
Zero trust you can actually afford

4 February 2026 · KPRS · 6 min read

The enterprise zero-trust pitch assumes infinite budget and unlimited patience. Here is a staged approach a mid-sized engineering team can actually implement in a year.

“Zero trust”, as sold in conference keynotes, is an entire organisational philosophy plus six or seven vendor categories you have never heard of. That is why most mid-sized companies stall on it.

The principle itself is much simpler: do not trust a request because of where it came from; trust it because of who is making it, on what device, to do what, with evidence that each of those is still true right now.

Here is a staged version of that, one layer at a time, that a team of twenty or fifty engineers can actually deliver inside a year.

Layer 1 — Make identity the perimeter

Before anything called “zero trust” can happen, every access — human and service — must route through a single identity provider.

For humans: SSO on every application, with enforced MFA (phishing-resistant if your regulator asks, TOTP if not). For services: workload identity — IAM roles, Kubernetes service accounts, Azure managed identities — and no static long-lived secrets in anything you deploy.

If this is not true yet, do it first. The rest of the zero-trust stack falls apart without it.

Layer 2 — Remove standing privilege

Privileged access — production databases, cloud admin, customer data — should never be held “by default” by any human.

Practically this means:

  • Just-in-time access requests with a short TTL (an hour, a day) and a written reason.
  • A clear, audited approval flow. Not an email chain.
  • Break-glass accounts that are genuinely sealed and alerted on.

The tooling here has got markedly cheaper. You do not need a seven-figure PAM product. A small set of scripts against your identity provider, combined with discipline, gets most teams 80% of the benefit.

Layer 3 — Replace VPN with application-level access

Most VPNs today are a shortcut for “this person should be trusted because their IP is on the corporate subnet.” That is exactly the thing zero-trust repudiates.

The replacement is an authenticating, context-aware proxy in front of each application: Cloudflare Access, Google Cloud IAP, Tailscale-style overlay networks, or a self-hosted equivalent. The proxy evaluates identity, device posture, and policy on every request. The application behind it can, and should, still authenticate — but the first gate is no longer a flat network.

This alone makes a whole category of lateral-movement attacks considerably harder.

Layer 4 — Segment the data plane

Once human access is identity-aware, turn to service-to-service traffic. The goal: a service should only be able to reach the services it actually needs, and it should prove its identity on each call.

Pragmatic middle ground:

  • mTLS between internal services where the language stacks support it cleanly (service mesh, or bare TLS with short-lived certs via an internal CA).
  • Network policies in Kubernetes, or security groups carefully authored in IaC, that default-deny east-west traffic.
  • A short, written list of exceptions, owned by a human.

You do not have to do all of this at once. Start with the blast radius of your most sensitive data and expand outward.

Layer 5 — Continuous evaluation

The last step is the one most teams skip. It is also where zero trust earns its name: the idea that trust is never static.

That means device posture checks that revoke access when a laptop falls out of compliance. Session tokens that expire and re-validate identity. User-behaviour analytics that flag the account logging in from two continents in twenty minutes.

This is the layer where tooling genuinely helps — EDR, SIEM, your identity provider’s risk signals. But it is also the layer where the investment only pays off if the first four layers are in place.
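As an added example (not part of the original post), here is the "two continents in twenty minutes" check from the paragraph above, run over a few constructed sign-in events. It assumes your identity provider already attaches a geolocation to each sign-in, and it treats anything faster than 900 km/h (an assumed threshold, roughly airliner speed) as implausible.

```python
# Added example: minimal impossible-travel detection over sign-in events.
# Events and the speed threshold are constructed assumptions, not IdP output.
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime  # UTC
    lat: float
    lon: float


MAX_PLAUSIBLE_KMH = 900.0  # assumption: a little below airliner cruise speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points (spherical Earth)."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, earlier, later, implied_kmh) for each consecutive pair of
    sign-ins by the same user whose implied speed exceeds max_kmh."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.when):  # order before pairing
        by_user.setdefault(e.user, []).append(e)
    flagged = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.when - prev.when).total_seconds() / 3600
            # Same-instant sign-ins from different places are also impossible.
            kmh = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if kmh > max_kmh:
                flagged.append((user, prev, cur, kmh))
    return flagged


def _t(h, m):
    return datetime(2026, 2, 4, h, m, tzinfo=timezone.utc)


# Constructed sample: alice London -> Sydney in 20 min; bob London -> Paris in 2 h.
SAMPLE_EVENTS = [
    SignIn("alice", _t(9, 0), 51.5074, -0.1278),
    SignIn("alice", _t(9, 20), -33.8688, 151.2093),
    SignIn("bob", _t(9, 0), 51.5074, -0.1278),
    SignIn("bob", _t(11, 0), 48.8566, 2.3522),
]


def flagged_users(events=SAMPLE_EVENTS):
    return sorted({hit[0] for hit in impossible_travel(events)})
```

In a SIEM this runs per user over a sliding window; the same logic also serves as the signal that drives the token revocation the paragraph describes.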

What to stop worrying about

A lot of the zero-trust conversation gets tangled up with every buzzword in the current security market — SASE, SSE, XDR, CNAPP. Most of that is product category branding. If the five layers above are real inside your company, you are doing zero trust, whatever the acronym du jour.

Tell your board that. Show them the pull requests. They will believe you more than they will believe the vendor deck.
