Zero-trust for mid-market: a 90-day plan that doesn't start with replacing your VPN
Every zero-trust pitch you've seen ends with 'and so you replace your VPN'. None of them admit that the VPN isn't the problem — implicit network trust is. Here's the order of operations that actually works.
The zero-trust story most mid-market security teams hear sounds like this: rip out the VPN, replace it with a zero-trust network access (ZTNA) product, switch on conditional access, and call it a transformation. That sequence has the advantage of being easy to sell. It has the disadvantage of being wrong about which problem is doing the harm.
The actual problem zero-trust is solving is implicit trust by network location. Being on the corporate LAN should not grant the right to talk to a database. Being on the VPN should not unlock SSH to production. The VPN is one symptom of network-trust thinking — it isn't the disease. Replacing one product without changing the underlying assumption is how organizations end up with a $200k ZTNA bill and the same lateral-movement exposure they had a quarter ago.
There's a 90-day plan that actually works, sequenced by which controls deliver the most risk reduction per week of engineering effort. We've run it with mid-market customers in healthcare, finance, and AI startups. Roughly half the value comes from the first 30 days.
Days 1–30: identity is the perimeter, even before the network is. Get every privileged action behind your identity provider. SSO is table stakes; the bigger lift is conditional access: device posture (managed, encrypted, patched), geography (logins from countries outside the ones your users normally sign in from), and behavioral signals (a never-seen IP at 3am after months of business-hours-only logins). Most identity providers ship these checks; what stops teams is migrating legacy auth (shared local accounts, service accounts with passwords in PowerShell scripts) onto identity-provider-backed authentication. That's the work. It's tedious. It's also where the largest fraction of breaches start.
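As an added example (not from this post or its authors) of the three conditional-access signals above evaluated in code: it builds a per-user baseline from constructed sign-in history, then applies an example policy that denies on failed device posture or an unknown country and requires step-up MFA for a new IP at an hour the user has never signed in at. The Login fields, the policy outcomes and the TEST-NET addresses are all assumptions, not any identity provider's API.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Login:
    user: str
    ts: datetime      # sign-in time, UTC
    ip: str
    country: str
    managed: bool     # enrolled in MDM
    encrypted: bool   # disk encryption reported on
    patched: bool     # OS at the required patch level

def build_profile(history):
    """Per-user baseline: known IPs, known countries, count of sign-ins per hour of day."""
    return {
        "ips": {e.ip for e in history},
        "countries": {e.country for e in history},
        "hours": Counter(e.ts.hour for e in history),
    }

def evaluate(event, profile):
    """Assumed example policy: posture/geography failure denies; new IP at a never-seen hour steps up."""
    reasons = []
    if not (event.managed and event.encrypted and event.patched):
        reasons.append("device-posture")
    if event.country not in profile["countries"]:
        reasons.append("new-country")
    if event.ip not in profile["ips"] and profile["hours"][event.ts.hour] == 0:
        reasons.append("new-ip-off-hours")
    if "device-posture" in reasons or "new-country" in reasons:
        return "deny", reasons
    return ("step-up" if reasons else "allow"), reasons

# Constructed history: 60 days of 09:00/13:00/17:00 UTC sign-ins from one
# office address (TEST-NET-3) in the US on a compliant device.
START = datetime(2024, 1, 1, 9, tzinfo=timezone.utc)
HISTORY = [Login("alice", START + timedelta(days=d, hours=h), "203.0.113.10", "US", True, True, True)
           for d in range(60) for h in (0, 4, 8)]
PROFILE = build_profile(HISTORY)

# Constructed probes, one per signal the plan calls out.
NORMAL = Login("alice", START + timedelta(days=61, hours=4), "203.0.113.10", "US", True, True, True)
THREE_AM_NEW_IP = Login("alice", START.replace(hour=3) + timedelta(days=61), "198.51.100.7", "US", True, True, True)
UNMANAGED = Login("alice", START + timedelta(days=61, hours=4), "203.0.113.10", "US", False, True, True)

if __name__ == "__main__":
    for probe in (NORMAL, THREE_AM_NEW_IP, UNMANAGED):
        print(probe.ts.isoformat(), probe.ip, evaluate(probe, PROFILE))
```

The baseline is deliberately built only from successful sign-ins, so a user whose history is purely business-hours will trip the behavioral rule on the first 3am login from an unfamiliar address, which is the pattern the plan describes.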
Days 31–60: assume breach, contain the blast radius. Microsegmentation, finally. Once identity is the perimeter, network position can become a defense-in-depth layer rather than the entire defense. The win here isn't building a perfect zero-trust network — it's making sure that when a service account gets phished or a VM gets compromised, the blast radius is one workload, not the data center. Per-workload network policies in your hypervisor, your container orchestrator, or your cloud — pick the layer where you have the most visibility and start there.
Days 61–90: kill standing access. The hardest cultural shift is convincing engineers that production access shouldn't be a permission you have but one you request: just-in-time, scoped to a single action, signed by your identity, time-bound, and recorded. The technology is solved (browser-mediated SSH, JIT cert issuance, approval workflows). The cultural part is the work. Audit logs from this layer give your security team and your auditor a complete record of every privileged action, which closes the longest gap in most mid-market SOC 2 audits.
What we explicitly don't recommend in 90 days: ripping out your VPN, replacing every legacy service that authenticates by IP, or migrating internal apps off shared credentials. Those are 6–12-month projects. Doing them on day one will burn out your team and stall the program before it shows real risk reduction.
The NIST SP 800-207 reference architecture is a good map for where this ends up: a policy decision point (your identity provider plus context), policy enforcement points at the access broker, the network segmentation layer, and the workload-identity verification layer. Mid-market teams don't need to implement it on day one. They need to implement the pieces in the order that retires the most risk per engineer-week — which is identity, then segmentation, then standing-access elimination, not the order most ZTNA vendors will sell you.
If you want the longer version with the architecture diagrams, the cutover playbooks, and the audit-evidence catalog, the Zero-Trust Architecture Whitepaper is available from our Trust Center under NDA. If you'd rather walk through your specific environment, the 30-minute zero-trust posture review with one of our senior engineers usually returns a phased plan within a week.