted or proclaimed. I've described these as a three-legged stool before:
1 Passwordless
2 Least privileged access
3 Network segmentation/proxy
Passwordless is defined many ways and getting easier. Registration and hide the password is pretty popular, but there are true PKI-based alternatives. Why do you need it? So you aren't prompting/challenging people for every single and somewhat sensitive login. Know thy users (or the clever ones will develop work-arounds).
LPA is a refinement exercise best done given rolling averages of 30-day user activity or any other available insights that tracks resource usage by ID. Those not using shouldn't have access.
Network segmentation is a final step that's not really identity-centric. I believe the reverse proxy approach (aka BeyondCorp) makes a lot of sense, but there are other methods.
More often than not, security teams have the budget to do one, maybe two of the above running more than pilot projects in any one year. Wait a few years for the remaining funding and ZTNA might become the rule rather than the exception.
Find out what your peers are saying about Presidio, Deloitte, Accenture and others in Information Security and Risk Consulting Services. Updated: April 2026.
Access Management is a crucial component in safeguarding digital environments, ensuring that only authorized users can access critical resources. It facilitates secure access provisioning, reducing vulnerabilities and enhancing operational efficiency.Access Management solutions provide comprehensive tools to manage user identities and access rights within an organization. These tools support multifactor authentication, single sign-on, and policy-based access controls. Companies utilize these...
Hey like the new name.
My Zero Trust Predictions are largely more of the same. It's a desired state, but it requires other IAM prerequisites before it should be attempted or proclaimed. I've described these as a three-legged stool before:
1 Passwordless
2 Least privileged access
3 Network segmentation/proxy
Passwordless is defined many ways and getting easier. Registration and hide the password is pretty popular, but there are true PKI-based alternatives. Why do you need it? So you aren't prompting/challenging people for every single and somewhat sensitive login. Know thy users (or the clever ones will develop work-arounds).
LPA is a refinement exercise best done given rolling averages of 30-day user activity or any other available insights that tracks resource usage by ID. Those not using shouldn't have access.
Network segmentation is a final step that's not really identity-centric. I believe the reverse proxy approach (aka BeyondCorp) makes a lot of sense, but there are other methods.
More often than not, security teams have the budget to do one, maybe two of the above running more than pilot projects in any one year. Wait a few years for the remaining funding and ZTNA might become the rule rather than the exception.