
Ask the Expert: A Field CTO’s Guide to Identity Security, Access Controls, and Zero Trust

Published March 11, 2026


Identity is now the most common attack surface, involved in almost 90% of incidents investigated for the 2026 Unit 42 Global Incident Response Report – no surprise considering 99% of cloud users, roles and services hold excessive permissions, with some unused for 60 days or more.  

For security leaders, the takeaway is clear: granular, identity-based controls are more urgently needed than ever. But translating that strategic lesson into real-world enforcement can prove challenging.  

To help cut through the complexity, Chris Boehm, Field CTO at Zero Networks, answered some of the most commonly asked questions surrounding granular access controls, least privilege, and Zero Trust. Get Chris’ candid takes on practical strategies for strengthening identity security in an era of rapidly evolving threats.  

How can enterprises implement role-based access controls at the network connection level?  

Chris Boehm: [Implementing] role-based access controls at the network level is quite complicated because you have to understand your scope and have visibility of everything that's happening in your environment. So, it's very hard unless you have something in place today that could learn, assess, analyze, provide identity context and then build that in place.

What’s the best way to enforce granular access to servers based on user role and identity?  

Chris Boehm: There are a few approaches taken today. One would be using a cloud workload. They're managing everything for you, including the identity, and then they grant you access through a just-in-time [model]. That's not a bad approach. That is something that's completely out of your scope – you don't know the username or password; it's just managed for you. That's like a privileged access management tool with a password key vault, for example.

Another approach, which is more common if you have an on-prem environment, is that you might have to have a multi-tiered aspect of privileged access management, key vaulting (if you can even gain access to it)… It starts getting complicated very quickly.

Then you can look at how Zero Networks approaches it – we approach it as a manner of hardening your environment. We allow you to use your existing credentials, and you can gain access if you are authorized and you prove you are who you say you are. It sounds simpler – there's way more information we had to collect beforehand, but we make it easy for you.

What tools help automatically generate least-privilege policies based on observed traffic?  

Chris Boehm: When it comes to least privilege policies or understanding traffic and information in general, there are a lot of tools in place out there today and there's a lot of different approaches. It could be your firewall, it could be something that's monitoring your network traffic, it could be network packet sniffing. It expands very far into possibly UEBA technology – learning what an entity does, what it accesses, and how it communicates. Their scope is wide. You can even argue a SIEM tool could bleed into this because it's a bunch of data; you can compile all that data together and use an LLM or something similar to analyze it.

But with that said, there is a lot of nuance and things that could be missed. So that's where you need to narrow down the scope of every entity in your environment, understanding the visibility of what the user is doing, what the machine's doing, what the application's doing, and then bridge that all together into a beautiful map. And that's where things start shifting – as a business, I can understand what is communicating to what, how it's talking.  

As a simple example, let's just say you have an AI in your environment. What AI are you using? Do you know what is talking to your machine? Could I tell you today that you're using 12 different AI agents on your machine, and you feel confident knowing which ones and what applications are using those? Most people don't know that, so that's a concern that might be addressable in this fashion. 

How can organizations transition from perimeter-based firewalls to identity-centric controls?  

Chris Boehm: It has to be done in multiple levels. You have to have something that's doing enforcement for you on that machine on the identity level. So that could be a process, that could be down to application layers, that could be to the whole machine as a whole. There are multiple approaches to this.  

In simple terms, you can use your identity provider and then you can get down to an application layer, and then you can get down to network layers in scope. With that said, there are simpler ways to manage that. There are tools out there today that can help you automatically do this.

For example, Zero Networks is doing a lot of this for you automatically. It is vendor agnostic and it's hardware agnostic. We don't require a firewall in order to make an identity level perimeter, but we do require your identity provider to do the communication in some form or fashion so we can have some correlation of who you are and who you say you are. It's just a different approach – everyone kind of does it differently, but I would say the identity level being identity first is a key element here because, as you may or may not be aware, 90% of incidents start on the identity level.

What are practical steps to stop credential theft from leading to lateral movement?   

Chris Boehm: There’s proper hygiene, there's least privilege access, it's really the Zero Trust mindset. That's why Zero Trust is becoming huge in the market today – why do you need to be overprivileged? You should be least privileged and then ask for elevated privilege when necessary. So, that's the common approach. Is that doable today? Not always.  

Every industry, every market is a little bit different. I've worked with companies – let's just say school districts – and professors were unwilling to do multifactor authentication because it was just too complicated for them. So, they said, “Write everything down on a piece of paper.” That is more secure in their mind – until someone steals that paper and changes the grades or something. But in the end, Zero Trust is probably the approach I would recommend today.  

How can security teams simplify access reviews and entitlement audits using zero trust tools?  

Chris Boehm: When it comes to auditing, visibility, and control, Zero Trust has a natural byproduct of 'never trust, always verify.' Because of that, it has to have a methodical approach of understanding your whole entire communication flow. Me as a user, for example, should I be talking to this application? Yes or no? Should I be talking to this network asset, yes or no? Should I be connecting to a cloud asset, yes or no?

So, if you do it appropriately, you’ll see that breadcrumb trail. And that breadcrumb trail provides this beautiful image to auditors, cyber insurance, compliance regulations – all of the sudden you could just say, “I know exactly what Chris talks to. I know what he works on.” It's not a bad thing. It's just I can prove that Chris is doing what he's supposed to do, and I can prove that we’re protecting these key company assets.  

Now, think of the master database for all your source code, and all the spicy information for your business is now contained appropriately because I can prove it. That's the main thing. That's a huge factor right there, and that's where Zero Trust and the concept of least privilege comes into play. 
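The following script is an added example, not code from this article or from Zero Networks. It illustrates two of the points above in working form: deriving a least-privilege allow list from observed traffic (the question on tools that generate policies from traffic), and answering the access-review question "should this identity be talking to this asset?" from that evidence rather than from a spreadsheet (the question on simplifying entitlement audits). The flow-log format, the host and identity names, the granted entitlements and the 60-day staleness window are constructed assumptions; a real deployment would feed in flow records from a firewall, EDR or segmentation platform.

```python
"""Least-privilege policy from observed traffic, plus an entitlement audit.

Added example, not Zero Networks code. The input format, names, grants and
the 60-day window below are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records. Assumed format (one per line):
#   "<ISO timestamp> <identity> <src_host> <dst_host>:<dst_port>"
OBSERVED_FLOWS = """\
2026-02-01T09:12:44Z chris.boehm wks-chris app-crm:443
2026-02-03T10:05:01Z chris.boehm wks-chris app-crm:443
2026-02-10T14:31:09Z chris.boehm wks-chris jump-01:22
2026-02-12T08:02:55Z svc-backup srv-backup db-prod:5432
2026-02-14T08:03:17Z svc-backup srv-backup db-prod:5432
2025-11-20T07:45:00Z svc-backup srv-backup db-legacy:1433
2026-02-20T16:20:33Z alice.ng wks-alice app-crm:443
2026-02-22T11:11:11Z alice.ng wks-alice db-prod:5432
"""

# Constructed entitlements currently granted: identity -> {(dst_host, port)}.
# In practice these come from firewall rules, PAM grants or group membership.
GRANTED = {
    "chris.boehm": {("app-crm", 443), ("jump-01", 22), ("db-prod", 5432)},
    "svc-backup": {("db-prod", 5432), ("db-legacy", 1433)},
    "alice.ng": {("app-crm", 443), ("jump-01", 22)},
}

UNUSED_AFTER = timedelta(days=60)   # assumed staleness window
AS_OF = datetime(2026, 3, 1)        # assumed "now" for the review


def parse_flows(text):
    """Yield (timestamp, identity, src, dst, port) from the constructed lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, identity, src, target = line.split()
        dst, port = target.rsplit(":", 1)
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), identity, src, dst, int(port)


def last_seen(flows):
    """Map (identity, dst, port) -> most recent observation time."""
    seen = {}
    for ts, identity, _src, dst, port in flows:
        key = (identity, dst, port)
        if key not in seen or ts > seen[key]:
            seen[key] = ts
    return seen


def build_policy(flows, now, window=UNUSED_AFTER):
    """Allow only what each identity was observed using within the window.

    Returns identity -> {(dst, port)}. Pairs last seen before the window are
    dropped; that pruning is what turns 'observed traffic' into least privilege.
    """
    policy = defaultdict(set)
    for (identity, dst, port), ts in last_seen(flows).items():
        if now - ts <= window:
            policy[identity].add((dst, port))
    return dict(policy)


def audit_entitlements(granted, policy):
    """Compare what is granted with what the traffic justifies.

    'unused' is granted access with no recent use (candidate for revocation);
    'unapproved_use' is observed access with no matching grant (investigate).
    """
    report = {}
    identities = set(granted) | set(policy)
    for identity in identities:
        grants = granted.get(identity, set())
        used = policy.get(identity, set())
        report[identity] = {
            "unused": sorted(grants - used),
            "unapproved_use": sorted(used - grants),
        }
    return report


def is_allowed(policy, identity, dst, port):
    """Default-deny reachability check against the generated policy."""
    return (dst, port) in policy.get(identity, set())


if __name__ == "__main__":
    pol = build_policy(parse_flows(OBSERVED_FLOWS), AS_OF)
    for identity, allowed in sorted(pol.items()):
        for dst, port in sorted(allowed):
            print(f"allow {identity} -> {dst}:{port}")
    for identity, findings in sorted(audit_entitlements(GRANTED, pol).items()):
        print(identity, findings)
    print("alice.ng -> jump-01:22 allowed?", is_allowed(pol, "alice.ng", "jump-01", 22))
```

Two design choices matter here. The policy is keyed on identity rather than source host, so a stolen credential used from a new machine still only reaches what that identity was observed using, and the check is default-deny, so an identity with no observed traffic gets nothing. The audit output is the "breadcrumb trail" in tabular form: each unused grant is a revocation candidate, and each unapproved use is a flow that either needs a grant or an incident ticket.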

Strengthen Cyber Resilience with Adaptive, Identity-Aligned Controls  

The tools to meaningfully reduce identity risk exist today, but complexity, inconsistency, and organizational friction keep most environments over-exposed, often leaving security strategies misaligned with business priorities.  

Zero Networks helps security teams protect business continuity and proactively minimize blast radius with identity-based microsegmentation, where identity governs reachability at the network layer and enforcement holds up in real-world attacks. 

Zero provides immediate visibility into every identity and asset on the network, then automatically enforces adaptive, identity-aligned policies that prevent lateral movement by default, enabling organizations to engineer resilient Zero Trust architectures without manual rule-writing or rule sprawl.

Learn more about how you can tightly couple network and identity enforcement with Zero to make breach containment an automatic feature of your network architecture – request a demo.