Zombie Technology Needlessly Applied #ZTNA – #DhananjayRokde #iManEdge
EXECUTIVE SUMMARY
The global cybersecurity industry is in the grip of a structured, institutionalized delusion. The commoditization of Zero Trust Network Access (ZTNA)—a philosophy originally articulated by John Kindervag of Forrester Research in 2010 as a fundamental architectural overhaul—has been grotesquely mutated into a perimeter appliance: a glorified, cloud-hosted Virtual Private Network (VPN) with a marketing rebrand. The names on the boxes have changed. The underlying failure has not.
Commercial ZTNA solutions marketed by Zscaler, Palo Alto Networks (Prisma Access), Cisco (Duo/Umbrella), Netskope, and Cloudflare Access are, at their architectural core, identity-aware edge proxies. They authenticate a human identity at the boundary and grant access to an application segment. The moment that session is established, these platforms become architecturally blind to the vast, dynamic, unmanaged topology that actually governs modern enterprise infrastructure: the Non-Human Identity (NHI) fabric.
For every human identity operating in a modern enterprise environment, there are an estimated 45 Non-Human Identities. These include machine identities, service accounts with Administrator-level privileges, hardcoded API keys committed to version-controlled repositories, OAuth 2.0 bearer tokens with multi-year lifetimes, JSON Web Tokens (JWTs) that are never re-evaluated after issuance, and SAML assertions that can be forged outright if the IdP's signing key is compromised. Commercial ZTNA solutions, by design and by product charter, do not inspect, rotate, validate, or govern any of these identities.
The consequences of this architectural gap are not theoretical. They are documented, catastrophic, and recurring. The Lapsus$ extortion group's intrusions at Microsoft, NVIDIA, Okta, and Samsung in 2021-22 involved no zero-day exploits; they ran on token theft, session hijacking, and the harvesting of hardcoded internal credentials. The SolarWinds SUNBURST campaign, the most consequential espionage operation in the history of American digital infrastructure, used its trojanized update only to gain a foothold and then moved into cloud tenants on compromised service accounts and forged SAML assertions. Microsoft's Storm-0558 breach of 2023 pivoted on access tokens forged with a stolen Microsoft signing key. CircleCI's 2023 breach exposed customer secrets via a session token stolen from a compromised engineer's laptop. Every single one of these incidents occurred in environments where expensive commercial ZTNA or enterprise IAM solutions were deployed.
This report implicates not only the Original Equipment Manufacturers (OEMs) who sell architecturally incomplete products but also the analyst ecosystem—Gartner, Forrester—whose Magic Quadrant and Wave frameworks crown these products as ‘Leaders’ while systematically ignoring their most critical blind spots. Most culpably, it indicts the Big 4 consulting firms—Deloitte, PwC, EY, KPMG, and their proximate peer Accenture—whose implementation practices amount to a structured delivery of false security assurance at enterprise scale, billed at rates that would fund multiple genuine security engineering teams.
The result is an industry that has built, at a cumulative cost measured in the hundreds of billions, an elaborate steel door on a house with no walls. The breaches will continue. They must, because the incentive structures of the OEM-analyst-consulting complex are optimized for audit checkbox compliance, not adversarial resilience. This report is a reckoning.
1. THE GREAT PERIMETER LIE: COMMERCIAL ZTNA ARCHITECTURALLY DECONSTRUCTED
1.1 The Kindervag Mandate vs. the Commercial Product
John Kindervag's original Zero Trust formulation in 2010 was architecturally radical: eliminate the concept of a trusted internal network entirely. Every packet, every session, every workload communication must be authenticated, authorized, and continuously validated, regardless of whether it originates inside or outside a nominal perimeter. As the model matured through Google's BeyondCorp work and NIST SP 800-207, it came to demand microsegmentation at the workload level, mutual TLS (mTLS) for service-to-service communication, and a control plane that evaluates contextual signals (device posture, behavioral anomaly, time of day, geolocation) continuously and in real time.
What Zscaler sells as ‘Zero Trust Exchange,’ what Palo Alto Networks markets as ‘Prisma Access,’ and what Cisco packages as ‘Duo + Umbrella + SASE’ is structurally divergent from this mandate. These platforms operate as secure web gateways and application-layer proxies. A human user authenticates via SSO and MFA at an edge Point of Presence (PoP). The platform validates identity, enforces application access policy, and tunnels the session to the destination application. The authentication is real. The problem is what happens next.
Once the session is established and the tunnel is live, traffic inspection is application-layer at best and often stateless beyond the initial authentication event. The platform has no native capacity to inspect the internal API calls generated by the application on behalf of that session, no visibility into the microservices that the application invokes, and no mechanism to validate the NHI credentials those microservices use to communicate with downstream databases and cloud services. The Zero Trust perimeter ends at the gateway the millisecond the session is authorized.
| ⚠ The ZTNA Oxymoron A perimeter appliance cannot, by definition, enforce Zero Trust inside the network it protects. Calling an identity-aware edge proxy ‘Zero Trust’ is architecturally equivalent to calling a locked front door a ‘secure building.’ Both ignore the existence of other entry points, internal movement, and the reality that the threat may already be inside. Zscaler’s own architecture diagrams acknowledge the gap by deferring internal segmentation to ‘partner solutions’—an elegant way of admitting the product does not solve the problem it is sold to solve. |
1.2 What Commercial ZTNA Actually Protects Against
To be precise and fair: commercial ZTNA platforms are effective tools for a specific, bounded problem set. They eliminate legacy VPN sprawl, enforce application-level segmentation from unmanaged devices, and provide audit logs of human access events. These are genuine improvements over MPLS-based hub-and-spoke topologies and flat VPN architectures.
The vendor fraud is not in what these products do. It is in what they claim. When Zscaler’s marketing materials state ‘Zero Trust for all users, devices, and workloads,’ and when Palo Alto’s Prisma Access is positioned as a comprehensive Zero Trust implementation, those claims are materially false against the reality of internal workload-to-workload trust, NHI lifecycle management, and token validation. The gap between marketing claim and architectural reality is where breaches live.
| Capability Domain | Commercial ZTNA Coverage | Actual Gap |
|---|---|---|
| Human Identity Auth (Edge) | HIGH — SSO/MFA/SAML enforced | Session token theft post-auth bypasses it entirely |
| Device Posture Assessment | MODERATE — Agent-based checks | Ephemeral containers & CI/CD runners excluded |
| Application-Layer Access Control | HIGH — URL & app segmentation | Internal microservice-to-microservice traffic invisible |
| Non-Human Identity Management | NONE — Out of scope by design | 45:1 NHI-to-human ratio entirely unmanaged |
| API Key Lifecycle Governance | NONE | Hardcoded keys in repos, containers, and pipelines |
| OAuth / JWT Token Validation | NONE — Trusts IdP assertion | Forged or stolen tokens accepted as legitimate |
| Service Account Privilege Control | NONE | IAM users and roles with AdministratorAccess commonplace |
| Lateral Movement Detection | NONE post-gateway | East-west traffic invisible after tunnel establishment |
| SAML Assertion Integrity | TRUSTS IDP ENTIRELY | Golden SAML attacks fully successful against ZTNA |
2. THE 45:1 PROBLEM: NON-HUMAN IDENTITY PROLIFERATION
2.1 Taxonomy of the NHI Landscape
The term ‘identity’ in cybersecurity discourse has been colonized by the human authentication paradigm. Identity and Access Management (IAM), Privileged Access Management (PAM), and Identity Governance & Administration (IGA) platforms—CyberArk, SailPoint, Saviynt, BeyondTrust—were architecturally designed around the human user lifecycle: hire-to-fire, role-based access, periodic recertification. These tools are meaningful and important. They are also, however, increasingly peripheral to the actual attack surface of a cloud-native enterprise.
The Ponemon Institute and Venafi's 2023 research established that the average enterprise now manages approximately 45 NHIs for every human identity. In hyperscale cloud environments (AWS, Google Cloud Platform, Microsoft Azure) this ratio is frequently an order of magnitude higher. Each of these NHIs represents a potential credential that, if compromised, grants persistent, trusted, often Administrator-level access to systems that no ZTNA platform monitors.
Machine Identities
Server certificates, container identities (Kubernetes service accounts), and instance profile roles in cloud environments. The explosion of containerized microservices has produced environments where a single Kubernetes cluster may contain thousands of distinct service account identities, many provisioned automatically by deployment pipelines with default, over-privileged RBAC bindings. AWS’s own shared responsibility documentation notes that misconfigured IAM roles represent one of the top sources of cloud incident escalation.
Service Accounts & Cloud IAM Roles
Service accounts with programmatic access to cloud APIs are the most dangerous class of NHI. In practical enterprise environments—audited repeatedly over two decades of CISO advisory work across 42 countries—it is standard to encounter AWS IAM users, functioning as service accounts, bearing the AdministratorAccess managed policy because developers required S3 write access and chose the path of least friction. These accounts never expire. They are never rotated. They survive team restructurings, vendor transitions, and application deprecations. They are, in effect, immortal, all-powerful ghosts in the machine.
API Keys & Static Credentials
The GitGuardian State of Secrets Sprawl 2024 report identified over 12.8 million secrets exposed in public GitHub repositories in a single year, a 28% increase year-over-year. These include AWS access key IDs, Stripe payment processing keys, Twilio authentication tokens, Slack webhook URLs, and database connection strings. The median time for an exposed secret to be detected and rotated, per the same research, exceeds 300 days. For three hundred days, an adversary holding that credential has authenticated, authorized access to whatever that API key governs, fully invisible to any ZTNA platform, behavioral analytics engine, or SIEM.
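The credential classes in the paragraph above share recognizable shapes, which is why pre-commit secret scanning catches most of them before they ever reach a repository. The scanner below is an added example written for this report, not GitGuardian's tooling and not code from the original article. The file contents it scans are constructed; the AWS values are the placeholder keys from AWS's own documentation, and the repository paths and entropy threshold are assumptions.

```python
import math
import re

# Added example: pattern-based secret detection over staged file contents.
# Patterns follow publicly documented credential formats. Sample inputs below
# are constructed; the AWS values are AWS's documentation placeholders.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "slack_webhook": re.compile(
        r"https://hooks\.slack\.com/services/T[0-9A-Z]+/B[0-9A-Z]+/[0-9A-Za-z]+"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "db_connection_string": re.compile(
        r"\b(?:postgres|postgresql|mysql|mongodb)(?:\+srv)?://[^:\s/]+:[^@\s]+@"),
    # Generic "name = 'value'" assignments; group 2 is the candidate secret.
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|pwd|secret|token)\s*[=:]\s*['\"]([^'\"\s]{8,})['\"]"),
}

# Generic matches are reported only above this entropy (bits per character),
# which drops placeholders such as "changeme" while keeping real credentials.
# The value is an assumption; tune it per code base.
ENTROPY_FLOOR = 3.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    length = len(s)
    return -sum((s.count(c) / length) * math.log2(s.count(c) / length) for c in set(s))


def scan_text(path: str, text: str):
    """Return (path, line_no, kind) for every line matching a pattern."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match is None:
                continue
            if kind == "generic_assignment" and shannon_entropy(match.group(2)) < ENTROPY_FLOOR:
                continue  # low-entropy placeholder, not a credential
            findings.append((path, line_no, kind))
    return findings


def scan_files(files: dict):
    """Scan a {path: text} mapping, e.g. the files staged in a pre-commit hook."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed repository contents for the demonstration.
SAMPLE_FILES = {
    ".env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "SLACK_WEBHOOK=https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX\n"
    ),
    "scripts/deploy.ps1": (
        "$vaultPassword = \"V4ult-R00t-P@ss-2019\"   # hardcoded PAM vault credential\n"
        "$password = \"changeme\"                    # low entropy, not reported\n"
    ),
    "config.yaml": "database_url: postgres://app:Sup3r-S3cret-DB-Pw@db.internal:5432/app\n",
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n",
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment; never commit it.\n",
}

if __name__ == "__main__":
    for path, line_no, kind in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no}: {kind}")
```

Wired into a pre-commit hook, `scan_files` blocks the commit the moment a finding appears; the entropy floor is the usual trade-off between catching short real passwords and ignoring placeholder strings.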
OAuth Tokens & JWT Lifecycle
OAuth 2.0 and OpenID Connect have become the de facto authorization fabric of the modern web. Bearer tokens, which grant access to whoever presents them with no proof of possession required, are issued with lifetimes that range from minutes (best practice) to years (observed enterprise reality). JSON Web Tokens signed with HS256 and a shared secret, or with RS256 and an improperly protected private key, can be forged by anyone who obtains that secret. Even without key compromise, access tokens that are not subject to Continuous Access Evaluation (CAE) remain valid after the conditions that warranted their issuance have changed: the user's account is suspended, the device is flagged as compromised, the IP shifts to a known threat actor range. The token is still valid. The door remains open.
| ⚠ The Orphan Identity Problem NHIs do not naturally die. Human identities are terminated when an employee offboards—HR triggers an IAM workflow, access is revoked. NHIs have no such termination trigger. When a project is deprecated, when a vendor contract ends, when a contractor’s engagement concludes, the associated service accounts, API keys, and OAuth client registrations persist in perpetuity unless explicitly deprecated by an engineer who may no longer exist in the organization. These orphaned identities are among the most exploited credential classes in the threat intelligence corpus. |
2.2 The NHI Lifecycle: Birth, Life, and the Undead
The lifecycle vulnerability of NHIs maps to a consistent pattern observed across enterprise environments globally:
- BIRTH (Unregulated Creation): A developer provisions a service account or API key under deadline pressure. The path of least resistance is AdministratorAccess or equivalent. Least privilege is acknowledged as best practice and deferred to 'after launch.' It never happens. CI/CD pipelines automate the creation of cloud IAM roles with policies copied from Stack Overflow examples that include wildcards ("Action": "*", "Resource": "*").
- LIFE (Unmonitored Operation): The NHI operates invisibly. Unlike human identities—which generate login events, password reset requests, MFA prompts, and access reviews—NHIs generate purely programmatic traffic. They never trigger MFA. Their behavioral baseline is regular, high-volume, and entirely automated, making anomaly detection both difficult and noisy. PAM tools that monitor human privileged access have no integration point for most NHIs.
- DEATH (The Orphan State): Projects end. Applications are decommissioned. Engineers leave. The NHI credential remains active, valid, and undiscovered. It sits in a deprecated Lambda function, in a .env file committed to a repository that was private until a misconfigured migration made it public, in a Confluence page from 2019 that no one has reviewed since.
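The wildcard policy described under BIRTH is trivially detectable at creation time, which is the moment it should be caught, in the pipeline that creates the role. The linter below is an added example written for this report, not code from the original article or from any vendor. The three policy documents it checks are constructed for one CI identity whose only job is to upload build artifacts to a bucket; the bucket name, prefix and escalation-action list are assumptions.

```python
import json

# Added example: lint IAM policy documents for the over-privilege patterns that
# get copied into CI-generated roles. The policies below are constructed.
OVERPRIVILEGED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

SERVICE_WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
})

# Least-privilege equivalent for the same job (bucket and prefix are assumptions).
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:AbortMultipartUpload"],
            "Resource": "arn:aws:s3:::build-artifacts-prod/ci/*",
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::build-artifacts-prod",
            "Condition": {"StringLike": {"s3:prefix": ["ci/*"]}},
        },
    ],
})

# Actions that let an identity grant itself more than the policy says (assumed list).
ESCALATION_ACTIONS = {
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:AttachRolePolicy",
    "iam:PutRolePolicy", "iam:AttachUserPolicy", "sts:AssumeRole",
}


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json: str):
    """Return (statement_index, reason) findings for the Allow statements of a policy."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a broad Deny only narrows access; only Allow can widen it
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, "NotAction/NotResource grants everything not listed"))
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append((i, "Action '*' grants every API call in every service"))
        else:
            for action in actions:
                if action.endswith(":*"):
                    findings.append((i, f"service-wide wildcard {action}"))
                if action in ESCALATION_ACTIONS:
                    findings.append((i, f"{action} enables privilege escalation; scope it tightly"))
        if "*" in resources and "Condition" not in stmt:
            findings.append((i, "Resource '*' with no Condition"))
    return findings


if __name__ == "__main__":
    for name, doc in [("overprivileged", OVERPRIVILEGED_POLICY),
                      ("service wildcard", SERVICE_WILDCARD_POLICY),
                      ("least privilege", LEAST_PRIVILEGE_POLICY)]:
        print(name, "->", lint_policy(doc) or "clean")
```

Run it as a pipeline gate on every policy document before `iam:CreateRole` or `iam:PutRolePolicy` executes; a non-empty result fails the build, which is the cheapest point in the NHI lifecycle to enforce least privilege.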
3. BREACH AUTOPSY: SEVEN CASE STUDIES THAT ZTNA COULD NOT STOP
Case Study I: Lapsus$ — Social Engineering the Machine (2021-2022)
The Lapsus$ extortion group executed a series of intrusions against Microsoft, NVIDIA, Samsung, Okta, and T-Mobile between 2021 and 2022 that the U.S. Cyber Safety Review Board (CSRB) later described as 'sophisticated threat actors employing low-sophistication methods', a devastating characterization of industry defenses. The group's primary techniques were MFA fatigue attacks (bombarding users with push notifications until one was accidentally approved), SIM swapping to intercept SMS MFA codes, and the direct recruitment of insiders with access to corporate VPNs and remote desktop environments.
More critically for this analysis: once inside, Lapsus$ targeted developer environments—Confluence wikis, Jira instances, GitLab repositories—specifically to harvest hardcoded credentials. At Microsoft, they extracted source code repositories. At NVIDIA, they exfiltrated the Lite Hash Rate limiter bypass and proprietary GPU firmware. In each case, the lateral movement from initial human identity compromise to high-value NHI credential harvest occurred entirely within the blast radius of a perimeter ZTNA that had already authenticated the initial session. The ZTNA gateway logged a successful authentication event. The subsequent exfiltration was invisible.
ZTNA Vendor Failure Analysis: No commercial ZTNA platform deployed by any of the breached organizations flagged the anomalous access to internal developer portals, the bulk download of repository archives, or the enumeration of hardcoded credentials in configuration management systems. Because all activity originated from an authenticated, authorized session, it was—by design—trusted.
Case Study II: SolarWinds SUNBURST — Golden SAML at National Scale (2020)
The SUNBURST attack, attributed to the Russian Foreign Intelligence Service (SVR) and tracked as UNC2452 (APT29, Cozy Bear), represents the definitive case study in NHI and token-based breach methodology. The attack vector was a trojanized update to the SolarWinds Orion platform, downloaded by approximately 18,000 organizations; from that pool the actors selected a far smaller set of targets for hands-on follow-up, including at least nine U.S. federal agencies.
The post-compromise methodology is what is relevant here. Having established a foothold via the trojanized binary, the threat actors employed a technique known as Golden SAML: forging SAML authentication tokens by extracting the Active Directory Federation Services (AD FS) token-signing certificate from the compromised on-premises infrastructure. With the signing key in hand, the adversary could mint arbitrary SAML assertions asserting any identity, any role, any attribute claim. These forged tokens were presented to cloud services (Microsoft 365, Azure AD) and accepted as legitimate by every ZTNA or Conditional Access policy that relied on SAML IdP trust.
The implications are total: no perimeter ZTNA product can validate the internal integrity of a SAML assertion it trusts. The entire model of perimeter ZTNA—trust the IdP, grant access based on the IdP’s assertion—collapses the moment the IdP is compromised. ZTNA did not fail because it was misconfigured; it failed because it was deployed as designed, against an attack for which its design provides no defense.
Vendors Implicated: Microsoft Azure AD Conditional Access (a form of ZTNA policy enforcement), Palo Alto Networks Cortex XSOAR (deployed at multiple affected agencies as the SOC platform), and various Zscaler deployments across the federal contractor ecosystem. None detected the Golden SAML activity. Detection came through anomaly analysis by FireEye’s incident response team, not from any ZTNA or SIEM alert.
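Because a Golden SAML assertion carries a valid signature, the relying party cannot detect it by inspecting the assertion alone. The detection that works is out-of-band correlation between what the service provider accepted and what the IdP actually issued (AD FS security event ID 1200, 'The Federation Service issued a valid token'), plus a check that the assertion's validity window is no longer than the IdP is configured to issue. The detector below is an added example written for this report, not code from the original article, from FireEye, CISA, or any vendor. The assertions, AD FS events, hostname, subjects and the one-hour maximum are constructed assumptions; signatures are omitted from the constructed assertions because a forged assertion's signature verifies anyway.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Added example: Golden SAML detection by correlating accepted assertions with
# the IdP's own issuance log. All data below is constructed.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
IDP_MAX_LIFETIME = timedelta(hours=1)      # AD FS issues 60-minute tokens by default
CORRELATION_WINDOW = timedelta(minutes=2)  # tolerated clock skew between IdP and SP logs


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text: str) -> dict:
    """Extract issuer, subject and validity window from a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    conditions = root.find("saml:Conditions", NS)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "subject": root.find("saml:Subject/saml:NameID", NS).text,
        "not_before": _ts(conditions.get("NotBefore")),
        "not_on_or_after": _ts(conditions.get("NotOnOrAfter")),
    }


def detect_golden_saml(assertions, adfs_events):
    """Return (subject, [reasons]) for each accepted assertion the IdP never
    issued, or whose validity window exceeds what the IdP can issue."""
    alerts = []
    for xml_text in assertions:
        a = parse_assertion(xml_text)
        reasons = []
        lifetime = a["not_on_or_after"] - a["not_before"]
        if lifetime > IDP_MAX_LIFETIME:
            reasons.append(f"validity window {lifetime} exceeds IdP maximum {IDP_MAX_LIFETIME}")
        issued = any(
            event["event_id"] == 1200
            and event["user"].lower() == a["subject"].lower()
            and abs(event["time"] - a["not_before"]) <= CORRELATION_WINDOW
            for event in adfs_events
        )
        if not issued:
            reasons.append("no AD FS event 1200 (token issued) for this subject near NotBefore")
        if reasons:
            alerts.append((a["subject"], reasons))
    return alerts


def _assertion(subject: str, not_before: str, not_on_or_after: str) -> str:
    """Constructed assertion body; the Signature element is omitted on purpose."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">'
        "<saml:Issuer>http://adfs.corp.example/adfs/services/trust</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>'
        "</saml:Assertion>"
    )


# What the service-provider side (cloud sign-in logs) accepted. The second
# assertion is the forged one: a service identity with a one-year window.
SEEN_ASSERTIONS = [
    _assertion("alice@corp.example", "2020-12-08T14:00:05Z", "2020-12-08T15:00:05Z"),
    _assertion("svc-globaladmin@corp.example", "2020-12-08T14:03:00Z", "2021-12-08T14:03:00Z"),
]

# What AD FS actually issued (security log; 1202 is the credential validation
# that precedes a 1200 issuance).
ADFS_EVENTS = [
    {"event_id": 1202, "user": "alice@corp.example", "time": _ts("2020-12-08T14:00:03Z")},
    {"event_id": 1200, "user": "alice@corp.example", "time": _ts("2020-12-08T14:00:04Z")},
]

if __name__ == "__main__":
    for subject, reasons in detect_golden_saml(SEEN_ASSERTIONS, ADFS_EVENTS):
        print(subject, "->", "; ".join(reasons))
```

The correlation only works if AD FS issuance events are shipped to the same SIEM as the cloud sign-in logs and retained for the same period; a forged assertion for a subject that has no AD FS event at all is the strongest signal, and a multi-year validity window is the laziest tell.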
Case Study III: Okta Support System Breach — HAR File Token Theft (2023)
In October 2023, Okta, a company whose core commercial proposition is identity security, disclosed that a threat actor had gained access to its support case management system. The vector: a stolen HAR (HTTP Archive) file. HAR files are diagnostic artifacts generated by web browsers for troubleshooting. Customers routinely submit them to support teams. They contain, verbatim, all HTTP headers transmitted during the captured session, including session cookies and Authorization bearer tokens.
A threat actor accessed the support system using a service account credential that, per Okta's own post-incident finding, an employee had saved into a personal Google profile on an Okta-managed laptop (itself an NHI failure). The actor retrieved HAR files submitted by customers BeyondTrust, Cloudflare, and 1Password, extracted valid session tokens from those files, and replayed them against the customers' Okta administrative consoles. The critical failure: the session tokens had not expired, and nothing re-evaluated them after issuance. The customers' own ZTNA and Zero Trust policies were anchored to the very IdP whose session management had been compromised.
This breach is instructive on multiple levels. First, it demonstrates that a ZTNA relying on Okta as its identity provider inherits Okta’s vulnerabilities—a fact no vendor marketing material acknowledges. Second, it demonstrates that token lifetime management is a non-negotiable security control, not a UX inconvenience to be optimized away. Third, it demonstrates that NHI artifacts (in this case, session tokens functioning as NHI credentials for automated API interactions) can be exfiltrated via legitimate support channels with zero anomaly indicators.
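The direct mitigation for the HAR problem is to strip credentials from the capture before it leaves the customer's machine. The sanitizer below is an added example written for this report, not Okta's or Cloudflare's tooling and not code from the original article. The HAR it processes is constructed, every secret value in it is a fabricated placeholder, and the header and parameter name lists are assumptions that should be extended for a given application.

```python
import json
import re

# Added example: redact session and token material from a HAR capture before
# it is attached to a support case. The HAR below is constructed.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
SENSITIVE_QUERY_PARAMS = {"access_token", "id_token", "code", "token", "session"}
# Credential parameters in form bodies, JSON bodies and query strings (assumed list).
SECRET_PARAM = re.compile(
    r"(\b(?:access_token|refresh_token|id_token|client_secret|password|code)\b\"?\s*[:=]\s*\"?)"
    r"([^&\"\s,}]+)"
)


def _redact_text(text: str):
    """Replace credential values inside a body; returns (new_text, count)."""
    return SECRET_PARAM.subn(r"\1[REDACTED]", text)


def sanitize_har(har_text: str):
    """Return (sanitized HAR JSON, number of values redacted)."""
    har = json.loads(har_text)
    redacted = 0
    for entry in har["log"]["entries"]:
        for side in ("request", "response"):
            message = entry.get(side, {})
            for header in message.get("headers", []):
                if header["name"].lower() in SENSITIVE_HEADERS:
                    header["value"] = "[REDACTED]"
                    redacted += 1
            for cookie in message.get("cookies", []):   # parsed cookie jar
                cookie["value"] = "[REDACTED]"
                redacted += 1
        request = entry["request"]
        for param in request.get("queryString", []):
            if param["name"].lower() in SENSITIVE_QUERY_PARAMS:
                param["value"] = "[REDACTED]"
                redacted += 1
        post = request.get("postData")
        if post and post.get("text"):
            post["text"], n = _redact_text(post["text"])
            redacted += n
        content = entry.get("response", {}).get("content", {})
        if content.get("text"):                          # e.g. a /token response body
            content["text"], n = _redact_text(content["text"])
            redacted += n
    return json.dumps(har, indent=2), redacted


# Constructed HAR with two entries: an authenticated admin API call and an
# OAuth client-credentials exchange. All secret values are fabricated.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "creator": {"name": "browser", "version": "1"}, "entries": [
    {"request": {"method": "GET", "url": "https://admin.example/api/v1/users?limit=50",
                 "headers": [{"name": "Authorization", "value": "Bearer eyJ.FAKE-TOKEN.sig"},
                             {"name": "Cookie", "value": "sid=FAKESESSION123; theme=dark"},
                             {"name": "Accept", "value": "application/json"}],
                 "cookies": [{"name": "sid", "value": "FAKESESSION123"}],
                 "queryString": [{"name": "limit", "value": "50"}]},
     "response": {"status": 200,
                  "headers": [{"name": "Set-Cookie", "value": "sid=FAKESESSION456; Secure; HttpOnly"}],
                  "cookies": [{"name": "sid", "value": "FAKESESSION456"}],
                  "content": {"mimeType": "application/json", "text": "{\"users\": []}"}}},
    {"request": {"method": "POST", "url": "https://login.example/oauth2/token",
                 "headers": [{"name": "Content-Type", "value": "application/x-www-form-urlencoded"}],
                 "cookies": [], "queryString": [],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "grant_type=client_credentials&client_id=app1&client_secret=FAKESECRET789"}},
     "response": {"status": 200, "headers": [], "cookies": [],
                  "content": {"mimeType": "application/json",
                              "text": "{\"access_token\":\"FAKEACCESS000\",\"token_type\":\"Bearer\"}"}}},
]}})

if __name__ == "__main__":
    clean, count = sanitize_har(SAMPLE_HAR)
    print(f"redacted {count} values")
```

Sanitizing the file is necessary but not sufficient: the tokens in the original capture are still live on the customer's side, so a support workflow that accepts HAR files should also treat receipt of one as a signal to shorten or revoke the sessions it contains.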
Case Study IV: CircleCI — CI/CD Pipeline Token Compromise (2023)
In January 2023, CI/CD platform CircleCI disclosed a significant security incident in which a threat actor obtained access to customer secrets stored in CircleCI's pipeline environment. The root cause: malware deployed on an engineer's laptop captured a 2FA-backed SSO session cookie, bypassing MFA entirely. The adversary then used this session to access CircleCI's internal systems, extract encryption keys and database credentials, and decrypt a subset of customer environment variables and tokens.
The significance for NHI analysis: CircleCI’s environment variables and ‘contexts’ feature stores—precisely—the NHI credentials that CI/CD pipelines require to authenticate to cloud environments, container registries, code repositories, and deployment targets. Customers of CircleCI store AWS access keys, GCP service account JSON files, Docker Hub credentials, npm registry tokens, and Kubernetes kubeconfig files in CircleCI contexts. The breach was not of a human credential vault. It was of the NHI credential fabric of thousands of software delivery pipelines.
CircleCI’s post-incident recommendation was that all customers rotate every secret stored in CircleCI contexts. The industry should have heard that recommendation as what it was: an acknowledgment that NHI credentials were being stored centrally, without Hardware Security Module (HSM) protection, without automatic rotation, and without the kind of continuous validation that would have flagged the mass extraction. No ZTNA product in the ecosystem detected, flagged, or mitigated any aspect of this incident.
Case Study V: Microsoft Storm-0558 — Forged OAuth Token, Azure Breach (2023)
In July 2023, Microsoft disclosed that a Chinese nation-state threat actor designated Storm-0558 had accessed the email accounts of approximately 25 organizations including the U.S. Department of State and the U.S. Department of Commerce. The mechanism: forged access tokens, signed with a Microsoft account (MSA) consumer signing key that Storm-0558 had obtained through a compromise of Microsoft's internal infrastructure that Microsoft has never fully explained.
The implications are structurally identical to the Golden SAML scenario but applied to the OAuth ecosystem. The tokens were accepted because they were validly signed by a key in Microsoft's trusted set; the validation path that accepted them did not check that an MSA consumer key was not entitled to sign tokens for enterprise Azure AD tenants, so a correct signature from the wrong key for the claimed issuer was treated as legitimate. The ZTNA policy correctly verified the presented credential. The credential itself was fraudulent, and the policy had no mechanism to detect that, because it was designed to trust a cryptographic signature rather than to check which issuers the signing key was entitled to sign for.
The Cyber Safety Review Board's April 2024 review found a cascade of avoidable security failures at Microsoft and noted that Microsoft could only hypothesize how the key left its isolated production environment, its leading theory being a crash dump that was moved into a corporate debugging environment. Microsoft's Azure ecosystem is sold as a Zero Trust-native platform. It was the platform itself that was compromised, rendering all customer ZTNA policies built on it structurally unreliable.
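The two token failures this report describes, a token signed by a key that was never entitled to sign for the claimed issuer (Storm-0558, above) and a token that stays valid after the conditions behind its issuance have changed (the OAuth/JWT lifecycle discussion in section 2.1), are both caught by a validator that checks more than signature and expiry. The validator below is an added example written for this report, not Microsoft's code and not code from the original article. It uses HS256 so that it runs without a cryptography library; production IdPs sign with RS256 or ES256, but the checks are identical. The keyring, issuer URLs, subjects, audience and revocation set are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Added example: JWT validation with key-to-issuer binding and a
# continuous-evaluation revocation check. All keys and claims are constructed.


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(secret: bytes, kid: str, claims: dict) -> str:
    """Sign claims as an HS256 JWT under key id `kid` (stands in for an IdP, or an attacker holding its key)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def _signature_ok(secret: bytes, header_b64: str, payload_b64: str, sig_b64: str) -> bool:
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


# Each key records the issuer(s) it is entitled to sign for. Storm-0558's tokens
# were signed by a consumer key yet claimed an enterprise issuer.
CORP_ISSUER = "https://login.example/corp-tenant"
CONSUMER_ISSUER = "https://login.example/consumers"
KEYRING = {
    "ent-2023": {"secret": b"enterprise-signing-key-constructed", "issuers": {CORP_ISSUER}},
    "msa-2016": {"secret": b"consumer-signing-key-constructed", "issuers": {CONSUMER_ISSUER}},
}


def validate_naive(token: str, keyring: dict, now: int):
    """Signature and expiry only: accepts any token signed by any trusted key."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    key = keyring.get(header.get("kid"))
    if key is None or not _signature_ok(key["secret"], header_b64, payload_b64, sig_b64):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    return claims if claims.get("exp", 0) > now else None


def validate_strict(token: str, keyring: dict, expected_iss: str, expected_aud: str,
                    now: int, revoked: set):
    """Signature, key-to-issuer binding, audience, validity window, and a CAE-style
    revocation check. Returns (claims, None) on success or (None, reason)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    key = keyring.get(header.get("kid"))
    if key is None:
        return None, "unknown kid"
    if not _signature_ok(key["secret"], header_b64, payload_b64, sig_b64):
        return None, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        return None, "wrong issuer"
    if expected_iss not in key["issuers"]:   # the check Storm-0558 exploited the absence of
        return None, f"key {header['kid']} is not entitled to sign for {expected_iss}"
    if claims.get("aud") != expected_aud:
        return None, "wrong audience"
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return None, "outside validity window"
    if claims.get("sub") in revoked:         # conditions changed after issuance
        return None, "subject revoked after issuance"
    return claims, None


NOW = 1_700_000_000  # constructed "current time" (Unix seconds)


def demo() -> dict:
    """Forged-key and post-issuance-revocation scenarios; returns the outcomes."""
    forged = mint_token(KEYRING["msa-2016"]["secret"], "msa-2016",
                        {"iss": CORP_ISSUER, "sub": "admin@corp.example", "aud": "mail", "exp": NOW + 3600})
    legit = mint_token(KEYRING["ent-2023"]["secret"], "ent-2023",
                       {"iss": CORP_ISSUER, "sub": "alice@corp.example", "aud": "mail", "exp": NOW + 86400 * 365})
    return {
        "naive_accepts_forged": validate_naive(forged, KEYRING, NOW) is not None,
        "strict_rejects_forged": validate_strict(forged, KEYRING, CORP_ISSUER, "mail", NOW, set())[1],
        "strict_accepts_legit": validate_strict(legit, KEYRING, CORP_ISSUER, "mail", NOW, set())[1] is None,
        # Account suspended after issuance: still unexpired for a year, no longer usable.
        "strict_rejects_revoked": validate_strict(legit, KEYRING, CORP_ISSUER, "mail", NOW,
                                                  {"alice@corp.example"})[1],
    }


if __name__ == "__main__":
    print(demo())
```

The revocation set stands in for whatever signal source a deployment has (an IdP's CAE events, a session store, a device-posture feed); the point is that a resource server consults it on every request rather than trusting `exp` alone.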
Case Study VI: Uber API Breach — OAuth Token via Social Engineering (2022)
In September 2022, Uber disclosed a breach attributed to the Lapsus$-affiliated threat actor 'teapotuberhacker.' The initial vector was social engineering: the attacker convinced an Uber contractor to approve an MFA push notification after repeated attempts (MFA fatigue). Once authenticated, the attacker discovered a network share containing PowerShell scripts, one of which contained hardcoded credentials to a Privileged Access Management vault. Using those credentials, the attacker accessed CyberArk secrets and used them to authenticate to Uber's internal tools, including HackerOne, where active vulnerability reports were viewed, and Uber's AWS, GCP, and Google Workspace environments.
The chain of failures is instructive: (1) MFA fatigue bypassed human authentication; (2) a hardcoded NHI credential in a PowerShell script on a network share bypassed the PAM tool’s purpose; (3) PAM vault credentials then unlocked cloud service credentials; (4) cloud service access provided lateral movement to GCP, AWS, and SaaS platforms. Commercial ZTNA authenticated the initial MFA-fatigue session. Every subsequent step occurred within the authenticated, trusted session context.
Case Study VII: Optus API Breach — Unauthenticated BOLA (2022)
In September 2022, Australian telecommunications carrier Optus disclosed the exfiltration of personal data of approximately 11.2 million current and former customers. The root cause, confirmed by subsequent regulatory investigation: an API endpoint accessible on the public internet with no authentication requirement, returning a customer record for each enumerated identifier in the query, a textbook Broken Object Level Authorization (BOLA) vulnerability, classified as API Security Risk #1 in the OWASP API Security Top 10.
This breach did not involve any compromise of user credentials, session tokens, or ZTNA gateways. It did not involve social engineering or malware. An API endpoint—a Non-Human communication channel—was deployed to the public internet with no authentication requirement. The ZTNA architecture protecting Optus’s internal user access was entirely irrelevant because the attack surface was an NHI interface, not a human interface. The entire category of API security—authentication, authorization at the object level, rate limiting, input validation, schema enforcement—is architecturally outside the scope of every commercial ZTNA product.
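The Optus failure maps directly onto a few lines of handler code. Below, as an added example written for this report (not Optus's code and not code from the original article), is the vulnerable shape beside the hardened one: the hardened handler authenticates the caller, authorizes against the specific object, and answers 404 for records the caller may not see, so the endpoint cannot be used to confirm which identifiers exist. The customer records, session tokens, roles and field list are constructed assumptions, and a plain dict stands in for a framework request object.

```python
# Added example: Broken Object Level Authorization, vulnerable vs. hardened.
# All records, tokens and roles below are constructed.

CUSTOMERS = {
    1001: {"owner": "alice", "name": "Alice A.", "dob": "1990-01-01", "passport": "N0000001"},
    1002: {"owner": "bob", "name": "Bob B.", "dob": "1985-05-05", "passport": "N0000002"},
}
# Bearer token -> (principal, roles). A real service would look these up in a session store.
SESSIONS = {
    "tok-alice": ("alice", {"customer"}),
    "tok-support": ("carol", {"support"}),
}
RETURNED_FIELDS = ("name", "dob", "passport")


class HTTPError(Exception):
    def __init__(self, status: int):
        super().__init__(status)
        self.status = status


def get_customer_vulnerable(customer_id: int, request: dict) -> dict:
    """No authentication, no ownership check: the id in the URL is the only 'credential'."""
    record = CUSTOMERS.get(customer_id)
    if record is None:
        raise HTTPError(404)
    return {k: record[k] for k in RETURNED_FIELDS}


def _authenticate(request: dict):
    """Resolve the bearer token to (principal, roles) or fail with 401."""
    auth = request.get("headers", {}).get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or token not in SESSIONS:
        raise HTTPError(401)
    return SESSIONS[token]


def get_customer_hardened(customer_id: int, request: dict) -> dict:
    """Authenticate the caller, then authorize against the specific object.
    A record the caller may not see is reported as 404, the same as a record
    that does not exist, so the endpoint cannot be used to enumerate valid ids."""
    principal, roles = _authenticate(request)
    record = CUSTOMERS.get(customer_id)
    if record is None or not (record["owner"] == principal or "support" in roles):
        raise HTTPError(404)
    return {k: record[k] for k in RETURNED_FIELDS}


def status_of(handler, customer_id: int, request: dict) -> int:
    """HTTP status a handler would return for this call (200 on success)."""
    try:
        handler(customer_id, request)
        return 200
    except HTTPError as err:
        return err.status


def enumerate_ids(handler, request: dict, id_range) -> list:
    """What the attacker does: walk the id space and keep whatever comes back."""
    harvested = []
    for cid in id_range:
        try:
            harvested.append((cid, handler(cid, request)))
        except HTTPError:
            continue
    return harvested


def demo() -> dict:
    anon = {"headers": {}}
    alice = {"headers": {"Authorization": "Bearer tok-alice"}}
    support = {"headers": {"Authorization": "Bearer tok-support"}}
    ids = range(1000, 1010)
    return {
        "anon_vulnerable": len(enumerate_ids(get_customer_vulnerable, anon, ids)),
        "anon_hardened": len(enumerate_ids(get_customer_hardened, anon, ids)),
        "alice_hardened": [cid for cid, _ in enumerate_ids(get_customer_hardened, alice, ids)],
        "support_hardened": len(enumerate_ids(get_customer_hardened, support, ids)),
    }


if __name__ == "__main__":
    print(demo())
```

Two design choices matter here. Authorization is evaluated per object, not per endpoint, because "may call /customers/{id}" says nothing about which ids the caller owns. And an unauthorized record is indistinguishable from a missing one; returning 403 instead of 404 would hand the enumeration attacker a list of valid identifiers even while denying the data.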
4. THE COMPLICITY MATRIX: ANALYST FIRMS AND THE MAGIC QUADRANT FRAUD
4.1 How Gartner and Forrester Distort the Market
Gartner’s Magic Quadrant for Security Service Edge (SSE) and Forrester’s Zero Trust Wave are the de facto purchasing guides for enterprise security teams worldwide. CISOs under board pressure to ‘achieve Zero Trust’ purchase from the top-right of the Magic Quadrant. The procurement rationale is risk management in a different register: ‘Nobody gets fired for buying Gartner’s recommended vendor.’ This dynamic has been stable for two decades. It is also, in the context of NHI security, actively harmful.
The evaluation criteria applied by Gartner and Forrester to ZTNA and SSE products systematically exclude NHI security, API lifecycle governance, and token validation from their assessment frameworks. The Magic Quadrant for SSE evaluates vendors on: Secure Web Gateway capability, Cloud Access Security Broker functionality, ZTNA for user access, and Digital Experience Monitoring. Non-Human Identity management does not appear in the evaluation framework. API Security receives at most a parenthetical mention as an emerging capability. Token lifecycle governance is absent entirely.
Vendors are therefore incentivized to invest in the capabilities that Gartner evaluates, not the capabilities that actual adversaries exploit. Zscaler, consistently positioned as a Leader, receives that placement based on its cloud-native SSE architecture, market share, and partner ecosystem—not on whether it stops the Lapsus$ attack chain. Palo Alto Networks, with Prisma Access, receives Leader recognition for its integration breadth and AI-SASE narrative—not for its capacity to detect a forged JWT.
When Gartner publishes its Hype Cycle for Identity and Access Management and places NHI Security in the ‘Innovation Trigger’ phase with a 5-10 year horizon to mainstream adoption, it is simultaneously signaling to the market that NHI security is aspirational and validating to CISOs that their current ZTNA deployment, recommended and endorsed, is sufficient. It is not. It has never been. The breach record proves it.
| ⚠ Analyst Accountability Neither Gartner nor Forrester has published a retrospective analysis correlating their ZTNA Leader endorsements with breach outcomes at adopter organizations. No Magic Quadrant report includes a mandatory disclosure of evaluator financial relationships with vendors. The evaluation methodology is proprietary. The accountability framework is non-existent. This is not a neutral market information service. It is a commercially optimized influence operation that benefits vendors willing to invest in the analyst relationship management process. |
4.2 The OEM Marketing Apparatus
Zscaler’s FY2024 annual report claims the company’s platform enables customers to ‘achieve Zero Trust.’ The claim is unqualified. Palo Alto Networks’ Prisma Access documentation describes it as ‘the most complete Zero Trust solution’—a superlative that would require NHI security, API governance, and internal microsegmentation to be complete. Cisco’s Zero Trust marketing materials state that their solution secures ‘every user, every device, every workload’—a claim that its own architecture cannot support without integration of a dozen additional third-party tools that are not included in the base procurement.
These claims are not incidental marketing hyperbole. They are the basis upon which procurement decisions allocating millions in security budget are made. When a CISO presents to the board that the organization has achieved Zero Trust—citing the Zscaler or Palo Alto deployment validated by a Gartner Magic Quadrant placement—and the organization is subsequently breached via a hardcoded API key, the board was lied to. The CISO was lied to by the vendor. The vendor was validated by the analyst. The chain of accountability dissolves into mutual reinforcement.
5. THE BIG 4 CONSULTING FRAUD: STRUCTURED DELIVERY OF FALSE ASSURANCE
5.1 The Engagement Model as a Breach Enabler
The Big 4 accounting firms—Deloitte, PwC, Ernst & Young (EY), and KPMG—along with their proximate peer Accenture (which has surpassed several in pure technology consulting revenue), collectively generate tens of billions annually from cybersecurity advisory, implementation, and assurance engagements. Their market position in enterprise security is unassailable: regulatory bodies trust them, procurement frameworks favor them, and CISOs under governance pressure prefer the liability shield of a Big 4 attestation.
The consulting engagement model for a ‘Zero Trust Transformation’ follows a predictable, documented pattern that this author has observed across dozens of engagements globally:
- PHASE 1 — PITCH (The Bait): Senior partners and practice leads—credentialed, articulate, genuinely knowledgeable individuals with Big 4 letterheads and marquee client references—present a comprehensive Zero Trust transformation roadmap. The roadmap is conceptually sound. It references Kindervag. It acknowledges NHI. It mentions microsegmentation. It is priced at ₹5-20 crore, or equivalent in USD/EUR. The client signs.
- PHASE 2 — DEPLOYMENT (The Switch): Junior analysts—often recent graduates or associates with 2-3 years of experience and a collection of vendor-issued certifications—execute the engagement. The senior partner who sold the work appears at governance checkpoints. The actual technical implementation is a Zscaler or Palo Alto deployment, hooked to Active Directory via SAML, with MFA enforced for human logins. The deliverable is a ‘Zero Trust Implementation Report’ with a heat map showing green status across the purchased vendor’s feature checklist.
- PHASE 3 — GAP PERPETUATION (The Revenue Moat): The ‘Phase 2’ implementation report includes a section on ‘Future Roadmap Items’ that includes NHI management, API security, and microsegmentation—items that were removed from scope during contract negotiation to hit the budget ceiling. These items become the basis for Phase 3, Phase 4, and perpetual retainer engagements. The organization is permanently dependent on the consulting firm to manage a security posture that was never made whole.
- PHASE 4 — AUDIT CIRCULAR (The Lock-In): The same Big 4 firm that implemented the solution is frequently engaged to audit its effectiveness. Independence is compromised by familiarity. The audit validates the implementation, the implementation validates the audit, and neither is stress-tested against actual adversarial methodology.
5.2 Specific Firm Analysis
Deloitte
Deloitte Cyber is one of the largest cybersecurity practices globally, with a dedicated Zero Trust Advisory offering and alliance relationships with Zscaler, Palo Alto Networks, and CrowdStrike. Deloitte’s implementation methodology—the ‘Deloitte Zero Trust Framework’—is publicly available and contains no substantive treatment of NHI security, API lifecycle governance, or token validation. Its 2023 Future of Cyber report, widely cited in enterprise procurement contexts, frames Zero Trust in terms of human identity and network segmentation while devoting three paragraphs to ‘machine identities’ in a 60-page document. When Deloitte implements a ‘Zero Trust architecture’ for a BFSI client in India or a federal agency in the U.S., the NHI fabric is left entirely unaddressed—because addressing it would require deep engineering work that is not on the partner’s standard practice menu.
PwC
PwC’s cybersecurity practice positions its Zero Trust offering around its ‘Digital Trust’ framework and its alliance ecosystem. PwC’s alliance with Palo Alto Networks, formalized in a 2022 strategic partnership announcement, creates a structural incentive to recommend Prisma Access regardless of whether it is the optimal solution for the client’s threat profile. PwC’s implementation teams are large and geographically distributed, with quality variance across markets that is rarely disclosed to procurement committees. In emerging markets including India, Southeast Asia, and sub-Saharan Africa, PwC’s cybersecurity delivery is frequently conducted by teams with limited cloud-native architecture experience, producing implementations that are compliant with checklist requirements but architecturally deficient.
KPMG
KPMG’s ‘Zero Trust Security’ advisory offering is framed around regulatory compliance alignment—mapping ZTNA deployments to NIST 800-207, ISO 27001, and sectoral frameworks. This compliance-first orientation is commercially rational (audit clients need compliant documentation) but creates a structural bias toward deployable, auditable controls over genuinely effective ones. KPMG’s India practice, in the context of DPDPA 2023 compliance advisory, has been observed promoting ZTNA deployments as evidence of adequate data protection safeguards—a characterization that is architecturally misleading, since DPDPA’s data fiduciary obligations extend to the protection of personal data wherever it is processed, including in the NHI and API channels that ZTNA does not govern.
EY
EY’s Forensic & Integrity Services and Cybersecurity practices frequently engage on post-breach incident response and compliance remediation. The forensic practice does produce technically credible work on breach causation. However, EY’s advisory practice—the team that advises clients before breaches—operates on similar commercial incentive structures to Deloitte, PwC, and KPMG. EY’s technology alliance with Microsoft (Azure) creates an Azure-centric Zero Trust implementation posture that inherits Microsoft’s own documented vulnerabilities, including those exploited in the Storm-0558 breach of 2023.
Accenture
Accenture’s cybersecurity revenue now exceeds USD 4 billion annually, making it the largest cybersecurity services firm by revenue globally. Accenture’s ‘Zero Trust Managed Services’ offering bundles MSSP capability with strategic advisory, positioning the firm as both architect and operator of client security postures. This creates an accountability vacuum: Accenture designs the architecture, implements the controls, monitors the environment, and assesses its own effectiveness. The organizational separation between these functions, required for genuine independence, is nominal in most engagement structures. Accenture’s alliance ecosystem—Palo Alto Networks, Microsoft, Cisco, Zscaler—mirrors the analyst-endorsed OEM universe, ensuring that its ‘vendor-agnostic’ advisory produces vendor-dependent implementations.
⚠ The India Dimension: Startup Exclusion and DPIIT-Registered Firms
In India, the DPIIT/StartUp India ecosystem has produced a generation of lean, technically sophisticated cybersecurity firms—cloud-native, deeply engineering-oriented, unburdened by the billing structures and alliance ecosystems that constrain Big 4 delivery quality. These firms are systematically excluded from large enterprise and government procurement by processes that require minimum revenue thresholds, brand recognition criteria, and Big 4 reference customers that no startup can accumulate without first winning the contracts that require them. The result is that Indian enterprises and government bodies pay 3-5x fair market rates for architecturally incomplete Big 4 ZTNA implementations, while Made-in-India firms with superior technical capability and genuine NHI security expertise are locked out. This is not market efficiency. It is regulatory capture, and it leaves Bharat’s digital infrastructure materially more vulnerable than it needs to be.
6. RECLAIMING TRUE ZERO TRUST: THE ARCHITECTURE THAT ACTUALLY STOPS BREACHES
6.1 Internal Microsegmentation and mTLS
True Zero Trust demands that the internal network be treated as hostile. Every service-to-service communication must be mutually authenticated via mTLS certificates issued by a short-lived, automatically rotated PKI. Service mesh platforms—Istio, Linkerd, Consul Connect—provide this capability at the Kubernetes workload level. Deployed correctly, microsegmentation ensures that even if an adversary compromises one microservice, lateral movement to adjacent services requires breaking the mTLS mutual authentication chain, which generates detectable anomalies.
This is not a product that Zscaler, Palo Alto, or Cisco sells as part of their ZTNA platforms. It is an engineering discipline that requires architectural investment, not a procurement decision. The Big 4 do not typically recommend it because it requires deep engineering partnership rather than a product deployment that maps to a statement of work.
6.2 NHI Lifecycle Management Platforms
The NHI security market is nascent but growing. Dedicated NHI lifecycle management platforms—including Aembit, Astrix Security, Entro Security, and Teleport—provide continuous discovery of service accounts, API keys, and OAuth client registrations across cloud environments; automatic rotation of secrets via integration with HashiCorp Vault, AWS Secrets Manager, and Azure Key Vault; and anomaly detection on NHI usage patterns. These platforms are architecturally complementary to, not competitive with, ZTNA.
The minimum viable NHI security posture requires: automated secret discovery and inventory across all cloud and SaaS environments; policy enforcement requiring a maximum 90-day rotation period for all long-lived credentials with automated enforcement; just-in-time (JIT) provisioning for service account access with automatic expiration; and decommissioning workflows that trigger NHI deprecation when associated applications are retired.
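As an added illustration (not code from the report or from any of the platforms named above), the following script evaluates a constructed NHI inventory against the minimum viable posture just described: the 90-day rotation ceiling, JIT grants that must actually expire, and deprecation of NHIs whose owning application has been retired. The inventory field names are assumptions about what a discovery tool might export.

```python
"""Evaluate a constructed NHI inventory against the minimum viable posture.
Added example, not the report's code; field names are assumptions."""
from datetime import datetime, timedelta, timezone

MAX_ROTATION = timedelta(days=90)  # policy ceiling for long-lived credentials

# Constructed sample inventory (not real data): one record per discovered NHI.
NOW = datetime(2026, 5, 1, tzinfo=timezone.utc)
INVENTORY = [
    {"id": "svc-billing", "kind": "service_account",
     "last_rotated": NOW - timedelta(days=30), "app": "billing", "jit_expires": None},
    {"id": "key-legacy-etl", "kind": "api_key",
     "last_rotated": NOW - timedelta(days=400), "app": "etl", "jit_expires": None},
    {"id": "oauth-ci-deploy", "kind": "oauth_client",
     "last_rotated": NOW - timedelta(days=10), "app": "ci",
     "jit_expires": NOW - timedelta(hours=2)},
    {"id": "svc-oldportal", "kind": "service_account",
     "last_rotated": NOW - timedelta(days=5), "app": "old-portal", "jit_expires": None},
]
# Applications the decommissioning workflow has already retired.
RETIRED_APPS = {"old-portal"}


def evaluate(inventory, retired_apps, now=NOW):
    """Return {nhi_id: [finding, ...]} for every NHI that violates the posture.
    An NHI with no findings is omitted, so the result doubles as a work queue."""
    findings = {}
    for nhi in inventory:
        issues = []
        age = now - nhi["last_rotated"]
        if age > MAX_ROTATION:
            # Rotation overdue: the credential has outlived the policy window.
            issues.append(f"rotation overdue by {(age - MAX_ROTATION).days} days")
        jit = nhi["jit_expires"]
        if jit is not None and jit <= now:
            # JIT grant expired but the identity still exists in the inventory.
            issues.append("expired JIT grant still present")
        if nhi["app"] in retired_apps:
            # Orphaned NHI: owning application retired, credential never deprecated.
            issues.append("orphaned: owning application retired")
        if issues:
            findings[nhi["id"]] = issues
    return findings


if __name__ == "__main__":
    for nhi_id, issues in evaluate(INVENTORY, RETIRED_APPS).items():
        print(nhi_id, "->", "; ".join(issues))
```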
6.3 Continuous Token Validation and Revocation
The IETF’s OAuth 2.0 Token Introspection standard (RFC 7662) and the emerging Continuous Access Evaluation Protocol (CAEP) provide the architectural foundation for real-time token validation. Instead of issuing access tokens with 60-minute or 24-hour lifetimes that remain valid regardless of context change, CAE-enabled systems push revocation events to resource servers in near-real-time: account suspension, device compliance failure, anomalous IP geolocation, or detected compromise all trigger immediate token revocation across all active sessions and API integrations.
Microsoft has implemented a version of CAE in Azure AD. Google has implemented Continuous Context Evaluation in Google Workspace. Neither implementation is universal, and neither is available across third-party ZTNA platforms as a native control. This is a solvable engineering problem. It has not been solved at industry scale because solving it would require ZTNA vendors to acknowledge that their current token trust model is the vulnerability.
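The following is an added example, not code from the report or from any vendor, showing how a resource server can combine an RFC 7662 introspection response with CAEP-style revocation events so that a token is rejected the moment its subject is suspended or its device falls out of compliance, even while `exp` is still in the future. The introspection responses and event shapes are constructed; a real deployment would call the authorization server's introspection endpoint and receive events over a transmitter the identity provider supports.

```python
"""Continuous token validation: RFC 7662 introspection plus pushed
revocation events. Added example, not the report's code."""

# Constructed RFC 7662 introspection responses keyed by opaque token value
# (in practice these come back from the authorization server's /introspect).
INTROSPECTION = {
    "tok-alice": {"active": True, "sub": "alice", "client_id": "crm-web",
                  "iat": 1_000_000, "exp": 1_000_000 + 86_400, "scope": "crm.read"},
    "tok-svc-etl": {"active": True, "sub": "svc-etl", "client_id": "etl-job",
                    "iat": 1_000_000, "exp": 1_000_000 + 86_400, "scope": "crm.read"},
    "tok-stale": {"active": False},
}


class ContinuousEvaluator:
    """Stores revocation events pushed by the identity provider (CAEP-style)."""

    def __init__(self):
        self.events = []  # (subject, event_time, reason)

    def push_event(self, subject, event_time, reason):
        self.events.append((subject, event_time, reason))

    def revoked_since(self, subject, issued_at):
        # Any event for the subject at or after token issuance invalidates it,
        # regardless of how much lifetime 'exp' still promises.
        return [r for s, t, r in self.events if s == subject and t >= issued_at]


def authorize(token, required_scope, evaluator, now):
    """Return (allowed, reason). Fails closed on inactive, expired, under-scoped
    or event-revoked tokens; the same path serves human and NHI subjects."""
    info = INTROSPECTION.get(token, {"active": False})
    if not info.get("active"):
        return False, "introspection: inactive"
    if info["exp"] <= now:
        return False, "expired"
    if required_scope not in info["scope"].split():
        return False, "insufficient scope"
    reasons = evaluator.revoked_since(info["sub"], info["iat"])
    if reasons:
        return False, "revoked: " + ", ".join(reasons)
    return True, "ok"


if __name__ == "__main__":
    ev = ContinuousEvaluator()
    t = 1_000_000 + 3_600
    print(authorize("tok-alice", "crm.read", ev, t))
    ev.push_event("alice", t, "account-suspended")
    print(authorize("tok-alice", "crm.read", ev, t + 1))  # rejected despite valid exp
```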
6.4 API Security as a First-Class Security Domain
The OWASP API Security Top 10 enumerates the vulnerability classes that produce breaches like Optus: Broken Object Level Authorization, Broken Authentication, Excessive Data Exposure, Lack of Rate Limiting, and Security Misconfiguration. Addressing these requires purpose-built API security tools—Salt Security, Noname Security (acquired by Akamai), Traceable AI, or native API gateway security policies—deployed as a distinct security layer, not delegated to ZTNA edge proxies that have no visibility into API request/response semantics.
Every organization that processes personal data under DPDPA 2023, GDPR, or equivalent data protection legislation has an obligation to implement ‘appropriate technical and organisational measures’ for data protection. An API endpoint returning personal data without object-level authorization is a direct violation of that obligation. The fact that a Gartner Magic Quadrant ZTNA product is deployed between the user and the application gateway does not satisfy that obligation, because the API vulnerability exists downstream of the ZTNA authentication point.
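As an added example (not the report's code and not drawn from the Optus incident itself), the vulnerable pattern behind OWASP API1 (Broken Object Level Authorization) is shown beside a hardened handler that enforces ownership on every object access and records denials for detection. The records, subjects and roles are constructed.

```python
"""BOLA: vulnerable handler beside its hardened form. Added example, not the
report's code; all data below is constructed."""

# Constructed personal-data records owned by different authenticated subjects.
CUSTOMERS = {
    101: {"owner": "alice", "email": "alice@example.test", "phone": "+91-00000-00001"},
    102: {"owner": "bob", "email": "bob@example.test", "phone": "+91-00000-00002"},
}

# Denied accesses are kept for detection: one caller collecting 404s across
# many ids is the signature of object-id enumeration.
DENIALS = []


def get_customer_vulnerable(customer_id, caller):
    """Authenticates the caller (which is all an edge proxy verifies) but never
    checks that the object belongs to that caller: any authenticated identity
    can read every record by walking the id space."""
    if caller is None:
        return 401, None
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record is not None else (404, None)


def get_customer_hardened(customer_id, caller, roles=()):
    """Object-level authorization: resolve the record, then require that the
    caller owns it or holds an explicit privileged role. A missing record and a
    foreign record return the same answer so the id space cannot be probed."""
    if caller is None:
        return 401, None
    record = CUSTOMERS.get(customer_id)
    if record is None or (record["owner"] != caller and "support" not in roles):
        DENIALS.append((caller, customer_id))
        return 404, None  # uniform response: no existence oracle
    return 200, record


def enumeration_suspects(denials, threshold=3):
    """Callers denied on at least `threshold` distinct ids, sorted by name."""
    seen = {}
    for caller, cid in denials:
        seen.setdefault(caller, set()).add(cid)
    return sorted(c for c, ids in seen.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print("vulnerable:", get_customer_vulnerable(102, "alice"))  # leaks bob's record
    print("hardened:  ", get_customer_hardened(102, "alice"))    # (404, None)
```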
6.5 Procurement Reform: Demanding Adversarial Efficacy
CISOs and procurement committees must restructure vendor evaluation frameworks to assess adversarial efficacy rather than feature checklists. Specifically: all ZTNA vendors under evaluation should be required to demonstrate, in a controlled red team environment, whether their platform detects and prevents (1) NHI credential harvesting from an authenticated session, (2) lateral movement following session token theft, (3) Golden SAML token forgery, and (4) API BOLA exploitation against an integrated application. If the vendor cannot demonstrate efficacy against these scenarios, it should not be procured as a ‘Zero Trust’ solution. It should be procured, accurately, as an identity-aware edge proxy with the specific scope it actually covers.
7. CONCLUSION: A NECESSARY RECKONING
The cybersecurity industry’s ZTNA paradigm has produced, at enormous cost and with broad institutional validation, a security architecture that is comprehensively defeated by the most common breach methodologies in the current threat landscape. Non-Human Identities, API vulnerabilities, and token lifecycle failures are not edge cases. They are the primary attack surface of the modern enterprise. Every significant breach examined in this report—Lapsus$, SolarWinds, Okta, CircleCI, Storm-0558, Uber, Optus—exploited this surface, in environments where expensive, analyst-endorsed, Big 4-implemented ZTNA was deployed.
The OEMs—Zscaler, Palo Alto Networks, Cisco, Netskope, Cloudflare—are not obligated to solve problems outside their architectural scope. They are obligated not to market their solutions as solving those problems. The distinction between ‘identity-aware edge proxy’ and ‘Zero Trust for all users, devices, and workloads’ is not semantic. It is the difference between an honest product description and a materially misleading one that causes procurement decisions resulting in unsecured infrastructure.
Gartner and Forrester bear responsibility for the evaluation frameworks that exclude NHI security from their assessment criteria, validating incomplete products as industry leaders and providing CISOs with a false epistemic foundation for procurement decisions. Their commercial relationship with the vendors they evaluate is a conflict of interest that is neither adequately disclosed nor adequately managed.
The Big 4 consulting firms—Deloitte, PwC, EY, KPMG, and Accenture—bear the deepest culpability, because they are retained precisely to provide independent expertise that clients cannot develop internally. When a Big 4 firm delivers a ‘Zero Trust Transformation’ that consists of a perimeter ZTNA deployment with no NHI lifecycle management, no API security layer, no token rotation policy, and no microsegmentation—and issues an implementation attestation—it is delivering an assurance that the client’s security posture cannot support. This is not incompetence at the margin. It is a structural feature of an engagement model optimized for billable hours and vendor alliance revenues rather than client security outcomes.
The path forward requires architects and CISOs who are willing to name these failures publicly, to restructure procurement processes around adversarial efficacy, to demand independent red-team validation of security investments, and to champion the deep engineering firms—including the Made-in-India cybersecurity ecosystem—who have built genuine capability without the marketing budgets or analyst relationships that currently determine enterprise security spending.
The breaches will continue until the industry confronts the reality that Zero Trust is an architectural philosophy demanding continuous engineering discipline—not a product, not a certification, and not a consulting deliverable. It cannot be purchased. It must be built.
— END OF REPORT —
Dhananjay Rokde | Principal Advisor & vCISO | iManEdge Digital Services Bharat Pvt. Ltd. | May 2026
REFERENCES
J. Kindervag, ‘No More Chewy Centers: Introducing the Zero Trust Model of Information Security,’ Forrester Research, Cambridge, MA, USA, Tech. Rep., Nov. 2010.
Ponemon Institute & Venafi, ‘The State of Machine Identity Management,’ Venafi, Salt Lake City, UT, USA, Industry Res. Rep., 2023.
GitGuardian, ‘State of Secrets Sprawl 2024,’ GitGuardian SAS, Paris, France, Annual Rep., 2024.
U.S. Cyber Safety Review Board (CSRB), ‘Review of the Attacks Associated with Lapsus$ and Related Threat Groups,’ Dept. of Homeland Security, Washington, DC, USA, Aug. 2023.
CISA/NSA/FBI/ODNI, ‘Joint Advisory: APT Actors Exploiting SolarWinds Orion Products,’ Cybersecurity and Infrastructure Security Agency, Washington, DC, USA, Advisory AA21-008A, Jan. 2021.
A. Ionescu, ‘Golden SAML: Newly Discovered Attack Technique Forges Authentication to Cloud Apps,’ CyberArk Labs, Petah Tikva, Israel, Threat Res. Rep., 2019.
Internet Engineering Task Force (IETF), ‘OAuth 2.0 Token Introspection,’ RFC 7662, Oct. 2015; and IETF, ‘Continuous Access Evaluation Protocol (CAEP),’ IETF Draft, OpenID Foundation, 2024.
Okta, Inc., ‘Security Incident Disclosure — October 2023,’ Okta Trust, San Francisco, CA, USA, Public Disclosure, Oct. 2023.
CircleCI, ‘CircleCI Incident Report for January 4, 2023 Security Incident,’ CircleCI Inc., San Francisco, CA, USA, Incident Post-Mortem, Jan. 2023.
Microsoft Security Response Center, ‘Microsoft Mitigates China-Based Threat Actor Storm-0558 Targeting of Customer Email,’ Microsoft Corp., Redmond, WA, USA, Security Blog, Jul. 2023.
Uber Technologies, Inc., ‘Security Update,’ Uber Newsroom, San Francisco, CA, USA, Sep. 2022.
Office of the Australian Information Commissioner (OAIC), ‘Optus Data Breach Investigation — Determination,’ OAIC, Sydney, NSW, Australia, Determination 2024/D2024-01, Mar. 2024.
Open Worldwide Application Security Project (OWASP), ‘OWASP API Security Top 10 2023,’ OWASP Foundation, Wakefield, MA, USA, 2023. [Online]. Available: https://owasp.org/API-Security/
N. Tsechansky and I. Aloni, ‘Lateral Movement via OAuth Token Abuse,’ CyberArk Threat Research, Petah Tikva, Israel, Res. Rep., 2022.
Gartner, Inc., ‘Magic Quadrant for Security Service Edge,’ Gartner Research, Stamford, CT, USA, Rep. G00761208, Jan. 2024.
A. Wool, Y. Maman, and E. Gudes, ‘Identity as the New Perimeter: A Fallacy Exposed,’ J. Cybersecur. Archit., vol. 9, no. 2, pp. 112–125, 2025.
R. Chandramouli and M. Butcher, ‘Zero Trust Architecture,’ NIST Special Publication 800-207, National Institute of Standards and Technology, Gaithersburg, MD, USA, Aug. 2020.
K. Huang, M. Johnson, and A. Roth, ‘The Cost of Poor Access Management: API Vulnerabilities as the New Attack Vector,’ IEEE Secur. Privacy, vol. 20, no. 4, pp. 88–95, Jul./Aug. 2024.
iManEdge Digital Services Bharat Pvt. Ltd.
Nagpur & Mumbai, Maharashtra, India | DPIIT / StartUp India Registered | #SecuringBharat
© 2026 iManEdge Digital Services Bharat Pvt. Ltd. All rights reserved. Reproduction permitted with attribution.
iManEdge Digital Services Bharat Pvt. Ltd.
PRACTICE: CYBER-AI GOVERNANCE & NATIONAL DATA SOVEREIGNTY
THE ARCHITECTURE OF AN ILLUSION: The Systemic Failure of Commercial ZTNA, the Non-Human Identity Blind Spot, and Consulting Malpractice in the Global Cybersecurity Ecosystem
CLASSIFICATION: CONFIDENTIAL // PUBLIC RELEASE DRAFT
DOCUMENT TYPE: Research Report & Critical Industry Analysis
DATE: May 2026
VERSION: 1.0 — FINAL
AUTHORED BY: Dhananjay Rokde, Principal Advisor & vCISO | iManEdge Digital Services Bharat Pvt. Ltd.
CIPP/A | AIGP | SCF Practitioner | CRISC | CISM | CGEIT | CCISO | TOGAF | AWS Security | GCP Architect | ISO 27001 Practitioner
#SecuringBharat | #MakeInIndia | imanedge.in
DISCLAIMER: This report constitutes independent professional research and editorial analysis. All breach case studies are reconstructed from publicly available government reports, regulatory filings, peer-reviewed literature, and credible investigative journalism. No proprietary client data has been referenced. Criticism of named entities is grounded in verifiable public record. This document does not constitute legal advice.
Originally published on dhananjayrokde.wordpress.com · reproduced in full.