
Zero Trust Transformation: Where do I actually start?
Migrating to Zero Trust feels like climbing a mountain – but with the right approach, it's manageable. We'll show you how to proceed systematically: understand your current architecture, take it step by step, initially retain old security controls, and focus on identities. The most important trick? Don't try to do everything at once.

Okay, let's be honest... if you're currently wondering "Zero Trust – great, but where the hell do I start?", then you're in very good company.
At ODCUS, we've seen this situation with dozens of clients. The decision for Zero Trust has been made, management is convinced, the budget is there. And then... yes, then you stand there, looking at your organically grown IT landscape. With that ancient CRM system that no one really understands anymore. With the applications that have "always worked like this." With the VPN that everyone believes means security.
And suddenly, Zero Trust feels less like a modern architecture and more like a massive mountain you're supposed to climb.
The Uncomfortable Truth About Zero Trust Migrations
Here's the thing that many consultants don't tell you right away: A Zero Trust migration is not a sprint. It's a marathon. A pretty long one, too.
We've learned – sometimes the hard way – that implementing Zero Trust into an existing network, no matter how old or how many legacy services you have, requires a phased approach. With many iterations. With setbacks. With adjustments.
Doesn't sound sexy? True. But it's realistic. And honestly... we value realism more than marketing promises.
Why You Can't Just Flip a Switch to Zero Trust
Let's briefly talk about something we keep seeing (and that gives us a few more gray hairs every time): Companies turning off their traditional security controls too early.
We once had a client – let's call them Company X – who was so convinced of Zero Trust that they wanted to shut down the VPN on Friday and start with the new architecture on Monday. Spoiler: We stopped them.
Imagine you're on a tightrope. Would you remove the safety net before the new one is set up? Exactly.
Our basic rule: Never deactivate traditional security controls before you have implemented AND thoroughly tested your Zero Trust controls. Otherwise, your systems are literally exposed – and the risk is substantial.
Need an example? Don't remove your VPN until you're absolutely sure that your new Zero Trust architecture covers all the threats the VPN previously handled. Test it. Then test it again. And perhaps a third time.
The Starting Point: Really Understand Your Architecture
Okay, now it gets practical. The first step – and this is not just lip service – is: Understand your current architecture. Truly understand it.
We mean:
Where are your key resources?
Where are the main risks?
What legacy services do you have that Zero Trust might not support?
Who accesses what from where?
What data flows are business-critical?
That sounds simple, but... we've seen organizations that invested three months in planning, only to find that a critical system from the 90s simply won't cooperate. Those three months could have been better spent.
That's why at ODCUS, we always start with a Discovery Workshop. Two intensive days where we map out the landscape with the client. Not perfect – that would be unrealistic – but good enough to make informed decisions.
The Principles That Guide Us
Over the years, we've developed a framework at ODCUS that helps our clients navigate complexity. These principles don't automatically guarantee a secure architecture (wouldn't that be nice?), but they help focus your efforts.
1. Transparency About Your Environment
Before you change anything, you need to understand what you have. Users, devices, applications, data flows. This is the foundation for everything else. We often use automated discovery tools for this, but also good old interviews with the teams who know the systems.
2. Strong Identity Foundations
Every access is based on a verifiable identity – whether it's human, machine, or service. This is probably THE most time-consuming part of the entire migration. Plan for at least 6-9 months if you have a complex environment.
3. Continuous Trust Validation
Trust is not granted once and then forgotten. It is continuously verified based on context, behavior, and risk profile. That means: Your monitoring needs to be really good.
4. Risk-Based Access Decisions
Not every service is equally critical. Not every access carries the same risk. Your policies should reflect this. A financial controller opening Excel from a managed device in the office? Low risk. The same controller accessing the finance database at night from an unknown device? Higher risk, different policies.
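The controller scenario above, together with the re-evaluation that the continuous trust validation principle calls for, as an added Python illustration (this is example code, not ODCUS's own tooling). The role entitlement table, the risk weights, the business-hours window and the thresholds that map a score to allow, step-up MFA or deny are assumptions made for the example; a real deployment tunes them to its own risk appetite.

```python
"""Risk-based access decisions re-evaluated on every request.

Added example, not ODCUS code. Entitlements, weights, business hours and
thresholds below are assumptions chosen to illustrate the principle.
"""
from dataclasses import dataclass, asdict
from enum import Enum
from typing import Dict, List, Set


class Action(Enum):
    ALLOW = "allow"
    STEP_UP_MFA = "step_up_mfa"
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    resource_sensitivity: str  # "low" or "high" (assumed data classification)
    device_managed: bool       # enrolled in device management
    device_known: bool         # seen before for this user
    network: str               # "office" or "remote"
    hour: int                  # local hour of day, 0-23


# Assumed entitlement table: which roles may reach which resources at all.
ENTITLEMENTS: Dict[str, Set[str]] = {
    "controller": {"excel", "finance_db"},
    "sales": {"crm", "excel"},
}

# Assumed risk weights per contextual signal.
WEIGHTS = {
    "sensitive_resource": 3,
    "unmanaged_device": 3,
    "unknown_device": 2,
    "off_network": 1,
    "off_hours": 2,
}
BUSINESS_HOURS = range(7, 20)  # assumed 07:00-19:59


def risk_signals(req: AccessRequest) -> List[str]:
    """Name the risk signals present in the request context."""
    signals = []
    if req.resource_sensitivity == "high":
        signals.append("sensitive_resource")
    if not req.device_managed:
        signals.append("unmanaged_device")
    if not req.device_known:
        signals.append("unknown_device")
    if req.network != "office":
        signals.append("off_network")
    if req.hour not in BUSINESS_HOURS:
        signals.append("off_hours")
    return signals


def risk_score(req: AccessRequest) -> int:
    return sum(WEIGHTS[s] for s in risk_signals(req))


def decide(req: AccessRequest) -> Action:
    """Entitlement first, then a context-dependent risk decision."""
    if req.resource not in ENTITLEMENTS.get(req.role, set()):
        return Action.DENY  # no entitlement: context cannot help
    score = risk_score(req)
    if score >= 8:          # assumed thresholds
        return Action.DENY
    if score >= 3:
        return Action.STEP_UP_MFA
    return Action.ALLOW


def evaluate(req: AccessRequest, audit_log: List[dict]) -> Action:
    """Decide and emit a structured event for the SIEM. Called on the first
    request and again whenever the context changes, so trust is rebuilt from
    the current context instead of carried over from an earlier decision."""
    action = decide(req)
    audit_log.append({
        **asdict(req),
        "signals": risk_signals(req),
        "score": risk_score(req),
        "action": action.value,
    })
    return action


def demo() -> List[dict]:
    """Constructed scenarios: the same controller in three different contexts."""
    log: List[dict] = []
    office = AccessRequest("anna", "controller", "excel", "low", True, True, "office", 10)
    night_known = AccessRequest("anna", "controller", "finance_db", "high", True, True, "remote", 23)
    night_unknown = AccessRequest("anna", "controller", "finance_db", "high", False, False, "remote", 23)
    for req in (office, night_known, night_unknown):
        evaluate(req, log)
    return log


if __name__ == "__main__":
    for entry in demo():
        print(entry["resource"], entry["score"], entry["signals"], entry["action"])
```

The same identity ends up with three different outcomes purely because of device state, network and time, which is the point of the principle: the policy decides on the request's context, not on who is asking alone, and every decision leaves a record that monitoring can act on.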
5. Granular Access Segmentation
Micro-segmentation is your friend. An attacker should not be able to sweep through your entire network from one compromised system. That means: Make lateral movement as hard as possible.
6. Encryption by Default
Data in transit and at rest. No exceptions. Yes, this has performance implications. Yes, modern hardware handles this well.
7. Assumption of Compromise
Assume that somewhere in your environment a compromise already exists or could exist. Your architecture has to be able to handle it. This is the mindset shift that many find hardest.
8. Automation and Orchestration
Manual processes don't scale and are prone to errors. The more you can automate – from policy enforcement to incident response – the better.
The Issue with Identity (and Why It Takes Time)
Let's talk about identity... because honestly, this is often the sticking point.
Establishing a strong identity for both users AND devices, and rolling out modern authentication across your entire organization, is time-consuming. Really time-consuming.
We're not talking weeks here. More like months. Sometimes longer, depending on how complex your environment is and how heterogeneous your system landscape.
A practical example: We had a client in the financial sector with about 3,000 employees. The migration to a modern identity platform with multi-factor authentication for all systems took us 14 months. And that was with a dedicated team and management support.
But – and this is important – without solid identities, Zero Trust simply doesn't work. In a Zero Trust architecture, you remove the inherent trust from the network. You need to build this trust elsewhere: in the user's identity, in the device's health, in the services being accessed.
No shortcuts here. Sorry.
The Pragmatic Approach: Mixed Estate
Here's a reality you need to accept (and that's okay): You probably won't be able to fully implement all principles immediately.
Maybe you have legacy systems that simply don't support Zero Trust features. That AS/400 that has been running your warehouse management since 1997? It's not suddenly going to support modern authentication.
Maybe the technology you're using isn't mature enough yet. Or the budget doesn't cover everything at once.
At ODCUS we say: Be pragmatic in your solutions.
You may need to run traditional security controls in parallel for a while. And you know what? That's perfectly fine. A Mixed Estate – a mixed environment with traditional and Zero Trust elements – is often the reality during the transition.
We call this internally the "80/20 rule": If you operate 80% of your environment according to Zero Trust principles, you're doing a great job. The remaining 20% can remain legacy as long as you isolate and monitor them accordingly.
The Iterative Approach: Step by Step
We always recommend an iterative approach to our clients. Specifically, this means:
Phase 1: Laying the Foundation
Start with identity infrastructure. This is your base for everything else. Simultaneously: Create visibility. You can't protect what you can't see.
Phase 2: Identify Pilot Services
Select services that are relatively easy to migrate and where the risk is manageable. Initial successes motivate. We often use internal tools or non-critical web applications as starting points.
Phase 3: Learn and Adapt
Every phase is a learning phase. What works? What doesn't? Where are the stumbling blocks? Which assumptions were wrong? In one of our last projects, we adjusted the entire timeline after the pilot because we underestimated how complex the integration with a particular ERP system was.
Phase 4: Scale
Now that you have experience and your playbook is developed, you can tackle more complex services. This also goes faster now because you've learned from the mistakes of the early phases.
Phase 5: Continuous Optimization
Zero Trust is not a project with a fixed end date. It's a continuous process. New threats emerge, new technologies become available, your business evolves. Your Zero Trust architecture has to grow with it.
What This Means for Your Organization
Let's talk about the practical implications...
Your Time: A complete Zero Trust migration can take years. Yes, years. For a medium-sized company with 50-100 applications, we realistically plan for 18-36 months. Plan accordingly and communicate realistic timelines. Nothing is more frustrating than unrealistic expectations.
Your Money: The costs spread over a longer period, which is often easier to manage budget-wise. But don't underestimate the costs for training, new tools, and possibly external support. As a rule of thumb: Calculate 20-30% in addition to the pure tool costs for implementation and change management.
Your Risks: The risk during the transition is real. Hence the parallel operation of old security measures. You massively reduce your risk in the long term, but in the short term, you have to be very careful. We have a dedicated risk assessment for each migration step – boring but necessary.
Your Status: Let's be honest – Zero Trust is currently a buzzword that is well-received by management and stakeholders. Use this to gain buy-in and budget. But be honest about the timelines and effort. Over-promising and under-delivering is the quickest way to lose trust.
The Most Common Mistakes (and How to Avoid Them)
Based on our experience at ODCUS, there are a few classic pitfalls:
Mistake 1: Starting Too Ambitiously
A client once wanted to simultaneously migrate the main ERP system, the HR platform, and the CRM. It took us three weeks to convince them that this wasn't a good idea. You don't want to migrate three critical systems at the same time. Trust us.
Mistake 2: Ignoring Legacy Systems
They won't disappear on their own. Explicitly plan how you will handle them. Sometimes the answer is: "We'll leave the system as it is until we can replace it." That's okay as long as you consciously decide and secure it accordingly.
Mistake 3: Neglecting Monitoring
Without good monitoring, you won't notice when something goes wrong. And in Zero Trust, you MUST continuously monitor. Invest here early. A SIEM is not optional, it's essential.
Mistake 4: Shutting Down Too Early
We've said it before, but it's SO important: Don't turn off old controls too early. We had a case where a client shut down the old system against our advice... and we had to do an emergency rollback. It wasn't a pleasant Friday.
Mistake 5: Forgetting Training
Your users and IT team need to understand what changes and why. Otherwise, there's resistance. And shadow IT. And creative workarounds that bypass your beautiful security architecture. Change management is not optional.
Mistake 6: Underestimating Performance Implications
Yes, Zero Trust can have performance implications. Additional authentication steps, encryption, policy checks. Test this early and under realistic load. Nothing kills a project faster than users complaining that "everything has slowed down."
The Way Forward
So... where do you start?
If we were to break this down into a simple action plan:
Conduct a thorough inventory of your current environment. Invest time here, it pays off later.
Identify Quick Wins – services that are relatively easy to migrate. This creates momentum and shows management that things are moving.
Build your identity infrastructure (this takes time, so start early). Modern identity provider, MFA for all, device registration.
Pilot with a non-critical service. Learn what works and what doesn't. Adjust your playbook.
Develop a governance model. Who decides what? How are policies defined and adjusted? It sounds bureaucratic, but without it, there will be chaos.
Learn, optimize, scale. In that order.
And most importantly: Always keep your principles in mind. They're like a compass that guides you, even when the path is sometimes unclear.
The Conclusion
Zero Trust migration is not a sprint; it's a marathon. That may sound daunting... but see it this way: You don't have to be perfect tomorrow. You just have to be one step better today than you were yesterday.
The network architecture is fundamentally changing. At ODCUS, we see it every day: More services are moving to the cloud, SaaS continues to grow, flexible work models are here to stay. Employees work from home, from a café, from a beach in Bali. The traditional network perimeter – that nice firewall that gave us security for years – is disappearing. And with it, the value of traditional defensive measures.
Zero Trust is not just a trend. It's the answer to these new conditions. It's the way modern businesses think about and implement security.
Yes, the mountain looks high. But with the right route, the right equipment, and a realistic schedule... you can do it. We've seen it time and again. With clients from mid-sized businesses, with enterprises, with start-ups.
And if you feel at times like you're not making progress or the complexity is overwhelming you? That's normal. Completely normal, in fact. We had those moments too – in every single project. Take a deep breath, step back, look at the principles again.
And then continue. One step at a time.
At ODCUS, we like to say: "Zero Trust is like brushing your teeth. You don't do it perfectly once and you're done. You do it a little every day, and in the long run, it pays off."
Okay, maybe not the most glamorous picture... but honest.
Do you need support with your Zero Trust migration?
We've been down this road multiple times at ODCUS – with all the highs, lows, and surprising turns. Let's look together at what your specific route could look like. Without marketing BS, just an honest assessment of what's feasible and what's not.
Contact us for a non-binding conversation. No sales pitch, just an honest talk about your situation and possible paths forward.

Copyright © 2025 ODCUS | All rights reserved.

