Building Resilient Cybersecurity with Zero Trust Principles

Partha Protim Mandal, Chief Information Officer at Berger Paints India

Partha Protim Mandal, Chief Information Officer at Berger Paints India, in an interview with CIOTechOutlook, shared his insights on the challenges faced in implementing scalable Identity and Access Management (IAM) solutions in alignment with Zero Trust models, and more. Partha has twenty-six years of dedicated and outstanding techno-functional expertise in Enterprise Oracle Applications and related technologies, Enterprise Solution Architecture, IT Infrastructure and Datacenter Management, and Project Management & Leadership.

Legacy systems often lack the architecture required for Zero Trust. How has continued reliance on legacy infrastructure impacted the organization's ability to adopt Zero Trust principles effectively?

The continued reliance on legacy infrastructure substantially hampers the organization’s ability to adopt Zero Trust Architecture (ZTA) effectively. Limited visibility of the IT landscape and unavailability of real-time telemetry make it difficult to establish a strong security analytics baseline or detect anomalies. Traditional legacy systems often have their own challenges of identity, authentication and granular access control, which are the major impediments towards establishing ZTA. Relying on outdated authentication methods (e.g., passwords only), lack of support for modern identity protocols (e.g., SAML, OAuth, OpenID Connect), struggles with integrating MFA or Identity Providers (IdPs), access controls based on perimeter defence and the implicit trust of traditional legacy environments create a roadblock for successful implementation of ZTA. Many legacy environments have poor or no network segmentation; rearchitecting them can be costly and disruptive at times and hinders implementation of ZTA, which has micro-segmentation as a core principle. Inconsistencies in policy enforcement, lack of API compatibility (integration barriers) and unpatched systems often impose challenges and weaken the core Zero Trust principle of "never trust, always verify."

Legacy systems aren’t inherently incompatible with Zero Trust, but they make it significantly harder to implement its core principles. Organizations that continue to rely on legacy infrastructure often face a trade-off between business continuity and security modernization. To adopt Zero Trust effectively, most organizations need to modernize key systems or wrap them with modern security controls, prioritize risk-based segmentation and access control, invest in identity modernization and observability enhancements.

Zero Trust hinges on robust identity verification and least privilege access. What challenges have been encountered in implementing scalable IAM solutions aligned with Zero Trust models?

Implementing scalable Identity and Access Management (IAM) solutions in alignment with Zero Trust principles is crucial but comes with many challenges. Most of the time organizations have multiple identity stores (e.g., Active Directory, LDAP, cloud IdPs) across on-prem and cloud environments (identity sprawl), which leads to difficulty establishing a single source of truth, complex identity federation or synchronization efforts, and inconsistent enforcement of authentication and access policies. Many organizations run legacy applications which do not support modern protocols (e.g., SAML, OAuth2), lack native integration with centralized IAM systems and require hardcoded credentials or manual account provisioning, which complicates integration and forces the use of fragile workarounds like identity proxies or custom middleware.

Zero Trust emphasizes just-in-time, role-based, or attribute-based access control (RBAC/ABAC/JIT); however, implementing these at scale is complex: role explosion can occur in RBAC, making management unwieldy, and mapping user attributes to appropriate access levels often requires extensive work and governance. Scalable IAM in a Zero Trust world requires contextual factors (location, device health, time of day, etc.) to determine access; however, collecting reliable and real-time telemetry, building dynamic policy engines that can process this context and avoiding excessive friction for users while still maintaining strong security always impose big challenges towards successful implementation.

Multi-Factor Authentication (MFA) is foundational for Zero Trust, but it’s not uniformly adopted across all systems, especially for old legacy applications. Users may resist or circumvent MFA due to usability concerns, as not all MFA methods offer the same level of assurance or adaptability. Finally, cultural and organizational barriers can cause even the best IAM solution to falter: resistance from departments reluctant to give up broad access, silos between IT, security, and business teams, and lack of executive buy-in or funding for a comprehensive IAM overhaul. To implement scalable IAM that aligns with Zero Trust, organizations must address technical, operational, and cultural challenges.

Zero Trust can introduce authentication fatigue or friction. What steps have been taken to ensure that Zero Trust implementations maintain a seamless user experience while enhancing security?

Balancing security with a frictionless user experience is one of the toughest challenges in Zero Trust adoption. If not handled carefully, Zero Trust can result in authentication fatigue, where users are overwhelmed by frequent prompts or cumbersome access workflows. Instead of asking for MFA on every login, many Zero Trust frameworks use contextual signals to determine when step-up authentication is needed. This helps reduce unnecessary prompts by evaluating device health and trust status, IP reputation or geo-location, time of access, behavioural anomalies and access patterns over time. If the context is low-risk, access is granted seamlessly; if not, step-up auth (e.g., MFA) is triggered. SSO platforms consolidate authentication across multiple apps and services, allowing users to authenticate once and access everything they're authorized for without repeated logins, which reduces login fatigue, improves adoption of secure authentication methods, and centralizes access logging and control.

To eliminate the weakest link (passwords), many organizations are embracing password-less solutions, such as biometrics (fingerprint, facial recognition), WebAuthn security keys, authenticator apps or push notifications; these methods are both more secure and user-friendly, reducing cognitive load on users. Providing access only when and as needed helps reduce privilege exposure without burdening users with excessive approval chains. Techniques include time-bound access grants, automated provisioning for specific tasks, and self-service access requests with auto-approval for low-risk cases, which can be part of a Just-in-Time and Just-Enough Access (JIT/JEA) strategy. Unified access portals or dashboards can eliminate the struggle of managing access across multiple tools and offer visibility into available resources, reduce navigation friction, and allow quick revocation or requests for access. This improves usability without compromising the principles of Zero Trust. End user education and communication is one of the most crucial aspects and needs to be addressed with care. Training employees on secure behavior and Zero Trust principles is a must for seamless implementation.
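The contextual step-up logic described in the answer above can be made concrete as a small policy engine. The following Python is an added example for this page, not code from the interviewee or from Berger Paints India; the signal names, weights, risk tiers and the 8-hour MFA reuse window are assumptions chosen for illustration, not any vendor's defaults.

```python
"""Risk-based step-up authentication decision (added example).

Each access request carries context signals. The policy scores them and
returns ALLOW (no prompt), STEP_UP (require MFA now) or DENY. A recent MFA
is reused for medium-risk requests so users are not re-prompted needlessly.
All weights, thresholds and the MFA reuse window are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Set

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"

# Assumption: a successful MFA is trusted for 8 hours on the same session.
MFA_VALIDITY = timedelta(hours=8)


@dataclass
class AccessContext:
    user: str
    device_managed: bool        # enrolled device passing health checks
    ip_reputation: str          # "good", "unknown" or "bad" (from a feed)
    country: str                # geo-IP of the request
    hour_local: int             # 0-23, user's local time
    known_countries: Set[str] = field(default_factory=set)  # usual pattern
    last_mfa: Optional[datetime] = None
    now: datetime = field(default_factory=datetime.utcnow)


def risk_score(ctx: AccessContext) -> int:
    """Additive score; higher means riskier. Weights are assumptions."""
    score = 0
    if not ctx.device_managed:
        score += 40                      # unmanaged or unhealthy device
    if ctx.ip_reputation == "bad":
        score += 100                     # listed source: deny outright
    elif ctx.ip_reputation == "unknown":
        score += 20
    if ctx.known_countries and ctx.country not in ctx.known_countries:
        score += 30                      # deviation from usual geography
    if ctx.hour_local < 6 or ctx.hour_local > 22:
        score += 10                      # off-hours access
    return score


def decide(ctx: AccessContext) -> str:
    """Map the score to a decision, reusing a fresh MFA for medium risk."""
    score = risk_score(ctx)
    if score >= 100:
        return DENY
    if score < 20:
        return ALLOW                     # low risk: no prompt at all
    fresh_mfa = ctx.last_mfa is not None and ctx.now - ctx.last_mfa < MFA_VALIDITY
    if score < 60 and fresh_mfa:
        return ALLOW                     # medium risk, recently verified
    return STEP_UP                       # medium/high risk: prompt for MFA


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 10, 0, 0)
    usual = AccessContext("alice", True, "good", "IN", 10, {"IN"}, now=now)
    travelling = AccessContext("alice", False, "good", "DE", 10, {"IN"},
                               last_mfa=now - timedelta(hours=1), now=now)
    print(decide(usual), decide(travelling))
```

The point of the tiers is that a single bad signal (listed IP) is decisive, while mild signals (unknown IP reputation) only cost the user a prompt when there is no recent MFA to fall back on.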

Static security policies can quickly become outdated. What processes are in place to continuously update and refine security policies based on evolving threat landscapes?

In a Zero Trust model, static security policies are a liability. Threats evolve fast, and policies need to evolve even faster. To keep policies current and relevant, organizations are implementing dynamic, continuous processes for refining and adapting security controls. Continuous monitoring and telemetry collection are imperative in defining dynamic security policy. Organizations deploy tools to gather real-time data from endpoints (via EDR/XDR), network traffic (via NDR tools), identity systems (via SIEM/UEBA) and cloud environments (via CSPM/CIEM); this telemetry forms the foundation for context-aware policy decisions and for detecting drift or outdated rules.

Automated threat intelligence feeds help organizations formulate security policies driven by threat intel that updates known malicious IPs/domains, vulnerable software signatures, indicators of compromise (IOCs) and emerging threat actor TTPs (Tactics, Techniques, Procedures). These feeds integrate with firewalls, endpoint agents, and access control systems to automatically adjust security postures. Using User and Entity Behavior Analytics (UEBA) or machine learning, organizations can detect unusual login patterns, suspicious privilege escalations, lateral movement or data exfiltration attempts; anomalies trigger automated policy tuning, such as temporarily blocking access, increasing authentication requirements or notifying security teams.

Regular risk assessments (VAPT, red teaming etc.) and threat modelling are an extremely important basis on which the security policy can further be refined. Every security incident should trigger a postmortem or lessons-learned analysis. This process usually includes reviewing the policies that failed or were bypassed, identifying gaps in monitoring or access control, and feeding insights into updated Zero Trust rules or policy logic, which ensures that policies evolve with real-world adversary behavior. Cross-functional governance and policy committees must be formed, made up of security teams, IT operations, compliance/legal and business unit leaders. These groups meet regularly to review access patterns, threat data, and policy effectiveness, then make decisions about necessary policy updates or retirements.
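The two answers above describe turning telemetry, threat-intel IOCs and behavioural anomalies into automatic policy adjustments. The following Python is an added example for this page, not code from the interviewee or from Berger Paints India. The log line format, the IOC list, the sample events and the detection thresholds are all constructed for illustration; a real deployment would read from a SIEM and a feed provider instead.

```python
"""Telemetry and threat-intel driven policy tuning (added example).

Reads constructed authentication events, then emits policy actions:
  - block_ip     : source IP appears in a (constructed) IOC feed
  - require_mfa  : one user succeeds from two countries within a short window
  - notify_soc   : a success follows a streak of failures from the same IP
Everything here (format, IOCs, thresholds) is an assumption for the example.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed IOC feed: addresses a provider reported as malicious (RFC 5737 range).
IOC_IPS: Set[str] = {"203.0.113.9"}

# Constructed log lines: "<timestamp> <user> <source_ip> <country> <result>"
SAMPLE_LOG = """\
2024-05-01T08:00:00Z alice 198.51.100.4 IN success
2024-05-01T08:20:00Z alice 192.0.2.77 DE success
2024-05-01T09:00:00Z bob 203.0.113.9 US failure
2024-05-01T09:00:30Z bob 203.0.113.9 US failure
2024-05-01T09:01:00Z bob 203.0.113.9 US success
2024-05-01T09:30:00Z carol 198.51.100.5 IN success
"""

Action = Tuple[str, str, str]   # (action, target, reason)


def parse(line: str) -> Dict[str, object]:
    ts, user, ip, country, result = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "country": country, "result": result}


def analyse(log_text: str, ioc_ips: Set[str] = IOC_IPS,
            travel_window_min: int = 60, failure_streak: int = 2) -> List[Action]:
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    actions: List[Action] = []

    # 1) IOC match: any event from a listed IP gets the source blocked.
    for e in events:
        if e["ip"] in ioc_ips:
            actions.append(("block_ip", e["ip"], "source IP in threat-intel IOC feed"))

    # 2) Impossible travel: successes for one user from different countries
    #    within the window raise that user's authentication requirement.
    by_user: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            gap_min = (b["ts"] - a["ts"]).total_seconds() / 60
            if a["country"] != b["country"] and gap_min <= travel_window_min:
                actions.append(("require_mfa", user,
                                f"{a['country']}->{b['country']} within {gap_min:.0f} min"))

    # 3) Failure streak then success from the same (user, ip): likely guessing.
    streak: Dict[Tuple[str, str], int] = defaultdict(int)
    for e in events:
        key = (e["user"], e["ip"])
        if e["result"] == "failure":
            streak[key] += 1
            continue
        if streak[key] >= failure_streak:
            actions.append(("notify_soc", e["user"],
                            f"success after {streak[key]} failures from {e['ip']}"))
        streak[key] = 0

    # Keep the first reason per (action, target) so repeated hits do not spam.
    seen: Dict[Tuple[str, str], Action] = {}
    for act in actions:
        seen.setdefault((act[0], act[1]), act)
    return list(seen.values())


if __name__ == "__main__":
    for action, target, reason in analyse(SAMPLE_LOG):
        print(f"{action:12} {target:14} {reason}")
```

Each action maps to one of the responses the answer lists (block, step up authentication, notify the team); in practice the output would be pushed to the firewall, the IdP's conditional-access policy and the SOC queue rather than printed.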

