Today’s organisations face a security environment that is more dispersed and complex, with cloud services, flexible work setups, and advanced threats. Zero Trust has become a common term in the security world, designed to mitigate the risks of a breach and limit the damage if one occurs.
The Zero Trust Architecture (ZTA) enforces the rule of ‘never trust, always verify’. It changes an organisation’s security posture by assuming that threats exist both inside and outside the network perimeter, and it applies to both information and physical security. Ideally, ZTA converges the two into a single security policy, requiring that every access request be continuously authenticated and authorised, regardless of its origin or role.

Armand Kruger, head of cybersecurity at NEC XON, explains, “Zero Trust is a security model built on the assumption that compromise may already exist. No user, device, workload, or connection is trusted by default. Instead, access is granted only after continuous verification, regardless of whether the request originates inside or outside the network.”
“The core principle of security is to safeguard corporate assets and ensure that access is granted strictly based on role requirements,” adds Ian Oelofse, CASA Software pre-sales solution architect. “Individuals and systems should only have the permissions necessary to perform their duties. These assets encompass people, applications, services, data, and other critical resources.
“Zero Trust is an architecture that can support modern-day cybersecurity requirements and is based on ‘never trust, always verify’. Older technologies assume internal traffic is safe; Zero Trust treats every user, device, and application as untrusted until verified, regardless of location or network.”

Oelofse continues that the Principle of Least Privilege (PoLP) specifically addresses access control within that broader framework. It ensures that users, processes, and systems only have the minimum permissions necessary to perform their tasks, reducing the attack surface and limiting potential damage from breaches.
Modern environments are no longer confined within a secure perimeter, and users access corporate assets from virtually anywhere. This shift makes traditional ring-fenced security models inadequate. Zero Trust addresses this challenge by enforcing continuous verification and eliminating implicit trust, while PoLP ensures that users and systems only receive the minimum access necessary to perform their roles.
What does ‘continuous verification’ mean?
Kruger defines continuous verification as meaning that trust is never granted once and assumed indefinitely. “Users, devices, and sessions are constantly re-evaluated based on risk, allowing access to be restricted or revoked the moment behaviour, identity, or device posture changes. This is precisely where attackers typically operate after initial access.”
Zero Trust can coexist with traditional perimeter security, he notes, but only if the perimeter is treated as a risk-reduction layer rather than a trust boundary. Firewalls and gateways help block commodity attacks and reduce noise, while Zero Trust controls access within the environment and limits blast radius when the perimeter is inevitably bypassed.
Oelofse agrees, stating, “Zero Trust is about continuous verification; it is not static. It evaluates access dynamically based on identity, device and integrity, location, behaviour and risk, and is ongoing rather than one-time authorisation. While Zero Trust can coexist with legacy ‘castle-and-moat’ defences, it shifts the focus from perimeter security to micro-perimeters around applications and data.”
Endless MFA prompts?
When considering the verification challenges in everyday work, some may believe that continuous verification means being required to enter a password or MFA (multi-factor authentication) code every few minutes. Thankfully, this is not the case.
In practice, Oelofse says continuous verification does not mean constant MFA prompts. Instead, it should be “adaptive authentication, contextual access, and behavioural analytics to maintain security without disrupting productivity. For IoT and autonomous devices, Zero Trust relies on device identity certificates, secure boot processes, firmware validation, and network segmentation to prevent lateral movement.”
In practice, Kruger states that Zero Trust avoids excessive password requirements and MFA prompts by relying on contextual, low-friction verification rather than constant user interruptions. Identity, device health, location, behaviour, and workload risk are assessed continuously in the background, with step-up authentication triggered only when risk meaningfully changes. ‘Verify explicitly’ means that every access decision is based on known, measurable signals at that moment, not on network location, IP reputation, or past authentication, and is enforced per session and per resource.
“For IoT, OT, and edge devices that cannot support passwords or MFA, Zero Trust applies non-human identity principles,” Kruger adds. “These include cryptographic device identity, firmware integrity checks, behavioural baselining, strict least-privilege communication paths, and continuous anomaly detection. Compromised devices are automatically isolated, rather than simply trusted because they are connected to the network.”
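The “step-up only when risk meaningfully changes” behaviour described above is easier to see in code than in prose. The following is an added example, not code from the article or from either vendor: a hypothetical policy engine that re-evaluates a session on every request, scores the signals both interviewees list (device posture, device identity, location, behaviour, age of the last strong authentication, sensitivity of the resource) and prompts for MFA only when the risk tier rises above what the last MFA already covered, or when that authentication is too old for the resource. The signal fields, weights and thresholds are illustrative assumptions.

```python
"""Risk-based continuous verification of a single session.

Added example, not from the article or either vendor. It assumes a
hypothetical policy engine that re-evaluates measurable signals on every
request, scores them, and asks for step-up MFA only when the risk tier
rises above what the last MFA already covered, or when the last strong
authentication is too old for the resource. Weights and thresholds are
illustrative assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"      # silent: no user interruption
    STEP_UP = "step_up"  # prompt for MFA now, then continue
    REVOKE = "revoke"    # terminate the session immediately


@dataclass(frozen=True)
class Signals:
    """What is measurable at the moment of the request (all fields assumed)."""
    device_compliant: bool         # EDR healthy, disk encrypted, patched
    device_cert_valid: bool        # device/workload identity still valid
    country: str                   # geolocation of the source address
    anomaly_score: float           # 0.0 normal .. 1.0 very unusual (from UEBA)
    hours_since_strong_auth: float
    resource_sensitivity: int      # 1 low .. 3 crown jewels


# Maximum age of the last strong (MFA) authentication per sensitivity level.
MAX_AUTH_AGE_HOURS = {1: 24.0, 2: 8.0, 3: 1.0}


def auth_is_stale(s: Signals) -> bool:
    return s.hours_since_strong_auth > MAX_AUTH_AGE_HOURS[s.resource_sensitivity]


def risk_score(s: Signals, home_countries: frozenset) -> int:
    """Additive score over the signals; the weights are an assumption."""
    score = 0
    if s.country not in home_countries:
        score += 40                         # unfamiliar geography
    score += int(50 * s.anomaly_score)      # behavioural drift from baseline
    if auth_is_stale(s):
        score += 30                         # identity proof is old for this resource
    return score


def risk_tier(score: int) -> int:
    """0 = low, 1 = medium, 2 = high."""
    return 0 if score < 30 else 1 if score < 60 else 2


class Session:
    """Per-session state, so that unchanged risk is never re-prompted."""

    def __init__(self, home_countries):
        self.home_countries = frozenset(home_countries)
        self.last_tier = 0
        self.verified_tier = 0   # highest tier already covered by an MFA
        self.revoked = False

    def evaluate(self, s: Signals) -> Decision:
        if self.revoked:
            return Decision.REVOKE
        # Posture or identity can no longer be verified: revoke, do not prompt.
        if not s.device_compliant or not s.device_cert_valid:
            self.revoked = True
            return Decision.REVOKE
        tier = risk_tier(risk_score(s, self.home_countries))
        self.last_tier = tier
        # Risk has fallen: lower the bar so that a later rise prompts again.
        if tier < self.verified_tier:
            self.verified_tier = tier
        if auth_is_stale(s) or tier > self.verified_tier:
            return Decision.STEP_UP
        return Decision.ALLOW

    def strong_auth_completed(self) -> None:
        """Call after a successful MFA: the current tier is now covered."""
        self.verified_tier = self.last_tier


if __name__ == "__main__":
    sess = Session(["ZA"])
    steps = [
        ("home office, routine", Signals(True, True, "ZA", 0.1, 0.5, 2)),
        ("same request again", Signals(True, True, "ZA", 0.1, 0.6, 2)),
        ("now abroad", Signals(True, True, "DE", 0.1, 0.7, 2)),
    ]
    for label, sig in steps:
        print(f"{label:<22} -> {sess.evaluate(sig).value}")
    sess.strong_auth_completed()
    after = sess.evaluate(Signals(True, True, "DE", 0.1, 0.0, 2))
    print(f"{'abroad after MFA':<22} -> {after.value}")
    broken = sess.evaluate(Signals(False, True, "DE", 0.1, 0.0, 2))
    print(f"{'device fails posture':<22} -> {broken.value}")
```

The two design points worth noting: a failed posture or identity check revokes rather than prompts (a prompt would only hand a compromised device a chance to pass), and `verified_tier` is the hysteresis that stops the user being asked again for a risk level they have already proven, while still re-prompting if risk drops and later rises again.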
Assume you are breached
Depending on whose research you are reading, detecting a breach of your company and its data can take days or months. If you are hit with ransomware, on the other hand, you know very quickly. However, even ransomware criminals now take their time, exfiltrating data before they encrypt it and demand payment. This lets them extort a company twice: once for the decryption key, and again for a promise not to publish the data they stole.
ZTA assumes the company is already breached. “Adopting an ‘assume breach’ mindset means designing infrastructure on the basis that initial access has already occurred,” explains Kruger. “The environment must therefore be able to detect, contain, and limit damage automatically.
“This requires strong identity-centric controls such as a central identity authority, conditional access, least privilege, and just-in-time permissions, combined with deep visibility across endpoints, workloads, and networks. Segmentation and policy enforcement must apply everywhere, including user-to-application, workload-to-workload, and east–west traffic. Critically, access must be revocable in real time as risk changes.”
[East–west traffic is traffic between workloads inside a data centre or network segment, for example server to server; north–south traffic crosses the boundary, flowing between the data centre and clients or systems outside it. Perimeter controls see only the latter. - Ed.]
“Equally important,” he says, “are hardened backups, immutable logging, and well-tested incident-response processes.” When compromise does not immediately enable lateral movement or privilege escalation, breaches become manageable incidents rather than existential business threats.
Oelofse echoes this, noting that Zero Trust assumes breaches are inevitable. “To minimise impact, organisations should adopt micro-segmentation, enforce least privilege access, implement best-of-breed data-protection solutions, and deploy continuous monitoring with automated threat response.
“Perimeter defence alone is insufficient; visibility and control must extend across endpoints, cloud environments, and applications.”
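Kruger’s list of identity-centric controls (least privilege, just-in-time permissions, workload-to-workload segmentation, real-time revocation) can be expressed as a single policy decision. The block below is an added example, not code from the article or from either vendor. It assumes a hypothetical east–west policy store keyed on workload identity rather than IP address (SPIFFE-style URIs are used purely for illustration), where every flow is denied unless an explicit rule allows it, where a just-in-time grant carries an expiry, and where revoking an identity takes effect on the very next evaluation. The identities, rules and flows are constructed.

```python
"""Identity-based east-west policy: default deny, JIT grants, live revocation.

Added example, not from the article or either vendor. Every workload-to-
workload flow is denied unless a live, unexpired rule keyed on the
caller's and callee's identity allows it. Identities are SPIFFE-style
URIs used for illustration only; rules and flows are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """Least-privilege allow rule keyed on workload identity, not address."""
    src: str                            # fnmatch pattern over the caller's identity
    dst: str                            # fnmatch pattern over the callee's identity
    port: int
    expires: Optional[datetime] = None  # None = standing rule; otherwise just-in-time


@dataclass(frozen=True)
class Flow:
    src_id: str   # identity the caller presented (e.g. from its mTLS certificate)
    dst_id: str
    port: int


class Policy:
    """Default deny; a flow passes only if a live, unexpired rule matches."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.revoked = set()   # identities revoked since the last policy push

    def revoke(self, identity: str) -> None:
        """Takes effect on the next decide(), with no policy redeploy."""
        self.revoked.add(identity)

    def grant_jit(self, src: str, dst: str, port: int,
                  now: datetime, minutes: int) -> Rule:
        """Time-boxed access, e.g. an operator's break-glass database session."""
        rule = Rule(src, dst, port, now + timedelta(minutes=minutes))
        self.rules.append(rule)
        return rule

    def decide(self, f: Flow, now: datetime) -> tuple:
        if f.src_id in self.revoked or f.dst_id in self.revoked:
            return False, "identity revoked"
        for r in self.rules:
            if r.expires is not None and now >= r.expires:
                continue   # JIT grant has lapsed: no standing access survives it
            if fnmatch(f.src_id, r.src) and fnmatch(f.dst_id, r.dst) and f.port == r.port:
                return True, f"matched {r.src} -> {r.dst}:{r.port}"
        return False, "default deny (no east-west rule)"


NS = "spiffe://corp.example/ns/prod/sa/"   # constructed identity prefix
STANDING_RULES = [
    Rule(NS + "web-*", NS + "orders-api", 8443),     # tier 1 -> tier 2 only
    Rule(NS + "orders-api", NS + "orders-db", 5432), # tier 2 -> tier 3 only
]


if __name__ == "__main__":
    now = datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc)
    policy = Policy(STANDING_RULES)
    policy.grant_jit(NS + "ops-laptop", NS + "orders-db", 5432, now, minutes=30)
    policy.revoke(NS + "web-1")   # e.g. its host failed an integrity check
    checks = [
        (Flow(NS + "web-2", NS + "orders-api", 8443), now),
        (Flow(NS + "web-2", NS + "orders-db", 5432), now),      # no web -> db path
        (Flow(NS + "web-1", NS + "orders-api", 8443), now),     # revoked caller
        (Flow(NS + "ops-laptop", NS + "orders-db", 5432), now + timedelta(minutes=10)),
        (Flow(NS + "ops-laptop", NS + "orders-db", 5432), now + timedelta(minutes=45)),
    ]
    for flow, t in checks:
        ok, why = policy.decide(flow, t)
        print(f"{flow.src_id.rsplit('/', 1)[1]:>11} -> {flow.dst_id.rsplit('/', 1)[1]}:{flow.port}"
              f"  {'ALLOW' if ok else 'DENY '}  ({why})")
```

Because the rules name identities rather than subnets, a compromised web server that lands on a different address is still confined to the one API path it was granted, and the database tier is unreachable from it even though all three workloads share the same data-centre network.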
Security is no longer something business leaders need only apply within their own companies. Oelofse says that ZTA should be extended to the supply chain by requiring strong identity verification for suppliers and partners, securing APIs, and granting least privilege access to third parties. “Continuous assessment of vendor security posture and compliance is essential to reduce risk.”
Trust is earned
Kruger expands on extending ZTA to the supply chain, “Extending Zero Trust to the supply chain means treating suppliers and customers as untrusted by default, even where contracts, approvals, or long-standing relationships exist. Access is granted based on identity, context, and risk, not assumed trust.”
In practice, he says this involves identity-first access via federated identity, strong authentication, device or workload identity, explicit least-privilege access to defined resources, and continuous verification of behaviour and posture rather than blanket VPN or network access.
“Because third parties are a common attack vector, Zero Trust focuses on isolating integrations, segmenting access per supplier, monitoring activity in real time, and revoking access immediately when risk changes. This approach enables collaboration and revenue, while preventing a third-party compromise from becoming your breach.”
Pursuing a Zero Trust Architecture
Kruger says NEC XON assists organisations in pursuing Zero Trust by starting with real-world attack paths rather than tools or buzzwords. “Our approach focuses on understanding how organisations are actually compromised, then designing controls that disrupt those breach paths.
“In practical terms, this means assessing identity, access, and lateral-movement risk first, tightening who can access what, from where, and under which conditions, and embedding continuous verification, least privilege, segmentation, and automated response into existing environments rather than replacing them wholesale.
“From a security perspective, this reduces blast radius and dwell time by making stolen credentials, compromised devices, and third-party access far less useful to attackers. From a business perspective, it translates Zero Trust into measurable outcomes: reduced breach impact, faster containment, audit-ready controls, and a pragmatic roadmap aligned to operational reality rather than theoretical ideals.”
ZTA in access control
While ZTA originated in the information security world, its applicability to physical security is equally important, as traditional IT and physical security technologies have converged. Physical security systems may even be more vulnerable because readers or cameras are perceived as less of a target for attack. These devices, however, are all IoT systems that can provide easy access to corporate networks if not adequately protected.
In other words, physical access control systems (PACS) and the other physical security systems around them must be treated as critical IT assets, with cybersecurity best practices applied and aligned with the central identity and access management platform. The goal is to enforce continuous verification for physical access points (doors, readers, devices) and expand this to all physical security devices.
ZTA-aligned PACS must continuously authenticate and authorise all devices and credentials, regardless of their network origin. This requires mutual validation protocols that verify both the user’s identity and the legitimacy of the requesting device, such as the host system, the controller, and the edge components. Access policies should also be enforced locally (at the edge) to ensure system resilience, enabling continuous access even during network disruptions without reliance on centralised control.
PACS telemetry should be integrated into broader enterprise security tools, such as Security Information and Event Management (SIEM) systems. This allows correlating physical access patterns with digital threat indicators (e.g., an unusual badge entry correlated with a suspicious network login) to support faster, more informed incident response.
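The badge-versus-login correlation suggested above is the kind of rule a SIEM engineer would write first. The following is an added example, not code from the article or from either vendor. It parses two constructed log streams (a PACS badge log and an identity-provider sign-in log, both in an assumed key=value format), joins them on the user, and applies two hypothetical rules: a successful sign-in from an office LAN with no badge entry at that site in the preceding window, and a badge entry while the same user has a recent sign-in from a country other than the site’s. The subnet and country mappings, time windows and all sample events are assumptions.

```python
"""Correlating PACS badge events with identity-provider sign-ins.

Added example, not from the article or either vendor. Two constructed log
streams are parsed and joined on the user; two hypothetical rules then
flag (a) a successful sign-in from an office LAN with no badge entry at
that site in the preceding window and (b) a badge entry while the same
user has a recent sign-in from a country other than the site's. Log
formats, subnet and country mappings and the windows are assumptions.
"""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample logs (not real data). Timestamps are UTC.
PACS_LOG = """\
2024-05-06T07:58:12Z site=JHB door=Lobby-North badge=10442 user=thandi.m result=granted
2024-05-06T08:03:40Z site=JHB door=DC-Cage badge=10442 user=thandi.m result=granted
2024-05-06T08:10:05Z site=CPT door=Lobby badge=20871 user=sipho.k result=granted
2024-05-06T08:12:30Z site=JHB door=Lobby-North badge=30555 user=bongani.n result=denied
"""

IDP_LOG = """\
2024-05-06T07:40:00Z user=sipho.k src=203.0.113.8 country=DE app=VPN result=success
2024-05-06T08:05:13Z user=thandi.m src=10.20.4.17 country=ZA app=GitLab result=success
2024-05-06T08:06:01Z user=bongani.n src=10.20.4.99 country=ZA app=ERP result=success
2024-05-06T08:07:45Z user=bongani.n src=10.20.4.99 country=ZA app=ERP result=failure
"""

SITE_SUBNETS = {"JHB": ip_network("10.20.0.0/16"), "CPT": ip_network("10.30.0.0/16")}
SITE_COUNTRY = {"JHB": "ZA", "CPT": "ZA"}
BADGE_WINDOW = timedelta(hours=10)   # a badge entry "covers" LAN sign-ins for this long
REMOTE_WINDOW = timedelta(hours=8)   # a foreign sign-in is considered live for this long

KV = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """'<ISO timestamp> key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        ev = dict(KV.findall(rest))
        ev["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(ev)
    return events


def site_for(src_ip):
    """Office site whose LAN the address belongs to, or None if remote."""
    addr = ip_address(src_ip)
    return next((s for s, net in SITE_SUBNETS.items() if addr in net), None)


def correlate(pacs_text, idp_text):
    """Return a list of (rule, user, site, timestamp) alerts, oldest first."""
    badges = [e for e in parse_log(pacs_text) if e["result"] == "granted"]
    logins = [e for e in parse_log(idp_text) if e["result"] == "success"]
    alerts = []

    # Rule (a): on the office LAN without having badged into that office.
    for lg in logins:
        site = site_for(lg["src"])
        if site is None:
            continue
        covered = any(
            b["user"] == lg["user"] and b["site"] == site
            and lg["ts"] - BADGE_WINDOW <= b["ts"] <= lg["ts"]
            for b in badges
        )
        if not covered:
            alerts.append(("lan_login_without_badge", lg["user"], site, lg["ts"]))

    # Rule (b): physically present while signed in from another country.
    for b in badges:
        for lg in logins:
            if lg["user"] != b["user"] or lg["country"] == SITE_COUNTRY[b["site"]]:
                continue
            if abs(b["ts"] - lg["ts"]) <= REMOTE_WINDOW:
                alerts.append(("badge_with_foreign_signin", b["user"], b["site"], b["ts"]))
                break   # one alert per badge event is enough

    return sorted(alerts, key=lambda a: a[3])


if __name__ == "__main__":
    for rule, user, site, ts in correlate(PACS_LOG, IDP_LOG):
        print(f"{ts.isoformat()} {rule:<28} user={user} site={site}")
```

On the sample data the first rule fires for bongani.n, who is signed in from the Johannesburg LAN but whose only badge event that morning was denied, and the second fires for sipho.k, who badges into Cape Town half an hour after a successful VPN sign-in from Germany. Neither stream alone would have raised either alert; note also that a denied badge read is deliberately not treated as presence.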
| Organisation | Tel | Email | Web |
|---|---|---|---|
| Technews Publishing | +27 11 543 5800 | malckey@technews.co.za | www.technews.co.za |
| SMART Security Solutions | +27 11 543 5800 | malckey@technews.co.za | www.securitysa.com |
| CASA Software | | support@caafrica.co.za | www.casa-software.tech |
| NEC XON | +27 11 237 4500 | info@nec.xon.co.za | www.nec.africa |
© Technews Publishing (Pty) Ltd. | All Rights Reserved.