A Zero Trust architecture saves an average of $1.76 million per security breach, according to IBM's Cost of a Data Breach 2025 report, yet Gartner estimates that by 2026 only 10% of large enterprises will have a mature, measurable Zero Trust programme. That gap between the model's demonstrated value and its actual adoption is arguably the largest untapped cybersecurity opportunity available to organisations today. The good news is that Zero Trust is neither a product you buy nor a switch you flip: it is a strategy you implement in phases, and any organisation can start next Monday with the assets it already has.
This practical guide explains what Zero Trust really is (beyond vendor marketing), how it differs from the traditional VPN, what the NIST and CISA pillars consist of, what role ZTNA plays in modern access, and — most importantly — how to bring the model into production without halting the business or rewriting the entire infrastructure.
What is Zero Trust and how does it differ from the traditional VPN?
Zero Trust is a security model built on an uncomfortable but realistic premise: no user, device, or connection should be implicitly trusted, whether inside or outside the corporate perimeter. Rather than assuming that everything "on the network" is safe, every access request is explicitly verified, authorised for a specific resource, and continuously re-evaluated.
The contrast with the traditional VPN is stark. The VPN was designed to solve a different problem: connecting a remote device to the corporate network as if it were physically in the office. The problem lies precisely in that "as if it were inside" assumption: once the tunnel is established, the device gains broad access to an entire network segment. If credentials are compromised or the laptop is infected, the attacker inherits that same trust and can move laterally across the network with relative freedom.
Zero Trust inverts the logic. There is no concept of "being inside." Access is granted resource by resource, session by session, based on verified identity, device health, and request context.
| Dimension | Traditional VPN | Zero Trust / ZTNA |
|---|---|---|
| Trust model | Implicit after initial authentication | Never trust, always verify |
| Access scope | Full segment or network | A single application or resource |
| Granularity | Per network | Per session and per resource |
| Lateral movement | Possible once inside the tunnel | Blocked by design |
| Context evaluated | Credentials at login | Identity, device, and context — continuously |
| App visibility | Resources exposed on the internal network | Applications invisible until authorised |
The practical difference is enormous for a mid-market or enterprise organisation: with Zero Trust, a stolen credential is no longer the master key to the kingdom. At most, it is the key to a single door — and only for as long as the context remains legitimate.
NIST 800-207 principles and the five CISA pillars
Talking about Zero Trust seriously means grounding the conversation in recognised frameworks, not vendor brochures. The two canonical documents are NIST SP 800-207 (Zero Trust Architecture) and CISA's Zero Trust Maturity Model 2.0.
The seven principles of NIST SP 800-207
The Zero Trust model rests on seven foundational principles defined in NIST SP 800-207. Among the most important: all communications are secured regardless of network location, access to each resource is granted per individual session, and authentication and authorisation are dynamic and strictly enforced before every access. Stated as operational rules, the seven principles are:
- All data sources and computing services are treated as resources that must be protected.
- All communications are secured regardless of network location (inside or outside the perimeter).
- Access to individual resources is granted per session, not permanently.
- Access is determined by dynamic policies that incorporate the observable state of the identity, application, and requesting asset.
- The organisation monitors and measures the integrity and security posture of all its assets.
- Authentication and authorisation are dynamic and strictly enforced before any access is permitted.
- The organisation collects as much information as possible about the state of the network and uses it to improve its security posture.
What matters about NIST 800-207 is that it does not mandate a specific technology: it describes principles and logical components (the policy engine, policy administrator, and policy enforcement point) that each organisation implements with the tools it already has or decides to acquire.
The five pillars of the CISA maturity model
If NIST provides the principles, CISA provides the roadmap. CISA's Zero Trust Maturity Model 2.0 structures the model around five pillars plus three cross-cutting capabilities that span all of them:
- Identity — robustly verify who is accessing (phishing-resistant MFA, identity lifecycle management).
- Devices — know and assess the security posture of every endpoint before granting access.
- Networks — segment, encrypt traffic, and reduce the exposed attack surface.
- Applications and workloads — protect applications and workloads, including the software supply chain.
- Data — classify, label, encrypt, and control access to data, which is the ultimate asset to protect.
The three cross-cutting capabilities are Visibility and Analytics, Automation and Orchestration, and Governance. CISA also defines four maturity levels per pillar — Traditional, Initial, Advanced, and Optimal — which allows an organisation to assess itself honestly and prioritise investment where it is most needed, rather than chasing the latest trending tool.
This pillar-and-level approach is precisely what makes Zero Trust an approachable project: you do not need to reach "Optimal" across all five pillars simultaneously. Moving up one step in Identity and Devices already cuts risk dramatically.
ZTNA: application access without a network perimeter
If Zero Trust is the strategy, ZTNA (Zero Trust Network Access) is the technology that materialises the access principle for the most common and most critical use case: remote access to applications.
ZTNA creates a one-to-one connection between a verified user and a specific application, never placing the user "inside the network." Applications remain invisible to anyone not explicitly authorised: there is no IP range to scan, no port to probe, no network surface to attack. The ZTNA broker evaluates identity, device posture, and context before establishing each connection, and re-evaluates throughout the session.
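The NIST 800-207 logical components named above (policy engine, policy administrator, policy enforcement point) and the ZTNA broker behaviour just described are easier to reason about as code. The following Python is an added example written for this article; it is not code from Technova Partners or from any ZTNA product, and the attribute names (`MfaStrength`, `DevicePosture`, `ResourcePolicy`, the risk-score range) are assumptions chosen for illustration. It shows a per-resource, per-session decision, a grant for one application that does not extend to another, and the revocation of a live session when device posture changes mid-session.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class MfaStrength(Enum):
    """Ordered assurance levels; a higher value means stronger authentication."""
    NONE = 0
    OTP = 1
    PHISHING_RESISTANT = 2  # passkeys / FIDO2


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset
    mfa: MfaStrength


@dataclass(frozen=True)
class DevicePosture:
    managed: bool
    disk_encrypted: bool
    edr_healthy: bool
    os_patch_age_days: int


@dataclass(frozen=True)
class Context:
    country: str
    risk_score: int  # assumed 0 (clean) .. 100 (hostile), e.g. fed by the identity provider


@dataclass(frozen=True)
class ResourcePolicy:
    """Per-resource rule set consumed by the policy engine (hypothetical schema)."""
    name: str
    allowed_groups: frozenset
    min_mfa: MfaStrength
    require_managed_device: bool
    max_patch_age_days: int
    allowed_countries: frozenset
    max_risk: int


@dataclass(frozen=True)
class Decision:
    allow: bool
    reasons: tuple  # empty when allowed; otherwise every failed check, for the audit log


def policy_engine(policy, identity, device, context):
    """Policy engine: evaluates one request against one resource's policy."""
    reasons = []
    if not (identity.groups & policy.allowed_groups):
        reasons.append("identity not entitled to resource")
    if identity.mfa.value < policy.min_mfa.value:
        reasons.append("mfa strength below policy minimum")
    if policy.require_managed_device and not device.managed:
        reasons.append("unmanaged device")
    if not device.disk_encrypted:
        reasons.append("disk not encrypted")
    if not device.edr_healthy:
        reasons.append("endpoint protection unhealthy")
    if device.os_patch_age_days > policy.max_patch_age_days:
        reasons.append("os patch level too old")
    if context.country not in policy.allowed_countries:
        reasons.append("request origin not permitted")
    if context.risk_score > policy.max_risk:
        reasons.append("session risk score too high")
    return Decision(allow=not reasons, reasons=tuple(reasons))


class EnforcementPoint:
    """Policy administrator (session grants) plus enforcement point (the gate)."""

    def __init__(self, policies):
        self.policies = {p.name: p for p in policies}
        self.sessions = {}  # session_id -> (resource, identity)

    def connect(self, session_id, resource, identity, device, context):
        # One grant per resource per session: access to 'git' says nothing about 'payroll'.
        decision = policy_engine(self.policies[resource], identity, device, context)
        if decision.allow:
            self.sessions[session_id] = (resource, identity)
        return decision

    def reevaluate(self, session_id, device, context):
        # Continuous verification: a posture or context change revokes a live session.
        resource, identity = self.sessions[session_id]
        decision = policy_engine(self.policies[resource], identity, device, context)
        if not decision.allow:
            del self.sessions[session_id]
        return decision

    def is_active(self, session_id):
        return session_id in self.sessions


def demo():
    """Walks a constructed scenario and returns the decisions so they can be checked."""
    payroll = ResourcePolicy("payroll", frozenset({"finance"}), MfaStrength.PHISHING_RESISTANT,
                             True, 30, frozenset({"ES", "PT"}), 40)
    git = ResourcePolicy("git", frozenset({"engineering", "contractors"}), MfaStrength.OTP,
                         False, 90, frozenset({"ES", "PT", "DE"}), 70)
    pep = EnforcementPoint([payroll, git])
    alice = Identity("alice", frozenset({"finance"}), MfaStrength.PHISHING_RESISTANT)
    healthy = DevicePosture(managed=True, disk_encrypted=True, edr_healthy=True, os_patch_age_days=5)
    madrid = Context(country="ES", risk_score=10)
    first = pep.connect("s1", "payroll", alice, healthy, madrid)   # allowed
    second = pep.connect("s2", "git", alice, healthy, madrid)      # denied: not in an entitled group
    degraded = DevicePosture(managed=True, disk_encrypted=True, edr_healthy=False, os_patch_age_days=5)
    revoked = pep.reevaluate("s1", degraded, madrid)               # live session torn down
    return {"first": first, "second": second, "revoked": revoked, "s1_active": pep.is_active("s1")}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The design point is that every deny carries the list of failed checks: the reasons tuple is what a SOC needs in the broker's audit log to distinguish a mistyped group membership from a compromised device, and it is what a policy reviewer needs to tune thresholds without loosening the whole policy.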
This is why ZTNA is rapidly displacing the VPN. Gartner projects that up to 70% of new remote access deployments will be based on ZTNA rather than VPN technology in 2025, up from less than 10% at the end of 2021. The market follows that trend: according to MarketsandMarkets, the ZTNA market is projected to grow from $1.34 billion in 2025 to $4.18 billion in 2030, at a compound annual growth rate of 25.5%.
When ZTNA makes sense over a VPN
- Hybrid and remote work at scale — when a significant portion of the workforce accesses business applications from outside the office.
- Third-party access — vendors, contractors, or partners who need a specific application, not the entire network.
- Critical or regulated applications — where the principle of least privilege is not optional but a regulatory requirement.
- Attack surface reduction — when the goal is to stop exposing servers and services directly to the internet.
A candid caveat is warranted: ZTNA is not Zero Trust on its own. It is one piece — usually the first and most cost-effective one — of a broader architecture that spans all five CISA pillars. Purchasing a ZTNA solution and declaring "we now have Zero Trust" is one of the most common mistakes. That is why ZTNA should be framed within a comprehensive cybersecurity services strategy that also covers identity, devices, data, and monitoring.
How to implement Zero Trust in phases within an organisation
The million-dollar question is not "what is Zero Trust" but "where do I start without breaking anything." The answer is an incremental rollout, aligned with CISA maturity levels, that delivers value at each stage. Below we outline a five-phase journey designed for mid-sized and large organisations.
Phase 0 — Discovery and baseline
You cannot protect what you do not know. The first phase is a rigorous inventory of identities, devices, applications, data flows, and dependencies. The goal is to answer three questions: who accesses what, from where, and why. This phase typically surfaces legacy access, orphan accounts, and exposed applications that nobody remembered. It is also the moment to self-assess against CISA's four maturity levels for each pillar.
Phase 1 — Identity as the new perimeter
Identity is the pillar with the best ratio of effort to risk reduction. The core actions are:
- Deploy phishing-resistant MFA across all access points (ideally passkeys or FIDO2 keys).
- Centralise identity management and enforce the principle of least privilege.
- Implement risk-based conditional access (location, device, behaviour).
- Review and remove unnecessary standing access.
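Phase 0's three questions (who accesses what, from where, and why) and Phase 1's review of standing access can both be answered from the same inputs: an identity directory export, an entitlement export, and access logs. The Python below is an added example written for this article, not tooling from Technova Partners or from any product; the log format, the `DIRECTORY` and `ENTITLEMENTS` structures and the sample events are all constructed for illustration. It builds the access map, lists accounts that hold grants or generate activity without an active directory record, flags standing grants not exercised inside the review window, and shortlists the applications still reached over the VPN as candidates for the Phase 2 ZTNA pilot.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# --- Constructed sample inputs (not real telemetry) -------------------------
# Identity source of truth (HR / IdP export): user -> lifecycle status.
DIRECTORY = {"alice": "active", "bob": "active", "carol": "disabled"}

# Standing entitlements as exported from the access-management system.
ENTITLEMENTS = {
    "alice": {"crm", "payroll", "git"},
    "bob": {"git"},
    "carol": {"crm"},
    "svc-backup": {"payroll"},  # service account absent from the directory
}

# One JSON object per line; 'path' records how the resource was reached.
ACCESS_LOG = """\
{"ts": "2024-11-15T22:10:03Z", "user": "alice", "resource": "payroll", "path": "vpn", "country": "ES"}
{"ts": "2025-03-01T08:02:11Z", "user": "alice", "resource": "crm", "path": "vpn", "country": "ES"}
{"ts": "2025-03-01T08:05:40Z", "user": "alice", "resource": "git", "path": "ztna", "country": "ES"}
{"ts": "2025-03-02T09:30:00Z", "user": "bob", "resource": "git", "path": "ztna", "country": "PT"}
{"ts": "2025-03-03T17:45:12Z", "user": "carol", "resource": "crm", "path": "vpn", "country": "ES"}
{"ts": "2025-03-04T11:12:09Z", "user": "alice", "resource": "crm", "path": "office", "country": "ES"}
"""


def parse_log(text):
    """Parse JSON-lines access events; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            events.append(ev)
        except (ValueError, KeyError, TypeError):
            continue
    return events


def build_access_map(events):
    """Who accessed what, from where: user -> resource -> {(path, country)}."""
    amap = defaultdict(lambda: defaultdict(set))
    for ev in events:
        amap[ev["user"]][ev["resource"]].add((ev["path"], ev["country"]))
    return {user: dict(res) for user, res in amap.items()}


def find_orphan_accounts(entitlements, events, directory):
    """Accounts holding grants or producing activity without an active directory record."""
    seen = set(entitlements) | {ev["user"] for ev in events}
    return sorted(u for u in seen if directory.get(u) != "active")


def find_unused_standing_access(entitlements, events, since):
    """Standing grants not exercised since `since`: removal candidates for Phase 1."""
    used = defaultdict(set)
    for ev in events:
        if ev["ts"] >= since:
            used[ev["user"]].add(ev["resource"])
    unused = {u: sorted(res - used[u]) for u, res in entitlements.items()}
    return {u: r for u, r in unused.items() if r}


def resources_reached_over_vpn(events):
    """Applications still reached through the network tunnel: the ZTNA pilot shortlist."""
    return sorted({ev["resource"] for ev in events if ev["path"] == "vpn"})


def run_discovery(log_text=ACCESS_LOG, since=datetime(2025, 2, 1, tzinfo=timezone.utc)):
    """Runs the Phase 0 / Phase 1 checks over one log export and returns the findings."""
    events = parse_log(log_text)
    return {
        "access_map": build_access_map(events),
        "orphans": find_orphan_accounts(ENTITLEMENTS, events, DIRECTORY),
        "unused_access": find_unused_standing_access(ENTITLEMENTS, events, since),
        "vpn_resources": resources_reached_over_vpn(events),
    }


if __name__ == "__main__":
    for key, value in run_discovery().items():
        print(key, value)
```

Two findings in the constructed data are the kind Phase 0 typically surfaces: a disabled account (`carol`) that is still reaching an application over the VPN, and a service account that exists only in the entitlement export. The review window matters too: Alice's payroll access falls outside it, so the grant is listed for review rather than silently kept because it was used once, long ago.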
Phase 2 — Devices and application access (ZTNA)
With identity under control, device posture is incorporated into the access decision and ZTNA is deployed to progressively replace the VPN. This is where most organisations experience their first visible "Zero Trust moment": remote access stops being a network tunnel and becomes one-to-one connections to specific applications. It is advisable to start with a pilot group and one or two applications, not the entire organisation at once.
Phase 3 — Microsegmentation and data protection
Once access is secured, work moves inward: segment the network to prevent lateral movement, encrypt east-west traffic, and — in the data pillar — classify and label information to apply access controls proportionate to its sensitivity. This phase is the one most closely connected to governance frameworks such as ISO 27001, where access control and information classification are formal requirements; aligning the Zero Trust project with an ISO 27001 certification avoids duplicating effort.
Phase 4 — Visibility, automation, and continuous improvement
Zero Trust is not a project that ends; it is a posture that is maintained. CISA's three cross-cutting capabilities take centre stage: centralised telemetry, detection and response, and automation of policy decisions. For many organisations, sustaining this phase 24x7 internally is not feasible — and here a managed SOC and MDR service provides the continuous monitoring and incident response the model demands without having to build an in-house security operations team.
Practical rule: each phase must deliver a measurable risk reduction on its own. If a phase cannot be independently justified, it is badly scoped.
Phase summary
| Phase | Focus | Dominant CISA pillar | Expected outcome |
|---|---|---|---|
| 0. Discovery | Inventory and baseline | Visibility | Access map and maturity self-assessment |
| 1. Identity | MFA and least privilege | Identity | Stolen credential no longer a master key |
| 2. Devices and ZTNA | Posture + app access | Devices / Applications | Progressive VPN replacement |
| 3. Segmentation and data | Microsegmentation and encryption | Networks / Data | Lateral movement blocked |
| 4. Continuous operations | Telemetry and response | Automation / Governance | Sustained and measurable posture |
Zero Trust and regulatory compliance: NIS2, ENS, and GDPR
For organisations subject to European regulations, Zero Trust is not just a technical best practice — it is increasingly a direct enabler of regulatory compliance. Granular access control, least privilege, and continuous verification are precisely what the current and emerging regulatory frameworks demand.
The regulatory landscape is still evolving. NIS2 has been partially transposed in some member states, while the pressure from the European Commission on full transposition continues to mount. For affected organisations — a universe that NIS2 expands significantly compared to the original NIS Directive — security obligations are coming, and it pays to get ahead of them. At the same time, NIST and ENISA (the EU Cybersecurity Agency) both position Zero Trust as the standard for aligning access control and least privilege with those requirements.
How Zero Trust supports each framework
- NIS2 — requires risk management measures, access controls, and security governance; the CISA Identity, Devices, and Governance pillars respond to these directly.
- ENS (National Security Framework) — for public-sector entities and their suppliers, least privilege and segmentation are central controls that Zero Trust implements by design.
- GDPR — data protection (classification, encryption, and need-to-know access) reduces the scope and severity of a potential personal data breach.
- DORA — in banking, insurance, and capital markets, digital operational resilience relies on the continuous verification and monitoring that Zero Trust formalises.
The underlying message is that investing in Zero Trust is not a separate "compliance spend": it is building once an architecture that satisfies multiple frameworks simultaneously. That efficiency is precisely what differentiates organisations that approach security strategically from those that react audit by audit.
Conclusion: start small, measure, and build forward
Zero Trust is neither a product nor a destination — it is a disciplined approach to granting access: never by default, always verified, resource by resource. The evidence supports the decision — $1.76 million average savings per breach according to IBM — and the regulatory context, with NIS2 transposition advancing, makes it an unavoidable priority. The key is not to try to tackle everything at once: start with identity, replace the VPN with ZTNA, segment, protect data, and sustain operations with continuous visibility. Each phase reduces risk in a measurable way and builds on the previous one.
If your organisation wants to take the first step in an orderly fashion, Technova Partners designs Zero Trust roadmaps tailored to the actual maturity level of each business. You can start by downloading our ISO 27001 readiness checklist — a solid starting point for auditing your access controls and governance — or speak directly with our cybersecurity team to assess your situation and prioritise the phases that eliminate the most risk in your specific context.