The principle, in one sentence

Zero Trust means: do not trust any user, device, or workload by default — verify identity, device posture, and request context on every access decision. Implementation choices follow from that principle, but the principle itself is doing a lot of work. Most "Zero Trust" projects in practice are identity-modernization projects with a network-access overhaul stapled on.

A workable sequence for mid-market

Step 1: Modern identity (months 1–3)

Consolidate authentication on a single IdP — Okta, Entra ID, JumpCloud, OneLogin. Enable phishing-resistant MFA (passkeys, FIDO2, or platform authenticators) for every privileged role and as the default for the rest. Disable legacy protocols (IMAP, POP, basic auth on Exchange). This single step blocks the majority of credential-stuffing and password-spray attacks.
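Before disabling legacy protocols it is worth knowing which accounts still depend on them, because the ones that break are usually service accounts and long-forgotten mail clients. The following is an added example (not code from the original article or from any IdP vendor) that scans sign-in events for legacy-protocol clients and separates accounts that actually use them from accounts that are only being targeted through them. The JSON-lines log shape, field names and client labels are assumptions; real Entra ID or Okta exports use their own field names and need the mapping adjusted.

```python
"""Audit sign-in events for legacy (non-modern) authentication before disabling it.

Added example, not from the original article. The log format below is a
constructed, simplified JSON-lines shape; real IdP exports use different
field names, so treat the field and client names as assumptions to adapt.
"""
import json
from collections import defaultdict

# Client labels treated as legacy authentication (assumed labels, chosen to
# mirror the protocols the article says to disable: IMAP, POP, basic auth).
LEGACY_CLIENTS = {
    "IMAP4", "POP3", "SMTP AUTH", "Authenticated SMTP",
    "Exchange ActiveSync", "Other clients",
}

# Constructed sample sign-in events (not real data).
SAMPLE_LOG = """
{"user": "alice@example.com", "client": "Browser", "auth": "passkey", "result": "success"}
{"user": "bob@example.com", "client": "IMAP4", "auth": "password", "result": "success"}
{"user": "bob@example.com", "client": "IMAP4", "auth": "password", "result": "failure"}
{"user": "svc-scanner@example.com", "client": "SMTP AUTH", "auth": "password", "result": "success"}
{"user": "carol@example.com", "client": "Mobile Apps and Desktop clients", "auth": "fido2", "result": "success"}
{"user": "mallory-guess@example.com", "client": "POP3", "auth": "password", "result": "failure"}
"""


def parse_events(text):
    """Parse one JSON object per non-empty line into a list of dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def legacy_auth_report(events):
    """Return {user: {"success": n, "failure": n, "clients": set}} restricted
    to sign-ins that arrived over a legacy client."""
    report = defaultdict(lambda: {"success": 0, "failure": 0, "clients": set()})
    for ev in events:
        if ev["client"] not in LEGACY_CLIENTS:
            continue
        entry = report[ev["user"]]
        entry[ev["result"]] += 1
        entry["clients"].add(ev["client"])
    return dict(report)


def classify(report):
    """Split accounts into those that still depend on legacy auth (at least
    one successful legacy sign-in) and those only targeted through it
    (failures only, the usual signature of password spray / stuffing)."""
    dependents = sorted(u for u, e in report.items() if e["success"] > 0)
    targeted_only = sorted(u for u, e in report.items() if e["success"] == 0)
    return dependents, targeted_only


if __name__ == "__main__":
    rep = legacy_auth_report(parse_events(SAMPLE_LOG))
    deps, targeted = classify(rep)
    print("still using legacy auth:", deps)
    print("only targeted via legacy auth:", targeted)
```

The "dependents" list is the migration worklist (move the mailbox to modern auth, replace the scanner's SMTP AUTH with a relay or API); the "targeted only" list is evidence that disabling the protocol removes an active attack surface rather than just a feature.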

Step 2: Conditional access (months 3–4)

Layer policies on top of identity: require managed device for SaaS apps holding sensitive data, block sign-ins from impossible-travel geographies, step up to phishing-resistant MFA for admin actions. Conditional access is where Zero Trust becomes operational rather than aspirational.

Step 3: ZTNA replaces VPN (months 4–8)

Zero Trust Network Access — Zscaler ZPA, Cloudflare Access, Cato Networks, Twingate, Tailscale Business — replaces the all-or-nothing VPN with per-application access decisions. Users connect to an app, not a network. The IdP evaluates identity and device posture per request. Most mid-market companies can fully decommission their VPN within 12 months of starting this step.

Step 4: Device trust (months 6–10)

Combine MDM signals (Intune, Jamf, Kandji) with EDR posture into a trust score that feeds your conditional access. A device with an out-of-date OS, missing EDR, or non-compliant disk encryption should not be able to reach production data — even if the user passed MFA.
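Steps 2 and 4 describe one decision function: identity and request context (Step 2) plus a device trust score (Step 4), evaluated on every access. The block below is an added example, not code from the article or from Entra ID, Okta or any MDM vendor; it models that decision as plain Python so the ordering of checks is explicit and testable. The trust-score rubric, minimum OS versions, the 900 km/h impossible-travel threshold and the sensitivity labels are all assumptions.

```python
"""Conditional-access decision combining identity, device posture and request context.

Added example (not the article's or any vendor's code). Real IdPs express
these rules in their own policy objects; this is a standalone model of the
same decisions. Thresholds and labels below are assumptions.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional, Tuple

# Assumed minimum OS versions for a device to count as up to date.
MIN_OS = {"macos": (14, 0), "windows": (10, 0, 19045), "ios": (17, 0)}
# Ground speed above which two sign-ins are treated as impossible travel (assumed).
MAX_KMH = 900.0
PHISHING_RESISTANT = {"passkey", "fido2", "platform_authenticator"}
SENSITIVE = {"sensitive", "production"}


@dataclass
class Device:
    """MDM and EDR posture signals as the IdP would receive them."""
    managed: bool                 # enrolled in MDM (Intune / Jamf / Kandji)
    os: str
    os_version: Tuple[int, ...]
    edr_running: bool
    disk_encrypted: bool

    def trust_score(self) -> int:
        """0-4 compliance score; 4 means every posture check passed."""
        checks = [
            self.managed,
            self.os_version >= MIN_OS.get(self.os, (0,)),
            self.edr_running,
            self.disk_encrypted,
        ]
        return sum(1 for ok in checks if ok)


@dataclass
class Request:
    """One access request with its identity and context signals."""
    user: str
    mfa_method: str               # e.g. "password", "sms", "passkey"
    app_sensitivity: str          # "low" | "sensitive" | "production"
    admin_action: bool
    device: Device
    location: Tuple[float, float]                 # (lat, lon)
    last_location: Optional[Tuple[float, float]] = None
    minutes_since_last: float = 0.0


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in km."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(req):
    """True if reaching this sign-in from the previous one would need > MAX_KMH."""
    if req.last_location is None:
        return False
    km = haversine_km(req.last_location, req.location)
    if req.minutes_since_last <= 0:
        return km > 50.0          # simultaneous sign-ins from different cities
    return km / (req.minutes_since_last / 60.0) > MAX_KMH


def decide(req):
    """Return (verdict, reason) with verdict in {"allow", "deny", "step_up"}.
    Device posture is checked after MFA on purpose: a user who passed MFA on
    a non-compliant device is still denied production data."""
    if impossible_travel(req):
        return "deny", "impossible travel from previous sign-in location"
    if req.admin_action and req.mfa_method not in PHISHING_RESISTANT:
        return "step_up", "admin action requires phishing-resistant MFA"
    if req.app_sensitivity in SENSITIVE and not req.device.managed:
        return "deny", "sensitive app requires a managed device"
    if req.app_sensitivity == "production" and req.device.trust_score() < 4:
        return "deny", "production data requires a fully compliant device"
    return "allow", "identity, device and context checks passed"
```

The order of the checks is the policy: context anomalies first, then the MFA strength required for the action, then device posture gated by data sensitivity. When porting this to a real IdP, keep that order visible in the policy names so exception reviews can see which gate a bypass is defeating.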

Step 5: Microsegmentation (months 8–18)

East-west segmentation is the last and hardest step. Mid-market organizations can use cloud-native controls (security groups, VPC endpoints, service mesh policies) — many of which are inventoried by a CNAPP — before committing to a microsegmentation product like Illumio or Akamai Guardicore. Start with the highest-value zones (production databases, payment systems) and expand.
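A practical way to start the east-west work is to write the intended zone-to-zone allowlist down as data, run existing flow logs against it, and only then translate the allowlist into security-group or mesh rules. The following is an added example (not the article's code and not tied to Illumio, Guardicore or any cloud provider) that does exactly that for a few high-value zones. Zone names, CIDRs, the allowlist and the flow-log format are constructed assumptions.

```python
"""Default-deny east-west policy check over flow records.

Added example, not part of the article. Models zone-to-zone allowlisting the
way a security-group or service-mesh policy would, and runs it over
constructed flow-log lines to find flows the policy would block.
Zone names, CIDRs, allowlist and log format are assumptions.
"""
import ipaddress

# Assumed zones, with the article's highest-value zones listed first.
ZONES = {
    "prod-db": ipaddress.ip_network("10.10.0.0/24"),
    "payments": ipaddress.ip_network("10.20.0.0/24"),
    "prod-app": ipaddress.ip_network("10.30.0.0/24"),
    "corp": ipaddress.ip_network("10.100.0.0/16"),
}

# Allowlist of (src_zone, dst_zone, proto, dst_port). Everything else is denied.
ALLOW = {
    ("prod-app", "prod-db", "tcp", 5432),
    ("prod-app", "payments", "tcp", 443),
    ("payments", "prod-db", "tcp", 5432),
}

# Constructed flow records: "src dst proto dport bytes" (not real traffic).
SAMPLE_FLOWS = """
10.30.0.5 10.10.0.7 tcp 5432 18230
10.100.4.22 10.10.0.7 tcp 5432 9120
10.100.4.22 10.10.0.7 tcp 22 4096
10.20.0.3 10.10.0.7 tcp 5432 771
10.30.0.5 10.20.0.3 tcp 443 2048
10.10.0.7 10.100.4.22 tcp 445 500
"""


def zone_of(ip):
    """Map an address to its zone name, or "unknown" if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    src, dst, proto, dport, nbytes = line.split()
    return {"src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "bytes": int(nbytes)}


def evaluate(text):
    """Return (allowed, violations): flows annotated with zones, split by
    whether the (src_zone, dst_zone, proto, port) tuple is on the allowlist."""
    allowed, violations = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        flow = parse_flow(line)
        flow["src_zone"] = zone_of(flow["src"])
        flow["dst_zone"] = zone_of(flow["dst"])
        key = (flow["src_zone"], flow["dst_zone"], flow["proto"], flow["dport"])
        (allowed if key in ALLOW else violations).append(flow)
    return allowed, violations


def violations_by_destination(violations):
    """Count would-be-blocked flows per destination zone, which is the
    order in which to enforce: the zone with real traffic to cut off first."""
    counts = {}
    for f in violations:
        counts[f["dst_zone"]] = counts.get(f["dst_zone"], 0) + 1
    return counts


def ingress_rules_for(zone):
    """Render the allowlist for one zone as generic (source CIDR, proto, port)
    ingress rules, the shape a cloud security group or mesh policy takes."""
    return sorted(
        (str(ZONES[src]), proto, port)
        for src, dst, proto, port in ALLOW
        if dst == zone
    )


if __name__ == "__main__":
    ok, bad = evaluate(SAMPLE_FLOWS)
    print(f"{len(ok)} allowed, {len(bad)} would be blocked")
    print("by destination zone:", violations_by_destination(bad))
    print("prod-db ingress:", ingress_rules_for("prod-db"))
```

Running the check in audit mode over a few weeks of flow logs before enforcing is what turns "the last and hardest step" into a sequence of small, reviewable cut-overs: each entry in the violations list is either an allowlist addition someone has to justify or a flow that should have been blocked all along.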

Common pitfalls

  • Treating ZTNA as a VPN replacement only — without identity modernization first, you have just renamed the perimeter
  • Buying every product Gartner labels Zero Trust — most are point solutions and stack badly
  • Skipping the change-management investment — Zero Trust changes how users access everything; communication and training are half the program
  • Allowing exception lists to grow unbounded — every "temporary" bypass becomes permanent
  • Underinvesting in monitoring — Zero Trust generates rich access telemetry that is wasted if no one is watching

You do not need a "Zero Trust platform". You need a sequence of capability upgrades — identity, conditional access, ZTNA, device trust, segmentation — most of which you can buy from your existing IdP and SSE vendor.

Metrics that show progress

  1. Percentage of users on phishing-resistant MFA (target: 100% of admins, 90%+ of all users)
  2. Percentage of internal apps fronted by ZTNA vs. VPN (target: 100% within 18 months)
  3. Percentage of access decisions evaluating device posture (target: 100% for sensitive apps)
  4. Number of standing privileged accounts (target: drop 80%+ via just-in-time access)
  5. Mean lateral-movement distance during red-team exercises (should shrink each year)