Zero Trust implementation: from policy to working architecture

The five Zero Trust principles in plain language

Forrester defined the core principles, NIST formalised them, and the industry has been refining them ever since. Stripped of marketing language, five principles matter in implementation.

Never trust, always verify. No request is trusted by default. Identity, device posture and context are evaluated for every access decision, every time.

Least privilege. Users and systems get the minimum access required to do their job, no more. Privilege is granted by exception, not by default.

Assume breach. Design the architecture as if an attacker is already inside. Microsegmentation, lateral movement prevention and continuous monitoring follow from this assumption.

Verify explicitly. Authentication and authorisation use multiple signals: identity (who), device (what), context (where, when, how) and behaviour (is this normal). No single signal is enough.

Microsegment. Break the network into logical zones with policy boundaries. A breach in one zone does not propagate to the next.

Why Zero Trust implementations fail: the three most common mistakes

From dozens of implementation projects we see the same three failure patterns recur.

Tool-first thinking. Organisations buy a Zero Trust tool (often a ZTNA product) and assume Zero Trust is now "done". Without an identity foundation, posture management and policy governance, the tool is a layer of complexity without a corresponding security gain. The right sequence is identity foundation first, policy framework second, tool implementation third.

Big bang ambition. The "everything everywhere all at once" approach overwhelms IT operations. Users complain about new authentication friction, support tickets spike and leadership pulls the plug after three months. The phased approach (start with one application or one user group, prove value, expand) is slower in plan but faster in result.

No cultural change management. Zero Trust changes how people work. Engineers can no longer SSH into anything from anywhere. Marketing cannot share files outside the corporate domain without inspection. Without communication and training, frustration becomes resistance and the implementation stalls politically before it stalls technically.

From policy to architecture: a phased roadmap

A working Zero Trust implementation typically follows four phases over twelve to eighteen months. The phases overlap; the milestones do not.

Phase 1: identity foundation (1 to 3 months). Consolidate identity providers, enforce MFA universally, retire shared accounts, classify users and devices. Without a clean identity foundation, every later phase compounds existing identity sprawl.

Phase 2: high-value application protection (3 to 6 months). Pick one to three high-value applications (typically finance, HR, customer data). Replace VPN access to those with ZTNA. Measure: support load, user satisfaction, audit visibility. This phase produces the proof points that fund the next.

Phase 3: network-wide rollout (6 to 12 months). Extend ZTNA to all internal applications, retire legacy VPN, implement microsegmentation. Posture checks become mandatory; least-privilege policies tighten incrementally.

Phase 4: continuous improvement (12 to 18 months and beyond). Behavioural analytics, anomaly detection, automated policy refinement. This is where Zero Trust transitions from project to operating mode.

How SASE technically realises Zero Trust

Zero Trust as a principle requires specific technical capabilities. A mature SASE platform delivers all of them as standard configuration.

ZTNA for identity-driven access. Every access decision is bound to an authenticated identity and a verified device. No more "on the network equals trusted".

Microsegmentation through policy. The SASE platform inserts itself between users and applications. Policies define exactly what each identity can access, with no implicit east-west connectivity inside the corporate network.

Device posture checks. Before an access decision is finalised, the platform verifies device hygiene: OS version, patch level, endpoint protection status, certificate validity. Non-compliant devices get reduced access or are blocked.

Continuous monitoring. Behavioural baselines per user identify anomalies in real time. Access decisions are revoked if context changes mid-session (location shift, device posture change, behaviour anomaly).

This is the technical realisation of Zero Trust principles. Read more about how this works in our article on replacing VPN with ZTNA.

NIS2 and Zero Trust: the formal mandate

Zero Trust is no longer optional for organisations in scope of NIS2. The Cyber Resilience Act's Article 21 requires "access control and identity management" as a baseline measure. The supervisor expects evidence: identity-bound access logs, posture-checked sessions, demonstrable least-privilege enforcement.

Zero Trust delivered via ZTNA on a SASE platform produces exactly that evidence as a byproduct of normal operations. We unpack this further in our article on NIS2 compliance with one platform.

Momentum EMEA as Zero Trust implementation partner

Implementation is the gap between principles and reality. As EMEA's leading specialised Cato implementation partner, Momentum EMEA combines the underlay (carrier-neutral internet connectivity) and the overlay (Cato SASE with Universal ZTNA) from one contract.

The practical advantage in Zero Trust: one accountable partner for the platform that enforces the policies, the identity integrations and the policy framework. Quarterly reviews refine policies as usage patterns mature; incident response follows established workflows.