Zero trust, in practice
By the Zoneits team · 6 min read
Zero trust gets sold as a box you can buy. It is not. It is an architecture and a set of principles, and the hard part is not the tooling, it is deciding where to start and having the discipline to sequence the work. Here is how we approach it.
Three principles, not a product
Every vendor with a firewall or an identity suite now has a zero-trust logo on its slide deck. That marketing has done real damage, because it implies you can purchase your way to zero trust in a single procurement cycle. You cannot. Zero trust is a way of designing access, and it rests on three principles that NIST and most serious frameworks state in one form or another:
- Verify explicitly. Authenticate and authorize every request using all the signals you have, identity, device health, location, and behavior, rather than trusting anything because of where it sits on the network.
- Use least-privilege access. Grant the minimum rights needed for the task at hand, for the shortest time that makes sense, and no more.
- Assume breach. Design as if an attacker is already inside. Segment aggressively, encrypt end to end, limit blast radius, and instrument everything so you can see and respond.
None of those is a feature you toggle on. They are decisions that shape identity, network, endpoints, and operations together. The upside is that you do not need a rip-and-replace to begin, you need a direction and a sequence.
From a trusted perimeter to identity
The model zero trust replaces is the castle and moat: a hard network perimeter, and implicit trust for anything inside it. Once an attacker phished a laptop or found a soft VPN, they were on the trusted side and could move laterally with little friction. Remote work, cloud, and SaaS dissolved that perimeter anyway, the users, the data, and the apps are no longer conveniently on one network you control.
So the new control plane is identity. In a zero-trust design, strong identity plus phishing-resistant authentication, device posture, and per-request authorization replace the old assumption that a network location equals trust. Every access decision is made fresh, against policy, using current signals, and every decision is logged. That is the shift, from trusting the network to verifying the identity and the device on each request.
The core moves
Underneath the principles there is a fairly concrete set of moves. In rough order of leverage:
- Consolidate identity and enforce MFA. One identity provider as the source of truth, single sign-on for your applications, and multi-factor authentication everywhere, ideally phishing-resistant methods such as passkeys or FIDO2 rather than SMS codes.
- Microsegment the network. Break the flat internal network into small zones so a compromise in one place cannot reach everything. Segmentation is the practical expression of assume breach, it caps the blast radius.
- Adopt ZTNA instead of a flat VPN. Zero Trust Network Access brokers per-application access based on identity and device posture, so a user reaches only the specific apps they are entitled to, never the whole network. It is the direct replacement for the all-or-nothing VPN tunnel.
- Apply least privilege and PAM. Right-size every role, remove standing admin rights, and put privileged access behind just-in-time approval and session recording with a privileged access management tool.
- Instrument everything for the SOC. Feed identity, endpoint, and network telemetry into a SOC backed by XDR so detection and response are continuous. If you cannot measure mean time to detect and mean time to respond, you cannot claim the model is working.
Where to start
The most common failure is trying to do all of it at once. Zero trust touches nearly every system you own, and treating it as one giant program is how it stalls. Sequence it instead, and let each phase earn the next.
Start with identity and MFA. It is the highest-leverage move by a wide margin, most breaches still begin with a stolen or weak credential, and closing that gap protects everything downstream. Once identity is consolidated and phishing-resistant MFA is enforced, move to segmentation to limit lateral movement, then to ZTNA to retire the flat VPN and broker access per application. Layer least privilege and PAM across all of it, and stand up the monitoring that lets your SOC actually watch the estate. Do not try to boil the ocean, ship one phase, measure it, and move on.
If you do exactly one thing this quarter, consolidate identity and turn on phishing-resistant MFA everywhere. It is the single highest-leverage control in a zero-trust program, and it makes every later phase, segmentation, ZTNA, least privilege, meaningfully easier to enforce.
A phased rollout
Here is the sequence we use with clients, framed as four phases. Each one delivers standalone value, so the program is never all-or-nothing, and each sets up the phase after it.
| Phase | Focus | First moves |
|---|---|---|
| Phase 1 | Identity | Consolidate to one identity provider, enforce SSO, roll out phishing-resistant MFA, and clean up dormant accounts. |
| Phase 2 | Segmentation | Microsegment the network into zones, restrict east-west traffic, and encrypt internal paths to cap the blast radius. |
| Phase 3 | ZTNA + least privilege | Replace the flat VPN with per-application ZTNA, right-size roles, and put privileged access behind just-in-time PAM. |
| Phase 4 | Monitor + respond | Feed identity, endpoint, and network telemetry into a SOC with XDR, and track MTTD and MTTR to prove it works. |
The point of it all
Zero trust is not about buying trust, it is about removing the implicit kind. Done well, an attacker who lands a phished credential finds strong authentication in the way, a segmented network that goes nowhere, application access scoped to one entitlement, no standing admin rights to escalate, and a SOC watching every step. That is the whole idea, make each move an attacker has to make expensive, visible, and contained.
We build these programs end to end, from the identity foundation through segmentation and ZTNA to a managed SOC that runs it day to day. If you want to see how it maps to your estate, start with our cybersecurity practice and our managed NOC and SOC, then bring us the hard parts.
Start with identity.
Tell us what your access model looks like today. We will map a phased zero-trust rollout, identity and MFA first, and run the SOC that keeps it honest.