Zero Trust: A Journey, Not an Easy Button

Often, organizations come to me hoping that Zero Trust is some kind of quick solution—like hitting the Staples Easy Button and exclaiming, “That was easy!” But that’s not how it works. Like all aspects of security, Zero Trust is an ongoing journey of continuously building and reinforcing defences—it’s not a one-time fix.

In the past—and sometimes even today—we relied on the castle and moat approach to security. It was a straightforward concept: build strong defences (the moat) around the network perimeter, and everything inside (the castle) would be safe. Once someone made it past the perimeter, they had free rein inside. But today’s IT environment is far more complex. We have on-prem systems, cloud services, mobile devices, and remote workers all accessing resources. The old castle walls don’t exist anymore, and the moat is full of holes.

Many years ago, long before Zero Trust was coined, I attended a talk where two individuals were discussing the need for organizational security to evolve. They used the analogy to say that gators, moats, walls, and arrows can no longer protect IT enterprises from attackers. Back then, the solution proposed was defence-in-depth, emphasizing network segmentation, least privilege, and identity-based security. Looking back, I don’t think Zero Trust is new—it’s just been given a name and formalized into a framework.

Zero Trust flips the script by assuming no one and nothing can be trusted by default—not even if they’re inside the network. Instead of letting everyone roam freely once they’ve gained access, Zero Trust operates on a principle of continuous verification. Every user, device, and access request is treated as a potential risk until it’s verified, and that verification is ongoing.

This model doesn’t just stop attackers from getting in—it assumes they already have. By requiring continuous validation of identity, device health, and user behavior, you limit their ability to move laterally within your systems and prevent them from accessing sensitive data. It’s a mindset shift: don’t trust anyone or anything, inside or outside, until you’ve verified them and know they’re safe.

Starting Your Zero Trust Journey: Implement MFA

The first step in this journey? Multi-Factor Authentication (MFA). If you haven’t already implemented MFA, now is the time. It’s the simplest and most effective way to add an extra layer of protection, especially against the most common attack vector: compromised passwords. How many times a month do you read an article where company Y’s passwords have been compromised? MFA ensures that even if an attacker gets hold of someone’s password, they still can’t access your systems without the second factor.

MFA is your low-hanging fruit in the Zero Trust journey. It’s an easy win that dramatically improves your security posture with minimal effort. While it won’t solve all your security challenges, it sets the foundation for more complex Zero Trust implementations down the road. I am by no means saying it can’t be defeated, but why make it easier for the threat actor?

What’s Next After MFA?

So, what if you already have MFA in place? The next step is to build on that foundation. Start looking at least privilege access. This means giving users and devices the minimum level of access they need to perform their duties and nothing more. Even if an account is compromised, attackers won’t have free access to your entire network—just a limited portion.

Next, consider device health checks and conditional access policies. These ensure that only devices meeting certain security criteria, such as up-to-date patches and encryption, are allowed to connect to your network. You’re adding more layers of protection that make it harder for malicious actors to gain access or move within your systems.

From here, you can expand into network segmentation and micro-segmentation, breaking down your network into smaller segments where lateral movement is limited. This way, even if one section is compromised, the damage is contained.
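To make the layering above concrete, here is an added example (not taken from any product or from the original post) of a deny-by-default access decision that re-checks MFA, least-privilege grants scoped to a network segment, and device health on every request. The role names, the grant table, the reason codes and the 30-day patch threshold are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical policy data, constructed for this example.
# Least privilege: each role gets only explicit (segment, resource, action) grants.
ROLE_GRANTS = {
    "payroll-clerk": {("finance", "payroll-db", "read")},
    "payroll-admin": {("finance", "payroll-db", "read"),
                      ("finance", "payroll-db", "write")},
}
MAX_PATCH_AGE = timedelta(days=30)  # assumed patch-currency threshold


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_passed: bool
    disk_encrypted: bool
    last_patched: date
    segment: str
    resource: str
    action: str


def decide(req: Request, today: date) -> tuple[bool, str]:
    """Deny by default. Called per request, so posture is re-verified each time."""
    # Step 1: a password alone is never enough.
    if not req.mfa_passed:
        return False, "mfa_required"
    # Step 2: least privilege, scoped to a segment. An unknown role has no grants,
    # and a grant in one segment does not carry over to another.
    grants = ROLE_GRANTS.get(req.role, set())
    if (req.segment, req.resource, req.action) not in grants:
        return False, "not_granted"
    # Step 3: device health (encryption and patch currency).
    if not req.disk_encrypted:
        return False, "device_unencrypted"
    if today - req.last_patched > MAX_PATCH_AGE:
        return False, "device_patches_stale"
    return True, "allow"
```

Because `decide` takes the current date and is evaluated per request, a device that was healthy at sign-in is refused once its patches age past the threshold, which is the continuous-verification behaviour described earlier.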

Zero Trust for Today’s Complex IT Environment

One of the biggest challenges of today’s security world is how fragmented and complex it’s become. Organizations now have to manage their on-prem systems, cloud environments, remote users, and mobile devices, all of which need to be secure. The idea of a well-defined network perimeter is outdated. Your users and devices could be anywhere—on the road, at home, or in the office—and all of them need to be treated with Zero Trust principles.

This complexity is exactly why Zero Trust is so critical. As your environment grows more diverse and dispersed, your approach to security must evolve with it. Zero Trust provides the framework to continuously verify every access point, regardless of where it’s coming from.

And let’s not forget, the human element is always the weakest link. According to research by Dark Reading, 91% of cyberattacks start with phishing emails. This is a critical reason why implementing controls like MFA and phishing-resistant measures is an essential part of the journey. No matter how good your technical controls are, if users are easily tricked, your defences will fall.

Zero Trust is Continuous, Not a Destination

Zero Trust isn’t a destination you arrive at—it’s a continuous process. After MFA and least privilege access, there are always new layers of security to implement, whether that’s micro-segmentation, real-time threat detection, or automated response systems (which I’ll cover in another blog post).

It’s important to remember that Zero Trust isn’t about perfection. It’s about resilience. No matter how advanced your security measures are, breaches may still occur. The key is to minimize the damage by assuming the breach has already happened and limiting the attacker’s access as much as possible. The journey doesn’t end with one implementation; it’s about constantly improving, staying agile, and evolving with new threats.

Commit to the Journey

Zero Trust requires ongoing commitment. You’re not just flipping a switch and calling it a day. Each step—from MFA to conditional access to segmentation—builds on the last, creating a stronger, more resilient security posture. As your organization grows and adapts, so must your approach to Zero Trust.

By understanding that Zero Trust is a journey, not a button you press, you’re already ahead of the game. Commit to the process, take it step by step, and you’ll find that your organization is better prepared to face today’s threats and whatever comes next.
