Inline Code

Zero trust

Zero trust without vendor capture

Most zero-trust programs we review are vendor roadmaps in disguise — a sequence of product purchases dressed up as architecture. The actual zero-trust shift is a procedural one, and it doesn't need a million-dollar identity overhaul to start.

Mathew Sayed · 5 min read

The marketing version of zero trust says it’s a journey. The vendor version says it’s a product. The honest version is that it’s a different way of making access decisions, and the day-to-day implementation is mostly procedural — about which decisions get made, by whom, with what evidence — rather than which appliance you bought.

Most zero-trust programs we review are vendor roadmaps in disguise: a multi-year sequence of product purchases (ZTNA, microsegmentation, CASB, SSE) labelled as “phases” of zero trust. The diagram is impressive and the bill is large. The actual security improvement, when measured against control objectives, is often modest — because the procedural shift never happened.

This post is the version we give clients who ask: “What does an honest zero-trust program look like, given we already have an Entra/Okta IdP, an EDR, an MFA rollout, and not much budget?”

What zero trust actually requires

The substantive content of zero trust is three commitments:

  1. Every access decision is made on current context, not on prior network position. Being on the corporate VPN does not grant you access to anything; the access is granted by an IdP-evaluated policy that considers identity, device posture, and the resource being accessed.

  2. Access is granted to specific resources, not to network segments. “VPN access to the data centre” is a network-position grant. “Access to the finance system, for users in role X, on managed devices, during business hours” is a resource grant. The latter is the zero-trust grant.

  3. The audit trail captures the access decision, not just the network connection. Every grant emits a record of who, what, when, why (which policy), and on what device. This is the inspectability that lets you defend the grant later.

A program that delivers these three commitments is a zero-trust program, regardless of what was bought. A program that does not deliver them is not, regardless of what was bought.

What you don’t need to start

You do not need to rip out your VPN. You do not need to purchase ZTNA. You do not need a dedicated zero-trust platform. You do not need to microsegment your data centre. These may all be useful in time. They are not the entry point.

The entry point is your identity provider. If you have a working Entra ID or Okta tenant, you have the engine. The work is to use it.

The first three things to do

The highest-leverage zero-trust work for a mid-market organisation, in order:

1. Make identity the gate, not the network. Configure conditional access (Entra) or sign-on policies (Okta) such that access to every business application goes through the IdP. Specifically: every SaaS app federated, every internal web app behind an SSO-aware reverse proxy or identity-aware proxy, every administrative interface accessed via SSO with MFA. Your VPN remains for legacy applications during transition; new access decisions are made at the IdP.

2. Make device posture a factor in the policy. The IdP consumes a compliance signal from your device-management and EDR tooling and evaluates whether the device is managed (Intune, Jamf, MDM equivalent), whether it has current EDR, whether it has compliant disk encryption, and whether it is at the current OS patch level. Non-compliant devices receive constrained access — read-only, time-limited, or denied — according to the sensitivity of the resource. The integration is technical work, but the heavy lifting is the policy decisions: which resources require which posture levels, and what a device that falls short is still allowed to do.

3. Make the audit trail useful. Every access decision emits a log with identity, device, policy, decision, and resource. The logs go to a SIEM (Sentinel, Splunk, Chronicle) that can be queried. The query patterns become part of operational practice — periodic review of unusual access, exception-rate trending, supervisor-style oversight on privileged actions.

These three steps deliver the substantive zero-trust commitments. They use the tools most mid-market organisations already own. They are achievable in 60–120 days of focused work.
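To make the three steps concrete, here is a small policy engine, added as an illustration and not code from the original post or from any IdP. It models what the Entra conditional access or Okta sign-on policy is doing underneath: the decision is made on identity, device posture and the specific resource (never on network position), a device one posture level short gets constrained access rather than a silent deny, every decision emits a who/what/device/policy/why record, and the emitted records can be queried for exception-rate trending. The policy names, resources, roles, posture levels and sample requests are constructed for illustration; real products express the same decision in their own schemas.

```python
# Added example, not code from the original post; names and sample data are constructed.
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

POSTURE_RANK = {"unmanaged": 0, "managed": 1, "compliant": 2}  # ranked posture levels
AUDIT_LOG: list[dict] = []  # one record per decision (commitment 3)


@dataclass(frozen=True)
class Device:
    managed: bool         # enrolled in MDM (Intune, Jamf or equivalent)
    edr_healthy: bool     # EDR agent present and reporting
    disk_encrypted: bool
    os_current: bool      # at the required patch level

    def posture(self) -> str:
        """Collapse the raw signals into one ranked posture level."""
        if not self.managed:
            return "unmanaged"
        return "compliant" if (self.edr_healthy and self.disk_encrypted and self.os_current) else "managed"


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset[str]
    mfa_passed: bool
    device: Device
    resource: str
    on_corp_network: bool  # carried only to show it is never consulted


@dataclass(frozen=True)
class Policy:
    name: str
    resource: str                       # one application, not a network segment (commitment 2)
    roles: frozenset[str]
    require_mfa: bool
    min_posture: str                    # posture needed for full access
    degraded_access: str | None = None  # what a device one level short gets, e.g. "read-only"


def evaluate(req: Request, policies: list[Policy]) -> dict:
    """Decide one request on current context (commitment 1) and emit its audit record.
    req.on_corp_network is never read: network position grants nothing. Default is deny,
    so a resource nobody wrote a policy for is not reachable by accident."""
    posture = req.device.posture()
    decision, access, policy_name, reason = "deny", None, None, "no policy covers this resource"
    for p in (p for p in policies if p.resource == req.resource):
        policy_name = p.name
        if not (req.roles & p.roles):
            reason = "role not permitted"
            continue                    # another policy may cover this role
        if p.require_mfa and not req.mfa_passed:
            reason = "MFA required"
            break
        have, need = POSTURE_RANK[posture], POSTURE_RANK[p.min_posture]
        if have >= need:
            decision, access, reason = "allow", "full", "all conditions met"
        elif p.degraded_access and have == need - 1:
            decision, access = "allow", p.degraded_access
            reason = "posture one level short; constrained access"
        else:
            reason = f"posture {posture} below required {p.min_posture}"
        break
    record = dict(ts=datetime.now(timezone.utc).isoformat(timespec="seconds"),
                  user=req.user, resource=req.resource, device_posture=posture,
                  policy=policy_name, decision=decision, access=access, reason=reason)
    AUDIT_LOG.append(record)
    return record


def exception_rate(records: list[dict]) -> dict[str, float]:
    """Per-resource share of decisions that were not a full allow, for periodic trend review."""
    totals, exceptions = Counter(), Counter()
    for r in records:
        totals[r["resource"]] += 1
        exceptions[r["resource"]] += r["access"] != "full"
    return {res: exceptions[res] / totals[res] for res in totals}


POLICIES = [  # constructed policies: finance system tolerates a managed-but-noncompliant device read-only
    Policy("finance-erp-staff", "finance-erp", frozenset({"finance"}), True,
           "compliant", degraded_access="read-only"),
    Policy("git-engineering", "git-hosting", frozenset({"engineering"}), True, "managed"),
]


def demo() -> list[dict]:
    """Run constructed requests through POLICIES and return their audit records."""
    compliant = Device(True, True, True, True)
    no_edr = Device(True, False, True, True)
    byod = Device(False, False, False, False)
    reqs = [
        Request("alice", frozenset({"finance"}), True, compliant, "finance-erp", False),
        Request("bob", frozenset({"finance"}), True, no_edr, "finance-erp", True),
        Request("carol", frozenset({"engineering"}), True, byod, "git-hosting", True),
        Request("dave", frozenset({"finance"}), False, compliant, "finance-erp", True),
        Request("erin", frozenset({"engineering"}), True, compliant, "hr-system", False),
    ]
    return [evaluate(r, POLICIES) for r in reqs]


if __name__ == "__main__":
    print(*demo(), exception_rate(AUDIT_LOG), sep="\n")
```

Two details carry the argument of the post. First, `bob` is on the corporate network and `alice` is not, and neither fact changes the outcome: the only things that do are role, MFA, posture and the resource. Second, the record for `erin` shows a deny with `policy: None`, which is exactly the kind of line a periodic review should surface, because a resource with no policy is either not yet under IdP mediation or is being reached some other way.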

What comes after

After the first three, the next moves are tightening:

  • Privileged access moves to just-in-time (covered separately in an earlier post). Privileged operations require an explicit elevation request, time-bounded, logged.
  • Network position is decoupled. Internal network access stops granting application access; the IdP grants application access independent of where the user is. The VPN can be retired for SaaS-only users; for hybrid users, it continues to provide network reachability without granting authority.
  • Resource segmentation follows. Once identity is the gate, granular resource-level access becomes tractable. SharePoint sites, M365 groups, database connections, internal APIs are scoped to specific roles and contexts.
  • Microsegmentation if needed. For data centres or specialised environments, microsegmentation tools can be useful — but at this point, they are augmenting an existing zero-trust posture, not establishing one.

The vendor approach reverses this order: microsegmentation is sold first because it carries the largest ticket, and the program works backwards from there. A practical program works from identity outward.

What about the data centre and OT environment?

For organisations with significant on-premises or OT footprints, zero trust gets more nuanced — these environments often pre-date the assumption of an IdP-mediated access path. The honest answer for most mid-market organisations: do the IdP-mediated work for everything that can be brought under it (most modern SaaS and cloud), accept that legacy and OT may need a different path, and decide deliberately how to manage them rather than pretending they are zero trust when they aren’t.

A practical first move

If you are reading this without a current zero-trust program: this week, list every application your staff use to do their work. For each: is access mediated through your IdP, with MFA, with conditional access? The applications that aren’t are your priority list. Start with the highest-risk ones — finance systems, customer data systems, code repositories — and bring them under IdP mediation. Each one removes a network-position-based grant and replaces it with an identity-and-context-based grant.

That is the zero-trust work. The diagrams and the appliances come later, if at all.

For organisations doing this work alongside CPS 234 obligations or as part of a broader information security uplift, the posture assessment covers the inventory and the policy gap analysis as a fixed-fee deliverable.
