Zero Trust Step 5B: Maintain Controls
Zero Trust Step 5B: Maintaining Security Controls
Breaches aren’t shocks; they’re late-stage symptoms of control decay. Drift turns “temporary” access into standing exposure and quietly erodes assurance. In this Threat Talks episode, Lieuwe Jan Koning and Rob Maas show how leaders keep Zero Trust Step 5 (Maintain) from undermining the entire program.
For CISOs and CIOs, this is assurance work, not housekeeping. Treat vendor features that ship disabled by default as unmitigated risk until validated. Reconcile expected vs. observed flows as a standing control test to surface lateral movement early. Close exceptions with expiry and evidence. The outcome: audit-ready proof that controls deliver their intended effect, even as cloud, Kubernetes, and service-mesh changes shift the ground beneath you. Step 5 is leadership—the discipline that proves security works before the board, the regulator, or an incident asks.
We cover:
• Policy validation that kills stale rules
• Feature activation: URL categories, EDR/XDR knobs
• Flow integrity: defend protect surfaces with reality checks
• Change triggers: cloud, Kubernetes, service-mesh shifts
Zero Trust Series:
• Zero Trust Step 1
• Zero Trust Step 2
• Zero Trust Step 3
• Zero Trust Step 4A
• Zero Trust Step 4B
• Zero Trust Step 5A
Your cybersecurity experts
Lieuwe Jan Koning
Co-Founder and CTO
ON2IT
Episode details
Temporary access becomes standing exposure unless you enforce expiry by design. In this episode, Lieuwe Jan Koning and Rob Maas show how small exceptions harden into standing privileges, turning today’s quick fix into tomorrow’s exposure—and how to arrest that decay.
Skip the paperwork theater. Focus on the operational policy surface where risk is created or reduced: firewall rules, EDR allowlists, proxy categories. Every change requires validation and evidence. Temporary exceptions get an owner, an expiry, and a rollback—then they close. When vendors ship new capabilities—like “newly registered domain” categories—assume off by default means unmitigated risk until you evaluate and stage-enable with monitoring.
Then run the reality check: do expected transaction flows match observed traffic? If not, you’re either misconfigured—or compromised. Treat architecture shifts (cloud moves, Kubernetes, sidecarless service meshes) as triggers to loop back to Steps 1–3: re-baseline protect surfaces, re-map flows, and re-architect controls with intent.
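The two checks just described, exceptions that close at expiry and a reconciliation of expected flows against observed traffic, can be run as a standing control test. The script below is an added example, not code from the Threat Talks episode or from ON2IT; the zones, protect surfaces, rule ids and session log lines are constructed for illustration, and the `allowed` set is simply the Step 3 flow map plus whichever temporary exceptions are still valid at review time.

```python
"""Added example (not from the Threat Talks episode or ON2IT).
Runs two Step 5 control checks on constructed data:
  1. temporary exceptions close when expired or ownerless;
  2. expected transaction flows are reconciled against observed traffic.
Zones, protect surfaces, rule ids and log lines are all made up."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# A flow is (source zone, destination protect surface, destination port).
Flow = Tuple[str, str, int]


@dataclass(frozen=True)
class TempException:
    """A temporary allow rule: owner, expiry and rollback are mandatory by design."""
    rule_id: str
    flow: Flow
    owner: str            # empty owner means nobody is accountable, so it closes
    expires_at: datetime  # timezone-aware
    rollback: str         # what to re-apply when the exception closes


# Expected flows from the protect-surface flow map (constructed sample).
EXPECTED_FLOWS: Set[Flow] = {
    ("web-tier", "payments-db", 5432),
    ("batch", "payments-db", 5432),
    ("web-tier", "auth-svc", 443),
}

# Constructed exception register: one valid, one expired, one without an owner.
EXCEPTIONS: List[TempException] = [
    TempException("EX-101", ("ops-jump", "payments-db", 5432), "alice",
                  datetime(2024, 6, 1, tzinfo=timezone.utc), "remove rule EX-101"),
    TempException("EX-102", ("dev-lan", "payments-db", 5432), "bob",
                  datetime(2024, 4, 1, tzinfo=timezone.utc), "remove rule EX-102"),
    TempException("EX-103", ("vendor-vpn", "auth-svc", 443), "",
                  datetime(2024, 12, 31, tzinfo=timezone.utc), "remove rule EX-103"),
]

# Constructed firewall session log for the review window.
OBSERVED_LOG = """\
2024-05-02T10:00:01Z ALLOW src=web-tier dst=payments-db dport=5432
2024-05-02T10:00:05Z ALLOW src=web-tier dst=auth-svc dport=443
2024-05-02T10:01:10Z ALLOW src=ops-jump dst=payments-db dport=5432
2024-05-02T10:02:00Z ALLOW src=dev-lan dst=payments-db dport=5432
2024-05-02T10:03:00Z DENY src=guest-wifi dst=payments-db dport=5432
2024-05-02T10:04:00Z ALLOW src=web-tier dst=payments-db dport=22
"""

# Point in time at which the review runs (constructed).
REVIEW_TIME = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)


def exceptions_to_close(exceptions: List[TempException], now: datetime) -> List[str]:
    """Rule ids whose expiry has passed or that have no owner; these close now."""
    return [e.rule_id for e in exceptions if not e.owner or e.expires_at <= now]


def allowed_flows(exceptions: List[TempException], now: datetime) -> Set[Flow]:
    """Baseline flow map plus exceptions that are still valid at `now`."""
    live = {e.flow for e in exceptions if e.owner and e.expires_at > now}
    return EXPECTED_FLOWS | live


def parse_observed(log: str) -> Set[Flow]:
    """Flows that actually carried traffic: ALLOW lines only, a DENY is not a flow."""
    flows: Set[Flow] = set()
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[1] != "ALLOW":
            continue
        kv = dict(p.split("=", 1) for p in parts[2:])
        flows.add((kv["src"], kv["dst"], int(kv["dport"])))
    return flows


def reconcile(allowed: Set[Flow], observed: Set[Flow]) -> Dict[str, Set[Flow]]:
    """unexpected: observed but not allowed (misconfiguration or compromise).
    unseen: allowed but never observed in the window (stale-rule candidates)."""
    return {"unexpected": observed - allowed, "unseen": allowed - observed}


def run_check(now: datetime) -> Dict[str, object]:
    """Full Step 5 review: flow reconciliation plus the list of exceptions to close."""
    diff = reconcile(allowed_flows(EXCEPTIONS, now), parse_observed(OBSERVED_LOG))
    return {"unexpected": diff["unexpected"], "unseen": diff["unseen"],
            "close": exceptions_to_close(EXCEPTIONS, now)}


if __name__ == "__main__":
    for key, value in run_check(REVIEW_TIME).items():
        print(key, sorted(value))
```

On the constructed data the review flags two unexpected flows (the expired `dev-lan` exception is still in use, and `web-tier` reached the database on port 22, which was never mapped), one mapped flow that never appeared (`batch` to the database, a candidate for the stale-rule cull), and two exceptions to close. Each finding is the evidence a control review needs: an unexpected flow is investigated as misconfiguration or compromise, an unseen flow is a rule with no demonstrated need, and a closed exception is rolled back via the `rollback` field.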
For CISOs, CIOs, and security leaders, Step 5 isn’t tactical maintenance. It’s control assurance—how you prevent drift, demonstrate resilience, and show the board, auditors, and the business that your security works by design, not by luck.