
Zero Trust In Indian Enterprises: What Changes First And What Can Wait

Updated: Feb 25, 2026


In Brief 

Zero Trust is not a product. It is a control shift. Start with identity and privileged access. Delay broad network redesign until you contain admin, remote, and third-party risk. 

The First Breach Usually Does Not Start In The Data Centre 

A Bengaluru-based SaaS firm ran perimeter firewalls, endpoint protection, and VPN access. The attacker did not break the firewall. He logged in with stolen credentials, then moved laterally using over-privileged access. No segmentation stopped him. 

The board later asked one question. Why did Zero Trust not stop this? 

The answer was simple. Zero Trust had not been operationalised. It had been discussed. 

What Zero Trust Means In Practice 

Zero Trust is a security model that requires continuous verification of identity, device posture, access context, and session behaviour before granting access to applications or data. It removes implicit trust based on network location and replaces it with policy-driven access decisions. In India, implementations typically combine identity enforcement, Zero Trust Network Access (ZTNA), and Secure Service Edge (SSE) capabilities to remove that implicit network trust. 

In practical terms, Zero Trust shifts control from the network perimeter to identity and application layers. 

In Indian enterprises, Zero Trust must address five structural realities: 

  1. Hybrid workforce with unmanaged networks 
  2. Third-party vendor access across multiple sites 
  3. Privileged accounts with excessive standing rights 
  4. Rapid SaaS adoption without uniform governance 
  5. Flat east-west traffic inside campus and data centre networks 

Operational Zero Trust requires: 

  • Identity assurance at login and during session 
  • Device posture validation before access 
  • Application-level segmentation instead of broad network tunnels 
  • Continuous monitoring of identity anomalies 
  • Clear linkage between access control and incident response workflows 

If these controls are not measurable, Zero Trust remains conceptual. 
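The controls above become measurable only when every access request is evaluated by one policy that can say "deny" and why. The following is an added example, not code from the original article: a minimal policy engine that applies identity assurance (MFA strength), device posture, per-application scope and an in-session anomaly signal to a single request. The role names, MFA ranking, applications, policies and sample requests are constructed assumptions.

```python
# Added example (not from the original article): a minimal policy-driven
# access decision that applies the controls listed above to one request at a
# time. Role names, MFA ranking, applications and policies are constructed.
from dataclasses import dataclass

# Constructed ranking; only FIDO2/WebAuthn-style authenticators count as
# phishing-resistant. SMS, push and TOTP can all be relayed by a phishing proxy.
MFA_STRENGTH = {"none": 0, "sms": 1, "push": 2, "totp": 2, "fido2": 3}
PHISHING_RESISTANT = 3

PRIVILEGED_ROLES = frozenset(
    {"domain-admin", "cloud-admin", "finance-approver", "remote-it-support"}
)


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str                # e.g. "cloud-admin" or "employee"
    mfa_method: str          # key into MFA_STRENGTH
    device_managed: bool     # enrolled in MDM/EDR
    device_compliant: bool   # posture check passed (encrypted, patched, EDR healthy)
    app: str                 # one application, never "the network"
    session_anomaly: bool    # identity-monitoring signal raised during the session


@dataclass(frozen=True)
class AppPolicy:
    allowed_roles: frozenset
    require_phishing_resistant: bool
    require_compliant_device: bool


# Constructed per-application policies. There is no "inside the network" rule:
# a request from the campus LAN is evaluated exactly like one from home.
POLICIES = {
    "erp-finance": AppPolicy(frozenset({"finance-approver"}), True, True),
    "cloud-console": AppPolicy(frozenset({"cloud-admin"}), True, True),
    "intranet-wiki": AppPolicy(frozenset({"employee"}) | PRIVILEGED_ROLES, False, False),
}


def evaluate(req: AccessRequest, policies=POLICIES):
    """Return ("allow", []) or ("deny", [reasons]). Every check must pass."""
    policy = policies.get(req.app)
    if policy is None:
        return "deny", ["unknown application: default deny"]
    reasons = []
    if req.role not in policy.allowed_roles:
        reasons.append(f"role {req.role} is not permitted for {req.app}")
    strength = MFA_STRENGTH.get(req.mfa_method, 0)
    # Privileged roles need phishing-resistant MFA for every app, not only critical ones.
    needs_pr = policy.require_phishing_resistant or req.role in PRIVILEGED_ROLES
    if needs_pr and strength < PHISHING_RESISTANT:
        reasons.append(f"mfa method {req.mfa_method} is not phishing-resistant")
    elif strength == 0:
        reasons.append("no MFA presented")
    if policy.require_compliant_device and not (req.device_managed and req.device_compliant):
        reasons.append("device posture check failed")
    # Verification continues during the session: an anomaly revokes access.
    if req.session_anomaly:
        reasons.append("identity anomaly flagged during session")
    return ("deny", reasons) if reasons else ("allow", [])


# Constructed requests. "stolen_creds" models the breach narrative above:
# valid password, push-approved MFA, unmanaged laptop.
SAMPLE_REQUESTS = {
    "approver_ok": AccessRequest("priya", "finance-approver", "fido2", True, True, "erp-finance", False),
    "stolen_creds": AccessRequest("arjun", "cloud-admin", "push", False, False, "cloud-console", False),
    "wiki_totp": AccessRequest("neha", "employee", "totp", False, False, "intranet-wiki", False),
    "no_mfa": AccessRequest("neha", "employee", "none", False, False, "intranet-wiki", False),
    "mid_session": AccessRequest("priya", "finance-approver", "fido2", True, True, "erp-finance", True),
}


def decide_all(requests=SAMPLE_REQUESTS):
    return {name: evaluate(req) for name, req in requests.items()}


if __name__ == "__main__":
    for name, (verdict, reasons) in decide_all().items():
        print(f"{name:12} {verdict:5} {'; '.join(reasons)}")
```

The point of the structure is that the decision never consults source IP or VLAN: the stolen-credential request is denied on two independent grounds (relayable MFA and unmanaged device), and a request that passed at login is denied again the moment an anomaly signal is attached to the session.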

What Changes First 

1. Phishing-Resistant MFA For All Privileged Users 

Do not start with every employee. Start with domain admins, cloud administrators, finance approvers, and remote IT support staff. 

If privileged access lacks phishing-resistant MFA, Zero Trust does not exist. 

2. Remove Shared And Dormant Admin Accounts 

Audit service accounts. Remove shared credentials. Rotate keys. Reduce standing privilege. 

Most Indian enterprises underestimate the volume of unused elevated access. 

3. Replace VPN-Based Trust With Identity-Based Access 

A VPN authenticates the user once and then grants reachability to the network behind it, so every service on that network becomes a target for whoever holds the credentials. Zero Trust verifies each request and grants access to one application at a time. 

Focus on external-facing admin access and critical applications. Replace broad network tunnels with policy-driven access. 

4. Segment High-Value Assets 

Segment finance systems, HR data, and production control networks. Limit east-west movement. Measure lateral traffic reduction. 

Segmentation does not require a full network redesign on day one. It requires policy enforcement around sensitive assets. 
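"Measure lateral traffic reduction" needs a concrete calculation. The following is an added example, not code from the original article: it evaluates an allow-list segmentation policy around finance and HR zones against constructed east-west flow records and counts the distinct lateral paths into protected zones before and after enforcement. Zone ranges, rules and flow lines are constructed assumptions; flows that do not touch a protected zone are left untouched, which is the "policy around sensitive assets, not a full redesign" approach described above.

```python
# Added example (not from the original article): scoring a segmentation
# policy against constructed flow records. Zones, rules and flows are assumed.
import ipaddress
from collections import Counter

# Constructed zone map; in practice derived from VLAN/VRF or tag inventory.
ZONES = {
    "user-campus": ipaddress.ip_network("10.10.0.0/16"),
    "finance": ipaddress.ip_network("10.20.1.0/24"),
    "hr": ipaddress.ip_network("10.20.2.0/24"),
    "general-servers": ipaddress.ip_network("10.30.0.0/16"),
    "admin-jump": ipaddress.ip_network("10.40.0.0/24"),
}

# Only these zones get a policy in this phase; everything else is "unscoped".
PROTECTED = {"finance", "hr"}

# Allow-list of (src_zone, dst_zone, dst_port) into protected zones. Anything
# else into a protected zone is dropped, including admin protocols from campus.
ALLOW = {
    ("user-campus", "finance", 443),   # ERP web front end
    ("admin-jump", "finance", 22),     # administration only via jump host
    ("admin-jump", "hr", 22),
    ("user-campus", "hr", 443),
}

FLOWS = """\
# constructed flow records: src dst dport proto
10.10.5.23 10.20.1.10 443 tcp
10.10.5.23 10.20.1.10 3389 tcp
10.10.7.99 10.20.2.15 445 tcp
10.30.4.4 10.20.1.10 1433 tcp
10.40.0.5 10.20.1.10 22 tcp
10.10.5.23 10.30.4.4 445 tcp
10.10.5.23 10.20.2.15 443 tcp
10.20.1.10 10.20.2.15 5985 tcp
"""


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flows(text=FLOWS):
    flows = []
    for line in text.splitlines():
        line = line.split("#")[0].strip()
        if not line:
            continue
        src, dst, port, proto = line.split()
        flows.append((src, dst, int(port), proto))
    return flows


def decide(flow):
    """'unscoped' when the destination is not a protected zone, else allow/drop."""
    src, dst, port, _ = flow
    s, d = zone_of(src), zone_of(dst)
    if d not in PROTECTED:
        return "unscoped"
    return "allow" if (s, d, port) in ALLOW else "drop"


def lateral_paths(flows, enforced=True):
    """Distinct (src_zone, dst_zone, port) paths into protected zones that
    remain reachable. With enforced=False every observed path counts,
    which is the flat-network baseline."""
    paths = set()
    for f in flows:
        s, d = zone_of(f[0]), zone_of(f[1])
        if d not in PROTECTED:
            continue
        if not enforced or decide(f) == "allow":
            paths.add((s, d, f[2]))
    return paths


def report(flows):
    before = lateral_paths(flows, enforced=False)
    after = lateral_paths(flows, enforced=True)
    reduction = round(100 * (1 - len(after) / len(before)), 1) if before else 0.0
    return {
        "paths_before": len(before),
        "paths_after": len(after),
        "reduction_pct": reduction,
        "verdicts": dict(Counter(decide(f) for f in flows)),
    }


if __name__ == "__main__":
    print(report(parse_flows()))
```

Counting distinct paths rather than packets is deliberate: a single RDP flow from a workstation to the finance server is one lateral-movement path whether it carried one session or a thousand, and the metric an executive can track is how many such paths survive enforcement.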

What Can Wait 

Broad Campus Micro-Segmentation 

Do not attempt enterprise-wide micro-segmentation before identity control stabilises. 

Full Device Trust For Every Endpoint 

Start with high-risk roles. Expand gradually. 

SaaS Policy Perfection 

Begin with visibility and privileged SaaS enforcement. Refine policies after baseline risk reduces. Zero Trust fails when scope overwhelms execution. 

Zero Trust Maturity Model For Indian Enterprises 

Level 1: Perimeter Dependent 

  • VPN-based access for remote users 
  • MFA optional or limited 
  • Flat internal network 
  • Privileged accounts not regularly audited 

Level 2: Identity-Enforced Access 

  • MFA enforced for privileged roles 
  • Role-based access defined 
  • Segmentation around high-value assets 
  • Vendor access restricted 

Level 3: Policy-Driven Continuous Verification 

  • Phishing-resistant MFA across critical roles 
  • Device posture validation before access 
  • Application-level access instead of network-level trust 
  • Continuous monitoring of identity behaviour 
  • Quarterly access reviews with measurable reduction targets 

You should know your maturity level. If privileged access is not tightly controlled, you remain at Level 1. 

Comparison Table - ZTNA vs VPN vs SSE

Model   Trust decision                                      Scope of access granted
VPN     Trust assumed once the tunnel is established        Network-level reachability
ZTNA    Identity and device verified for each application   Per-application access
SSE     Identity-aware policy with continuous inspection    Web, SaaS, and private applications

VPN assumes trust after connection. ZTNA verifies access per application. Secure Service Edge, or SSE, extends policy control across web, SaaS, and private applications with continuous inspection and identity-aware enforcement. 

For Indian enterprises evaluating Cisco Secure Access, Cisco Duo, and Cisco ISE, the architectural shift lies in moving from network trust to identity and policy enforcement at every access point. 

Indian enterprises moving from VPN to ZTNA typically see an immediate reduction in exposed internal services. Enterprises adopting SSE gain additional visibility across unmanaged SaaS usage and web traffic. 

Zero Trust Architecture In The Indian Context 

In Hyderabad’s IT corridor, a mid-sized technology firm moved remote admin access from VPN to identity-based application access. They enforced phishing-resistant MFA for all privileged roles, validated device posture before access, and segmented finance workloads at the network layer. During red-team simulation, lateral movement attempts failed at policy enforcement points. 

The change was phased and measurable. It did not disrupt operations because high-risk identities and applications were prioritised first. 

Effective Zero Trust architecture combines: 

  • Phishing-resistant MFA for privileged and remote roles 
  • Conditional access based on device health and user risk 
  • Application-level access control for remote connectivity 
  • Segmentation policies that restrict east-west traffic 
  • Central telemetry that feeds SOC detection and reporting workflows 

Each control must produce a measurable reduction in attack surface, not only architectural compliance. 

The First 90 Days Zero Trust Plan 

Zero Trust fails when the scope expands too early. You need a phased execution model with measurable checkpoints. 

Days 1–30: Identity Stabilisation 

  • Inventory all privileged and administrative accounts 
  • Enforce phishing-resistant MFA for privileged users 
  • Remove shared admin credentials 
  • Define conditional access policies for high-risk roles 
  • Establish baseline metrics for privileged access exposure 

Target outcome: 100 percent of privileged accounts covered by phishing-resistant MFA and zero shared admin accounts. 
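The inventory, shared-credential removal and baseline-metrics steps of this phase (and the "Remove Shared And Dormant Admin Accounts" step earlier) can be driven from one audit over the directory export. The following is an added example, not code from the original article: it classifies enabled privileged accounts as dormant, shared or lacking phishing-resistant MFA, computes the baseline metrics this plan asks for, and orders remediation. The column names, dormancy threshold, MFA labels and rows are constructed assumptions standing in for an AD or IdP export.

```python
# Added example (not from the original article): a privileged-account audit
# that produces the Days 1-30 baseline metrics from a directory export.
# The column layout, thresholds and rows below are constructed assumptions
# standing in for an AD or IdP export; map your own export onto these names.
import csv
import io
from datetime import datetime, timedelta

EXPORT = """\
sam,display_name,privileged,mfa_method,last_logon,owner_count,enabled
jdoe-adm,Jane Doe (admin),1,fido2,2026-02-20,1,1
svc-backup,Backup service,1,none,2025-09-01,3,1
shared-it,Shared IT desk,1,sms,2026-02-24,4,1
rkumar-adm,R Kumar (admin),1,fido2,2025-10-15,1,1
cloud-ops,Cloud ops,1,push,2026-02-23,1,1
asharma,A Sharma,0,totp,2026-02-25,1,1
old-admin,Legacy admin,1,none,,1,1
"""

PHISHING_RESISTANT = {"fido2", "smartcard"}   # assumed method labels
DORMANT_AFTER = timedelta(days=90)             # assumed dormancy threshold
AS_OF = datetime(2026, 2, 25)                  # audit date for the constructed data


def parse_export(text=EXPORT):
    return list(csv.DictReader(io.StringIO(text)))


def audit(rows, as_of=AS_OF):
    """Classify enabled privileged accounts and compute baseline metrics."""
    findings = {"dormant": [], "shared": [], "weak_mfa": []}
    privileged = [r for r in rows if r["privileged"] == "1" and r["enabled"] == "1"]
    for r in privileged:
        # Never logged on, or no logon within the dormancy window.
        last = r["last_logon"]
        if not last or as_of - datetime.fromisoformat(last) > DORMANT_AFTER:
            findings["dormant"].append(r["sam"])
        # More than one person holds the credential: shared account.
        if int(r["owner_count"]) > 1:
            findings["shared"].append(r["sam"])
        if r["mfa_method"] not in PHISHING_RESISTANT:
            findings["weak_mfa"].append(r["sam"])
    total = len(privileged)
    covered = total - len(findings["weak_mfa"])
    metrics = {
        "privileged_total": total,
        "phishing_resistant_pct": round(100 * covered / total, 1) if total else 0.0,
        "dormant": len(findings["dormant"]),
        "shared": len(findings["shared"]),
    }
    return findings, metrics


def remediation_plan(findings):
    """Order actions so standing exposure drops first: disable dormant accounts,
    then replace shared ones with named accounts, then enrol the rest in
    phishing-resistant MFA. An account appears once, under its first action."""
    plan = []
    for sam in findings["dormant"]:
        plan.append((sam, "disable and review for deletion"))
    for sam in findings["shared"]:
        if sam not in findings["dormant"]:
            plan.append((sam, "replace with named per-person admin accounts"))
    for sam in findings["weak_mfa"]:
        if sam not in findings["dormant"] and sam not in findings["shared"]:
            plan.append((sam, "enrol in phishing-resistant MFA"))
    return plan


if __name__ == "__main__":
    f, m = audit(parse_export())
    print(m)
    for sam, action in remediation_plan(f):
        print(f"{sam:12} {action}")
```

Run the same audit again at day 30 and day 90 on a fresh export; the difference in `phishing_resistant_pct`, `dormant` and `shared` is the quantitative change the plan demands. Note that push and SMS are counted as weak here on purpose: they satisfy "MFA enforced" at Level 2 of the maturity model above but not the phishing-resistant bar of Level 3.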

Days 31–60: Remote Access And Application Control 

  • Replace high-risk VPN access for administrators with application-level access 
  • Restrict vendor access to defined applications only 
  • Implement device posture checks for remote sessions 
  • Begin segmentation around finance and HR workloads 

Target outcome: Reduced exposed internal services and controlled third-party connectivity. 

Days 61–90: Segmentation And Continuous Verification 

  • Expand segmentation to additional critical workloads 
  • Integrate identity telemetry with SOC monitoring 
  • Conduct a controlled red-team simulation to test lateral movement 
  • Run an executive tabletop exercise focused on identity compromise 

Target outcome: Measurable reduction in lateral movement paths and validated enforcement under test conditions. 

At the end of 90 days, you should see a quantifiable reduction in exposed services, excessive privilege, and internal trust assumptions. 

The Outcome You Should Demand 

Within six months, you should be able to demonstrate: 

  • 100 percent phishing-resistant MFA for privileged roles 
  • Elimination of shared or dormant admin accounts 
  • Application-level access replacing high-risk VPN exposure 
  • Reduced lateral movement paths across critical assets 
  • Measured decline in excessive privilege through quarterly reviews 

Track these metrics: 

  • Percentage of privileged accounts protected by phishing-resistant MFA 
  • Number of shared admin accounts removed 
  • Number of internal services reachable by remote VPN users 
  • East-west traffic reduction across segmented workloads 

If you cannot show quantitative change, your Zero Trust programme lacks operational depth. 

Proactive Data Systems works with enterprises across Delhi NCR, Mumbai, Pune, Bengaluru, Hyderabad, and industrial clusters to design and implement Zero Trust architectures that integrate identity assurance, application-level access, segmentation, and SOC telemetry into one accountable model. 

As a Cisco Preferred Security Partner, Proactive aligns identity enforcement, secure access, and network segmentation with measurable risk reduction and regulatory readiness. 

We assess your current maturity, define a phased roadmap, deploy controls, and test them under simulation. 

If you want clarity on what must change now and what can wait, request a focused Zero Trust readiness assessment. Write to [email protected] today.

Frequently Asked Questions

  • No. Mid-sized enterprises with a remote workforce and SaaS exposure face equal risk.
  • No. Firewalls remain part of network control. Zero Trust reduces implicit trust inside the network.
  • A focused first phase covering privileged access and remote administration can begin within weeks. Broader rollout depends on scope and maturity.
  • ZTNA grants application-level access based on verified identity and device context. VPN grants network-level access once connected.
