Every access request passes through the control plane before reaching the data plane. No exceptions.
The PDP evaluates identity, device posture, context, behavior, and threat intel. Binary: allow or deny.
PEPs sit between users and resources. They don't decide; they enforce the PDP's decision.
Cloud identity providers like Entra ID, Okta, Google Workspace. MFA is the minimum. Continuous authentication re-validates the session, not just the login.
A legitimate user on a compromised device is still a threat. Device posture inputs: registration, compliance state, certificates, risk scores.
Service accounts, API keys, pipelines, AI agents need identity management with the same rigor as human identities.
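A minimal PDP/PEP decision loop tying the points above together, as an added example that is not from this page. The risk threshold, the threat-intel set and the request fields are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample inputs (hypothetical, not real data): a threat-intel block list
# using a documentation-range address, and a UEBA risk cutoff.
BLOCKED_SOURCE_IPS = {"203.0.113.7"}
RISK_THRESHOLD = 70


@dataclass
class AccessRequest:
    principal: str              # human user or workload identity (service account, pipeline, agent)
    mfa_verified: bool
    device_registered: bool
    device_compliant: bool
    device_cert_valid: bool
    source_ip: str
    risk_score: int             # 0-100 from behavioral analytics
    resource: str
    entitlements: set = field(default_factory=set)


def pdp_decide(req: AccessRequest) -> tuple:
    """Policy Decision Point: identity, device posture, threat intel, behavior,
    entitlement. Every check must pass; result is binary (allowed, reason)."""
    if not req.mfa_verified:
        return False, "mfa_required"
    # A legitimate user on an unhealthy device is still denied
    if not (req.device_registered and req.device_compliant and req.device_cert_valid):
        return False, "device_posture_failed"
    if req.source_ip in BLOCKED_SOURCE_IPS:
        return False, "threat_intel_match"
    if req.risk_score >= RISK_THRESHOLD:
        return False, "behavioral_risk"
    if req.resource not in req.entitlements:
        return False, "not_entitled"
    return True, "allowed"


def pep_enforce(req: AccessRequest, decide=pdp_decide) -> bool:
    """Policy Enforcement Point: no local policy, only forwards to the data plane
    on an explicit allow from the PDP. A PDP error is treated as deny (fail closed)."""
    try:
        allowed, _reason = decide(req)
    except Exception:
        return False
    return allowed is True
```

The same function evaluates a CI pipeline identity and a human user; only the inputs differ.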
Even if attackers compromise one workload, microsegmentation prevents lateral movement. Enforced at the host or application layer.
ZTNA replaces broad VPN access with per-application access based on identity and device posture. No port probing. No lateral movement.
SIEM, UEBA, SOAR. Behavioral analytics catches what signatures miss: compromised accounts using valid credentials.
Don't treat identity as solved. Don't ignore east-west traffic. Zero Trust is a strategic multi-year initiative.