Daniel J Glover

Zero Trust as a Resilience Foundation

10 min read

This is Part 3 of a 7-part series on Cyber Resilience for CISOs. Read Part 1: Why Prevention Alone Will Fail and Part 2: The 2026 Threat Landscape for context.


Zero trust has become the most overused term in cybersecurity marketing. Every vendor claims to offer it. Every CISO is asked about their zero trust strategy. But beneath the buzzword lies a genuinely powerful approach to building organisational resilience.

The core insight of zero trust is simple: assume compromise. Do not trust any user, device, or network segment simply because it exists inside your perimeter. Verify every access request based on all available context, and grant only the minimum access required.

This philosophy aligns perfectly with resilience thinking. If you assume attackers will get in, you design systems that limit what they can do once inside.

From Perimeter to Zero Trust

Traditional network security resembled a castle. Build strong walls, guard the gates carefully, and trust everyone inside. This model had obvious appeal - it was simple to understand and relatively straightforward to implement.

But the castle model has collapsed.

Cloud adoption means data and applications live outside the walls. Remote work means users connect from untrusted networks. Third-party integrations mean partners need access to internal systems. Lateral movement means attackers who breach the perimeter move freely inside.

The supply chain threats we will examine in Part 4 exploit this trust. Once attackers compromise a trusted third party, they inherit that trust inside target networks.

Zero trust acknowledges this reality. There is no inside and outside anymore. Every access request must be evaluated on its own merits.

Zero Trust Principles for Resilience

Zero trust is not a product you can buy. It is an architectural philosophy that requires implementing several core principles.

1. Verify Explicitly

Every access request should be authenticated and authorised based on all available data points:

  • User identity - Is this who they claim to be?
  • Device health - Is the device compliant with security policies?
  • Location context - Does this access pattern make sense?
  • Resource sensitivity - What is being accessed and is this user authorised?
  • Anomaly signals - Does this request fit historical patterns?

Traditional access control checked identity once at login. Zero trust evaluates context continuously throughout sessions.
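To make the "all available data points" idea concrete, here is an added example of a context-aware access decision that returns allow, step-up or deny with the reasons behind it. This is illustration code written for this post, not the author's or any vendor's policy engine; the signal names, the 0.5/0.8 risk thresholds and the "push"/"fido2" labels are assumptions chosen for the demo.

```python
"""Context-aware access decisions with step-up authentication.

Added example for this post; it is not code from the author. Signal names,
thresholds and the "fido2"/"push" labels are this example's assumptions.
"""
from dataclasses import dataclass, replace
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # continue only after a stronger authenticator is presented
    DENY = "deny"


# Authenticator strength, and the minimum strength each sensitivity tier demands.
# "fido2" stands in for any phishing-resistant method; "push" for approve-style MFA.
MFA_STRENGTH = {"none": 0, "push": 1, "fido2": 2}
REQUIRED_BY_SENSITIVITY = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class AccessContext:
    user: str
    mfa: str                     # authenticator used for this session
    device_managed: bool         # enrolled in MDM and present in inventory
    device_compliant: bool       # passed posture check (EDR running, disk encrypted, patched)
    country: str                 # geolocation of this request
    usual_countries: frozenset   # where this user normally works from
    sensitivity: str             # classification of the resource being accessed
    anomaly_score: float         # 0.0 = matches history, 1.0 = never seen (from analytics)


def evaluate(ctx: AccessContext) -> tuple[Decision, list[str]]:
    """Decide one request and return the reasons, so every outcome is auditable."""
    reasons: list[str] = []

    # Device posture gates anything above low sensitivity outright: an
    # authenticated user on a non-compliant device is still a risk.
    if ctx.sensitivity != "low" and not (ctx.device_managed and ctx.device_compliant):
        reasons.append(f"{ctx.sensitivity}-sensitivity resource requires a managed, compliant device")
        return Decision.DENY, reasons

    # Aggregate risk from every available signal, not just "did the password match".
    risk = ctx.anomaly_score
    if ctx.country not in ctx.usual_countries:
        risk += 0.3
        reasons.append(f"request from unusual country {ctx.country}")
    if not ctx.device_managed:
        risk += 0.2
        reasons.append("unmanaged device")
    if not ctx.device_compliant:
        risk += 0.2
        reasons.append("device failed posture check")

    # The authenticator strength we insist on rises with sensitivity and with risk.
    required = REQUIRED_BY_SENSITIVITY[ctx.sensitivity]
    if risk >= 0.8:
        required = max(required, 2)
    elif risk >= 0.5:
        required = max(required, 1)

    if MFA_STRENGTH[ctx.mfa] < required:
        reasons.append(f"authenticator '{ctx.mfa}' is below required strength {required}")
        return Decision.STEP_UP, reasons

    reasons.append(f"risk {risk:.1f} within policy")
    return Decision.ALLOW, reasons


def reevaluate(ctx: AccessContext, **changed) -> tuple[Decision, list[str]]:
    """Re-run the policy mid-session when a signal changes (continuous validation)."""
    return evaluate(replace(ctx, **changed))


if __name__ == "__main__":
    # Constructed requests, not real telemetry.
    alice = AccessContext("alice", "fido2", True, True, "GB", frozenset({"GB"}), "high", 0.1)
    print(evaluate(alice))                              # ALLOW
    print(evaluate(replace(alice, mfa="push")))         # STEP_UP: high tier needs phishing-resistant MFA
    print(reevaluate(alice, device_compliant=False))    # DENY: posture changed during the session
    bob = AccessContext("bob", "push", True, True, "BR", frozenset({"GB", "IE"}), "low", 0.6)
    print(evaluate(bob))                                # STEP_UP: low tier, but risk 0.9
```

The point of `reevaluate` is that the same policy runs again whenever a signal changes during a session, which is what separates continuous validation from a one-off login check; the reasons list is what your SOC will want in the log when a user asks why they were challenged.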

2. Use Least Privilege Access

Grant only the minimum access needed for the immediate task:

  • Just-in-time access - Elevated privileges are granted on request for a specific task and expire automatically after a defined period
  • Just-enough access - Users receive only what they need, not broad role-based bundles
  • Segmented permissions - Access to one system does not imply access to others
  • Regular review - Permissions are audited and revoked when no longer needed

This limits blast radius. When an account is compromised, the attacker gains only what that account could legitimately access - which should be as little as possible.
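The four bullets above describe one mechanism, so here is a single added example of it: an in-memory stand-in for a privileged access management store that issues time-boxed, single-resource grants, fails closed once they lapse, reports what a compromised account could reach right now, and surfaces standing privileges at review time. This is demo code written for this post, not the author's; the hosts, ticket references and the one-hour default TTL are constructed.

```python
"""Just-in-time, just-enough privilege grants with a blast-radius check.

Added example for this post, not the author's code. The store is an in-memory
stand-in for a PAM system; ticket references and hosts are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

T0 = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)   # constructed "now" for the demo


def at(minutes: int) -> datetime:
    """Clock helper: T0 plus the given number of minutes."""
    return T0 + timedelta(minutes=minutes)


@dataclass(frozen=True)
class Grant:
    principal: str
    resource: str                   # one named system, not a role bundle
    actions: frozenset              # only the verbs the task needs
    expires_at: Optional[datetime]  # None = standing privilege, which should be rare
    justification: str              # change or incident reference behind the grant


class AccessStore:
    def __init__(self) -> None:
        self._grants: list[Grant] = []
        self.audit: list[str] = []

    def request_elevation(self, principal, resource, actions, justification, now,
                          ttl=timedelta(hours=1)) -> Grant:
        """Just-in-time: elevation is scoped to one resource and expires on its own."""
        grant = Grant(principal, resource, frozenset(actions), now + ttl, justification)
        self._grants.append(grant)
        self.audit.append(f"{now.isoformat()} GRANT {principal} {sorted(actions)} on "
                          f"{resource} until {grant.expires_at.isoformat()} ({justification})")
        return grant

    def grant_standing(self, principal, resource, actions, justification) -> Grant:
        """The legacy pattern: no expiry. Modelled so that reviews can surface it."""
        grant = Grant(principal, resource, frozenset(actions), None, justification)
        self._grants.append(grant)
        return grant

    def _live(self, now) -> list:
        return [g for g in self._grants if g.expires_at is None or now < g.expires_at]

    def authorize(self, principal, resource, action, now) -> bool:
        """Authorise one action. Expired grants fail closed with no cleanup step needed."""
        for g in self._live(now):
            # Access to one resource never implies access to another.
            if g.principal == principal and g.resource == resource and action in g.actions:
                self.audit.append(f"{now.isoformat()} ALLOW {principal} {action} {resource}")
                return True
        self.audit.append(f"{now.isoformat()} DENY {principal} {action} {resource}")
        return False

    def blast_radius(self, principal, now) -> dict:
        """What a compromised account can reach right now: resource -> actions."""
        radius: dict = {}
        for g in self._live(now):
            if g.principal == principal:
                radius.setdefault(g.resource, set()).update(g.actions)
        return radius

    def review(self, now) -> list:
        """Periodic access review: purge expired grants, report standing ones for revocation."""
        self._grants = self._live(now)
        return [(g.principal, g.resource, g.justification)
                for g in self._grants if g.expires_at is None]


if __name__ == "__main__":
    store = AccessStore()
    store.request_elevation("dba", "prod-db", {"read", "write"}, "INC-2041", at(0))
    store.grant_standing("svc-legacy", "prod-db", {"read", "write", "admin"}, "created 2019")
    print(store.authorize("dba", "prod-db", "write", at(30)))   # True, inside the window
    print(store.authorize("dba", "prod-db", "write", at(120)))  # False, grant has lapsed
    print(store.authorize("dba", "prod-app", "read", at(30)))   # False, never granted
    print(store.blast_radius("dba", at(30)))                    # {'prod-db': {'read', 'write'}}
    print(store.blast_radius("dba", at(120)))                   # {}
    print(store.review(at(120)))                                # standing grant flagged
```

Note that `blast_radius` for the same account goes from one resource to nothing once the window closes, while the standing service account keeps its admin rights until someone acts on the review output. That difference is the whole argument for just-in-time access.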

3. Assume Breach

Design systems expecting that attackers are already present:

  • Micro-segmentation - Network segments are isolated, limiting lateral movement
  • Encryption in transit - Data is protected even on internal networks, ideally with mutual TLS so that both ends of a connection are authenticated, not just the server
  • Logging and monitoring - Behaviour is tracked to detect compromises
  • Containment capabilities - Compromised segments can be isolated rapidly

This assumption drives architectural decisions that improve resilience. You are not hoping to keep attackers out - you are ensuring they cannot cause catastrophic damage when they get in.

Practical Zero Trust Implementation

Moving from principle to practice requires addressing several domains. Most organisations cannot implement everything simultaneously - prioritise based on risk and feasibility.

Identity

Identity is the foundation of zero trust. If you cannot verify who is requesting access, you cannot make intelligent access decisions.

Essential capabilities:

  • Phishing-resistant MFA - FIDO2/WebAuthn for sensitive systems; for everything else, at minimum push-based MFA with number matching, because plain approve/deny prompts are defeated by push-fatigue attacks
  • Single sign-on - Centralised authentication enables consistent policy enforcement
  • Privileged access management - Elevated accounts require additional controls
  • Identity governance - Regular access reviews, automated provisioning and deprovisioning
  • Behavioural analytics - Detection of anomalous authentication patterns

As discussed in Part 2, identity is the new perimeter. Invest accordingly.
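"Behavioural analytics" is abstract until you see one rule run over actual sign-in data, so here is an added example of the simplest useful one: impossible-travel detection, which flags two successful sign-ins by the same user that are too far apart in space for the time between them. This is illustration code for this post, not the author's tooling; the log lines are constructed and the 900 km/h threshold (roughly airliner speed) is an assumption you would tune.

```python
"""Impossible-travel detection over sign-in events.

Added example for this post, not the author's code. The log lines below are
constructed; the 900 km/h threshold is an assumption (roughly airliner speed).
"""
import math
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sign-in log: timestamp user city latitude longitude outcome
SAMPLE_LOG = """\
2026-03-02T08:05:00Z alice London 51.5074 -0.1278 success
2026-03-02T08:20:00Z bob Manchester 53.4808 -2.2426 success
2026-03-02T09:10:00Z alice Singapore 1.3521 103.8198 success
2026-03-02T09:30:00Z bob Manchester 53.4808 -2.2426 failure
2026-03-02T11:00:00Z bob Dublin 53.3498 -6.2603 success
"""


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse(log: str) -> list:
    """Turn the whitespace-separated log into event dicts with aware timestamps."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, city, lat, lon, outcome = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user, "city": city, "lat": float(lat), "lon": float(lon), "outcome": outcome,
        })
    return events


def impossible_travel(events: list, max_kmh: float = 900.0) -> list:
    """Flag consecutive successful sign-ins that would need faster-than-flight travel."""
    by_user = defaultdict(list)
    for e in events:
        if e["outcome"] == "success":    # failed attempts say nothing about where the user is
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            # Same place within seconds is normal; different places within seconds is not.
            if hours == 0:
                speed = math.inf if km > 50 else 0.0
            else:
                speed = km / hours
            if speed > max_kmh:
                alerts.append({"user": user, "from": prev["city"], "to": cur["city"],
                               "km": round(km), "hours": round(hours, 2), "kmh": round(speed)})
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(parse(SAMPLE_LOG)):
        print(alert)   # alice: London to Singapore in just over an hour
```

On the sample data alice trips the rule (London to Singapore is roughly 10,850 km, covered in 65 minutes) while bob's Manchester-to-Dublin hop is comfortably under the threshold and his failed attempt is ignored. In production this alert is one input to the access decision rather than an automatic block, because VPN exits and mobile carrier geolocation produce false positives.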

Devices

Access decisions should consider the security posture of the device requesting access.

Essential capabilities:

  • Device inventory - You cannot secure what you do not know about
  • Endpoint protection - EDR or anti-malware, host firewall, full-disk encryption
  • Compliance checking - Verify devices meet security requirements before granting access
  • Mobile device management - Controls for corporate and BYOD devices
  • Patch verification - Confirm devices are current on security updates

An authenticated user on a compromised device is still a risk. Device posture should factor into access decisions.

Network

Traditional flat networks facilitate lateral movement. Zero trust networks constrain it.

Essential capabilities:

  • Micro-segmentation - Isolate workloads and limit allowed communications
  • Software-defined perimeters - Hide resources from unauthorised users entirely
  • Encrypted internal traffic - Assume internal networks are hostile
  • Network access control - Authenticate devices before granting network access
  • East-west traffic monitoring - Detect anomalous internal communications

This is often the most complex domain to address, particularly in environments with legacy infrastructure. Start with critical assets and expand gradually.
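Segmentation is easiest to justify with a number, so here is an added example that computes the worst-case blast radius of a compromised host under a flat network and under a default-deny micro-segmentation policy. This is illustration code for this post, not the author's; the six hosts, their listening ports and the allow rules are a constructed environment, and the two policy functions stand in for firewall or cloud security-group rules.

```python
"""Blast radius of a compromised host: flat network vs. micro-segmentation.

Added example for this post, not the author's code. The hosts, ports and
rules are a constructed environment; the policy functions stand in for
firewall or cloud security-group rules.
"""
from collections import deque

# Constructed inventory: host -> ports it listens on.
LISTENING = {
    "web-01": {443},
    "app-01": {8080, 22},
    "db-01": {5432, 22},
    "hr-db": {5432, 22},
    "backup-01": {22},
    "jump-01": {22},
}

# Segmentation policy: explicit (source, destination, port) allows; everything else is denied.
SEGMENT_RULES = {
    ("web-01", "app-01", 8080),
    ("app-01", "db-01", 5432),
    ("jump-01", "app-01", 22),
    ("jump-01", "db-01", 22),
    ("jump-01", "hr-db", 22),
    ("backup-01", "db-01", 5432),   # backups pull; nothing may initiate towards backup-01
}


def flat_policy(src: str, dst: str, port: int) -> bool:
    """Flat network: any listening port is reachable from any host."""
    return port in LISTENING[dst]


def segmented_policy(src: str, dst: str, port: int) -> bool:
    """Default deny: a connection needs an explicit rule and a listener."""
    return (src, dst, port) in SEGMENT_RULES and port in LISTENING[dst]


def reachable(start: str, policy) -> set:
    """Hosts an attacker holding `start` can open a connection to, transitively.

    Every hop is assumed to succeed, so this is the worst-case blast radius the
    network alone permits; authentication on each service shrinks it further.
    """
    seen, queue = {start}, deque([start])
    while queue:
        src = queue.popleft()
        for dst, ports in LISTENING.items():
            if dst not in seen and any(policy(src, dst, p) for p in ports):
                seen.add(dst)
                queue.append(dst)
    seen.discard(start)
    return seen


def exposure_report(policy) -> dict:
    """Blast radius size for every host as a starting point."""
    return {host: len(reachable(host, policy)) for host in LISTENING}


if __name__ == "__main__":
    print(reachable("web-01", flat_policy))        # every other host
    print(reachable("web-01", segmented_policy))   # {'app-01', 'db-01'}
    print(reachable("jump-01", segmented_policy))  # {'app-01', 'db-01', 'hr-db'}: why jump hosts need PAM
    print(exposure_report(segmented_policy))
```

Two things fall out of the report. A compromised web server goes from reaching all five other hosts to reaching two, and the backup server is reachable from nowhere because it only ever initiates connections itself, which is the network half of backup isolation. The jump host keeps the widest reach of any host, which is exactly why it belongs behind privileged access management rather than a shared password.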

Applications and Workloads

Applications themselves must enforce zero trust principles.

Essential capabilities:

  • Application-level authentication - Do not rely solely on network position
  • API security - Authentication and authorisation for all API calls
  • Container security - Verify container images and runtime behaviour
  • Secrets management - Secure storage and rotation of credentials
  • Workload identity - Machine-to-machine authentication

Modern applications are often more exposed than traditional on-premises systems. Cloud-native security practices are essential.

Data

Ultimately, zero trust exists to protect data. Data-centric security ensures protection follows the data.

Essential capabilities:

  • Data classification - Understand what data exists and its sensitivity
  • Encryption at rest - Protect data even if storage is compromised; this only holds when the keys are held separately from the storage they protect
  • Data loss prevention - Control how sensitive data can be shared
  • Rights management - Persistent controls that travel with documents
  • Backup isolation - Keep immutable or offline copies under separate credentials so backups cannot be compromised alongside primary data

Data protection is the ultimate measure of zero trust effectiveness.

Zero Trust and Resilience Alignment

Each zero trust principle directly supports resilience objectives.

Zero Trust Principle     Resilience Benefit
Verify explicitly        Early detection of compromised credentials
Least privilege          Reduced blast radius when compromise occurs
Assume breach            Systems designed to contain, not just prevent
Micro-segmentation       Lateral movement blocked, containing incidents
Continuous validation    Ongoing detection, not just at login

This alignment is not coincidental. Both zero trust and resilience stem from the same realistic assessment: perfect prevention is impossible, so design for inevitable compromise.

Common Zero Trust Mistakes

Many zero trust implementations fail to deliver promised benefits. Avoid these common mistakes.

Treating Zero Trust as a Product

Vendors happily sell "zero trust solutions" that address only one piece of the puzzle. Real zero trust requires architectural change across identity, devices, networks, applications, and data. No single product delivers this.

Better approach: Develop a zero trust roadmap that addresses all domains over time. Select tools that integrate into a coherent architecture, not standalone products.

Ignoring Legacy Systems

Many organisations have applications that cannot support modern authentication, lack API security, or require network-level access that violates zero trust principles.

Better approach: Document legacy exceptions explicitly. Implement compensating controls where possible. Plan migration paths for critical legacy systems.

Forgetting the User Experience

Security controls that frustrate users get bypassed. Zero trust that requires constant re-authentication or blocks legitimate work will fail.

Better approach: Design for user experience from the start. Use risk-based authentication that challenges only when warranted. Ensure security controls are invisible during normal operations.

Pursuing Perfection

Some organisations delay implementation waiting for a perfect comprehensive solution. Meanwhile, they remain vulnerable to attacks that zero trust would mitigate.

Better approach: Start with high-risk areas. Implement zero trust for privileged access, critical applications, and sensitive data first. Expand coverage iteratively.

Declaring Victory Too Early

Implementing SSO and MFA is not zero trust. These are prerequisites, not the destination.

Better approach: Measure maturity across all zero trust domains. Track progress against a comprehensive framework. Continue investment until all principles are consistently applied.

Quick Reference: Zero Trust Maturity Assessment

Assess your current zero trust maturity across each domain:

Identity (0-5 score):

  • [ ] MFA deployed for all users (not just privileged)
  • [ ] Phishing-resistant MFA for sensitive systems
  • [ ] Privileged access management implemented
  • [ ] Regular access reviews conducted
  • [ ] Behavioural analytics detecting anomalies

Devices (0-5 score):

  • [ ] Complete device inventory maintained
  • [ ] Endpoint protection on all devices
  • [ ] Device compliance checked before access
  • [ ] BYOD devices managed appropriately
  • [ ] Patch status verified

Network (0-5 score):

  • [ ] Network segmentation implemented
  • [ ] Micro-segmentation for critical assets
  • [ ] Internal traffic encrypted
  • [ ] East-west traffic monitored
  • [ ] Software-defined perimeters deployed

Applications (0-5 score):

  • [ ] Application-level authentication required
  • [ ] API security implemented
  • [ ] Secrets managed securely
  • [ ] Container security in place
  • [ ] Workload identity implemented

Data (0-5 score):

  • [ ] Data classification completed
  • [ ] Encryption at rest implemented
  • [ ] DLP controls in place
  • [ ] Rights management for sensitive documents
  • [ ] Backup isolation verified

Scoring: 0-1 = Traditional, 2-3 = Transitioning, 4-5 = Mature

Focus improvement efforts on your lowest-scoring domains. Overall maturity is limited by your weakest area - attackers will find it.

The Resilience Connection

Zero trust is not security theatre. When implemented thoughtfully, it delivers genuine resilience benefits:

  • Faster detection - Continuous verification surfaces anomalies that point-in-time authentication misses
  • Smaller incidents - Least privilege and segmentation contain compromises before they spread
  • Easier recovery - Well-segmented environments can isolate compromised portions while maintaining operations elsewhere
  • Reduced dwell time - Attackers cannot move freely, limiting their ability to establish persistence

As we discussed in Part 1, resilience means continuing to operate despite attacks. Zero trust architecture makes this possible.

What Comes Next

Zero trust addresses internal architecture. But organisational boundaries are porous - Part 4 examines third-party and supply chain resilience, extending resilience principles beyond your direct control.

Part 5 provides a reality check on incident response - testing whether your architecture actually performs under pressure.

Zero trust is a journey, not a destination. But every step on that journey improves your organisational resilience. For a deeper technical dive, see my standalone guide on Zero Trust Architecture: A Strategy, Not a Product.


Implementing Zero Trust Architecture

Building a zero trust architecture requires strategic planning and experienced guidance. My IT management services help organisations assess their current posture, develop zero trust roadmaps, and implement controls that genuinely improve resilience.

Get in touch to discuss how zero trust can strengthen your security architecture.


Previous: Part 2 - The 2026 Threat Landscape

Next: Part 4 - Third-Party and Supply Chain Resilience


Daniel J Glover

IT Leader with experience spanning IT management, compliance, development, automation, AI, and project management. I write about technology, leadership, and building better systems.
