{"id":186,"date":"2025-06-16T11:40:03","date_gmt":"2025-06-16T18:40:03","guid":{"rendered":"https:\/\/www.kyleslaw.com\/?p=186"},"modified":"2025-06-16T11:40:04","modified_gmt":"2025-06-16T18:40:04","slug":"zero-trust-in-the-real-world-what-it-actually-looks-like-for-modern-work","status":"publish","type":"post","link":"https:\/\/www.kyleslaw.com\/?p=186","title":{"rendered":"Zero Trust in the Real World: What It Actually Looks Like for Modern Work"},"content":{"rendered":"\n

Intro:<\/strong>
\u201cZero Trust\u201d has been the buzzword of the decade. I’ve had several conversations recently where CISOs continue to push toward zero trust, but have been confused and\/or frustrated by the marketing mumbo jumbo. Once the slideware is over, CISOs are left asking: What does this actually look like in my environment?<\/em> If you’re like most companies these days and your users are logging in from coffee shops, unmanaged devices, and home networks (while accessing apps in multiple clouds) you need more than a pretty framework. You need real strategy. This post breaks down what Zero Trust really means, what to stop doing, and how to phase it in without burning down your network or making the rest of the company hate you… hopefully.<\/p>\n\n\n\n

\n\n\n\n

The Basics (Without the Marketing Gloss)<\/h3>\n\n\n\n

At its core, Zero Trust is simple:
Don\u2019t trust anything. Verify everything. Every time.<\/strong>
Whether it\u2019s a user, a device, a network segment, or an API call, assume it could be compromised until proven otherwise.<\/p>\n\n\n\n

In practice, that means focusing on things like:<\/p>\n\n\n\n

    \n
  • Strong identity and access controls (MFA, conditional access)<\/li>\n\n\n\n
  • Least privilege by default<\/li>\n\n\n\n
  • Continuous monitoring and behavioral baselines<\/li>\n\n\n\n
  • Microsegmentation and network isolation<\/li>\n\n\n\n
  • Device posture enforcement<\/li>\n<\/ul>\n\n\n\n

    You\u2019re not just checking identity at the login screen and letting folks in. You\u2019re checking it everywhere<\/strong> and continuously.<\/strong><\/p>\n\n\n\n

    \n\n\n\n

    Where Modern Work Complicates Things<\/h3>\n\n\n\n

    In modern environments, Zero Trust isn’t just a strategy, it\u2019s survival.<\/p>\n\n\n\n

    Here\u2019s what you\u2019re dealing with:<\/p>\n\n\n\n

      \n
    • Users hopping between office, home, and mobile… and often using personal devices (because… of course they are)<\/li>\n\n\n\n
    • SaaS apps outside of corporate control (so easy to buy, right?!)<\/li>\n\n\n\n
    • VPNs that were never designed for this level of distributed access<\/li>\n\n\n\n
    • Shadow IT and ad hoc cloud adoption by business units<\/li>\n<\/ul>\n\n\n\n

      If your environment still relies on trusting the internal network or \u201ctrusted devices,\u201d you\u2019re already behind. Attackers know they don\u2019t have to break into your datacenter\u2014they just have to phish Bob from Accounting while he\u2019s on hotel Wi-Fi. Have state of the art email protection? Don’t worry, the attacker will just target Bob’s Gmail account.<\/p>\n\n\n\n

      \n\n\n\n

      Where Most Orgs Get It Wrong<\/h3>\n\n\n\n

      A lot of Zero Trust initiatives fall apart because they:<\/p>\n\n\n\n

        \n
      1. Start with network microsegmentation and nothing else.<\/strong>
        This can be a brutal starting point, especially when IT doesn’t necessarily know what apps they have or what they need to communicate with. So, it ends up expensive, complicated, and often breaks things.<\/li>\n\n\n\n
      2. Focus too much on tooling, not enough on principles.<\/strong>
        Buying a Zero Trust product isn\u2019t the same as building a Zero Trust architecture.<\/li>\n\n\n\n
      3. Forget about the user experience.<\/strong>
        If your new policy adds five extra logins a day or breaks someone’s Zoom call, they\u2019ll find a workaround. Now you\u2019ve got a shadow IT problem. Again.<\/li>\n<\/ol>\n\n\n\n
        \n\n\n\n

        What \u201cGood\u201d Looks Like in a Modern Enterprise<\/h3>\n\n\n\n

        Let\u2019s reframe Zero Trust as a journey<\/strong>, not a product. Here\u2019s what I see successful orgs doing:<\/p>\n\n\n\n

          \n
        • Identity as the new perimeter:<\/strong>
          SSO, MFA, and conditional access are your first Zero Trust wins. Tools like Entra ID, Okta, or Duo can help you enforce policies that consider user, device, location, and risk<\/strong>\u2014not just username\/password.<\/li>\n\n\n\n
        • Device trust and posture checks:<\/strong>
          You can\u2019t control every laptop, but you can assess device health before granting access. Tools like Microsoft Defender, CrowdStrike, or Cisco ISE help determine if a device is compliant, encrypted, or running endpoint protection.<\/li>\n\n\n\n
        • Contextual access policies:<\/strong>
          Granting someone access doesn\u2019t mean they get everything<\/em>. Use policies that limit what users can do based on context: e.g., block downloads from SharePoint unless on a trusted device.<\/li>\n\n\n\n
        • Kill the VPN (eventually):<\/strong>
          Move toward application-layer access via Zero Trust Network Access (ZTNA) platforms like Cisco Secure Access, PAN Prisma Access, Zscaler, and Netskope. These tools provide access\u00a0per app<\/strong>, not per network<\/strong>\u2014which is what you want.<\/li>\n<\/ul>\n\n\n\n
          \n\n\n\n

