ZTA: Implementing Continuous Verification in Complex Environments
The traditional perimeter-based security models have crumbled. With the explosion of remote work, cloud adoption, and hybrid systems, the industry has been forced to rethink the very concept of "trust".
At VULNCON 2025, we hosted a dynamic panel discussion titled "ZTA: Implementing Continuous Verification in Complex Environments." Moderated by Nikhil Prabhakar, the panel featured industry experts Jayesh Singh Chauhan, Amol Naik, and Praveen Nettimi. They dissected the journey of Zero Trust from a buzzword to a deployable reality.
Nikhil Prabhakar (Moderator) - Founder @PodArmor
Jayesh Singh Chauhan - CEO & Founder @Cloudurance Security and Cloud Village
Amol Naik - Head of Security @Atlas Consolidated
Praveen Nettimi - Founder & CEO @AtyaSecure
Here are the key takeaways and strategies for security leaders looking to navigate the complexities of Zero Trust Architecture.
Zero Trust is a Mindset, Not a Tool
One common misconception is that Zero Trust can be bought as a product. As the panellists emphasised, Zero Trust is fundamentally a mindset, not a tool or a specific piece of software.
While tool-based approaches exist, they often leave gaps if the organisational context is ignored. Mr Jayesh Singh Chauhan noted that implementation must start with the type of organisation you are securing. A fintech company, a crypto firm, and a B2B SaaS platform all require different approaches to "trust but verify". The goal is to cascade the strategy down to the specific least privileges each role actually requires, without hampering the business.
Mr Amol Naik added that security must be positioned as a business enabler. Whether implementing ZTA or cloud security, CISOs must build a business case that justifies the ROI by proving that security builds customer trust.
The Implementation Strategy: Start Small
For many organisations, the prospect of implementing ZTA is daunting. The panel recommended avoiding a drastic approach.
Mr Praveen Nettimi suggested starting with a targeted application or a Proof of Concept (POC). The goal is to pinpoint a smaller environment and its business users, making sure that the transition doesn't negatively affect availability and user experience.
Crucially, organisations should not necessarily begin with their most valuable applications. Instead, it is often wiser to start with "low-hanging fruit". Such an approach allows the organisation to build the habit of Zero Trust without the risk of a critical business failure causing panic and derailment of the entire initiative.
Managing Culture and Friction: The Developer Dilemma
A major hurdle in ZTA adoption is cultural friction, particularly with engineering teams. Developers traditionally demand the highest possible privileges to do their jobs. To mitigate resistance, the panel recommended the following strategies:
- Time-Bound Access: Move away from permanent standing privileges. Implement automated revocation where access is granted for a specific duration.
- Seamless Automation: Friction kills adoption. Mr Jayesh shared a successful example where his team integrated access requests directly into Slack commands. This allowed developers to request and receive time-bound access to secret managers almost instantly, satisfying security requirements without slowing down development.
- Leadership Enrollment: Buy-in must start from the top. However, leaders should be enrolled through awareness rather than scare tactics.
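The first two strategies above (time-bound access with automated revocation, and a ChatOps-style request path) can be seen together in the following added example. It is illustrative code written for this recap, not code from the panel or from any panellist's organisation. The `/access <resource> <minutes>` command format, the four-hour ceiling, the resource names and the injectable clock are all assumptions made for the walkthrough.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional

# Assumed policy ceiling: no single grant may outlive this window.
MAX_GRANT = timedelta(hours=4)


@dataclass
class Grant:
    user: str
    resource: str        # e.g. a secret-manager path (constructed names below)
    granted_at: datetime
    expires_at: datetime
    revoked: bool = False


class JitAccessStore:
    """Records time-bound grants and revokes them automatically on expiry."""

    def __init__(self, clock: Optional[Callable[[], datetime]] = None):
        # Injectable clock so expiry can be exercised deterministically.
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._grants: List[Grant] = []
        self.audit: List[str] = []

    def request(self, user: str, resource: str, duration: timedelta) -> Grant:
        if duration <= timedelta(0) or duration > MAX_GRANT:
            raise ValueError(f"duration must be between 0 and {MAX_GRANT}")
        now = self._clock()
        grant = Grant(user, resource, now, now + duration)
        self._grants.append(grant)
        self.audit.append(f"GRANT {user} -> {resource} until {grant.expires_at.isoformat()}")
        return grant

    def has_access(self, user: str, resource: str) -> bool:
        # Fail closed: an expired grant confers nothing even before the sweep runs.
        now = self._clock()
        return any(
            g.user == user and g.resource == resource
            and not g.revoked and g.expires_at > now
            for g in self._grants
        )

    def revoke_expired(self) -> int:
        """Automated revocation sweep; returns how many grants were revoked."""
        now = self._clock()
        revoked = 0
        for g in self._grants:
            if not g.revoked and g.expires_at <= now:
                g.revoked = True
                revoked += 1
                self.audit.append(f"REVOKE {g.user} -> {g.resource} (expired)")
        return revoked


def handle_slack_command(store: JitAccessStore, user: str, text: str) -> str:
    """Assumed ChatOps format: '/access <resource> <minutes>'.

    Returns the reply the bot would post; the store decides whether to grant.
    """
    parts = text.split()
    if len(parts) != 2 or not parts[1].isdigit():
        return "usage: /access <resource> <minutes>"
    resource, minutes = parts[0], int(parts[1])
    try:
        grant = store.request(user, resource, timedelta(minutes=minutes))
    except ValueError as exc:
        return f"denied: {exc}"
    return f"granted {resource} to {user} until {grant.expires_at.strftime('%H:%M UTC')}"


class FakeClock:
    """Constructed clock for the walkthrough; advance() simulates time passing."""

    def __init__(self, start: datetime):
        self.now = start

    def __call__(self) -> datetime:
        return self.now

    def advance(self, delta: timedelta) -> None:
        self.now += delta


def walkthrough() -> dict:
    """Grant 30 minutes, watch it lapse, sweep it, then reject an over-long request."""
    clock = FakeClock(datetime(2025, 1, 15, 10, 0, tzinfo=timezone.utc))
    store = JitAccessStore(clock)
    reply = handle_slack_command(store, "dev-alice", "secrets/payments-db 30")
    before = store.has_access("dev-alice", "secrets/payments-db")
    clock.advance(timedelta(minutes=31))
    after = store.has_access("dev-alice", "secrets/payments-db")
    swept = store.revoke_expired()
    too_long = handle_slack_command(store, "dev-bob", "secrets/payments-db 600")
    return {"reply": reply, "before": before, "after": after,
            "swept": swept, "too_long": too_long, "audit": list(store.audit)}


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

Two design points carry the security weight: access checks compare against the clock directly, so a grant is dead the moment it expires regardless of when the revocation sweep last ran, and the ceiling is enforced at request time rather than trusting the requester to pick a sensible duration.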
The Technical Engine: Policy, Signals, and Legacy Systems
Implementing ZTA requires a robust technical backbone. The core of this architecture is the policy engine, which must handle the speed and complexity of context-based decisions.
The Role of Attributes and Signals
Zero Trust relies on attributes to build a dynamic trust score. These signals include the user, the location, the time of access, and significantly, device trust (OS version, antivirus status, etc.). For privileged users, behavioural analysis becomes critical: distinguishing between a human user and a bot.
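The following added example shows what a policy engine that turns these signals into a decision might look like. It is illustrative code written for this recap, not the panel's or any vendor's engine. The signal weights, the minimum OS version, the business-hours window, the request-rate cut-off for bot-like behaviour and the known-location set are all constructed assumptions; a real deployment would tune them from its own telemetry.

```python
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import Dict, List, Set, Tuple

# Assumed policy constants for this illustration.
MIN_OS_VERSION = (14, 0)        # oldest patched OS build accepted
BOT_RATE_PER_MINUTE = 60        # privileged sessions faster than this look automated
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # grant only after stronger authentication
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    privileged: bool
    location: str
    when: datetime
    os_version: str
    av_enabled: bool
    device_managed: bool
    actions_per_minute: float   # behavioural signal from the session so far


def parse_version(text: str) -> Tuple[int, ...]:
    try:
        return tuple(int(p) for p in text.split("."))
    except ValueError:
        return (0,)   # an unparseable version is treated as out of date


def trust_score(req: AccessRequest, known_locations: Set[str]) -> Tuple[int, List[str]]:
    """Start from full trust and subtract for each weak signal, recording why."""
    score, reasons = 100, []
    if not req.device_managed:
        score -= 40; reasons.append("unmanaged device")
    if not req.av_enabled:
        score -= 20; reasons.append("antivirus disabled")
    if parse_version(req.os_version) < MIN_OS_VERSION:
        score -= 15; reasons.append(f"os {req.os_version} below minimum")
    if req.location not in known_locations:
        score -= 20; reasons.append(f"unfamiliar location {req.location}")
    if req.when.hour not in BUSINESS_HOURS:
        score -= 10; reasons.append("outside business hours")
    if req.privileged and req.actions_per_minute > BOT_RATE_PER_MINUTE:
        score -= 60; reasons.append("request rate resembles automation")
    return max(score, 0), reasons


def decide(req: AccessRequest, known_locations: Set[str]) -> Tuple[Decision, int, List[str]]:
    score, reasons = trust_score(req, known_locations)
    # Privileged accounts must clear a higher bar; a mid-range score earns a
    # step-up challenge rather than an outright denial.
    threshold = 80 if req.privileged else 60
    if score >= threshold:
        return Decision.ALLOW, score, reasons
    if score >= threshold - 30:
        return Decision.STEP_UP, score, reasons
    return Decision.DENY, score, reasons


def sample_decisions() -> Dict[str, Tuple[Decision, int, List[str]]]:
    """Constructed requests covering a clean login, a risky context and a bot-like session."""
    known = {"blr-office", "corp-vpn"}
    daytime = datetime(2025, 1, 15, 11, 0)
    night = datetime(2025, 1, 15, 22, 0)
    cases = {
        "clean_user": AccessRequest("alice", False, "blr-office", daytime, "15.1", True, True, 5),
        "admin_odd_context": AccessRequest("root-bob", True, "unknown-exit", night, "15.1", True, True, 5),
        "admin_bot_rate": AccessRequest("root-bob", True, "corp-vpn", daytime, "15.1", True, True, 120),
        "unmanaged_old_os": AccessRequest("carol", False, "blr-office", daytime, "12.4", False, False, 5),
    }
    return {name: decide(req, known) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (decision, score, reasons) in sample_decisions().items():
        print(f"{name}: {decision.value} (score {score}) {reasons}")
```

The reasons list matters as much as the score: when the engine steps a user up or denies them, the help desk and the detection team both need to see which signal tipped the decision, and the same reasons are what you tune against when the false-positive rate starts to hurt adoption.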
The Legacy Challenge
Legacy systems remain a "pain point" for ZTA. While cloud-native infrastructure is easier to adapt, legacy setups often require a risk-based approach. Companies need to determine their level of risk tolerance for these systems, as there is no foolproof solution for incorporating 20-year-old tech stacks into a contemporary ZTA framework.
Measuring Success: KPIs for ZTA
How do you measure the success of a Zero Trust implementation? The panel highlighted several key metrics:
- Policy Coverage: Tracking the percentage of departments or applications migrated to the new framework.
- MTDR (Mean Time to Detect and Respond): ZTA should theoretically lower these times.
- Automation Levels: Measuring how much of the verification and revocation process is automated.
- Privileged User Monitoring: Specific KPIs track the behaviour and policy adherence of high-privilege accounts, as these represent the highest risk.
Conclusion
For organisations beginning this journey, the advice is clear: understand your context, secure your infrastructure, and do not attempt to implement everything on day one.