In the digital age, it’s too easy to impersonate a machine.

Hackers use this tactic to breach corporate network perimeter defenses and gain access to inside-the-firewall systems. Once inside, they move laterally from system to system, masquerading as a trustworthy entity logged on from a trusted device. In a ransomware attack, hackers seize and encrypt data, then extort money to decrypt it. Others steal corporate assets to sell to the highest bidder on the dark web. Many do both.

The firewall isn’t the only vulnerability to blame. It’s also the legacy architecture itself. When enterprise network security is inextricably linked to a device, the network simply isn’t secure. All it takes is one guessed password, one employee clicking on a link in a phishing email, one spoofed IP address, and the hacker is in...and everywhere.

A zero trust architecture (ZTA) secures a cloud-first, device-agnostic, work-from-anywhere way of doing business. Fundamental to a zero trust architecture is identity, which serves as the new basis for conditional access and is something every organization’s board of directors should understand and evangelize. Identity underpins zero trust and is the best way to manage secure connectivity to applications, destinations, and resources to protect the modern enterprise workplace.

Managing conditional access with identity and context

In a ZTA, there is no longer the concept of a corporate network, nor the burden of its costly, inefficient, and insecure infrastructure. Connectivity is direct and ephemeral: employees connect only to the applications or resources they need to do their work.

A ZTA relies on business-defined, conditional access to resources. Identity becomes the basis for allowing that access. But identity is only the first facet of zero trust authentication and the business policies associated with access. Identity links a user to context, which adds further validation layers to accurate identification. In establishing security and access, IT leaders can consider multiple types of context, including user, role, group, department, location, device, device status (e.g., managed or unmanaged, recognized or unrecognized, company-issued or employee-supplied), and many more.

Context provides the necessary breadth and depth to identity-based access. An employee in a sales department, for instance, might have access to cloud and internal resources specific to fulfilling sales duties, such as Salesforce or a company quota-tracking application. Similarly, an engineer might have access to development tools like GitHub or Jira. But neither the salesperson nor the engineer would have access to the other’s systems, nor would the separate systems be connected or accessible to or from each other in any way.

A ZTA solution employs context to signal compromise. If an identified employee is acting outside of expected norms, a ZTA solution can flag the unexpected behavior and take corrective action. Such out-of-context behavior might be an employee accessing systems not required for doing their work, trying to connect from a new device, or attempting to move proprietary digital assets to an external location.

In a ZTA environment, context governs connectivity. Context also limits the potential “blast radius.” In the event a hacker compromises an individual ZTA-environment device, they cannot move laterally to adjacent systems, since there are none connected. Any subsequent access requests would be out of context and rejected. Contrast that with traditional security architectures: if hackers breach a legacy network environment, they can adroitly move along a network path from one system to another.

Business policies define security (rather than the other way around)

The U.S. National Institute of Standards and Technology (NIST) ZTA standard notes that identity is “the key component of policy creation,” with resource access based on business privileges assigned to a specific person. Business-defined policies govern access. For instance, this particular sales employee can access resources A, B, and C; that particular engineering employee can access resources D, E, and F; and so on.

Such validation requires Identity and Access Management (IAM) services, ideally delivered via a cloud-based solution. IAM solutions—available from vendors like CA, Microsoft, Google, IBM, Okta, and many more—provide a scalable way to authenticate user access to resources outside the periphery of legacy corporate networks.

Why does context-based security matter?

A ZTA provides an access model attuned to the modern way of working: outside the office, beyond the data center, and in the cloud. Security and policy follow the user and the user’s data, wherever that user may be, wherever that data may reside, to whatever destination that user may connect, and on whatever device that user may employ.

ZTA context-based access improves upon a legacy network access model through:

Identity-based context, multi-factor authentication, and behavioral analysis that offer IT leaders better control of, visibility into, and ultimately governance over corporate resource access.
Required authorization—users cannot access resources or destinations without permission.
Context-based access solutions that easily scale to support governed access to cloud, data center-hosted, and on-premises resources.
The ability to set business policy at a macro or micro level, with resource access rules defined for both a group and an individual employee.
Access that is specific to the user and not the machine, meaning employees (and administrators) enjoy the same level of security regardless of the device used to access corporate resources.
Work-from-anywhere capabilities—users get the same access (and administrators ensure the same security) whether they work at headquarters, in a branch office, or from home.

Boards of directors and technology decision makers have the opportunity to lead enterprises forward from legacy device-based security to zero trust context-based access. Understanding the importance of identity is the first step toward that objective.

Read more about Zero Trust and how Zscaler helps organizations institute a ZTA.
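To make the identity-plus-context decision described above concrete, here is an added example in Python (not Zscaler’s code or any vendor’s IAM API): a deny-by-default evaluator in which identity selects the business policy and every context signal (role, device recognition and management state, location, MFA) must agree before access is granted, with each failed check recorded so out-of-context requests can be flagged. The role policies, device inventory, permitted locations and user names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed business policies: access is granted to a role, never to a
# machine, mirroring "sales gets A, B, C; engineering gets D, E, F".
ROLE_POLICIES = {
    "sales": {"salesforce", "quota-tracker"},
    "engineering": {"github", "jira"},
}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    device_id: str
    device_managed: bool
    location: str       # assumed attribute: country code derived from the session
    mfa_passed: bool

def evaluate(req: AccessRequest, known_devices: dict, allowed_locations: set):
    """Deny by default: identity picks the policy, then each context signal must agree.
    Returns (allowed, reasons); a non-empty reasons list is the signal to flag."""
    reasons = []
    if req.resource not in ROLE_POLICIES.get(req.role, set()):
        reasons.append(f"{req.resource} is not granted to role {req.role}")
    if not req.mfa_passed:
        reasons.append("multi-factor authentication not satisfied")
    if req.device_id not in known_devices.get(req.user, set()):
        reasons.append(f"device {req.device_id} is unrecognized for {req.user}")
    if not req.device_managed:
        reasons.append("device is unmanaged")
    if req.location not in allowed_locations:
        reasons.append(f"location {req.location} is outside policy")
    return (not reasons, reasons)

# Constructed inventory: devices each identity has previously been seen on,
# and the locations the business permits connections from.
KNOWN_DEVICES = {"alice": {"laptop-0042"}, "bob": {"laptop-0077"}}
ALLOWED_LOCATIONS = {"US", "CA"}

def scenarios():
    """Three constructed requests: in-context, out-of-role, and unrecognized device."""
    ok = AccessRequest("alice", "sales", "salesforce", "laptop-0042", True, "US", True)
    wrong_role = AccessRequest("alice", "sales", "github", "laptop-0042", True, "US", True)
    new_device = AccessRequest("bob", "engineering", "jira", "phone-9001", False, "US", True)
    return {name: evaluate(r, KNOWN_DEVICES, ALLOWED_LOCATIONS)
            for name, r in (("ok", ok), ("wrong_role", wrong_role), ("new_device", new_device))}
```

The third scenario is the article’s “new device” case: a valid identity with a valid credential is still rejected, and the recorded reasons are what a monitoring pipeline would use to raise the flag.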