Articles tagged with: #zero-trust
Sponsored: Why you're probably doing Zero Trust wrong

Risky Business Media risky.biz

In this sponsored podcast Patrick Gray chats with Knocknoc CEO Adam Pointon about why true Zero Trust architectures never really got there. Spinning up ZTNA access to core applications and slapping SSO prompts on everything else is great, but if we're honest, it's not really Zero Trust. So, how and why did we get here?

Versa Earns FedRAMP High Ready for AI-Powered SASE Platform

Cyber Security - AI-Tech Park ai-techpark.com

New Designation Enables Federal Agencies to Meet Zero Trust Goals, and Consolidate and Simplify their IT Infrastructure

Versa, the global leader in unified networking and security, today announced that its Unified Secure Access Service Edge (SASE) products have achieved Federal Risk and Authorization Management Program (FedRAMP) Ready status at the...

Zero Trust Has a Blind Spot - Your AI Agents

BleepingComputer www.bleepingcomputer.com

AI agents now act, decide, and access systems on their own - creating new blind spots Zero Trust can't see. Token Security helps organizations govern AI identities so every agent's access, intent, and action are verified and accountable.

Running full Zero Trust across hybrid environments

cybersecurity www.reddit.com

We've been working toward a Zero Trust model for a while, but it gets messy once you mix cloud and on-prem. Identity-based access works fine in cloud-native apps, but once you add legacy systems and unmanaged devices, the control gaps show fast. Curious if anyone here has managed to get true end-to-end Zero Trust working across hybrid setups. What did you prioritize first, identity, network segmentation, or workload security? submitted by /u/cheerioskungfu

Cloud Security Alliance Launches STAR for AI, Establishing the Global Framework for Responsible and Auditable Artificial Intelligence

Cloud Security Alliance cloudsecurityalliance.org

Seattle, WA - October 23, 2025 - The Cloud Security Alliance (CSA), the world's leading not-for-profit organization committed to AI, cloud, and Zero Trust cybersecurity education, today announced the official launch of STAR for AI, introducing the first global framework for AI assurance across both Level 1 and Level 2 tiers. This milestone builds upon CSA's AI Controls Matrix (AICM) and its newly released mapping to ISO/IEC 42001:2023, creating a cohesive, standards-aligned pat

The erosion of cybersecurity zero-trust principles through GenAI

cybersecurity www.reddit.com

Researchers reviewed 10 recent ZTA surveys and 136 primary studies (2022 - 2024) and found that 98% provided only partial or no real-world validation, leaving several core controls largely untested. Their critique proceeds on two axes: first, mainstream ZTA research is empirically under-powered and operationally unproven; second, generative-AI attacks exploit these very weaknesses, accelerating policy bypass and detection failure. submitted by /u/tekz

A Multi-Cloud Framework for Zero-Trust Workload Authentication

cs.CR updates on arXiv.org arxiv.org

arXiv:2510.16067v1 Announce Type: new Abstract: Static, long-lived credentials for workload authentication create untenable security risks that violate Zero-Trust principles. This paper presents a multi-cloud framework using Workload Identity Federation (WIF) and OpenID Connect (OIDC) for secretless authentication. Our approach uses cryptographically-verified, ephemeral tokens, allowing workloads to authenticate without persistent private keys and mitigating credential theft. We validate this...

The Evolution of Zero Trust: From Architecture to Attestation

cybersecurity www.reddit.com

We've been saying "Never trust, always verify" for more than a decade - but most of our industry still hasn't clearly defined what "verify" actually means. The original Zero Trust model (per NIST SP 800-207) focused on network segmentation, identity enforcement, and continuous authentication. That's all necessary - but it's not sufficient. Because even if you know who is connecting and where they're connecting from... you still don't know what state that system is in. And that's the gap...

Using Cisco ISE for Zero Trust, Least Privilege, and micro-segmentation

cybersecurity www.reddit.com

To start, I know that Zero Trust is a framework and can't be bought. But some products make it way easier to implement. We have been attempting to implement Cisco ISE for about 4 years now. We are currently doing 802.11X w/ certificates and currently in monitor mode for 802.1X. The plan was that eventually, we'd be able to use ISE to only allow a subset of people access to specific servers. However, I'm questioning that feasibility so I'm hoping to get some feedback on my thoughts. One use case...

What Zero-Trust platform do you recommend?

cybersecurity www.reddit.com

What Zero-Trust platforms are people here actually using and seeing results from? Every vendor claims to have it figured out but it's hard to tell what's real and what's just buzzwords. I've been reading a few comparisons, including the new Forrester Wave report on Zero-Trust platforms for 2025, but I'm way more interested in what's happening on the ground. Which approach worked best for your org: identity-first, network-first or a hybrid setup? What went smoothly, what turned into a nightmare...

The Data Enclave Advantage: A New Paradigm for Least-Privileged Data Access in a Zero-Trust World

cs.CR updates on arXiv.org arxiv.org

arXiv:2510.09494v1 Announce Type: new Abstract: As cloud infrastructure evolves to support dynamic and distributed workflows, accelerated now by AI-driven processes, the outdated model of standing permissions has become a critical vulnerability. Based on the Cloud Security Alliance (CSA) Top Threats to Cloud Computing Deep Dive 2025 Report, our analysis details how standing permissions cause catastrophic cloud breaches. While current security tools are addressing network and API security, the...