Zero Trust in the Real World: What It Actually Looks Like for Modern Work

Kyle Gililland | Trace3 Vice President, Security & Networking Solutions

“Zero Trust” has been the buzzword of the decade. I’ve had several conversations recently where CISOs continue to push toward zero trust, but have been confused and/or frustrated by the marketing mumbo jumbo. Once the slideware is over, CISOs are left asking: What does this actually look like in my environment? If you’re like most companies these days and your users are logging in from coffee shops, unmanaged devices, and home networks (while accessing apps in multiple clouds) you need more than a pretty framework. You need real strategy. This post breaks down what Zero Trust really means, what to stop doing, and how to phase it in without burning down your network or making the rest of the company hate you… hopefully.

The Basics (without the marketing gloss)

At its core, Zero Trust is simple:

Don’t trust anything. Verify everything. Every time.

Whether it’s a user, a device, a network segment, or an API call, assume it could be compromised until proven otherwise.

In practice, that means focusing on things like:

  • Strong identity and access controls (MFA, conditional access)

  • Least privilege by default

  • Continuous monitoring and behavioral baselines

  • Microsegmentation and network isolation

  • Device posture enforcement

You’re not just checking identity at the login screen and letting folks in. You’re checking it everywhere and continuously.

Where Modern Work Complicates Things

In modern environments, Zero Trust isn’t just a strategy, it’s survival. Here’s what you’re dealing with:

  • Users hopping between office, home, and mobile… and often using personal devices (because… of course they are)

  • SaaS apps outside of corporate control (so easy to buy, right?!)

  • VPNs that were never designed for this level of distributed access

  • Shadow IT and ad hoc cloud adoption by business units

If your environment still relies on trusting the internal network or “trusted devices,” you’re already behind. Attackers know they don’t have to break into your datacenter—they just have to phish Bob from Accounting while he’s on hotel Wi-Fi. Have state of the art email protection? Don’t worry, the attacker will just target Bob’s Gmail account.

Where Most Orgs Get It Wrong

A lot of Zero Trust initiatives fall apart because they:

  1. Start with network microsegmentation and nothing else. This can be a brutal starting point, especially when IT doesn’t necessarily know what apps they have or what they need to communicate with. So, it ends up expensive, complicated, and often breaks things.

  2. Focus too much on tooling, not enough on principles. Buying a Zero Trust product isn’t the same as building a Zero Trust architecture.

  3. Forget about the user experience. If your new policy adds five extra logins a day or breaks someone’s Zoom call, they’ll find a workaround. Now you’ve got a shadow IT problem. Again.

What “Good” Looks Like in a Modern Enterprise

Let’s reframe Zero Trust as a journey, not a product. Here’s what I see successful orgs doing:

  • Identity as the new perimeter: SSO, MFA, and conditional access are your first Zero Trust wins. Tools like Entra ID, Okta, or Duo can help you enforce policies that consider user, device, location, and risk—not just username/password.

  • Device trust and posture checks: You can’t control every laptop, but you can assess device health before granting access. Tools like Microsoft Defender, CrowdStrike, or Cisco ISE help determine if a device is compliant, encrypted, or running endpoint protection.

  • Contextual access policies: Granting someone access doesn’t mean they get everything. Use policies that limit what users can do based on context: e.g., block downloads from SharePoint unless on a trusted device.

  • Kill the VPN (eventually): Move toward application-layer access via Zero Trust Network Access (ZTNA) platforms like Cisco Secure Access, PAN Prisma Access, Zscaler, and Netskope. These tools provide access per app, not per network—which is what you want.

Legal and Governance Considerations

As the resident legal and compliance guy, I can’t leave out the fun GRC considerations. For GRC and legal teams, Zero Trust is a strategic control, not just a security pet project. It supports:

  • Audit-readiness: Clear access policies and logs for who accessed what, when, and how

  • Vendor risk segmentation: Apply Zero Trust principles to third parties to right-size their access and ensure a limited blast radius

  • Privacy compliance: By enforcing least privilege, you reduce exposure of sensitive data to unauthorized users (think HIPAA, CCPA, etc.)

Also, be sure to document your Zero Trust roadmap. Even if it’s in its early stages, regulators increasingly want to see “reasonable security.” Should you encounter a security incident, showing you had a plan and worked toward it could justify access decisions and help lessen the legal/regulatory blow.

Tactical Recommendations for CISOs

So, we’ve identified that Zero Trust is not a product or a one-size-fits-all approach. It’s a journey and requires taking a lot of steps before you reach your desired destination. So, here is what I recommend for organizations looking to make meaningful progress:

Start with identity
Make sure every user is behind SSO and MFA. Use conditional access to apply different policies based on device, location, or risk. In my book, this alone is perhaps the most meaningful security improvement an organization can make, yet we still see lots of organizations that have points of access left without MFA.

Segment critical apps and data
Don’t start by re-architecting your entire network (that’s too big of a rock for most to push uphill). Start by isolating high-value targets (e.g., payroll systems, source code repos) and requiring stronger authentication to access them.
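To make the conditional access, device posture and contextual policy ideas above concrete (and the “stronger authentication for high-value apps” recommendation in this step), here is a small policy engine written for this post as an added example; it is not code from Trace3 or from any of the products named. Signals such as `device_compliant`, `user_risk` and `mfa_method`, the app names, and the decision labels are hypothetical stand-ins for what an IdP and posture tool would actually report. Policies are evaluated in order, the default is deny, and every decision produces a who/what/when/how audit record of the kind the GRC section asks for.

```python
"""Added example: conditional-access style policy evaluation with audit records.
Not the post's own code; every signal and app name below is hypothetical."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from enum import Enum
import json


class Decision(Enum):
    ALLOW = "allow"                        # full access to the app
    ALLOW_RESTRICTED = "allow-restricted"  # session granted, sensitive action withheld
    REQUIRE_MFA = "require-mfa"            # challenge the user, then re-evaluate
    BLOCK = "block"


@dataclass(frozen=True)
class AccessRequest:
    """One access attempt, assembled from IdP, posture tool and risk signals (hypothetical)."""
    user: str
    app: str
    action: str             # "read" or "download"
    mfa_satisfied: bool     # MFA completed in this session
    mfa_method: str         # "none", "push", or "fido2" (phishing-resistant)
    device_managed: bool    # enrolled in MDM
    device_compliant: bool  # posture tool reports disk encrypted and EDR healthy
    network: str            # "corp", "home", or "public"
    user_risk: str          # "low", "medium", or "high" from the identity provider


# Hypothetical set of high-value targets to isolate first, as the post suggests.
HIGH_VALUE_APPS = {"payroll", "source-control"}


def evaluate(req: AccessRequest) -> tuple[Decision, list[str]]:
    """Evaluate rules in order; the first matching rule decides.
    Least privilege by default: anything no rule explicitly allows is blocked."""
    # Rule 1: a high-risk identity is blocked regardless of any other signal.
    if req.user_risk == "high":
        return Decision.BLOCK, ["user risk is high"]

    # Rule 2: MFA for everyone, everywhere, not only at the corporate edge.
    if not req.mfa_satisfied:
        return Decision.REQUIRE_MFA, ["no MFA in this session"]

    # Rule 3: high-value apps need a compliant device and phishing-resistant MFA.
    if req.app in HIGH_VALUE_APPS:
        if not req.device_compliant:
            return Decision.BLOCK, [f"{req.app} requires a compliant device"]
        if req.mfa_method != "fido2":
            return Decision.REQUIRE_MFA, [f"{req.app} requires phishing-resistant MFA"]

    # Rule 4: contextual restriction, e.g. no downloads from a non-compliant device.
    if req.action == "download" and not req.device_compliant:
        return Decision.ALLOW_RESTRICTED, ["download withheld: device not compliant"]

    # Rule 5: medium risk on an unmanaged device off the corporate network is re-challenged.
    if req.user_risk == "medium" and not req.device_managed and req.network != "corp":
        return Decision.REQUIRE_MFA, ["medium risk on unmanaged device off-network"]

    if req.action in ("read", "download"):
        return Decision.ALLOW, ["all policies satisfied"]

    return Decision.BLOCK, [f"action {req.action!r} not covered by any allow rule"]


def audit_record(req: AccessRequest, decision: Decision, reasons: list[str]) -> dict:
    """Who accessed what, when, how, and why the decision came out as it did."""
    rec = asdict(req)
    rec.update({
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "decision": decision.value,
        "reasons": reasons,
    })
    return rec


# Constructed sample requests (fictional users and systems).
SAMPLE_REQUESTS = [
    AccessRequest("bob", "sharepoint", "download", True, "push", False, False, "public", "low"),
    AccessRequest("bob", "payroll", "read", True, "push", True, True, "home", "low"),
    AccessRequest("alice", "payroll", "read", True, "fido2", True, True, "home", "low"),
    AccessRequest("carol", "sharepoint", "read", False, "none", True, True, "corp", "low"),
    AccessRequest("dave", "sharepoint", "read", True, "push", True, True, "corp", "high"),
]


def run(requests=SAMPLE_REQUESTS) -> list[dict]:
    """Evaluate each request and return its audit record."""
    return [audit_record(r, *evaluate(r)) for r in requests]


if __name__ == "__main__":
    for rec in run():
        print(json.dumps(rec))
```

Running it shows the contextual outcomes the post describes: Bob on hotel Wi‑Fi from a non-compliant device gets a read-only SharePoint session rather than a download, the same Bob is stepped up to phishing-resistant MFA before reaching payroll, and a high-risk identity is blocked even from a compliant corporate laptop. The order of the rules is the policy; putting the risk gate and the MFA requirement first is what keeps later, more permissive rules from being reached by a compromised account.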

Roll out ZTNA for remote users
Start piloting Zero Trust Network Access for one or two key apps, especially for contractors or high-risk user groups. The idea is to eventually replace that legacy VPN, but start somewhere smaller and build momentum with small wins.

Involve GRC early
Let legal and compliance help document your approach, update policies, and explain Zero Trust to auditors. Also, get their buy-in and perhaps let them fight your budget battle.

Don’t call it “Zero Trust”
Seriously. Call it “modern access control” or “adaptive access.” I once got a client amped up because he was triggered by the use of “Zero Trust” and he proceeded to forget what I said after that. So, focus on outcomes: security, usability, visibility, etc.