          Legal and Governance Considerations<\/h3>\n\n\n\n

          As the resident legal and compliance guy, I can’t leave out the fun GRC considerations. For GRC and legal teams, Zero Trust is a strategic control, not just a security pet project. It supports:<\/p>\n\n\n\n

            \n
          • Audit-readiness:<\/strong> Clear access policies and logs for who accessed what, when, and how<\/li>\n\n\n\n
          • Vendor risk segmentation:<\/strong> Apply Zero Trust principles to third parties to right-size their access and ensure a limited blast radius<\/li>\n\n\n\n
          • Privacy compliance:<\/strong> By enforcing least privilege, you reduce exposure of sensitive data to unauthorized users (think HIPAA, CCPA, etc.)<\/li>\n<\/ul>\n\n\n\n

            Also, be sure to document your Zero Trust roadmap. Even if it\u2019s in its early stages, regulators increasingly want to see \u201creasonable security\u201d. <\/strong>Should you encounter a security incident, showing you had a plan and worked toward it could justify access decisions and help lessen the legal\/regulatory blow.<\/p>\n\n\n\n

            \n\n\n\n

            Tactical Recommendations for CISOs<\/h3>\n\n\n\n

            So, we’ve identified that Zero Trust is not a product or a one-size fits all approach. It’s a journey and requires taking a lot of steps before you reach your desired destination. So, here is what I recommend for organizations looking to make meaningful progress:<\/p>\n\n\n\n

            \u2705 Start with identity.<\/strong>
            Make sure every user is behind SSO and MFA. Use conditional access to apply different policies based on device, location, or risk. In my book, this alone is perhaps the most meaningful security improvement organizations can take, yet we still see lots of organizations that have points of access left without MFA.<\/p>\n\n\n\n

            \u2705 Segment critical apps and data.<\/strong>
            Don\u2019t start by re-architecting your entire network (that’s too big of a rock for most to push up hill). Start by isolating high-value targets (e.g., payroll systems, source code repos) and requiring stronger authentication to access them.<\/p>\n\n\n\n

            \u2705 Roll out ZTNA for remote users.<\/strong>
            Start piloting Zero Trust Network Access for one or two key apps, especially for contractors or high-risk user groups. The idea is to eventually replace that legacy VPN, but start somewhere smaller and build momentum with small wins.<\/p>\n\n\n\n

            \u2705 Involve GRC early.<\/strong>
            Let legal and compliance help document your approach, update policies, and explain Zero Trust to auditors. Also, get their buy-in and perhaps let them fight your budget battle.<\/p>\n\n\n\n

            \u2705 Don\u2019t call it \u201cZero Trust.\u201d<\/strong>
            Seriously. Call it \u201cmodern access control\u201d or \u201cadaptive access.\u201d I once got a client amped up because he was triggered by the use of “Zero Trust” and he proceeded to forget what I said after that. So, focus on outcomes: security, usability, visibility, etc.<\/p>\n","protected":false},"excerpt":{"rendered":"

            Zero Trust isn\u2019t a product, but a strategy. In modern environments, it\u2019s also essential. This blog post tries to cut through at least some of the jargon to explain how Zero Trust really works, where companies go wrong, and how CISOs can apply it in practical ways. I also Include practical tips on identity, device posture, ZTNA, and GRC alignment. No buzzwords, just straight talk.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":"","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[2],"tags":[],"class_list":["post-186","post","type-post","status-publish","format-standard","hentry","category-security"],"uagb_featured_image_src":{"full":false,"thumbnail":false,"medium":false,"medium_large":false,"large":false,"1536x1536":false,"2048x2048":false},"uagb_author_info":{"display_name":"Kyle Gililland","author_link":"https:\/\/www.kyleslaw.com\/?author=2"},"uagb_comment_info":0,"uagb_excerpt":"Zero Trust isn\u2019t a product, but a strategy. In modern environments, it\u2019s also essential. This blog post tries to cut through at least some of the jargon to explain how Zero Trust really works, where companies go wrong, and how CISOs can apply it in practical ways. I also Include practical tips on identity, device…","_links":{"self":[{"href":"https:\/\/www.kyleslaw.com\/index.php?rest_route=\/wp\/v2\/posts\/186","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kyleslaw.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kyleslaw.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kyleslaw.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kyleslaw.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=186"}],"version-history":[{"count":2,"href":"https:\/\/www.kyleslaw.com\/index.php?rest_route=\/wp\/v2\/posts\/186\/revisions"}],"predecessor-version":[{"id":188,"href":"https:\/\/www.kyleslaw.com\/index.php?rest_route=\/wp\/v2\/posts\/186\/revisions\/188"}],"wp:attachment":[{"href":"https:\/\/www.kyleslaw.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=186"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kyleslaw.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=186"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kyleslaw.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=186"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}