The office perimeter has expanded. Why identity is the control plane.

Since organisations embraced modern ways of working such as hybrid working and BYOD, the office boundary has expanded, and Zero Trust has emerged as the response to that extended boundary.

Quick answer: A Zero Trust identity control plane is the identity-centred layer that verifies access requests, evaluates trust conditions, and enforces policy across applications, devices, and users. Instead of trusting location alone, it uses identity, authentication strength, device posture, and contextual signals to decide whether access should be granted.


Why Identity Is the New Control Plane in Zero Trust

Why has identity become the new control plane? Historically, employees attended the office Monday to Friday and had no reason to take their work devices away from the office apart from occasional business travel, which helped contain the attack surface to the office. The office location served as an anchoring point, with controlled access to the building, turnstiles to keep undesirables out, and office networks. But things changed.

In a modern landscape of working from home and globally distributed teams, office location is no longer a reliable mechanism for granting access to organisational network resources. Identity serves as the alternative for validating access to an organisation's resources, and multifactor authentication gives us confidence that the right access is being granted to the right requester, wherever in the world they may be. In this article, we evaluate the efficacy of different candidate control planes such as the network perimeter, endpoints and applications.

Why this page matters: If you are searching for a Zero Trust identity control plane definition, wondering what a Zero Trust identity control plane is, or comparing the Zero Trust control plane vs data plane, this page is designed to answer those questions directly and practically.

Key takeaways

  • Zero Trust is a non-negotiable for ensuring that the network is protected from advanced persistent threats.
  • Mobile device management is a must for hybrid workforces that allow bring your own device (BYOD).
  • Token based authentication, namely single sign on, not only provides productivity gains but prevents password recycling related attacks.

What is a Zero Trust identity control plane?

A Zero Trust identity control plane is the identity-centred layer used to verify access requests, evaluate trust conditions, and apply policies across systems, applications, and devices. Rather than granting trust based on network location alone, it relies on identity, authentication strength, access policy, and contextual signals to determine whether access should be granted.

In practice, the identity control plane sits at the centre of Zero Trust decision-making. It helps determine who is requesting access, how strongly they have authenticated, what device they are using, whether that device is compliant, what application or resource they are trying to reach, and whether the request fits expected behaviour.
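To make the decision described above concrete, here is an added example (not code from the original article) of a minimal identity control plane policy evaluator. It combines the signals the paragraph lists: who is asking and whether the identity is still enabled in the directory, how strongly they authenticated, whether the device is managed and compliant, which resource is requested and whether the request fits a known context. The resource catalogue, role names, authentication-strength levels and thresholds are constructed for illustration; the data plane is never touched unless this evaluator returns an allow.

```python
# Added example, not from the original article: a minimal Zero Trust
# identity control plane policy evaluator. Resource names, roles and
# the thresholds below are constructed for illustration only.
from dataclasses import dataclass, field
from enum import Enum


class Decision(str, Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # allow only after stronger authentication
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    subject: str            # who is asking (human or non-human identity)
    enabled: bool           # identity still active in the directory (JML state)
    roles: frozenset        # roles granted to the identity
    auth_strength: int      # 0 none, 1 password, 2 MFA, 3 phishing-resistant MFA
    device_managed: bool    # enrolled in MDM
    device_compliant: bool  # passes the current compliance checks
    known_location: bool    # request comes from a location seen before for this identity
    resource: str           # what is being requested


@dataclass(frozen=True)
class Resource:
    name: str
    allowed_roles: frozenset
    min_auth_strength: int
    require_compliant_device: bool


# Constructed resource catalogue standing in for a real policy store.
RESOURCES = {
    "wiki": Resource("wiki", frozenset({"staff", "finance", "it"}), 1, False),
    "finance": Resource("finance", frozenset({"finance"}), 2, True),
    "admin-console": Resource("admin-console", frozenset({"it"}), 3, True),
}


@dataclass
class Outcome:
    decision: Decision
    reasons: list = field(default_factory=list)


def evaluate(req: AccessRequest, catalogue=RESOURCES) -> Outcome:
    """Control-plane decision: check identity, least privilege, device posture,
    authentication strength and context before any data-plane access."""
    res = catalogue.get(req.resource)
    # Unknown resource or disabled identity: fail closed.
    if res is None:
        return Outcome(Decision.DENY, ["unknown resource"])
    if not req.enabled:
        return Outcome(Decision.DENY, ["identity disabled"])
    # Least privilege: a role must explicitly permit this resource.
    if not (req.roles & res.allowed_roles):
        return Outcome(Decision.DENY, ["role not permitted for resource"])
    # Device trust signals: sensitive resources need a managed, compliant device.
    if res.require_compliant_device and not (req.device_managed and req.device_compliant):
        return Outcome(Decision.DENY, ["device not managed or not compliant"])
    out = Outcome(Decision.ALLOW)
    # Authentication strength below the resource's bar means step-up, not a hard deny.
    if req.auth_strength < res.min_auth_strength:
        out.decision = Decision.STEP_UP
        out.reasons.append(
            f"auth strength {req.auth_strength} below required {res.min_auth_strength}")
    # Context: an unfamiliar location raises the bar to MFA even for low-sensitivity resources.
    if not req.known_location and req.auth_strength < 2:
        out.decision = Decision.STEP_UP
        out.reasons.append("unfamiliar location requires MFA")
    return out


if __name__ == "__main__":
    demo = AccessRequest("alice", True, frozenset({"finance"}), 1, True, True, True, "finance")
    print(evaluate(demo))
```

The ordering is deliberate: hard denies (disabled identity, out-of-role request, non-compliant device) are returned before the softer step-up checks, so a leaver or an out-of-role identity can never be offered a path to the resource simply by authenticating more strongly.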

Key definitions

Zero Trust

assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). (NIST, 2020)

Control plane vs data plane

the control plane is where the network is designed and the parameters for its functionality are set, while the data plane is where data moves between devices. (IBM)

Authentication vs authorisation

authentication is the process of verifying who a user is, while authorization is the process of verifying what they have access to. (Auth0)

Network perimeter (legacy model)

the network perimeter is the boundary between an organization's secured internal network and the Internet — or any other uncontrolled external network. (Cloudflare)

Endpoints

any device that connects to a computer network, such as desktop computers, smartphones, tablets, laptops and IoT devices. (Cloudflare)

Device trust signals

data points collected from a device that indicate its posture, compliance and integrity, supporting context aware decision making for access requests. (Hexnode)

Applications

an app is a self-contained software package that allows users to perform specific tasks on a mobile or desktop device. (Spiceworks)

Least privilege

users, systems, and processes should operate with the absolute minimum access rights, permissions, and privileges necessary to perform their specific tasks. (NIST)

Just in time access

an access control approach that grants time-limited, task-specific privileged permissions to a human or non-human identity only when needed, and revokes those privileges immediately after the work is done. (Palo Alto)

Why the network perimeter is an outdated control plane

The modern network perimeter is no longer restricted to business locations. The ONS reported that in Q1 2025, 28% of working adults worked hybrid. This means that the traditional 'castle and moat' security model, in which implicit trust was granted based on physical or network location, is no longer robust enough.

With the location of the workforce varying, it quickly becomes impractical or cumbersome to use location as a control plane for securing organisational resources. Using and accessing company resources outside the controlled perimeter of a physical work location also introduces significant risks, such as unauthorised device access and theft. Moving away from the formal office environment removes preventive physical security controls such as turnstiles with ID badge entry and security personnel, and these controls cannot reasonably be extended into the home working environment.

In a threat landscape that includes advanced persistent threats (APTs), attackers who establish a long-term presence within the network, implicitly trusting any identity inside the network, human or non-human, introduces significant risk. Once an APT has penetrated the network perimeter it can move laterally, so the perimeter cannot serve as the control plane. In contrast, in a Zero Trust model where identity is the control plane and least privilege is enforced, attempts to access unauthorised network resources generate signals of unusual access.
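The "signals of unusual access" mentioned above only help if someone consumes them. The following added example (not from the original article) shows detection logic run over a constructed log of control-plane decisions: it flags any identity, human or service account, that was denied access to several distinct resources outside its role within a short window, which is the pattern least privilege produces when a compromised identity starts probing. The log format, the subject and resource names, the window size and the threshold are all assumptions made for the example.

```python
# Added example, not from the original article: detection over a constructed
# log of access decisions emitted by an identity control plane.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): one JSON object per access decision.
SAMPLE_LOG = """\
{"ts": "2025-06-11T09:00:01Z", "subject": "alice", "resource": "wiki", "decision": "allow", "reason": ""}
{"ts": "2025-06-11T09:02:10Z", "subject": "alice", "resource": "finance", "decision": "allow", "reason": ""}
{"ts": "2025-06-11T09:05:00Z", "subject": "svc-backup", "resource": "hr-db", "decision": "deny", "reason": "role not permitted for resource"}
{"ts": "2025-06-11T09:05:12Z", "subject": "svc-backup", "resource": "finance", "decision": "deny", "reason": "role not permitted for resource"}
{"ts": "2025-06-11T09:05:40Z", "subject": "svc-backup", "resource": "admin-console", "decision": "deny", "reason": "role not permitted for resource"}
{"ts": "2025-06-11T09:06:05Z", "subject": "svc-backup", "resource": "payroll", "decision": "deny", "reason": "role not permitted for resource"}
{"ts": "2025-06-11T09:30:00Z", "subject": "bob", "resource": "finance", "decision": "deny", "reason": "role not permitted for resource"}
{"ts": "2025-06-11T14:30:00Z", "subject": "bob", "resource": "hr-db", "decision": "deny", "reason": "role not permitted for resource"}
{"ts": "2025-06-11T15:00:00Z", "subject": "bob", "resource": "admin-console", "decision": "deny", "reason": "role not permitted for resource"}
"""

# Reason string assumed to be emitted by the control plane for out-of-role requests.
OUT_OF_ROLE = "role not permitted for resource"


def parse_log(text):
    """Parse JSON lines into event dicts with a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def unusual_access_signals(text, window=timedelta(minutes=10), min_distinct=3):
    """Return {subject: sorted distinct resources} for every identity denied access
    to at least `min_distinct` different out-of-role resources within any
    `window`-long period. Isolated mistakes spread over a day are not flagged."""
    denied = defaultdict(list)
    for event in parse_log(text):
        if event["decision"] == "deny" and event["reason"] == OUT_OF_ROLE:
            denied[event["subject"]].append((event["ts"], event["resource"]))
    signals = {}
    for subject, hits in denied.items():
        hits.sort()
        # Slide a window starting at each denial and count distinct resources inside it.
        for i, (start, _) in enumerate(hits):
            in_window = {res for ts, res in hits[i:] if ts - start <= window}
            if len(in_window) >= min_distinct:
                signals[subject] = sorted(in_window)
                break
    return signals


if __name__ == "__main__":
    print(unusual_access_signals(SAMPLE_LOG))
```

With the default ten-minute window the service account is flagged and bob is not, since his three denials are hours apart; widening the window to six hours flags both, so the window and threshold should be tuned to the organisation's own false-positive tolerance.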

Why device trust alone is not enough

Trusted devices are unsuitable as the control plane in a threat landscape where susceptibility to phishing keeps growing. In 2025, the Cyber Security Breaches Survey reported that 43% of UK businesses had experienced a cyber breach in the last 12 months. In a hybrid organisation, if trust is inherited from the device, an attacker could focus on compromising devices through phishing, hijacking a device that appears compliant while carrying out malicious activity.

Phishing remains a significant threat to organisations, growing in both sophistication and frequency, because the human factor remains the most difficult to defend. Spear phishing, a highly personalised scam that deceives people into divulging sensitive data or clicking links, remains a very effective way of compromising devices. Researchers who analysed 50 billion emails found that spear phishing accounted for less than 0.1% of emails but represented 66% of successful breaches.

Zero Trust does not directly prevent the compromise of devices. However, conditional access, device compliance checks and device health signals make it possible to flag risky behaviour and enforce the policies intended to protect the network from it.

Why identity works better as the control plane

Users need access to multiple applications over the course of the working day. An average organisation has tools for identity such as Active Directory, plus email, finance, IT ticketing and file storage, and at least one industry-specific tool such as a GRC platform, timesheeting or customer support.

This technology stack requires a separate password for each platform. As security professionals we discourage password recycling, but we accept that requiring unique passwords across multiple applications adds friction to productivity. Password reuse and per-application credentials introduce the risk of inconsistent security across apps, potential time lags in implementing joiners-movers-leavers changes, and credential stuffing if an attacker reuses breached credentials against other applications.

By comparison, using identity as the control plane with token-based authentication, for example single sign-on across multiple applications, centralises both access control and access governance.
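To show what "centralises access control and access governance" means mechanically, here is an added example (not code from the original article, and not a standards-compliant JWT or SAML implementation) of token-based single sign-on in miniature. A single identity provider issues a short-lived, HMAC-signed token carrying the subject's per-application entitlements; every application verifies that one token instead of holding its own password database, and the leaver process revokes the subject in one place so every application cuts access at once. The `IdentityProvider` class, the key, the claim names and the application names are all assumptions made for the example.

```python
# Added example, not from the original article: a minimal token-based SSO
# flow with centralised issuance, entitlement and revocation. The signing
# key and all names are constructed for illustration only.
import base64
import hashlib
import hmac
import json
import time

IDP_KEY = b"constructed-demo-key-do-not-use-in-production"
ALLOWED_SKEW = 30  # seconds of clock drift tolerated on expiry


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Single point of issuance, entitlement and revocation (stands in for the IdP)."""

    def __init__(self, key: bytes):
        self.key = key
        self.revoked_subjects = set()  # populated by the leaver process
        self.entitlements = {}         # subject -> {app: set(roles)} from access governance

    def grant(self, subject, app, roles):
        self.entitlements.setdefault(subject, {})[app] = set(roles)

    def offboard(self, subject):
        """Leaver step: one action disables the identity for every application."""
        self.revoked_subjects.add(subject)

    def is_revoked(self, subject):
        return subject in self.revoked_subjects

    def issue(self, subject, auth_strength, ttl=900, now=None):
        """Issue a short-lived signed token after the subject has authenticated."""
        now = int(time.time() if now is None else now)
        if self.is_revoked(subject):
            raise PermissionError("subject disabled")
        apps = {app: sorted(roles) for app, roles in self.entitlements.get(subject, {}).items()}
        claims = {"sub": subject, "amr": auth_strength, "iat": now, "exp": now + ttl, "apps": apps}
        body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
        sig = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"


def verify(token, idp: IdentityProvider, app, now=None):
    """Application-side check. Returns (claims, status); claims is None on failure.
    The same function serves every application, so there is no per-app password."""
    now = int(time.time() if now is None else now)
    try:
        body, sig = token.split(".")
    except ValueError:
        return None, "malformed"
    expected = _b64(hmac.new(idp.key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None, "bad signature"
    claims = json.loads(_unb64(body))
    if now > claims["exp"] + ALLOWED_SKEW:
        return None, "expired"
    if app not in claims["apps"]:
        return None, "not entitled to this app"
    if idp.is_revoked(claims["sub"]):  # central revocation check
        return None, "subject revoked"
    return claims, "ok"


if __name__ == "__main__":
    idp = IdentityProvider(IDP_KEY)
    idp.grant("alice", "finance", ["approver"])
    token = idp.issue("alice", auth_strength=2)
    print(verify(token, idp, "finance"))
```

Two design points matter here. Entitlements travel in the token but are granted only at the identity provider, so a mover's access changes in one place; and tokens are short-lived and checked against central revocation, so offboarding a leaver takes effect within one token lifetime rather than waiting for every application owner to disable a local account.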

Zero Trust control plane vs data plane

In Zero Trust, the control plane is where access decisions are made, trust is evaluated, and policy is enforced. The data plane is where the actual movement of data takes place. Identity becomes central to the control plane because it helps determine whether a requester should be trusted before access to resources in the data plane is allowed.

| Zero Trust Control Plane | Zero Trust Data Plane |
|---|---|
| Evaluates access requests | Handles the actual movement of data |
| Uses identity, policy, device signals and context | Transfers content between systems, apps and users |
| Determines whether access should be granted | Operates after the access decision has been made |
| Includes policy enforcement and trust evaluation | Includes the traffic or workload being accessed |
| Identity is central here | Protected by the decisions made in the control plane |

What components make up a Zero Trust identity control plane?

  • Identity provider and directory services
  • Multifactor authentication
  • Conditional access policies
  • Device trust and compliance signals
  • Privileged access controls
  • Joiner-mover-leaver lifecycle governance
  • Token-based authentication such as single sign on
  • Logging, monitoring, and policy enforcement

Exceptions and limitations

Identity as the control plane answers modern organisational needs, but it still requires robust identity and access management practices as defence in depth. IAM practices such as multifactor authentication, least privilege, role-based access control, privileged access management and joiner-mover-leaver automation remain essential.

An organisation remains vulnerable to identity-based attacks if it fails to review granted access on a regular basis and to apply conditional access for detecting risky behaviour.

In a modern organisation with a hybrid workforce, identity, both human and non-human, has emerged as the most reliable control plane for guarding an organisation's resources.


References

  1. https://www.nist.gov/publications/zero-trust-architecture
  2. https://www.ibm.com/think/topics/control-plane-vs-data-plane
  3. https://auth0.com/docs/get-started/identity-fundamentals/authentication-and-authorization
  4. https://www.cloudflare.com/en-gb/learning/access-management/what-is-the-network-perimeter/
  5. https://www.cloudflare.com/en-gb/learning/security/glossary/what-is-endpoint/
  6. https://www.hexnode.com/blogs/what-is-device-trust-from-android-enterprise/
  7. https://www.spiceworks.com/soft-tech/what-are-apps/
  8. https://csrc.nist.gov/glossary/term/least_privilege
  9. https://www.paloaltonetworks.com/cyberpedia/what-is-just-in-time-access-jit
  10. https://www.ons.gov.uk/employmentandlabourmarket/peopleinwork/employmentandemployeetypes/articles/whohasaccesstohybridworkingreatbritain/2025-06-11
  11. https://www.crowdstrike.com/en-us/cybersecurity-101/threat-intelligence/advanced-persistent-threat-apt/
  12. https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2025/cyber-security-breaches-survey-2025
  13. https://www.ibm.com/think/topics/spear-phishing