Zero Trust for Internal Services: A Practical Implementation
Zero trust is sold as a posture and shipped as a product. The implementation is mechanical when you have the four components.
What zero trust actually means
Zero trust: every access decision is authenticated, authorised, and logged at the moment of access. No implicit trust based on network location.
The shift is from ‘inside the firewall = trusted’ to ‘every request proves itself.’
Four components
- Identity provider (Okta, Azure AD, Google).
- Device posture check (managed device, OS patched, disk encrypted).
- Access proxy (Cloudflare Access, BeyondCorp, Tailscale, Pomerium).
- Policy engine (per-app rules; user attributes; contextual signals).
Migrating from VPN-trust
Phase 1: identity proxy in front of internal apps; require SSO. Phase 2: device posture as additional check. Phase 3: per-app policies replace network ACLs.
12-18 month migration is realistic. Faster only if you have one engineer dedicated.
Year-one realistic scope
Year one: 5-10 critical internal apps behind the access proxy with SSO + device check.
Avoid: trying to migrate everything at once; the friction kills the program politically.
Antipatterns
- Zero trust as “just turn on MFA.” MFA is one piece.
- VPN + zero trust in parallel forever. Pick one; deprecate the other.
- Zero trust without device posture. Misses half the threat model.
What to do this week
Three moves. (1) Pick one production system to apply this pattern to first. (2) Measure the security signal before/after. (3) Document the gap and write a follow-up ticket so the program stays alive between quarterly reviews.