
Zero Trust without the drama

  • By Duxbury Networking
  • October 21, 2025

Martin May, Business Development: Networking at Duxbury Networking

Zero Trust is often misinterpreted as a product that can be purchased on a Friday and activated by Monday. It isn’t. It’s a way of running your network that assumes nothing, verifies everything, and minimises the damage that one compromised account or device can cause. For South African teams juggling cloud apps, branch sites, contractors, and a mix of fibre/LTE links, it’s also the most practical way to cut risk without slowing the business down.

What actually changes

Zero Trust doesn’t mean “trust nobody.” It means trust is earned on a per-request basis. Identity, device posture, location, time, and the sensitivity of the resource all play a role. Access is scoped to the application, not the whole network, and it’s re-evaluated as conditions change.

In practice, this means the finance contractor in Cape Town doesn’t need layer-3 access to your entire HQ LAN; they need a secure, time-boxed session to your ERP. The warehouse scanner should only be able to communicate with the WMS and update services. A user logging in at 23:30 from an unmanaged laptop? They get stepped-up authentication or no access at all. That’s Zero Trust in action.
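The per-request evaluation described above, as an added example that is not code from the article or from any vendor: a small policy function that scopes access to an application rather than a network, checks device posture and time of day, and returns allow, step-up or deny together with a session length. The role names, application names, business-hours window and session lengths are constructed values chosen for illustration.

```python
from dataclasses import dataclass

# Constructed, illustrative policy model (not a real product's policy language).
# Decisions: ALLOW, STEP_UP (stronger authentication required first), DENY.

@dataclass
class Request:
    identity: str           # user or device principal from the IdP
    roles: set              # group/role claims from the IdP
    app: str                # target application; there is no rule for "a subnet"
    device_managed: bool    # UEM/MDM reports the device enrolled and in good standing
    device_encrypted: bool  # disk-encryption posture signal
    hour: int               # local hour of the request, 0-23
    mfa_done: bool          # a second factor was already presented this session

BUSINESS_HOURS = range(7, 19)   # constructed window: 07:00 to 18:59

# Per-application rules: who may ask, how long a session lasts, and whether the
# application is sensitive enough that off-hours access needs extra scrutiny.
POLICY = {
    "erp":            {"roles": {"finance", "finance-contractor"}, "session_min": 60,  "hours_only": True},
    "wms":            {"roles": {"warehouse-scanner"},             "session_min": 480, "hours_only": False},
    "update-service": {"roles": {"warehouse-scanner"},             "session_min": 30,  "hours_only": False},
}

def evaluate(req: Request) -> tuple:
    """Return (decision, session_minutes) for one access request."""
    rule = POLICY.get(req.app)
    if rule is None or not (req.roles & rule["roles"]):
        return ("DENY", 0)                     # default deny: unknown app or no matching role
    posture_ok = req.device_managed and req.device_encrypted
    off_hours = rule["hours_only"] and req.hour not in BUSINESS_HOURS
    if not posture_ok and off_hours:
        return ("DENY", 0)                     # unmanaged device, off hours, sensitive app: no access
    if (not posture_ok or off_hours) and not req.mfa_done:
        return ("STEP_UP", 0)                  # risky context: demand stronger authentication first
    # Time-boxed sessions; unmanaged devices get a much shorter one even after step-up.
    session = rule["session_min"] if posture_ok else min(rule["session_min"], 15)
    return ("ALLOW", session)
```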

The building blocks

You’ll need a few pieces working together:

  • Identity at the centre: A modern IdP with MFA and clear group/role definitions.
  • Device posture: UEM/MDM signals (OS version, disk encryption, jailbreak/root checks) to decide if a device is in good standing.
  • ZTNA instead of broad VPN: Per-app access delivered from nearby enforcement points, not a single concentrator that sprays implicit trust.
  • Segmentation on the wire: Macro/micro-segmentation on LAN/Wi-Fi, so lateral movement is hard even inside a site.
  • Inspection and DNS controls: Sensible egress filtering and URL/DNS security for what leaves your environment.
  • Telemetry: Rich logs to your XDR/MDR so you can detect and respond when something slips through.

SASE platforms knit these pieces together and put enforcement close to users and apps. Vendors like HPE Aruba Networking combine EdgeConnect SD-WAN with security service edge capabilities to enforce policy consistently across branches and remote users. At the same time, ZTNA handles the “who, what, from where, and how” on a per-session basis.

Start small, aim true

A sound way to run a Zero Trust programme is to select two or three high-risk, high-value applications, such as finance, identity administration, and remote support tools, and move them behind ZTNA first. Map the users, devices, and flows; write the policy in plain language; then implement and monitor. Retire one VPN group as you go. Rinse, repeat.

Do the same on the LAN. Carve a small branch into user, guest, and device segments with clear east-west rules. Label what can talk to what, and why. When something breaks, fix the rule or the requirement.

Pitfalls to avoid

  • Lifting and shifting VPN thinking: If everyone still gets broad network access, you’ve changed the technology, not the model.
  • Too many exceptions: Every “temporary” bypass is a permanent hole unless you track and retire it.
  • Ignoring legacy and OT: Old systems still need controls; use gateways, proxies, or segmentation to contain them.
  • No business owner: If the app owner can’t tell you who needs access and why, you’ll end up guessing and over-permitting.

How to know it’s working

Dashboards are nice, but secure habits are better. Track things you can defend in a risk review:

  • Standing privileges are going down; time-boxed access is going up.
  • Mean time to revoke access for a leaver is measured in minutes, not days.
  • Lateral-movement tests fail more often than they succeed.
  • A rising percentage of remote access runs through ZTNA, not full-tunnel VPN.
  • Policy exceptions have owners and expire automatically.
  • MFA coverage is universal for admins and broad for users (and you’re moving key roles to phish-resistant factors).

A South African reality check

We work with variable links, distant branches, and small teams. That’s precisely where Zero Trust helps. ZTNA PoPs close to users cut the “trombone” effect to SaaS. Segmentation limits the blast radius when a site gets hit. An identity-first policy keeps contractors and third parties accountable.

Zero Trust isn’t a switch. It’s a set of decisions you make every week until “least privilege by default” is just how your network behaves. Done right, it won’t feel dramatic. It will feel calm, predictable, and (when something does go wrong) containable. That’s progress.