Zero Trust Architecture (ZTA) boils down to a deceptively simple mantra: Trust Nothing. Verify Everything!
In ZTA, identities are validated and continuously verified, access is defined at every level, devices (regardless of type or location) are controlled, data is secured and encrypted, and all access is visible in real time. It’s the current gold standard approach to security because it works. But there’s a catch: while Zero Trust thrives on granular, point-to-point security, enterprise networks are anything but point-to-point. They’re sprawling, messy, and riddled with legacy systems, stale permissions, and outdated controls.
Enterprise Networks: Castles with Open Bridges
Enterprise networks were built in the era of the Local Area Network (LAN), back when applications were hosted internally, users worked on-premises, and data resided safely within corporate walls. Perimeter defenses—firewalls, VPNs, segmented networks—were the trusty moats and drawbridges that kept bad actors out. For a while, it worked. This is the same approach medieval castles once relied on (high walls, moats and drawbridges, and archers) to keep invading armies at bay. The perimeter network kept companies [mostly] safe. Until it didn’t.
But here’s the problem: once an attacker breached the perimeter, they could move laterally, undetected. Active Directory (AD), being the backbone of identity and access control, was often the sole mechanism to enforce Role-Based Access Control (RBAC) and least privilege. And let’s be honest: Active Directory is a nightmare to manage. For one, you likely have stale Security Groups and group memberships that are rarely maintained. A user might have been added to a group years ago to work on a one-off project but was never removed. This means that when they log into the network, they often have broader access than they should. It’s a dreadful mechanism for applying least privilege. Just like the Trojan Horse, a hacker who gained access to the internal network was able to move around freely and siphon off data and corporate secrets with little chance of being discovered.
Remember the SolarWinds attack of 2020? Hackers slipped through the perimeter via a trusted vendor, moved laterally across networks, and exfiltrated sensitive, even classified, information for months before anyone noticed. This isn’t an anomaly; it’s the rule. LANs are completely unprepared for any skillful breach of the perimeter defenses and, once inside, prone to unthinkable damage. So let me just say it: Perimeter-based security is dead.
Enterprise networks are blunt instruments. They were not designed for the granular control Zero Trust demands. Zero Trust, by contrast, is built on the principle of continuous, contextual validation of identity, device, and access. It’s surgical. To think that these government agencies that were breached as part of the SolarWinds hack (including the US Department of Homeland Security) are not adhering to Zero-Trust frameworks would be absurd. They are, but still constrained by the limitations of their internal network environment.
It’s time to ditch the castle-and-moat model and embrace a Limitless Infrastructure Trusted Ecosystem (LITE); a security paradigm built on identity, visibility, and control, without the baggage of traditional networks and embracing the power of the cloud.
Limitless Infrastructure Trusted Ecosystem (LITE)
If a chain is only as strong as its weakest link, Active Directory is by far the weakest link in the Zero Trust Architecture chain. To remove it, you rethink your new infrastructure as a cohesive ecosystem built around identity, security, visibility, and control. We call this Limitless Infrastructure Trusted Ecosystem (LITE). This idea is not revolutionary, but evolutionary – and it’s time to evolve. To achieve true Zero Trust, you must focus on four areas:
- Cloud-Native ICAM
For true Zero Trust, we first need to ditch the traditional AD and adopt cloud-native Identity, Credential, and Access Management (ICAM). Cloud-native ICAM platforms operate on the principle that every access attempt, whether it’s to a cloud service, application, or piece of data, is an event that needs to be authenticated and authorized.
Centralized Identity: Derive user identities from a single source of truth, typically the HR system, ensuring consistency and accuracy.
Dynamic Access Control: Grant access based on real-time context, like role, device posture, and location. No more static security groups gathering digital dust.
Least Privilege, All the Time: Cloud-native ICAM systems authenticate and authorize every access attempt, ensuring users only have what they need when they need it.
- Modernizing Legacy Systems and Applications
Legacy applications tied to AD are like anchors dragging your organization into security oblivion. Start by treating them as just another cloud location and evaluate whether they adhere to the modern authentication and security standards that underpin the modern cloud.
Migrate or Rebuild: Transition systems to cloud-native environments or rebuild them with modern security standards. Embrace Infrastructure as Code (IaC), Containerization, IaaS & PaaS solutions as your new standard.
Upgrade to DevSecOps: Integrate security into every stage of development and make it the cornerstone of your systems and apps, not an add-on.
This isn’t a weekend project. Replacing a 27-year-old monolith like AD is messy, complex, and guaranteed to surface unexpected challenges. Trust me, I’ve done this. It presents you with problems you couldn’t have even known existed and you must overcome each one for success. Plan meticulously, test thoroughly, and lean on experts. And the payoff? True freedom from legacy constraints.
- Zero Trust Network Access (ZTNA)
Zero Trust Network Access (ZTNA) redefines security by assuming no user or device is inherently trusted. Access is granted only after strict authentication and continuous verification, embedding security throughout the network. This approach is ideal for today’s world of remote work, cloud adoption, and mobile devices, where traditional boundaries no longer apply.
Firewalls, too, have evolved. They now enforce identity-aware policies, enable micro-segmentation to limit lateral movement, and integrate with ZTNA gateways for secure remote access. In cloud and hybrid environments, cloud-native firewalls and Firewall as a Service (FWaaS) extend security across decentralized architectures.
Together, ZTNA and advanced firewalls provide end-to-end protection, adapting to the demands of modern, dynamic networks.
- Universal Device Management
One of the tenets of Zero Trust Architecture is device management. In a BYOD, remote-work world, device management is non-negotiable. While companies currently rely on a mixture of AD policies, internal and external Mobile Device Management (MDM) tools, and corporate policies, modern and comprehensive control over device security is a must. I recommend consolidating control with a robust Mobile Device Management (MDM) platform, like Microsoft Intune. This allows:
Device Posture Assessment: Ensure endpoints meet security standards, from patching to malware scans.
Real-Time Remediation: Flag non-compliant devices and enforce automated security actions to minimize risk.
Once devices are known, secured, and managed, the threat landscape shrinks. So long drawbridge!
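To make the contrast concrete, here is an added example (not code from the article or from any product) of the two decision models described above: the static AD-style group lookup that lets a stale membership through, versus a per-request check that pulls identity from the HR source of truth, consults device posture from the MDM feed, and applies role and location context. The HR records, device posture table, group and policy are constructed sample data, and the function and field names are assumptions.

```python
from dataclasses import dataclass

# Constructed sample data standing in for the HR system (single source of truth)
# and the MDM device-posture feed; field names are assumptions for this example.
HR_RECORDS = {
    "alice": {"active": True, "role": "finance-analyst"},
    "bob": {"active": False, "role": "contractor"},  # left the company last year
}
DEVICE_POSTURE = {
    "lt-0001": {"managed": True, "patched": True, "malware_clean": True},
    "lt-0002": {"managed": True, "patched": False, "malware_clean": True},
    "byod-99": {"managed": False, "patched": True, "malware_clean": True},
}
# Legacy static group: bob was added for a one-off project and never removed.
STATIC_GROUP_FINANCE = {"alice", "bob"}
# Per-resource policy evaluated on every request (constructed).
RESOURCE_POLICY = {
    "finance-ledger": {"roles": {"finance-analyst"}, "allowed_countries": {"US"}},
}

@dataclass
class AccessRequest:
    user: str
    device_id: str
    country: str
    resource: str

def static_group_decision(req: AccessRequest) -> bool:
    """AD-style model: group membership alone decides; context is ignored."""
    return req.user in STATIC_GROUP_FINANCE

def zero_trust_decision(req: AccessRequest) -> tuple[bool, str]:
    """Evaluate one request against live identity, device posture and context.
    Returns (allowed, reason) so every decision can be logged for visibility."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource (default deny)"
    person = HR_RECORDS.get(req.user)
    if person is None or not person["active"]:
        return False, "identity not active in source of truth"
    if person["role"] not in policy["roles"]:
        return False, "role not entitled to resource"
    posture = DEVICE_POSTURE.get(req.device_id)
    if posture is None or not posture["managed"]:
        return False, "device unknown or unmanaged"
    if not (posture["patched"] and posture["malware_clean"]):
        return False, "device posture non-compliant (remediation required)"
    if req.country not in policy["allowed_countries"]:
        return False, "location outside policy"
    return True, "all checks passed"
```

Because the check runs on every request rather than once at logon, a device that falls out of compliance or an employee whose HR status changes is denied on the next attempt without anyone having to clean up a group.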
Welcome to Your Zero-Trust Ecosystem
When done right, a LITE environment achieves the core principles of Zero Trust:
- Identity and Access Management
- Continuous Verification
- Device Security
- Application Security
- Data Security
- User Context and Risk-Based Policies
- Visibility and Analytics
- Zero Trust Policy Engine
Notice anything missing? That’s right, perimeter security, network segmentation, and infrastructure integration become relics of the past. In a LITE enterprise network, there’s no castle, no moat – just a seamless, secure ecosystem where everything is verified, and nothing is inherently trusted.
What jumps out at you in the enterprise diagram below?
That’s right, there is no On-Prem, no LAN, and no internal network (we’ll talk about the role of IPv6 in another article). Welcome to the security and freedom of point-to-point.
A Vision for the Future
Imagine an enterprise where breaches aren’t just contained but prevented; where identity, not location, defines access; and where security isn’t a patchwork quilt of expensive and complex tools but an elegant, integrated system. That’s the promise of a LITE environment.
The journey won’t be easy. But the alternative? Clinging to a crumbling fortress while bad actors waltz through your open drawbridge. It’s time to evolve.
The castle has been breached so let’s build something better.
Read another article by Allen Firouz:
Allen Firouz: Your Identity on Blockchain: Now Your Personal Data is Finally Safe
I am the Chief of Operations at Hekima Business Solutions, and an experienced operations and technology executive focused on advancing capabilities and performance. I’m a focused, driven leader who builds strong, ethical teams and aligns technology initiatives with organizational priorities. I’ve been credited with driving improvements in operational efficiency, risk management, cloud adoption, DevSecOps, innovation, enterprise architecture, identity management, governance, cybersecurity, and modernization across industries and government agencies. As a fiscally-minded global program leader, I help executives make informed decisions with both domestic and international impact.