By Allen Firouz
Zero Trust Isn’t Really Zero Trust: The AD and Local Network Dilemma
Zero Trust is the hot security framework of the moment, built on a simple premise: Trust no one, verify everything. It flips the traditional security model on its head by assuming that threats exist both inside and outside the network perimeter. To Zero Trust, everyone and everything is sus.
Sounds bulletproof, right? Well, not exactly!
Zero-Trust Principles
Zero Trust is about ensuring that every access request, whether to a system, data, or application, is verified in real-time, regardless of where the request comes from. The main principles are:
- Validate User Identity: Constantly verifying who you are.
- Least Privilege Access: Users only have access to the bare minimum they need to do their job, no more.
- Continuous Monitoring: Just because you’ve authenticated once doesn’t mean you’re in for good—each access attempt must be reevaluated.
These are the foundations of Zero Trust… and good ones at that. Yet, many organizations still run their environments on AD and local networks, which can be an Achilles’ heel to these principles.
The AD and Local Network Conundrum
Active Directory has been the cornerstone of corporate networks for years, used to manage identities and control access to resources. Unless your organization is small or new, you have AD. The problem? It’s built on a centralized model that was great when corporate networks were confined to office buildings. But now, with cloud services, remote work, and the increasing sophistication of cyberattacks, AD falls short of providing the continuous validation and least-privilege access Zero Trust requires.
Here’s what we all know but refuse to believe: AD is not really manageable. For one, you have stale Security Groups and group memberships that are rarely maintained. A user might have been added to a group years ago to work on a one-off project but was never removed. This means that when they log into the network, they often have broader access than they should. It’s a nightmare for applying least privilege.
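The stale-membership problem is easy to state and hard to see, because AD records when a member was added but not whether the membership is still exercised. The script below is an added example, not part of the original article, that flags memberships never used or idle beyond a threshold. It assumes a constructed CSV export with group, member, added and last_used columns; the last_used value is an assumption, since it has to be derived from logon or resource-access audit events rather than read from AD itself.

```python
"""Flag stale AD group memberships from a constructed membership export.

Added example, not from the original article. Assumes an export with the
columns group, member, added, last_used (ISO dates). The last_used column is
an assumption: AD does not record per-membership use, so in practice it is
built from logon / resource-access audit events.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export (not real data): two of bob's memberships are stale.
SAMPLE_EXPORT = """group,member,added,last_used
Finance-Reports,alice,2019-03-01,2024-05-10
Finance-Reports,bob,2018-11-15,2018-12-01
Project-Phoenix,bob,2017-06-01,
Project-Phoenix,carol,2023-01-20,2024-05-09
Domain Admins,dave,2016-01-01,2024-05-11
"""


def parse_export(text):
    """Parse the CSV export into dicts with real date objects (None = never used)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "group": row["group"],
            "member": row["member"],
            "added": date.fromisoformat(row["added"]),
            "last_used": date.fromisoformat(row["last_used"]) if row["last_used"] else None,
        })
    return rows


def stale_memberships(rows, today, max_idle_days=180):
    """Return sorted (group, member, reason) tuples for memberships that are
    either never exercised or idle longer than max_idle_days."""
    cutoff = today - timedelta(days=max_idle_days)
    findings = []
    for r in rows:
        if r["last_used"] is None:
            findings.append((r["group"], r["member"],
                             "never used since added %s" % r["added"].isoformat()))
        elif r["last_used"] < cutoff:
            idle = (today - r["last_used"]).days
            findings.append((r["group"], r["member"], "idle for %d days" % idle))
    return sorted(findings)


def members_with_findings(findings):
    """Collapse findings to the set of accounts that need a membership review."""
    return sorted({member for _, member, _ in findings})


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for group, member, reason in stale_memberships(rows, date(2024, 5, 12)):
        print("%-16s %-6s %s" % (group, member, reason))
```

Run against a real export, the output is a review queue, not an automatic removal list: a membership that looks idle may back a quarterly process, so the finding goes to the group owner before anything is removed.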
Traditional AD access gives users the keys to the castle. When a user logs into the network through AD, they often gain access to a wide range of resources based on group membership, some of which they might not even need. Once they’re in, there’s little control over where they go and what they can access. It’s like giving someone the keys to the castle and trusting they’ll only visit the rooms they’re supposed to.
Then, there is the lack of visibility. AD and local network security often provide limited visibility into user activity. Sure, you can track login events, but once someone is on the network, it’s hard to see where they’re going or what they’re doing without specialized tools. This lack of insight directly contradicts the Zero Trust principle of continuous monitoring.
Cloud-Native ICAM to the Rescue
For true Zero Trust, we need to ditch the traditional AD and local network setup and adopt cloud-native Identity, Credential, and Access Management (ICAM). When I say ditch, I mean to completely get rid of it, not just augment it! Cloud-native ICAM platforms operate on the principle that every access attempt—whether it’s to a cloud service, application, or piece of data—is an event that needs to be authenticated and authorized.
Dynamic Access Control: Cloud-native ICAM enables real-time verification of a user’s identity each time they request access to a resource. Rather than relying on outdated security groups, policies can be dynamically assigned based on the user’s role, context, and even risk factors like location or device.
Least Privilege, All the Time: Since cloud-native ICAM systems are designed to constantly evaluate access requests, they enforce least privilege by default. Users only get access to what they need when they need it, and their access is revoked as soon as they no longer require it.
Direct Visibility: To me, this is the big one. Administrators have a clear view of who accessed what and when – in REAL TIME. This level of visibility is crucial for spotting anomalies and enforcing compliance with Zero Trust policies.
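The three properties just listed (per-request decisions driven by role and context, time-bound grants, and an audit trail of every decision) can be shown in a few dozen lines. The following is an added example, not code from the article or from any ICAM product; the policy format, the risk signals (managed device, country, age of the last MFA) and the 30-minute grant lifetime are all assumptions chosen to illustrate the principles.

```python
"""Per-request, context-aware access decisions with time-bound grants.

Added example, not code from the article or any ICAM product. The policy
model, risk signals and grant lifetime are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Request:
    user: str
    role: str
    resource: str
    action: str
    device_managed: bool
    country: str
    mfa_age_minutes: int   # minutes since the user last completed MFA
    at: datetime


@dataclass
class Policy:
    actions: Set[str]
    roles: Set[str]
    allowed_countries: Set[str]
    require_managed_device: bool = True
    max_mfa_age_minutes: int = 60
    grant_minutes: int = 30   # an approval expires and must be re-evaluated


@dataclass
class Decision:
    allow: bool
    reason: str
    expires: Optional[datetime] = None


def evaluate(policy: Policy, req: Request) -> Decision:
    """Every request is evaluated from scratch; nothing is inherited from a login."""
    if req.action not in policy.actions:
        return Decision(False, "action not covered by policy")
    if req.role not in policy.roles:
        return Decision(False, "role not entitled")
    if policy.require_managed_device and not req.device_managed:
        return Decision(False, "unmanaged device")
    if req.country not in policy.allowed_countries:
        return Decision(False, "location not allowed")
    if req.mfa_age_minutes > policy.max_mfa_age_minutes:
        return Decision(False, "step-up authentication required")
    return Decision(True, "granted", req.at + timedelta(minutes=policy.grant_minutes))


def decide(policies: Dict[str, Policy], req: Request, audit: List[dict]) -> Decision:
    """Deny by default when no policy covers the resource; log every decision."""
    policy = policies.get(req.resource)
    decision = Decision(False, "no policy for resource") if policy is None else evaluate(policy, req)
    audit.append({"at": req.at.isoformat(), "user": req.user, "resource": req.resource,
                  "action": req.action, "allow": decision.allow, "reason": decision.reason})
    return decision


def still_valid(decision: Decision, now: datetime) -> bool:
    """A grant is only good until it expires; after that the request is re-decided."""
    return decision.allow and decision.expires is not None and now < decision.expires


# Constructed policy: one resource, read-only, two roles, managed devices only.
POLICIES = {
    "finance-reports": Policy(actions={"read"}, roles={"finance-analyst", "cfo"},
                              allowed_countries={"US", "CA"}),
}


def demo():
    """Run one compliant request and several context variations; return decisions and log."""
    audit: List[dict] = []
    t0 = datetime(2024, 5, 12, 9, 0)
    base = dict(user="alice", role="finance-analyst", resource="finance-reports",
                action="read", device_managed=True, country="US", mfa_age_minutes=10, at=t0)
    ok = decide(POLICIES, Request(**base), audit)
    results = {
        "ok": ok,
        "wrong_role": decide(POLICIES, Request(**{**base, "user": "bob", "role": "engineer"}), audit),
        "byod": decide(POLICIES, Request(**{**base, "device_managed": False}), audit),
        "stale_mfa": decide(POLICIES, Request(**{**base, "mfa_age_minutes": 90}), audit),
        "write": decide(POLICIES, Request(**{**base, "action": "write"}), audit),
        "unknown": decide(POLICIES, Request(**{**base, "resource": "hr-payroll"}), audit),
        "valid_after_10min": still_valid(ok, t0 + timedelta(minutes=10)),
        "valid_after_31min": still_valid(ok, t0 + timedelta(minutes=31)),
    }
    return results, audit


if __name__ == "__main__":
    results, audit = demo()
    for entry in audit:
        print(entry)
```

The audit list is the "direct visibility" piece: each entry says who asked for what, when, and why it was allowed or refused, so an analyst can spot a run of denials or a grant from an unexpected country without correlating separate logon and resource logs.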
The promise of Zero Trust is a great one, but as long as organizations remain tethered to Active Directory and local networks, they’re not getting the full benefits. Only by systematically removing the walled garden that AD creates and evolving to a Limitless Infrastructure Trusted Ecosystem (LITE), with ICAM established as the authoritative manager of access and with dynamic, real-time access controls and continuous monitoring, can we finally realize the Zero Trust dream.
In short: You think you have Zero Trust? Not if you still have AD!
Allen Firouz
EVP, Chief of Operations
Hekima Business Solutions