Zero Trust Step 5B: Maintain Controls


Zero Trust Step 5B: Maintaining Security Controls

Breaches aren’t shocks; they’re late-stage symptoms of control decay. Drift turns “temporary” access into standing exposure and quietly erodes assurance. In this Threat Talks episode, Lieuwe Jan Koning and Rob Maas show how leaders keep Zero Trust Step 5 (Maintain) from undermining the entire program.

For CISOs and CIOs, this is assurance work, not housekeeping. Treat vendor features that ship disabled by default as unmitigated risk until validated. Reconcile expected vs. observed flows as a standing control test to surface lateral movement early. Close exceptions with expiry and evidence. The outcome: audit-ready proof that controls deliver their intended effect, even as cloud, Kubernetes, and service-mesh changes shift the ground beneath you. Step 5 is leadership—the discipline that proves security works before the board, the regulator, or an incident asks.

We cover:
• Policy validation that kills stale rules
• Feature activation: URL categories, EDR/XDR knobs
• Flow integrity: defend protect surfaces with reality checks
• Change triggers: cloud, Kubernetes, service-mesh shifts

Zero Trust Series:

• Zero Trust Step 1
• Zero Trust Step 2
• Zero Trust Step 3
• Zero Trust Step 4A
• Zero Trust Step 4B
• Zero Trust Step 5A

    Your cybersecurity experts

    Lieuwe Jan Koning
    Co-Founder and CTO
    ON2IT

    Rob Maas
    Field CTO
    ON2IT

    Episode details

    Temporary access becomes standing exposure unless you enforce expiry by design. In this episode, Lieuwe Jan Koning and Rob Maas show how small exceptions harden into standing privileges, turning today’s quick fix into tomorrow’s exposure—and how to arrest that decay.


    Skip the paperwork theater. Focus on the operational policy surface where risk is created or reduced: firewall rules, EDR allowlists, proxy categories. Every change requires validation and evidence. Temporary exceptions get an owner, an expiry, and a rollback—then they close. When vendors ship new capabilities—like “newly registered domain” categories—assume off by default means unmitigated risk until you evaluate and stage-enable with monitoring.
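The "owner, expiry, rollback, then close" discipline above is easy to state and easy to let slip. The following is an added example, not ON2IT's tooling and not code from the episode: it gates a new exception at change time and runs a standing audit over the live exception list so that expired or under-documented exceptions surface on every run. The rule format, the 90-day ceiling and the sample exceptions are constructed assumptions for illustration.

```python
"""Exception hygiene for the operational policy surface (firewall rules,
EDR allowlists, proxy categories): every temporary exception needs an
owner, an expiry and a rollback, and expired ones must be closed.

Added example, not ON2IT's tooling. The PolicyException format, the
90-day ceiling and SAMPLE are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_EXCEPTION_DAYS = 90  # assumed policy ceiling for anything called "temporary"


@dataclass
class PolicyException:
    rule_id: str
    description: str
    owner: Optional[str] = None
    expires: Optional[date] = None
    rollback: Optional[str] = None  # how to undo it: the rule to delete, the hash to drop, ...


def validate_new(exc: PolicyException, today: date,
                 max_days: int = MAX_EXCEPTION_DAYS) -> list[str]:
    """Change-time gate: return the reasons to reject an exception request.
    An empty list means the request carries the evidence the text demands."""
    problems = []
    if not exc.owner:
        problems.append("no owner")
    if exc.expires is None:
        problems.append("no expiry")
    elif exc.expires <= today:
        problems.append("expiry already passed")
    elif (exc.expires - today).days > max_days:
        problems.append(f"expiry exceeds {max_days}-day ceiling")
    if not exc.rollback:
        problems.append("no rollback")
    return problems


def audit(exceptions: list[PolicyException], today: date) -> dict[str, list[str]]:
    """Standing control test over the live exception list.
    close_now: expiry has passed, the exception must be removed today.
    missing_metadata: still live but lacks owner, expiry or rollback,
    i.e. it is already drifting toward a standing privilege."""
    report: dict[str, list[str]] = {"close_now": [], "missing_metadata": [], "ok": []}
    for exc in exceptions:
        if exc.expires is not None and exc.expires <= today:
            report["close_now"].append(exc.rule_id)
        elif not exc.owner or exc.expires is None or not exc.rollback:
            report["missing_metadata"].append(exc.rule_id)
        else:
            report["ok"].append(exc.rule_id)
    return report


# Constructed sample data (not real rules or people).
TODAY = date(2025, 1, 15)
SAMPLE = [
    PolicyException("fw-1042", "vendor VPN to DB subnet for migration",
                    owner="dba-team", expires=date(2024, 12, 31), rollback="delete fw-1042"),
    PolicyException("edr-allow-7", "allowlist build-agent binary hash",
                    owner="ci-team", expires=None, rollback="remove hash from allowlist"),
    PolicyException("proxy-cat-3", "unblock newly-registered-domains for one campaign",
                    owner="marketing", expires=date(2025, 2, 28), rollback="re-block category"),
    PolicyException("fw-2001", "RDP from jump host to app tier",
                    owner=None, expires=date(2025, 3, 1), rollback=None),
]


if __name__ == "__main__":
    for bucket, ids in audit(SAMPLE, TODAY).items():
        print(f"{bucket}: {ids}")
    print("new request:", validate_new(PolicyException("fw-3000", "test"), TODAY))
```

Run on a schedule, the `close_now` bucket is the list of rules to remove that day and the `missing_metadata` bucket is the evidence gap an auditor would otherwise find for you; `validate_new` belongs in the change pipeline so that an exception without the three fields never reaches the policy surface.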


    Then run the reality check: do expected transaction flows match observed traffic? If not, you’re either misconfigured—or compromised. Treat architecture shifts (cloud moves, Kubernetes, sidecarless service meshes) as triggers to loop back to Steps 1–3: re-baseline protect surfaces, re-map flows, and re-architect controls with intent.
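The reality check above, expected transaction flows versus observed traffic, is mechanical once both sides are expressed in the same terms. Below is an added example, not ON2IT's tooling and not from the episode: it maps observed flow-log entries to the protect-surface zones defined in the earlier steps, then reports flows that were seen but never mapped (misconfiguration or lateral movement) and flows that were mapped but never seen (a candidate stale rule). The zone CIDRs, the expected-flow set and the log lines are constructed assumptions.

```python
"""Flow integrity check: reconcile the expected transaction flows from the
protect-surface mapping against observed traffic.

Added example, not ON2IT's tooling. ZONES, EXPECTED, the log format and
SAMPLE_LOG are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import re

# Assumed zone map: protect-surface zone name -> network.
ZONES = {
    "user": ipaddress.ip_network("192.168.0.0/16"),
    "web": ipaddress.ip_network("10.1.0.0/16"),
    "app": ipaddress.ip_network("10.2.0.0/16"),
    "db": ipaddress.ip_network("10.9.0.0/16"),
}

# Assumed expected flows from the mapping step: (src_zone, dst_zone, proto, dport).
EXPECTED = {
    ("user", "web", "tcp", 443),
    ("web", "app", "tcp", 8080),
    ("app", "db", "tcp", 5432),
    ("app", "web", "tcp", 8443),  # mapped, but never seen in the sample log
}

# Assumed flow-log line format; real exports (NetFlow, firewall logs) differ.
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")

# Constructed sample log: three mapped flows plus two that were never mapped.
SAMPLE_LOG = """\
src=192.168.4.10 dst=10.1.0.20 proto=tcp dport=443
src=10.1.0.20 dst=10.2.0.30 proto=tcp dport=8080
src=10.2.0.30 dst=10.9.0.40 proto=tcp dport=5432
src=10.1.0.20 dst=10.9.0.40 proto=tcp dport=5432
src=192.168.4.10 dst=10.9.0.40 proto=tcp dport=22
src=10.2.0.30 dst=10.9.0.40 proto=tcp dport=5432
"""


def zone_of(ip: str) -> str:
    """Resolve an address to its zone; anything outside the map is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flows(log_text: str) -> dict[tuple[str, str, str, int], int]:
    """Collapse log lines to zone-level flows with a hit count per flow."""
    flows: dict[tuple[str, str, str, int], int] = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        src, dst, proto, dport = m.groups()
        key = (zone_of(src), zone_of(dst), proto.lower(), int(dport))
        flows[key] = flows.get(key, 0) + 1
    return flows


def reconcile(expected: set, observed: dict) -> dict[str, list]:
    """Compare both directions.
    unexpected: observed but not mapped -> misconfigured or compromised, investigate.
    unobserved: mapped but never observed -> rule may be stale, candidate for removal."""
    seen = set(observed)
    return {
        "unexpected": sorted(seen - expected),
        "unobserved": sorted(expected - seen),
    }


if __name__ == "__main__":
    observed = parse_flows(SAMPLE_LOG)
    for bucket, flows in reconcile(EXPECTED, observed).items():
        print(bucket)
        for f in flows:
            print("  ", f, f"(seen {observed.get(f, 0)}x)")
```

In the sample, web reaching the database directly and a user workstation opening SSH to the database are both reported as unexpected; neither is in the mapping, so either the policy allows more than intended or something is moving laterally. The app-to-web flow on 8443 was mapped but never observed, which is exactly the stale-rule candidate the policy-validation step should examine before it is kept.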


    For CISOs, CIOs, and security leaders, Step 5 isn’t tactical maintenance. It’s control assurance—how you prevent drift, demonstrate resilience, and show the board, auditors, and the business that your security works by design, not by luck.


      Get your Hacker T-shirt

      Join the treasure hunt!

      Find the code within this episode and receive your own hacker t-shirt for free.
