Zero trust explained: a practical guide for South African businesses
Why perimeter security is no longer enough
Traditional network security assumes that everything inside the corporate firewall can be trusted. Users on the office network get broad access to file shares, applications, and databases. A VPN extends that trust to remote workers. The firewall draws a clear line: inside is safe, outside is dangerous.
The problem is that modern threats do not respect that line. Phishing emails land inside the network every day. Compromised credentials grant attackers legitimate access through the front door. Cloud applications - Microsoft 365, Google Workspace, SaaS platforms - sit outside the firewall entirely. Remote and hybrid workers connect from home networks, coffee shops, and airports.
Once an attacker is inside a flat, trust-everyone network, lateral movement is trivially easy. A single compromised laptop can give access to file servers, databases, and admin consoles because the network assumes anything inside the perimeter belongs there.
South African businesses face the same threat landscape as their global counterparts, compounded by local factors: load shedding disrupts security monitoring, bandwidth constraints limit the viability of some cloud security tools, and a shortage of cybersecurity professionals makes it harder to staff internal security teams.
Zero trust flips the model: never trust, always verify. Every request - regardless of where it originates - must be authenticated, authorised, and continuously validated before access is granted.
Core principles of zero trust
Verify explicitly
Every access request is evaluated against multiple signals: user identity, device health, location, time of day, and the sensitivity of the resource being accessed. No single factor grants blanket trust. A user logging in from a known corporate device during business hours might get seamless access. The same user logging in from an unknown device in another country at 2 a.m. should trigger additional verification or be blocked entirely.
Least-privilege access
Users and applications receive only the minimum permissions they need to do their job, and only for as long as they need them. A finance analyst should not have admin rights on the domain controller. A contractor should not have access to source code repositories. Privileges should be scoped, time-bound where possible, and regularly reviewed.
This principle extends to applications and services too. A web application should only be able to query the specific database tables it needs, not the entire database server.
Assume breach
Design your architecture as if an attacker is already inside. This mindset changes how you build and operate systems:
- Segment your network so that a compromise in one zone cannot easily spread to another.
- Encrypt data in transit and at rest, even on internal networks.
- Monitor continuously for anomalous behaviour - unusual login patterns, unexpected data transfers, privilege escalation attempts.
- Automate response so that when indicators of compromise are detected, containment happens in seconds, not hours.
What zero trust looks like in practice
Zero trust is a strategy, not a product you can buy and install. It is implemented through a combination of technologies, policies, and practices layered across your environment. Here is what a mature zero trust architecture typically includes:
| Layer | Zero trust control | Example |
|---|---|---|
| Identity | MFA, conditional access, passwordless | Azure AD conditional access policies |
| Device | Device compliance, health attestation | Intune or similar MDM enforcement |
| Network | Micro-segmentation, encrypted tunnels | VLANs, software-defined perimeters |
| Application | Per-app access policies, API gateways | Reverse proxy with authentication |
| Data | Classification, DLP, encryption | Sensitivity labels, rights management |
| Monitoring | SIEM, EDR, behavioural analytics | Continuous detection and response |
You do not need all of these on day one. The key is to start with the highest-impact controls and build incrementally.
Practical steps to get started
Step 1: Enable multi-factor authentication everywhere
This single step blocks the vast majority of credential-based attacks. Microsoft reports that MFA prevents over 99 per cent of account compromise attacks. If your organisation uses Microsoft 365 or Google Workspace, MFA is built in - you just need to enforce it.
Start with administrative accounts, then roll out to all users. Prefer authenticator apps or hardware tokens over SMS-based codes, which are vulnerable to SIM-swapping attacks.
Step 2: Implement identity and access management
Centralise user provisioning, enforce role-based access control (RBAC), and automate de-provisioning when staff leave or change roles. An IAM platform removes the guesswork from who has access to what and ensures that former employees do not retain access to systems.
Conditional access policies add context-aware controls: allow access from compliant devices only, require MFA for high-risk sign-ins, and block access from suspicious locations.
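The signal-based evaluation described under "Verify explicitly" and the conditional access rules in Step 2 (compliant devices only, MFA for high-risk sign-ins, block suspicious locations), as an added example that is not the page's or any vendor's code: a small Python policy evaluator. The country codes, risk weights, thresholds and the blocked-location placeholder "XX" are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Decision outcomes a conditional-access engine can return.
ALLOW, REQUIRE_MFA, BLOCK = "allow", "require_mfa", "block"

# Assumed tenant policy values (constructed for this example).
HOME_COUNTRIES = {"ZA"}
BLOCKED_COUNTRIES = {"XX"}          # placeholder for a blocked location
BUSINESS_HOURS = range(7, 19)       # 07:00-18:59 local time
MFA_THRESHOLD, BLOCK_THRESHOLD = 2, 5

@dataclass
class SignIn:
    user: str
    device_compliant: bool   # passes MDM compliance checks
    device_known: bool       # registered to the tenant
    country: str             # country code derived from the source IP
    hour: int                # local hour of the sign-in, 0-23
    sensitivity: str         # "low", "medium" or "high"
    mfa_completed: bool = False

def risk_score(s):
    """Sum the risk signals the article lists; higher is riskier."""
    score = 0
    score += 2 if not s.device_known else 0
    score += 2 if s.country not in HOME_COUNTRIES else 0
    score += 1 if s.hour not in BUSINESS_HOURS else 0
    score += 1 if s.sensitivity == "high" else 0
    return score

def evaluate(s):
    """Return (decision, reason): hard rules first, then the risk score."""
    if s.country in BLOCKED_COUNTRIES:
        return BLOCK, "sign-in from a blocked location"
    if not s.device_compliant:
        return BLOCK, "device does not meet compliance policy"
    score = risk_score(s)
    if score >= BLOCK_THRESHOLD:
        return BLOCK, f"risk {score} too high even with MFA"
    if score >= MFA_THRESHOLD and not s.mfa_completed:
        return REQUIRE_MFA, f"risk {score} requires step-up authentication"
    return ALLOW, f"risk {score} within policy"

if __name__ == "__main__":
    office = SignIn("thandi", True, True, "ZA", 10, "medium")
    abroad = SignIn("thandi", True, False, "GB", 2, "medium")
    print(evaluate(office))   # ('allow', 'risk 0 within policy')
    print(evaluate(abroad))   # ('block', 'risk 5 too high even with MFA')
```

The two sample sign-ins mirror the article's scenario: a known corporate device during business hours passes silently, while an unknown device in another country at 2 a.m. is blocked outright.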
Step 3: Segment your network
Separate critical systems - servers, databases, backup infrastructure - from general user traffic. Place IoT devices, printers, and guest Wi-Fi on isolated network segments. Micro-segmentation limits the blast radius if a single device is compromised.
This does not require replacing your entire network. Start by creating VLANs for different trust levels and applying firewall rules between them. More advanced approaches use software-defined networking for granular, policy-based segmentation.
Step 4: Monitor continuously
Deploy endpoint detection and response (EDR) tools across all devices and establish a security operations capability that watches for indicators of compromise around the clock. Feed logs from identity systems, firewalls, endpoints, and cloud platforms into a central SIEM for correlation and analysis.
Automated playbooks can handle common scenarios - isolating a compromised device, resetting a flagged account, blocking a known malicious IP - without waiting for a human analyst.
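The "unusual login patterns" that continuous monitoring should surface, as an added example that is not the page's or any SIEM vendor's code: a Python detector run over a constructed sign-in log. It flags a user who succeeds from two countries within an hour and a success that follows a burst of failures; the log format, the one-hour window and the five-failure threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data): timestamp, user, country, result.
SAMPLE_LOG = """
2024-05-06T08:02:11Z user=thandi country=ZA result=success
2024-05-06T08:40:55Z user=thandi country=BR result=success
2024-05-06T09:00:01Z user=sipho country=ZA result=failure
2024-05-06T09:00:04Z user=sipho country=ZA result=failure
2024-05-06T09:00:07Z user=sipho country=ZA result=failure
2024-05-06T09:00:10Z user=sipho country=ZA result=failure
2024-05-06T09:00:13Z user=sipho country=ZA result=failure
2024-05-06T09:00:20Z user=sipho country=ZA result=success
2024-05-06T10:15:00Z user=lerato country=ZA result=success
"""

TRAVEL_WINDOW = timedelta(hours=1)   # assumed: two countries inside this window is suspicious
FAILURE_THRESHOLD = 5                # assumed: this many failures before a success is suspicious

def parse(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect(log_text):
    """Return (alert_type, user) tuples in the order they are observed."""
    alerts = []
    last_success = {}               # user -> (ts, country) of the last successful sign-in
    failures = defaultdict(int)     # user -> consecutive failures since the last success
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        r = parse(line)
        user = r["user"]
        if r["result"] == "failure":
            failures[user] += 1
            continue
        # A success that ends a run of failures looks like password guessing.
        if failures[user] >= FAILURE_THRESHOLD:
            alerts.append(("success_after_repeated_failures", user))
        failures[user] = 0
        prev = last_success.get(user)
        if prev and prev[1] != r["country"] and r["ts"] - prev[0] <= TRAVEL_WINDOW:
            alerts.append(("impossible_travel", user))
        last_success[user] = (r["ts"], r["country"])
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)   # ('impossible_travel', 'thandi') then ('success_after_repeated_failures', 'sipho')
```

In a real deployment these alerts would feed the automated playbooks above (for example, forcing a credential reset on the flagged account) rather than only being printed.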
Step 5: Classify and protect your data
Not all data requires the same level of protection. Classify sensitive information - customer data, financial records, intellectual property, employee personal information - and apply stricter controls accordingly. Encryption, data loss prevention (DLP) rules, and access restrictions should scale with sensitivity.
For South African businesses, data classification also supports POPIA compliance by ensuring that personal information receives the “appropriate technical measures” the act requires.
Zero trust and compliance
For businesses subject to POPIA, zero trust principles align naturally with the act’s requirements. POPIA mandates that organisations implement appropriate technical and organisational measures to protect personal information. Zero trust delivers this through:
- Access control - only authorised personnel can access personal data.
- Audit trails - every access is logged and attributable.
- Breach containment - segmentation and monitoring limit the scope and impact of any compromise.
- Data minimisation - least-privilege access ensures data is only available to those who need it.
Organisations pursuing ISO 27001 or other governance frameworks will also find that zero trust maps well to Annex A controls covering access management, cryptography, operations security, and communications security.
Common misconceptions
“Zero trust means no one is trusted.” Not quite. It means trust is earned per-request based on verifiable evidence, rather than assumed by network location. A fully verified user on a compliant device accessing a resource within their role still gets seamless access.
“It is only for large enterprises.” The principles scale down. A 30-person business benefits from MFA, IAM, and network segmentation just as much as a 3,000-person organisation. The tools are more accessible than ever, with many available as cloud services at reasonable per-user costs.
“It requires replacing everything.” Zero trust is a strategy, not a rip-and-replace project. You layer it on top of existing infrastructure incrementally, starting with the controls that deliver the most risk reduction for the least effort.
“It is just about technology.” Technology is only one part. Zero trust also requires policy changes (access reviews, least-privilege enforcement), process changes (automated provisioning, incident response), and cultural changes (security awareness, shared responsibility).
Building a zero trust roadmap
A realistic roadmap for a mid-sized South African business might look like this:
- Month 1-2: Enforce MFA across all accounts. Audit existing access permissions and remove excessive privileges.
- Month 3-4: Deploy IAM with conditional access policies. Implement device compliance requirements.
- Month 5-6: Begin network segmentation. Isolate critical systems and IoT devices.
- Month 7-9: Deploy EDR across all endpoints. Establish continuous monitoring and alerting.
- Month 10-12: Implement data classification and DLP. Conduct a security posture review and refine policies.
This is not a one-time project. Zero trust is an ongoing discipline that evolves as your business, technology, and threat landscape change.
Where to start
The best starting point is an honest assessment of your current posture. ITHQ offers cybersecurity assessments that identify gaps, prioritise remediation, and map a practical path to zero trust. From there, we help implement identity management, network segmentation, and ongoing security monitoring - all aligned to zero trust principles.
Contact us to discuss a zero trust roadmap for your business.