Zero Trust in Practice — Lessons from 12 Migrations
What we learned moving a dozen mid-market companies from perimeter security to zero-trust architectures.
The premise
"Never trust, always verify" is easy to say and surprisingly hard to do. Over the past 18 months we migrated 12 clients off legacy VPNs and perimeter firewalls onto zero-trust stacks. Here's what worked — and what didn't.
What worked
Identity is the new perimeter
Every one of the 12 migrations started by consolidating identity. One IdP, one source of truth, one auth flow per app. Once that was in place, everything else fell out naturally.
Device posture, not network location
We stopped caring where a device was connecting from and started caring what it looked like: patched OS, disk encrypted, EDR running, in-policy.
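As an added illustration of the posture check described above (example code written for this page, not from the post or any client's stack), a small Python policy evaluator that tests the four attributes listed and also rejects stale or clock-skewed reports, which is the failure mode that bites once you trust device claims instead of network location; the report fields and build thresholds are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class PostureReport:
    """Posture claims as a device agent might submit them.
    Field names are assumptions for this example, not any vendor's schema."""
    device_id: str
    os_name: str
    os_build: int          # increasing build number for the OS
    disk_encrypted: bool
    edr_running: bool
    reported_at: datetime  # when the agent collected the claims (UTC)

# Policy thresholds (constructed values, not real build numbers).
MIN_OS_BUILD = {"macos": 23600, "windows": 22631}
MAX_REPORT_AGE = timedelta(minutes=15)

def evaluate_posture(report: PostureReport, now: datetime) -> tuple[bool, list[str]]:
    """Return (allow, reasons). Every failed check is listed so the helpdesk can
    tell the user what to fix instead of a bare 'access denied'."""
    reasons = []
    age = now - report.reported_at
    # A stale or future-dated report is unknown posture, and unknown means deny.
    if age > MAX_REPORT_AGE or age < timedelta(0):
        reasons.append("posture report stale or clock skewed")
    min_build = MIN_OS_BUILD.get(report.os_name)
    if min_build is None:
        reasons.append(f"unsupported OS: {report.os_name}")
    elif report.os_build < min_build:
        reasons.append(f"OS build {report.os_build} below minimum {min_build}")
    if not report.disk_encrypted:
        reasons.append("disk not encrypted")
    if not report.edr_running:
        reasons.append("EDR not running")
    return (not reasons, reasons)

# Constructed sample reports, evaluated at a fixed instant so results are stable.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
COMPLIANT = PostureReport("lt-001", "macos", 23605, True, True, NOW - timedelta(minutes=2))
UNPATCHED = PostureReport("lt-002", "windows", 22000, True, False, NOW - timedelta(minutes=2))
STALE = PostureReport("lt-003", "macos", 23605, True, True, NOW - timedelta(hours=3))

if __name__ == "__main__":
    for r in (COMPLIANT, UNPATCHED, STALE):
        allow, why = evaluate_posture(r, NOW)
        print(r.device_id, "ALLOW" if allow else "DENY", why)
```

In a real deployment the report would be signed by the agent and tied to the device identity from the IdP; this example only shows the policy decision and its reasons.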
Phased rollout
The teams that succeeded fastest were the ones who picked a single low-stakes app (often an internal wiki) and got the full flow working end-to-end before touching anything else.
What didn't work
- Big-bang migrations. Every attempt to flip a hundred apps over a weekend ended in tears and rollback.
- Skipping the legacy app inventory. You can't protect what you don't know exists.
- Underestimating the helpdesk hit. Plan for a 2-3x ticket spike during cutover.
The takeaway
Zero trust isn't a product you buy. It's an operating model you adopt, app by app, device by device. Budget time for the change management — it's the long pole.