In May 2020, we started with Zero Trust. Two years, dozens of changes, one major incident. A retrospective — what works, what doesn’t, and where we’re heading.
What We Implemented
- Identity-aware proxy for 90% of internal web applications
- Conditional Access in Azure AD — MFA, device compliance, location
- Microsegmentation — 12 network segments instead of one flat VLAN
- ZTNA (Zero Trust Network Access) replaced VPN for 80% of use cases
What Surprised Us
User resistance. MFA on every login meant frustration. Solution: risk-based authentication, so MFA is requested only when risk is elevated (new device, unusual location). User experience improved dramatically.
Legacy systems. 10% of applications still require VPN. They can’t handle modern authentication, and refactoring is too expensive. We plan to isolate them in a dedicated segment with stricter rules.
The Incident That Proved the Value
A compromised consultant laptop. In the pre-Zero Trust era: the attacker would have had access to the entire network. With Zero Trust: conditional access detected an unknown device, requested MFA (which the attacker didn’t have), and blocked access. Incident report: no damage.
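To make the risk-based rule from the previous section and this incident concrete, here is an added Python example (not the post's own code and not Azure AD's policy engine) that models the decision logic as a small evaluator; the device ids, countries and the consultant profile are constructed sample values, and the "MFA on every login" variant is included so the two policies can be compared.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SignIn:
    user: str
    device_id: str
    device_compliant: bool      # compliance state reported by device management
    country: str
    mfa_result: Optional[bool]  # None = not challenged yet, True/False = challenge outcome

@dataclass(frozen=True)
class UserProfile:
    known_devices: frozenset
    usual_countries: frozenset

def risk_signals(signin: SignIn, profile: UserProfile) -> list:
    """Signals that raise risk, after the post: new device, unusual location,
    plus the device-compliance condition the policy checks anyway."""
    signals = []
    if signin.device_id not in profile.known_devices:
        signals.append("unknown_device")
    if signin.country not in profile.usual_countries:
        signals.append("unusual_location")
    if not signin.device_compliant:
        signals.append("noncompliant_device")
    return signals

def evaluate_access(signin: SignIn, profile: UserProfile, risk_based: bool = True) -> str:
    """Return 'allow', 'require_mfa' or 'block'.
    risk_based=False reproduces the 'MFA on every login' policy that caused friction;
    risk_based=True prompts only when at least one risk signal is present."""
    signals = risk_signals(signin, profile)
    if "noncompliant_device" in signals:
        return "block"                  # device compliance is a hard requirement
    needs_mfa = (not risk_based) or bool(signals)
    if not needs_mfa:
        return "allow"                  # known device, usual location: no prompt
    if signin.mfa_result is None:
        return "require_mfa"            # challenge the user before granting access
    return "allow" if signin.mfa_result else "block"

# Constructed sample profile: the consultant normally signs in from "laptop-42" in "DE".
CONSULTANT = UserProfile(known_devices=frozenset({"laptop-42"}),
                         usual_countries=frozenset({"DE"}))

def replay_incident() -> list:
    """Replay the post's incident: an unknown device triggers an MFA challenge,
    and a failed challenge ends in a block."""
    attempt = SignIn("consultant", "unknown-device-7", True, "DE", None)
    failed = SignIn("consultant", "unknown-device-7", True, "DE", False)
    return [evaluate_access(attempt, CONSULTANT), evaluate_access(failed, CONSULTANT)]
```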
Zero Trust Works — But It’s a Marathon
Two years in and we’re at 80%. The remaining 20% (legacy) will take another twelve months. But the value is demonstrable.
Need help with implementation?
Our experts can help with design, implementation, and operations. From architecture to production.