In the early 2000s, the move away from local networks and enterprise-controlled devices to remote and cloud-based business systems demanded a new approach to network security. The concept of zero trust—which assumes that all users, devices, and systems, whether inside or outside of a local or cloud network, are potentially compromised—emerged as the firewalls and network-based access model of the previous era proved to be ill-suited to protecting and enabling new ways of working.
The idea of zero trust existed in nascent form as early as the late 1990s, but it was between 2010 and 2015 that the cybersecurity community started to really explore its potential in response to emerging cyber threats. When Google suffered a network breach in 2009, the company began moving to a zero trust architecture, and other organizations took notice. Over the next five years, zero trust gained traction, becoming a hot-topic strategy advocated for at board meetings. Solutions came onto the market to help companies put zero trust strategies into practice. In 2018, NIST published the first edition of its Zero Trust Architecture, cementing zero trust as a buzzworthy concept worthy of everyone’s attention.
And then the pandemic hit. All of a sudden, everyone was scrambling to secure remote workforces, grappling with how to handle home offices and personal devices. The pandemic permanently changed the way we work and, as a result, turbo-charged industry adoption of zero trust—it became a baseline security strategy seemingly overnight.
We’re now firmly in the era of zero trust: there are mature products in the market, a lot of technical understanding and approaches, and multiple definitions of pillars. The ubiquity of the model is proof of its effectiveness—and also why its effectiveness is starting to wane. Security approaches that work well will always have a shelf life, and zero trust is no different. Just as we had clues back in 2010 that novel threats would demand new security models, we’re seeing clues now that zero trust, while necessary, is not sufficient to keep our workforces secure.
The mounting evidence that zero trust isn’t enough
It’s not that zero trust doesn’t work. It does—really well. Organizations that put strong zero trust practices in place—like multi-factor authentication or passkeys, least privilege access controls, and regular user access reviews—do a bang-up job of protecting their virtual front doors and limiting access to sensitive resources.
But attackers are smart and relentless. They are now stealing (or purchasing stolen) session cookies and tokens and using them to pose as employees to authenticate to systems. Or they’re tricking employees with relatively crude social engineering attacks like phishing and pretexting (targeting users via existing email chains and context) into giving away sensitive information and access. Identity is vulnerable, and attackers are exploiting it.
IBM’s just-released Cost of Data Breach Report 2024 found that compromised credentials and phishing attacks were the top two initial attack vectors and root causes of breaches in the past year, together accounting for 31% of the breaches studied.
The report also found that breaches involving stolen credentials or social engineering–based exploitation of employee access took the longest to identify and contain (anywhere from 257–292 days)—and were among the most expensive.
It’s no surprise that phishing is a top breach tactic. Verizon’s 2024 Data Breach Investigations Report cites that, on average, it takes users less than 60 seconds to fall for phishing emails. And the sophistication of these attacks is swiftly improving with the help of AI. Soon, even the most skeptical, well-trained employees may find it nearly impossible to distinguish social engineering emails, texts, and phone calls from the real thing.
Credential stealing is also getting more sophisticated—and more subtle. Working in attackers’ favor is the fact that locking down employee devices to protect them from compromise creates too much of a productivity hit to be good for business—and with increasingly blurred boundaries between personal and business devices, it’s also unrealistic. At ConductorOne, our developers use Chromebooks and go through extra authentication steps to interact with our production environment. But this level of device control is only worth the efficiency tradeoff for the most sensitive access.
A just-published Wired article details how attackers are using infostealer malware to exploit this situation by harvesting huge amounts of stolen user data like passwords, cookies, browser history, and more—which is then combed through to find especially valuable credentials: “Infostealers have been especially effective with the rise of remote work and hybrid work, as companies adapt to allowing employees to access work services from personal devices and personal accounts from work devices.”
All of which adds up to a new era in which “trust itself is under attack,” as Ian Glazer—identity security veteran and founder of Weave Identity—noted in a recent episode of the All Aboard podcast. Zero trust as practiced today still involves some level of trust—trust that employees accessing systems are actually employees, for example. In this newly emerging era, even that level of trust is a risk.
From zero trust to zero standing privileges
It’s hard to predict what next-era tactics will be effective, but right now, the most promising contenders are those that help companies move to zero standing privileges (ZSP). Because if we assume that the identity of any user in our system is potentially suspect, then no user should have privileges on an ongoing basis. And with new technology and approaches, moving to ZSP is now a viable strategy. Here are some of the ZSP-related tactics that could become the pillars of the next era:
Just-in-time (JIT) access: Even in the early days of zero trust, we got clues about the need for more dynamic access policies and time-based access. But it can be a tough challenge to determine which access should be granted on a need-only, time-bound basis, and without granular access control and robust automation, efficient just-in-time (JIT) access is difficult to implement.
However, modern access control platforms now provide the technology to make enabling JIT access simple and efficient, and it’s clear that enforcing JIT access is key to lowering standing privileges and reducing a company’s blast radius. A 2023 phishing attack on Reddit is just one example of how effective limiting access can be at mitigating breach risk.
Multiparty authorization: Otherwise known as the “it takes two people to launch a nuke” approach to access control, multiparty authorization is a security strategy that, like JIT access, once felt hard to do. But with the help of modern access control platforms that can provide automation and AI-driven approval context, it should become an easy-to-implement gold standard. Multiparty authorization is a particularly useful defense against phishing attacks—if one user falls victim, others stand in the way of that user’s access or authority being exploited.
Multiparty workflows are already baked into the developer side of businesses—pull requests require two humans to agree that code is good. It only makes sense that this workflow should become integral to more parts of the business. Some ConductorOne customers, like Spotnana, are already employing this model for sensitive access, using our platform to set up self-managed groups that democratize—and secure—access control by requiring access decisions to be made by the group.
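To make the JIT access and multiparty authorization tactics concrete, here is an added example (not ConductorOne's code, nor any product's) that models a grant which is time-bound and needs two distinct approvers before it exists at all. The names AccessRequest, has_access, the two-approver default, the one-hour TTL and the sample users are assumptions made for this illustration.

```python
"""Just-in-time, multiparty-approved access grants (illustrative model).

Added example, not ConductorOne's or any vendor's code. A user holds no
standing privilege; access exists only while an approved, time-bound grant
is live. AccessRequest, its methods, the two-approver rule and the sample
names are assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set


@dataclass
class AccessRequest:
    requester: str
    entitlement: str                 # e.g. "prod-db:admin" (constructed name)
    ttl: timedelta                   # lifetime once activated
    required_approvals: int = 2      # multiparty: at least two humans agree
    approvals: Set[str] = field(default_factory=set)
    activated_at: Optional[datetime] = None

    def approve(self, approver: str, now: datetime) -> bool:
        """Record an approval; return True once the grant is active.

        The requester can never approve their own request, so a single
        phished account cannot unlock its own privileged access.
        """
        if approver == self.requester:
            raise PermissionError("requester cannot approve own request")
        if self.activated_at is None:
            self.approvals.add(approver)          # set: repeat approvals don't count twice
            if len(self.approvals) >= self.required_approvals:
                self.activated_at = now
        return self.activated_at is not None

    def is_active(self, now: datetime) -> bool:
        """Active only after enough distinct approvals and before TTL expiry."""
        return self.activated_at is not None and now < self.activated_at + self.ttl


def has_access(requests: List[AccessRequest], user: str,
               entitlement: str, now: datetime) -> bool:
    """Authorization decision: there are no standing grants; only a live JIT grant counts."""
    return any(
        r.requester == user and r.entitlement == entitlement and r.is_active(now)
        for r in requests
    )


def demo_timeline() -> List[bool]:
    """Walk one grant through its lifecycle; returns the access decisions over time."""
    t0 = datetime(2024, 7, 1, 9, 0, tzinfo=timezone.utc)
    req = AccessRequest("alice", "prod-db:admin", ttl=timedelta(hours=1))
    grants = [req]
    results = []
    # Nothing approved yet: denied.
    results.append(has_access(grants, "alice", "prod-db:admin", t0))
    # One of two approvals: still denied.
    req.approve("bob", t0 + timedelta(minutes=5))
    results.append(has_access(grants, "alice", "prod-db:admin", t0 + timedelta(minutes=5)))
    # Second distinct approver activates the grant at t0+10m: allowed.
    req.approve("carol", t0 + timedelta(minutes=10))
    results.append(has_access(grants, "alice", "prod-db:admin", t0 + timedelta(minutes=11)))
    # TTL of one hour has elapsed (t0+70m): denied again, with no revocation step needed.
    results.append(has_access(grants, "alice", "prod-db:admin", t0 + timedelta(minutes=71)))
    return results


def self_approval_blocked() -> bool:
    """A requester approving their own request is rejected outright."""
    req = AccessRequest("alice", "prod-db:admin", ttl=timedelta(hours=1))
    try:
        req.approve("alice", datetime(2024, 7, 1, tzinfo=timezone.utc))
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(demo_timeline())            # [False, False, True, False]
    print(self_approval_blocked())    # True
```

The point of the model is the shape of the decision: expiry is a property of the grant, so nothing has to remember to revoke it, and a single compromised identity (the requester's) cannot produce an active grant on its own.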
Continuous assessment of usage: Being able to understand—in real time and on an ongoing basis—how and when privileged access is used solves the issue of determining what privileges can be moved to time-based access. Ideally, even seemingly low-risk access should be moved to a just-in-time model if doing so doesn’t significantly hinder productivity. Assessing usage patterns also helps identify usage anomalies, which may indicate a breach, when they occur.
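The usage assessment described above can be run over ordinary access events. The following is an added example (not ConductorOne's code) that reads constructed JSON-lines events, compares them against a constructed set of standing grants, and reports two things: standing privileges that have gone unused for 30 days (candidates to convert to just-in-time access) and a dormant privilege that is suddenly used again (an anomaly worth a look). The log format, field names, the 30-day threshold and the sample users are assumptions.

```python
"""Continuous assessment of privileged-access usage (illustrative).

Added example, not ConductorOne's code. Field names ("ts", "user",
"entitlement"), the JSON-lines format, the 30-day dormancy threshold and
all sample data are constructed for this example.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

Grant = Tuple[str, str]  # (user, entitlement)

# Constructed standing grants: privileges users hold on an ongoing basis.
STANDING_GRANTS = {
    ("alice", "prod-db:admin"),
    ("alice", "billing:read"),
    ("bob", "prod-db:admin"),
    ("bob", "k8s:cluster-admin"),
}

# Constructed sample events (one JSON object per privileged action); not real logs.
SAMPLE_LOG = """\
{"ts": "2024-04-01T01:05:00Z", "user": "alice", "entitlement": "billing:read"}
{"ts": "2024-05-15T16:40:00Z", "user": "bob", "entitlement": "prod-db:admin"}
{"ts": "2024-06-25T02:13:00Z", "user": "alice", "entitlement": "billing:read"}
{"ts": "2024-06-28T09:12:00Z", "user": "alice", "entitlement": "prod-db:admin"}
{"ts": "2024-06-29T11:30:00Z", "user": "alice", "entitlement": "prod-db:admin"}
"""

NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)   # assessment time (assumed)
DORMANT_AFTER = timedelta(days=30)                # assumed policy threshold


def parse_events(text: str) -> List[dict]:
    """Parse JSON lines into dicts with an aware datetime in "ts"."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        # fromisoformat only accepts a trailing "Z" from Python 3.11; normalise it.
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def assess(grants, events, now, dormant_after=DORMANT_AFTER):
    """Return JIT-conversion candidates and dormant-then-used anomalies."""
    last_use: Dict[Grant, datetime] = {}
    anomalies: List[Tuple[str, str, int]] = []   # (user, entitlement, gap in days)
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["entitlement"])
        prev = last_use.get(key)
        # A privilege idle longer than the threshold that springs back to life
        # is exactly the pattern a stolen session or credential would produce.
        if prev is not None and ev["ts"] - prev > dormant_after:
            anomalies.append((key[0], key[1], (ev["ts"] - prev).days))
        last_use[key] = ev["ts"]
    # Standing grants never used, or not used within the window, are the
    # first ones to move to time-bound access.
    jit_candidates = sorted(
        g for g in grants
        if g not in last_use or now - last_use[g] > dormant_after
    )
    return {"jit_candidates": jit_candidates, "anomalies": anomalies}


def assess_sample():
    """Run the assessment over the constructed grants and log."""
    return assess(STANDING_GRANTS, parse_events(SAMPLE_LOG), NOW)


if __name__ == "__main__":
    report = assess_sample()
    for user, ent in report["jit_candidates"]:
        print(f"JIT candidate: {user} / {ent}")
    for user, ent, gap in report["anomalies"]:
        print(f"anomaly: {user} used {ent} after {gap} days dormant")
```

On the sample data, bob's two grants come out as JIT candidates (one never used, one last used 47 days ago), while alice's billing:read is not a candidate but is flagged, because it lay idle for 85 days and then was used at 02:13 UTC. Both findings are only the start of a conversation with the owners of those privileges; the value of running this continuously is that the conversation happens before, not after, a breach report.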
Automation: Cloud computing not only changed the way we approach network security but also exploded the number and types of accounts companies now manage. Access control is no longer a human-scale problem—so automation is crucial for staying secure. And as noted above, it’s a key component powering next-era tactics like just-in-time access and multiparty authorization. Previously considered to be necessary only for large, mature enterprises, identity security process automation will be critical for companies of every size and maturity stage going forward.
AI agents: Of course we have to address the AI in the room. To extrapolate what we’ve learned from the zero trust journey, in five or ten years it’s inevitable that we’ll have developed AI models that can tell us what users should have access to. AI agents, while presenting security challenges of their own, already show a lot of promise in this direction.
While it’s unclear which of these—or other—solutions will best secure identity (and open the door to the next attack vector…) in the coming years, right now a zero standing privileges approach seems to hold the most promise, and is gaining momentum—93% of respondents to ConductorOne’s 2024 Identity Security Outlook Report said they believe zero standing privileges is effective at reducing access risks. Wherever we end up, what is clear are the signs pointing us beyond zero trust and into the next security era.
Interested in learning how ConductorOne can help your company move to zero standing privileges? Talk to our team or check out our self-guided tour.