Perimeter-Based to Identity-Centric: Enforcing Least-Privilege Access Everywhere
Published April 24, 2026
Identity security weaknesses play a material role in nearly 90% of cyber incidents today, serving as the initial access vector, path to privilege escalation, or lateral movement mechanism. And while modern threats rarely stay isolated to a single attack surface, identity is by far the most commonly leveraged, involved in 89% of incidents investigated for the 2026 Unit 42 Global Incident Response Report.
Meanwhile, the same report analyzed 680,000 identities and found that 99% of cloud users, roles, and services hold excessive permissions, often unused for 60 days or more. This highlights dangerous gaps in least privilege enforcement, leaving organizations vulnerable to identity-based attacks as adversaries target a boundary most environments weren’t designed to protect.
Security leaders face a clear mandate: evolve beyond static, perimeter-based strategies and enforce dynamic, identity-based policies to prevent privilege escalation and lateral movement, even when attackers use valid credentials. Zero Networks’ VP of Customers, Nicholas DiCola, and Field CTO, Chris Boehm, discussed what identity-centric network controls look like in practice in a session on enforcing least privilege access everywhere.
We’ll break down key moments from the webinar, share why real-time context and a three-dimensional approach to network security are key to stopping identity-based attacks, and give security teams tips for sifting through the acronym soup to select solutions that enforce least privilege at scale.
Enterprise Identity Sprawl and Privilege Creep
The old way of thinking about identity – as simple credentials tied to human users – has become far too narrow. Today, machine identities like service accounts make up more than 70% of networked identities, while modern ways of working have further accelerated identity proliferation.
Nicholas DiCola: Things like service accounts make up 70% of the IDs because there are more applications that require identity to be able to log in, do what they need to do, whether that’s connect to a database server or something else, just to run the application. So, we’re having this sprawl of identities beyond just the humans that actually work for the company.
Chris Boehm: The other part of this is how the expansion of identity is occurring. Everyone’s probably seen Windows Hello – a face scan on your phone. I think about everything that’s processing that data, tokenization – it’s much more complicated than a single log on. All of a sudden, you have multiple identities exposed to you for each session, each application, each vendor you’re working with.
Nicholas DiCola: And that’s just corporate IT stuff. Then I have my own Apple ID, and that’s tied to my face ID; then I have all these other accounts in the cloud. As a user, even though I have my corporate credentials and then all my personal stuff, the sprawl of identity is insane right now.
The cumulative effect of this sprawl isn’t just complexity – it’s exposure. The average identity holds 96,000 permissions, even though 38% of all enterprise accounts are dormant.
Identity Trust Risks: Third-Party Credentials, Detection Gaps, and LotL Attacks
More than 80% of detections in CrowdStrike’s latest Global Threat Report were malware-free attacks, meaning cyber adversaries increasingly abuse legitimate tools, systems, files, or applications to compromise a network, move laterally, and steal data without triggering alerts.
Chris Boehm: A lot of EDR tools out there are pretty good at responding to [known tactics] today. They’ve hardened. But they can’t know if you really are who you say you are … That’s why most payloads are now trying to phish and collect information from me, then they’ll try to learn my habits and act like me.
While most organizations have invested heavily in detection and response, they remain vulnerable to malware-free tactics. In a Red Team Assessment Report, CISA concluded that over-reliance on EDR provides insufficient protection against living-off-the-land (LotL) attacks. In other words, it’s simply not possible to prevent LotL attacks with EDR alone.
Similarly, third-party credentials create risk exposure that most environments aren’t built to address.
Nicholas DiCola: RedHat announced a public breach due to some GitLab credentials that allowed hackers access to their internal systems … They were sharing the same GitLab repos or instance with some of their government contracts – now, attackers had access to those too. Why didn’t they have a separate instance? Every time you add an instance, that’s another identity. That’s another thing that becomes even harder to manage and secure.
Identity-Based Access Control: What’s the Best Solution?
The identity security market is a veritable battle of the buzzwords – IAM, PAM, IGA, ITDR, and more blend together into an acronym soup, but regardless of the exact articulation, every tool aims to solve the same underlying issue of excessive trust.
Nicholas DiCola: There are a lot of [solutions] around identity because of this expansion and thought around identity being a new perimeter for enforcing access – whether that’s from SaaS, all the way down to on-prem workstation access – but ultimately, it’s back to a Zero Trust model where you have to enforce with some type of identity segmentation, using these capabilities to say ‘these accesses can only log into these certain places where they’re needed, especially with machine accounts.’
Chris Boehm: There are different approaches to handle it. I don’t think everyone should go in saying ‘deny everything unless they verify.’ You’re going to break some stuff in your business. So, the first thing is really knowing what’s going on on each asset. Think of the key things in your environment and then grow from there. Control, bubble, contain, and go in that approach versus just blocking and creating friction, then killing the entire idea of Zero Trust.
Enforcing Least Privilege Access with Identity Segmentation
Tying granular access controls to identity lets protection adapt dynamically to every connection – not just at login or by role – so breaches are contained in real time rather than merely managed through credentials or policies.
Nicholas DiCola: When we were at Microsoft, we had a really good model in mind. It was never really something you could implement, but it was a great model on paper, which was what they called a tiered model. A domain admin credential should never log in to anything but a domain controller. It shouldn’t be able to log in to servers. It shouldn’t be able to log in to workstations … the whole point was that if you limit where these credentials can actually log in, you prevent the attacker from being able to get the credentials. That’s essentially what identity segmentation is.
Chris Boehm: There are things in Microsoft, AWS, GCP, or whatever that require certain elevated privileges to make certain actions. That gets really complicated when you mix in hybrid workloads, cloud SaaS platforms, and then you have your on-premises … that control segmentation was really complicated [to manage] manually.
So, while the philosophy underpinning identity segmentation is well established, it’s not operationally feasible without automation.
How does automated learning remove the manual overhead of identity-based access enforcement?
Deterministic, human-on-the-loop automation makes identity segmentation practical. By observing normal network behavior and generating granular, identity-aligned access policies based on confirmed operational need, automated solutions enable organizations to enforce fine-grained controls without disrupting normal traffic.
Chris Boehm: You want something that recognizes normal behavior and then enforces it – it should dynamically adapt versus just segmenting and saying, ‘port 3389 should be authorized for this one port over here’ and that’s it.
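To make the tiered model described above and the learn-then-enforce approach concrete, here is an added Python illustration (not Zero Networks’ product or code) that combines a static tier rule with a per-identity allow-list learned from observed logons; the host names, account names, tiers and log lines are all constructed.

```python
from collections import defaultdict, namedtuple

# Constructed inventory (hypothetical names): tier 0 = domain controllers, 1 = servers, 2 = workstations.
HOST_TIER = {"dc01": 0, "sql01": 1, "ws-finance-07": 2, "ws-hr-02": 2}
IDENTITY_TIER = {"CORP\\da-admin": 0, "CORP\\svc-sql": 1, "CORP\\jdoe": 2}

# Constructed logon events in a simple key=value form (not real log output).
BASELINE_LOGONS = [
    "logon user=CORP\\da-admin host=dc01",
    "logon user=CORP\\svc-sql host=sql01",
    "logon user=CORP\\jdoe host=ws-finance-07",
    "logon user=CORP\\da-admin host=ws-finance-07",  # tier violation seen while learning
]

Logon = namedtuple("Logon", "identity host")

def parse_logon(line):
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return Logon(fields["user"], fields["host"])

def tier_ok(logon):
    # A credential may only log on to hosts of its own tier; unknown identities
    # or hosts fail closed. This is the tiered model from the passage above.
    it, ht = IDENTITY_TIER.get(logon.identity), HOST_TIER.get(logon.host)
    return it is not None and ht is not None and it == ht

class IdentitySegmentationPolicy:
    def __init__(self):
        self.allowed = defaultdict(set)  # identity -> hosts it has legitimately used

    def learn(self, lines):
        """Baseline phase: tier-compliant observed pairs become the allow-list; non-compliant
        observations are returned for a human to review, not learned as 'normal'."""
        flagged = []
        for logon in map(parse_logon, lines):
            if tier_ok(logon):
                self.allowed[logon.identity].add(logon.host)
            else:
                flagged.append(logon)
        return flagged

    def evaluate(self, line):
        """Enforcement phase: allow only tier-compliant, previously observed pairs."""
        logon = parse_logon(line)
        if not tier_ok(logon):
            return "DENY tier-violation"
        if logon.host not in self.allowed[logon.identity]:
            return "DENY not-in-baseline"
        return "ALLOW"
```

The learning phase deliberately refuses to bless the domain-admin-to-workstation logon it observed, which is the human-on-the-loop point: a violation seen during baselining is surfaced for review rather than silently becoming policy.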
Three-Dimensional Network Security: Dynamically Protecting Access, Identities, and Devices
Stopping lateral movement and scaling least privilege across the entire network requires a unified set of capabilities across dimensions – not distinct point solutions operating in isolation.
Nicholas DiCola: There’s North-South protection – that’s blocking access with your firewalls or perimeters. You have East-West protection, which is locking down lateral movement from a network perspective. Then there’s Up-Down protection, which dynamically limits traffic between network layers using identity. If you combine all of these, it can really help you think about how to stop lateral movement in your environment.
Chris Boehm: The real challenge I find is that most people, even with identity tools, don’t know what’s going on in their environment or what those assets are doing … There are different types of automation out there, even for legacy things. So, East-West protection is definitely doable for legacy to modern today.
Critically, this multidimensional approach means that threat containment is proactively built into the network architecture, so every initial foothold is automatically constrained before it escalates into a business-disrupting event.
Nicholas DiCola: Once [attackers] are on a machine, most of the time, they can get a credential. They can use that credential to laterally move if you haven’t segmented identities and networks. But if you actually segment all identities, they’re not able to spread. It’s like going into your house, and you don’t have the key to open each of the bedroom doors.
Dynamically Enforce Least Privilege Access Everywhere with Zero Networks
Zero Networks unifies network and identity controls with automated, identity-based microsegmentation, delivering a dynamic defense fabric that enforces least privilege across the entire network.
Zero unlocks multi-dimensional protection by securing every axis of network traffic:
- Automated microsegmentation isolates every asset within its own secure perimeter, closing unnecessary communication paths and blocking unauthorized lateral movement.
- Identity segmentation enforces granular access rules for users, devices, and applications, ensuring every identity receives only the necessary permissions – nothing more.
- Just-in-time network-layer MFA adds adaptive authentication at the moment of privileged access, turning static permissions into temporary elevated access.
- Deterministic, human-on-the-loop automation learns all network behavior to create and enforce least privilege policies at scale, ensuring no coverage gaps emerge as the network changes.
Find out how you can proactively strengthen your organization’s cyber resilience and put the principle of least privilege into practice everywhere – request a demo.