Guide · Worldwide

Zero Trust Roadmap

A pragmatic path from perimeter-centric architecture to Zero Trust. Aligned to NIST SP 800-207, CISA Zero Trust Maturity Model 2.0, UK NCSC ZT principles, and the Australian ISM — structured so global organizations can sequence work across five pillars without rip-and-replace.

Maturity stages

Stage 1
Traditional

Perimeter-centric controls; broad implicit trust inside the network.

Stage 2
Initial

Foundational ZT investments started: SSO, MFA, MDM rolling out.

Stage 3
Advanced

Policy decision points coordinate across pillars; visibility is unified.

Stage 4
Optimal

Continuous, automated, context-aware enforcement across users, devices, and workloads.

Pillars and progression

Identity
  1. Federated SSO for all SaaS and infrastructure
  2. Phishing-resistant MFA for users and admins
  3. Risk-based conditional access; just-in-time elevation
  4. Continuous identity-threat detection; session-aware policy
Devices
  1. MDM / UEM enrolling 100% of corporate endpoints
  2. Compliance posture (patch, disk encryption, EDR) gates access
  3. Hardware-bound credentials; managed browser policy
  4. Continuous device-trust signals feed access decisions
Networks
  1. Segmentation between user, server, OT, and admin planes
  2. Internet-exposed admin access removed; ZTNA or bastion only
  3. Per-application access policy (no flat VPN tunnels)
  4. Microsegmentation in production; egress allow-listed
Applications & Workloads
  1. SaaS inventory and SSO-only access enforced
  2. Internal apps fronted by identity-aware proxy / ZTNA
  3. Service-to-service auth via workload identity (no static creds)
  4. Signed images, admission control, runtime protection in prod
Data
  1. Classification scheme defined and labels applied to top data stores
  2. Encryption at rest and in transit with customer-managed keys
  3. DLP / DSPM enforced for sensitive labels across endpoints, email, SaaS, cloud
  4. Data-centric access policy with per-record audit and revocation

First 180 days

  1. Days 0–30 · Inventory: identities, devices, applications, data stores, and current access paths.
  2. Days 0–30 · Pick a measurable target outcome (e.g., remove standing admin, retire VPN for SaaS, eliminate password-only auth).
  3. Days 30–60 · Roll out phishing-resistant MFA for all administrators; remove legacy authentication.
  4. Days 30–60 · Enforce device compliance gating on top 5 SaaS apps and admin consoles.
  5. Days 60–120 · Replace flat VPN with ZTNA or identity-aware proxy for two priority internal apps.
  6. Days 60–120 · Implement just-in-time admin elevation for cloud consoles; alarm on standing privilege.
  7. Days 120–180 · Classify top data stores; apply DLP / DSPM policy to the highest-risk label.
  8. Days 120–180 · Publish a ZT scorecard to leadership and set the next two-quarter targets.
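The Identity and Devices progression above and the days 30–120 steps (phishing-resistant MFA for admins, legacy auth removed, device compliance gating, just-in-time elevation with an alarm on standing privilege) all converge on one component: a policy decision point that evaluates each request against identity, device and context signals. The following is an added illustration, not Dephiant's tooling or any vendor's policy syntax; the signal names, app names and MFA method labels are constructed for the example.

```python
from dataclasses import dataclass

# Constructed policy constants for the example (not a product's rule language).
PHISHING_RESISTANT_MFA = {"fido2", "smartcard"}
ADMIN_CONSOLES = {"cloud-console", "idp-admin"}

@dataclass
class AccessRequest:
    user: str
    role: str                 # "admin" or "user"
    mfa_method: str           # "fido2", "smartcard", "totp", "password"
    device_managed: bool      # enrolled in MDM / UEM
    device_compliant: bool    # patched, disk encrypted, EDR healthy
    app: str
    elevation_approved: bool = False  # time-bound JIT elevation granted

def decide(req: AccessRequest) -> tuple[str, list[str]]:
    """Policy decision point: evaluate identity, device and context signals.
    Returns ("allow", reasons) or ("deny", reasons); every denial carries its
    reasons so the enforcement point can log and report them."""
    reasons = []
    is_admin = req.role == "admin" or req.app in ADMIN_CONSOLES
    # Identity gate: password-only auth is retired everywhere; admins need
    # phishing-resistant MFA, ordinary users may still use TOTP at this stage.
    if req.mfa_method == "password":
        reasons.append("password-only authentication is retired")
    elif is_admin and req.mfa_method not in PHISHING_RESISTANT_MFA:
        reasons.append("admin access requires phishing-resistant MFA")
    # Device gate: compliance posture gates access to every protected app.
    if not (req.device_managed and req.device_compliant):
        reasons.append("device is not managed and compliant")
    # Context gate: admin consoles require just-in-time elevation, never standing rights.
    if req.app in ADMIN_CONSOLES and not req.elevation_approved:
        reasons.append("admin console requires approved just-in-time elevation")
    return ("deny", reasons) if reasons else ("allow", ["all gates passed"])

def standing_privilege_alarms(assignments: list[dict]) -> list[str]:
    """Return users holding an admin role with no expiry (standing privilege)."""
    return [a["user"] for a in assignments
            if a["role"] == "admin" and a.get("expires_at") is None]

if __name__ == "__main__":
    # Constructed sample requests and role assignments.
    print(decide(AccessRequest("alice", "admin", "fido2", True, True, "cloud-console", True)))
    print(decide(AccessRequest("bob", "admin", "totp", True, True, "cloud-console")))
    print(standing_privilege_alarms([
        {"user": "alice", "role": "admin", "expires_at": "2025-01-01T00:00Z"},
        {"user": "bob", "role": "admin"},
        {"user": "carol", "role": "user"},
    ]))
```

The same structure extends to the later stages by adding signals (session risk, continuous device-trust score) as further gates rather than rewriting the decision logic.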

Building a Zero Trust program?

Dephiant designs and operationalizes Zero Trust for global organizations — sequencing investments so risk drops at each stage, not just at the end.