Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Zero trust access control for compliance: are legacy models enough?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: Legacy VPN and firewall models leave audit gaps because they cannot continuously enforce context-aware, least-privilege access, according to Appgate’s webinar on modern compliance. The control problem is not just perimeter weakness; it is the mismatch between static access assumptions and dynamic regulatory expectations.

NHIMG editorial — based on content published by Appgate: Access Control, the Core of Modern Compliance

Questions worth separating out

Q: How should teams implement zero trust access control for compliance?

A: Start by replacing network-level trust with resource-level policy decisions that account for identity, device posture, and session context.

Q: Why do legacy VPN models create compliance risk?

A: Legacy VPNs often grant broad connectivity after a single login event, which makes it hard to prove least privilege, segmentation, and continuous enforcement.

Q: What do security teams get wrong about least privilege?

A: They often treat least privilege as a provisioning decision instead of an ongoing control.

Practitioner guidance

  • Replace flat network reach with resource-level policies Document which applications, data stores, and administrative interfaces still inherit broad VPN reach.
  • Make device posture part of the access decision Require patch status, encryption state, and MDM enrollment to influence whether access is granted, reduced, or revoked.
  • Turn access logs into audit evidence Capture who, what, when, where, how, and why at the resource level so reviewers can trace every decision without log reconciliation across multiple systems.

What's in the full article

Appgate's full webinar covers the operational detail this post intentionally leaves for the source:

  • A practical view of how dynamic access policies are evaluated at connection time and during the session.
  • Examples of resource-level audit logging that support compliance review without cross-system log reconciliation.
  • How endpoint posture checks and adaptive authentication interact when a device falls out of policy.
  • The webinar transcript and live discussion around compliance, productivity, and zero trust implementation choices.

👉 Read Appgate's webinar on zero trust access control and compliance →

Zero trust access control for compliance: are legacy models enough?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

Static network trust is no longer a viable compliance premise. The access model described here assumes that a network boundary can still separate trusted from untrusted activity. That assumption breaks once users, devices, and sessions move across hybrid environments where access must be justified at the resource level. The implication is that compliance teams need to evaluate whether their controls are still built around location rather than identity and context.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Another finding from 52 NHI Breaches Analysis shows how weak lifecycle control extends exposure well beyond initial detection.

A question worth separating out:

Q: Who is accountable when access decisions fail compliance checks?

A: Accountability usually sits with the IAM, security architecture, and control owners who designed the access model, not just the operators who use it. If the organisation cannot show why access was allowed, it is the governance model that failed, not only the audit.

👉 Read our full editorial: Zero trust access control is becoming a compliance requirement



   
ReplyQuote
Share: