INSIGHTS HUB

Zero Trust Isn’t a Product. It’s Seven Non-Negotiable Controls.

Zero Trust is not a product, but a system of security controls that protects access, identities, and corporate accounts from modern cyber threats.
This week’s SEG Weekly Briefing covered a campaign that pushed more than 81 million login attempts through a deprecated OAuth flow and quietly took over 78 Microsoft 365 accounts at 64 organisations (Huntress, 1 July 2026). Most of those organisations had MFA. It didn’t help.
The lesson has now been repeated enough times that we should stop calling it a lesson: MFA is one control. Zero Trust Architecture (ZTA) is the model that makes it worth having. Under a ZTA posture, no request is trusted based on network, credential, or authentication flow — every access decision is a fresh, context-aware verification of who is asking, from what device, for what resource, right now.
Here is what “implemented ZTA” actually means at the authentication and identity-governance layer. Not principles. Controls. If any of the below is missing, you don’t have ZTA — you have MFA and a Confluence page.

1. Phishing-resistant authenticators only.
FIDO2 / WebAuthn hardware keys or platform-bound passkeys as the sole permitted second factor for all privileged, administrative, and remote access. TOTP apps, SMS codes, email codes, and push-approval-only — banned for admin roles. Synced passkeys in a password manager are acceptable for standard users; hardware-bound only for anyone with administrative reach.
2. Legacy authentication flows disabled at the tenant.
ROPC (Resource Owner Password Credentials), basic auth, IMAP/POP/SMTP AUTH, and any non-interactive grant that bypasses the authorisation endpoint — off. Not “monitored.” Off. Device code flow restricted to specific device categories with named business owners. Where automation genuinely requires programmatic access, migrate to managed identities or certificate-bound service principals with scoped, auditable permissions.
3. Conditional access on every request — including the “internal” ones.
Access decisions evaluated per session on identity, managed-device posture, sign-in risk score, geolocation, and application sensitivity. Two rules you should never write: “MFA for admins only” and “MFA for untrusted locations only.” Both were the entry point in the M365 campaign referenced above. Enforce for all users, all cloud apps, all client types — unconditionally.
4. Zero standing administrative privileges.
No user, service account, or automation holds persistent Global Admin, Domain Admin, root, or equivalent. Elevation is just-in-time: time-bound to the task (four hours maximum, ideally less), approved through a documented workflow, MFA-rechallenged at activation, and fully session-recorded. Break-glass accounts exist, are stored offline, and generate a high-severity alert on every use.
5. Short-lived, context-bound tokens.
Access tokens no longer than one hour. Refresh tokens bound to user + device + IP context, and automatically revoked on any risk signal — impossible travel, new device fingerprint, sign-in from a previously unseen ASN, or a password change on the associated account. Continuous session validation, not one-and-done authentication.
6. Continuous credential-exposure monitoring.
Every workforce and service identity checked in real time against known breach corpora, infostealer logs, and combo lists. Confirmed exposure triggers an automatic reset, regardless of the credential’s age. Assume every password older than twelve months has already been posted somewhere. Design as if it has.
7. Identity governance with teeth.
Every application, permission group, and role has a named business owner. Privileged access recertified every 90 days maximum; standard access every 180. Deprovisioning is automated: within 24 hours of any HR event — leaver, role change, contract end — access is revoked across every connected system, not just the ones your HR platform natively integrates with. What isn’t integrated with your IdP shouldn’t be issuing credentials.
8. Detection tuned to the authentication layer itself.
Alerts on: a successful sign-in that did not trigger the expected MFA challenge; token issuance via legacy flows; admin role activation outside a JIT window; service principal credential creation; any authentication succeeding from a new ASN immediately after spray-pattern failures. If your SOC is watching endpoint alerts but not identity-layer telemetry, you are watching last decade’s attack surface.

None of the above is optional in 2026.
The NIS2 Directive (Article 21(2)(i)) makes access control and authentication explicit obligations for essential and important entities, with fines up to €10 M or 2 % of global turnover. NIST SP 800-207 gives you the architectural blueprint. ISO 27001:2022 Annex A (5.15 access control, 5.17 authentication information, 8.5 secure authentication, 8.16 monitoring) is the certifiable expression of it. DORA imposes equivalent expectations on the financial sector under Articles 9 and 17. And GDPR Article 32 requires “state of the art” security controls be applied to personal data processing — a bar that MFA-in-name-only no longer clears.
If your identity architecture cannot answer the question “which authentication flows in our environment can issue a token without a Conditional Access decision?” — you have work to do this quarter, not next year.

SEG helps clients close that gap through:
🔹 vCISO — Zero Trust roadmap, identity governance, board-level accountability under NIS2.
🔹 SaaS & Security Configuration Review — Conditional Access audit, legacy-flow retirement, JIT PAM design.
🔹 Third-Party Risk Assessment — because your identity perimeter is only as strong as the weakest credential in your supply chain.
📩 Contact SEG for a Zero Trust readiness assessment aligned to NIS2, ISO 27001, and NIST SP 800-207.

Stay informed. Stay secure.

Get 1–2 expert insights monthly — straight to your inbox.

Explore more insights and updates

Our Partners & Vendors

Scroll to Top