Zero Trust has been established as the guiding principle for cybersecurity. The “don’t trust, always verify” approach stands for methods that don’t rely only on singular security tools, such as the traditional network perimeter firewall, to keep attackers out. Instead, Zero Trust builds on layered security and repeated or  continuous verification.

The concept of Zero Trust has evolved beyond a network perspective, restricting lateral movements of users once they have passed the firewall. It involves a broader model that looks at many different layers of access and permissions. Zero Trust spans identities, devices, networks, systems, applications, data, and software.

The Role of Identity in Zero Trust

Identities are where Zero Trust starts, with user authentication and with IGA (Identity Governance and Administration) solutions managing the user accounts and their entitlements, but also providing  access governance capabilities, including regular review and recertification, making it a key component of a Zero Trust model. In the future, we expect – also following the NIST Zero Trust concept of policy-based controls – an uptake of policy-based, real-time enforcement and verification of access authorizations.

Zero Trust  on ServiceNow Every IT environment must be protected against cyberattacks, and to achieve this, Zero Trust must become ubiquitous. ServiceNow, delivers a range of business applications on the platform to protect enterprises. With its capabilities  for managing IT services and assets, as well as GRC (Governance, Risk, and Compliance) and support for SecOps (Security Operations), it’s a smart way to start implementing Zero Trust with your existing IT Service Management (ITSM) investment.

The criticality of ServiceNow becomes obvious when looking at some of the use cases. CMDBs are an important repository when it comes to advanced device management in the context of Zero Trust. Device verification must build on valid information. With its ITSM capabilities supporting the management of employees, contractors, and partners and their entitlements, e.g., in manual fulfilment, ServiceNow also must be protected against fraudulent use.

There are various further use cases:  

  • the role of CMDBs for delivering attributes that are used for defining entitlements, and for real-time authorization;
  • the integrated Risk Management capabilities;
  • the protection of workflows in Portfolio Management; and
  • IT and Security Operations, that is both a solution for better managing and protecting the IT infrastructure, and a potential attack target for taking control about large parts of the IT infrastructure.

ServiceNow  requires  strong identity management to govern users and their entitlements. This goes beyond the capabilities of ITSM solutions, such as ServiceNow, that are primarily focused on supporting manual fulfilment activities within IGA.

Zero Trust with ServiceNow and Clear Skye IGA

Clear Skye is an IGA solution built natively on ServiceNow. It utilizes a wide range of platform capabilities, such as the data model and database, workflows, and the ServiceNow user interface. While supporting a wide range of applications, a particular strength of Clear Skye derives from being native to the ServiceNow platform and the ability to manage identities and their access in this environment.

With that, Clear Skye provides an essential building block for enhancing Zero Trust to ServiceNow environments and beyond. It can protect both the various applications within the ServiceNow environment and other, external systems and applications via connectors.


Commissioned by ClearSkye