Security Engineering
Zero Trust Is Not a Product: Building a Mature Access Control Program
Every vendor sells 'zero trust.' Almost nobody actually practices it. Here's what a genuine zero-trust access control program looks like from the inside.

The Misconception
Walk through any security conference expo hall and you’ll find dozens of vendors claiming their product “delivers zero trust.” Firewalls, VPNs, identity providers, SaaS platforms — all slapping the same label on products that in many cases do the opposite of zero trust.
Zero trust is not a product. It is an architectural philosophy that states: no user, device, or network should be implicitly trusted based on its location relative to a defined perimeter. Every access request should be authenticated, authorized, and continuously validated against dynamic policy — regardless of where the request originates.
This matters because the concept of a “trusted internal network” has been dead for years. Remote work destroyed the perimeter. Cloud services moved workloads outside any boundary you could defend. And the most damaging breaches of the last decade didn’t involve attackers breaking through the perimeter — they involved valid credentials used from inside it.
The Five Pillars
The CISA Zero Trust Maturity Model provides a practical framework across five pillars. Understanding where your organization sits on each pillar — from Traditional to Initial to Advanced to Optimal — gives you an honest picture of your actual posture.
Identity is the foundational pillar. Before you can make an access decision, you need to know who (or what) is making the request. This means strong authentication (phishing-resistant MFA for all privileged access), centralized identity management, and lifecycle management that ensures accounts are provisioned and deprovisioned in sync with HR processes.
Devices are the second pillar. An authenticated identity on an unmanaged, compromised device is still an unacceptable risk. Device trust means knowing that the device has current patches, is running managed EDR software, has full-disk encryption enabled, and hasn’t been flagged for anomalous behavior. This state should be continuously verified, not just checked at enrollment.
Networks in a zero trust model support microsegmentation — the enforcement of access policy at the workload level rather than at the network boundary. East-west traffic between internal systems should be subject to the same scrutiny as north-south traffic from the internet.
Applications and Workloads require their own identity, separate from the infrastructure they run on. Workload identity systems (SPIFFE/SPIRE, AWS IAM Roles for Service Accounts, etc.) provide cryptographically verifiable identity to services and enable fine-grained service-to-service authorization policy.
Data is ultimately what zero trust protects. Data classification, rights management, and monitoring data access patterns are the final layer — ensuring that even if all other controls fail, sensitive data cannot be exfiltrated without detection.
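The pillars above feed one policy decision that is re-evaluated on every request, not just at login. As an added example (not code from the original article or from any product), here is a small policy decision function in Python that combines the identity signal (phishing-resistant MFA for privileged access, SMS never for sensitive applications) with the device posture signal (managed, patched, EDR running, disk encrypted, not flagged) and re-runs the decision when posture drifts mid-session; the field names and the step-up outcome are assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # session continues only after re-authentication
    DENY = "deny"

@dataclass(frozen=True)
class Identity:
    subject: str
    mfa_method: str        # "fido2", "passkey", "totp", "sms" or "none" (assumed vocabulary)
    privileged: bool = False

@dataclass(frozen=True)
class DevicePosture:
    managed: bool          # enrolled in endpoint management
    patched: bool          # current patch level
    edr_running: bool      # managed EDR agent healthy
    disk_encrypted: bool   # full-disk encryption enabled
    flagged: bool = False  # anomalous-behaviour flag raised by EDR/SIEM

    def compliant(self) -> bool:
        return (self.managed and self.patched and self.edr_running
                and self.disk_encrypted and not self.flagged)

PHISHING_RESISTANT = {"fido2", "passkey"}
ACCEPTABLE_MFA = PHISHING_RESISTANT | {"totp"}   # SMS is deliberately excluded

def decide(identity: Identity, device: DevicePosture, app_sensitive: bool,
           posture_changed: bool = False) -> Decision:
    """Policy decision for one access request; called on every request, not once."""
    if identity.mfa_method == "none":
        return Decision.DENY            # MFA everywhere, no exceptions
    if identity.privileged and identity.mfa_method not in PHISHING_RESISTANT:
        return Decision.DENY            # privileged access: hardware key or passkey only
    if app_sensitive and identity.mfa_method not in ACCEPTABLE_MFA:
        return Decision.DENY            # SMS cannot reach anything sensitive
    if app_sensitive and not device.compliant():
        return Decision.DENY            # unmanaged or non-compliant device: no sensitive apps
    if posture_changed:
        return Decision.STEP_UP         # posture drifted mid-session: re-authenticate
    return Decision.ALLOW

def reevaluate(identity: Identity, app_sensitive: bool,
               previous: DevicePosture, current: DevicePosture) -> Decision:
    """Continuous validation: re-run the decision whenever a new posture signal
    arrives, instead of trusting the check made at enrollment or login."""
    return decide(identity, current, app_sensitive, posture_changed=(previous != current))
```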
Where Organizations Actually Are
In our experience assessing enterprise security programs, most organizations are in the “Initial” tier across most pillars. They have MFA deployed (often inconsistently), some form of endpoint management, and perimeter-based network controls with limited internal segmentation.
The jump from Initial to Advanced requires genuine architectural investment, not tool purchases. It requires integrating your identity provider with your network access decisions in real time. It requires building device posture signals into your access policy. It requires instrumenting your network well enough to define what “normal” traffic looks like and alert on deviations.
Most organizations skip this investment and instead buy a product that a vendor calls “zero trust” and declare the job done. The result is a security posture that looks better on paper than it is in practice.
Practical Starting Points
If you are starting from a conventional perimeter-based model, the highest-ROI first steps are:
- Phishing-resistant MFA everywhere, starting with privileged accounts. Hardware security keys or passkeys are the gold standard. TOTP apps are acceptable. SMS is not acceptable for anything sensitive.
- Privileged Access Workstations for all administrative access. Domain admins should only ever authenticate from PAWs, never from general-purpose workstations. This single control defeats the most common lateral movement technique we observe in red team engagements.
- Conditional Access policies that incorporate device compliance. Deny access from unmanaged devices to sensitive applications. Require re-authentication when device posture changes.
- Inventory your service accounts. Most organizations have dozens of service accounts with excessive privilege, stale passwords, and no monitoring. These are among the most common targets for lateral movement.
- Measure lateral movement risk by mapping which credentials, if compromised, would give an attacker access to which resources. This “blast radius” analysis is the foundation for prioritizing segmentation investments.
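The blast radius analysis in the last step, and the effect of the PAW control from the second step, can both be worked through on a small inventory. The following Python is an added example, not code from the original article: it takes a constructed map of which credential administers which hosts and which credentials are exposed (live sessions, cached secrets) on each host, computes the transitive reach of a compromised credential, ranks credentials by that reach, and then models PAW enforcement by removing privileged sessions from non-PAW hosts. All host and account names are invented for illustration.

```python
from collections import deque

# Constructed inventory (not real hosts or accounts).
# ADMIN_ON: credential -> hosts where it holds administrative rights.
# SESSIONS_ON: host -> credentials with live sessions or cached secrets there,
# i.e. what someone who controls that host can harvest.
ADMIN_ON = {
    "domain-admin": {"DC01", "FILESRV01", "FILESRV02", "DB01", "WS-ALICE", "WS-BOB"},
    "svc-backup":   {"FILESRV01", "FILESRV02", "DB01"},
    "helpdesk-1":   {"WS-ALICE", "WS-BOB"},
}
SESSIONS_ON = {
    "WS-BOB":    {"domain-admin"},   # a domain admin logged on to a general-purpose workstation
    "FILESRV01": {"svc-backup"},
}
PRIVILEGED = {"domain-admin"}
PAW_HOSTS = {"PAW01"}   # the only hosts privileged credentials should ever touch (assumed)

def blast_radius(start_cred, admin_on=ADMIN_ON, sessions_on=SESSIONS_ON):
    """Transitive reach of one compromised credential: the hosts it administers,
    the credentials exposed on those hosts, the hosts those administer, and so on."""
    seen_creds, hosts = {start_cred}, set()
    queue = deque([start_cred])
    while queue:
        cred = queue.popleft()
        for host in admin_on.get(cred, ()):
            if host in hosts:
                continue
            hosts.add(host)
            for exposed in sessions_on.get(host, ()):
                if exposed not in seen_creds:
                    seen_creds.add(exposed)
                    queue.append(exposed)
    return hosts, seen_creds

def rank_credentials(admin_on=ADMIN_ON, sessions_on=SESSIONS_ON):
    """Credentials ordered by how many hosts their compromise ultimately reaches,
    which is the priority order for segmentation and cleanup work."""
    sizes = {c: len(blast_radius(c, admin_on, sessions_on)[0]) for c in admin_on}
    return sorted(sizes.items(), key=lambda kv: (-kv[1], kv[0]))

def enforce_paws(sessions_on=SESSIONS_ON, privileged=PRIVILEGED, paw_hosts=PAW_HOSTS):
    """Model the PAW control: privileged sessions exist only on PAWs, so they can no
    longer be harvested from ordinary workstations or servers."""
    return {h: (creds if h in paw_hosts else creds - privileged)
            for h, creds in sessions_on.items()}
```

Run `rank_credentials()` before and after `enforce_paws()` to see the low-privilege helpdesk account drop from domain-wide reach to just its two workstations.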
Zero trust is a journey, not a destination. The organizations that succeed at it are the ones that treat it as an ongoing architectural program rather than a procurement initiative.
- Identity as the new perimeter. Every access decision must be tied to a verified identity — human or machine — with continuous session validation and behavioral analytics rather than one-time authentication.
- Device trust verification. Device posture — patch level, EDR status, disk encryption state — must factor into access decisions dynamically, not just at initial enrollment or login.
- Microsegmentation. Network controls enforce least privilege at the workload level, preventing lateral movement even after credential compromise. No implicit trust, ever, based on network location.
"Zero trust is an architectural philosophy, not a product you can buy. Any vendor claiming to 'provide zero trust' in a single purchase doesn't understand the model."