Zero Trust: From Buzzword to Best Practice for the Modern Enterprise
Adopting forward-thinking security models like Zero Trust is now essential for businesses. Recent findings from the 2024/2025 ASEAN Enterprise Innovation Survey highlight this necessity as organisations navigate an increasingly complex digital environment:
A significant 39.5% of Malaysian businesses identify cybersecurity and privacy issues as primary obstacles in their digital transformation journeys. This highlights the critical challenges that modern security approaches aim to address.
Furthermore, there's a clear shift in investment priorities, with 52% of organisations now making cybersecurity and data protection a key focus in their digital transformation investments. This represents a substantial increase from just 22% in 2019, demonstrating a growing awareness of the importance of robust security.
Our recent workshop co-hosted with CyberSecurity Malaysia on Zero Trust: From Buzzword to Best Practice for the Modern Enterprise addressed the following themes:
Understanding the core principles of Zero Trust security
Implementing Zero Trust across different IT environments, including cloud and on-premises
Addressing common Zero Trust implementation challenges such as legacy system integration, user training and transparency in data practices
Measuring the effectiveness of a Zero Trust strategy
Recent conversations with enterprises across the ASEAN region highlight how establishing and maintaining digital trust has become imperative for businesses, governments, and citizens alike. Read more in our Cybersecurity in ASEAN Report.
1. Understanding the Core Principles of Zero Trust Security
Zero Trust is built on the premise that no user, device, or network segment is trusted by default—every access request must be continuously authenticated, authorised, and encrypted.
Least‑Privilege Access: Grant users and services only the minimal permissions they need, reducing attack surface.
Continuous Verification: Regularly re‑evaluate trust in user identities and device postures rather than relying on one‑time authentication.
Strong Identity Controls: Treat identity as the new perimeter—apply robust IAM (Identity and Access Management), multifactor authentication, and data tokenisation to ensure that credentials and sensitive information remain protected even within the network.
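The three principles above can be combined into a single per-request decision. The sketch below is an added example, not material from the workshop; the role names, grants and freshness thresholds are constructed assumptions. It shows default-deny grants, fail-closed device posture checks, and MFA freshness re-evaluated on every request, with network location never contributing trust.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed policy values (constructed for this example).
MAX_MFA_AGE_S = 15 * 60       # identity must be re-verified after 15 minutes
MAX_POSTURE_AGE_S = 5 * 60    # device posture report must be this fresh

# Constructed least-privilege grants: role -> allowed (resource, action) pairs.
GRANTS = {
    "payroll-clerk": {("payroll-db", "read")},
    "payroll-admin": {("payroll-db", "read"), ("payroll-db", "write")},
}

@dataclass
class Request:
    role: str
    resource: str
    action: str
    now: float                    # evaluation time, epoch seconds
    last_mfa_at: Optional[float]  # None: MFA never completed
    posture_at: Optional[float]   # None: device never reported posture
    posture_ok: bool              # e.g. disk encrypted, patched
    source_net: str = "internet"  # recorded, but never used to grant trust

def fresh(ts, now, max_age):
    """True only if the timestamp exists, is not in the future, and is recent."""
    return ts is not None and 0 <= now - ts <= max_age

def decide(req):
    """Evaluate one access request; returns (decision, reason)."""
    # Least privilege: anything not explicitly granted is denied.
    if (req.resource, req.action) not in GRANTS.get(req.role, set()):
        return "deny", "no grant for role"
    # Device posture: a missing, stale or future-dated report fails closed.
    if not fresh(req.posture_at, req.now, MAX_POSTURE_AGE_S):
        return "deny", "device posture missing or stale"
    if not req.posture_ok:
        return "deny", "device non-compliant"
    # Continuous verification: an old login is not enough, ask for MFA again.
    if not fresh(req.last_mfa_at, req.now, MAX_MFA_AGE_S):
        return "step_up", "MFA missing or expired"
    return "allow", "ok"
```

Because `decide` is called on every request rather than once at login, a session that was allowed a few minutes ago drops to `step_up` or `deny` as soon as its MFA or posture evidence ages out.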
Why do we need resilience? Because now we expect it's not about how to protect, it's about how to respond. So we expect that we're already being hacked. So the government is pushing on digital trust. So once we have cyber resilience, there will be trust from the public.
- Ts. Mohd Zabri Adil Bin Talib, Vice President & Principal Specialist, Responsive Technology & Services Division, CyberSecurity Malaysia
2. Implementing Zero Trust across Different IT Environments, Including Cloud and On‑Premises
Adopting Zero Trust requires a consistent security fabric that spans on-premises data centers, private and public clouds, and SaaS platforms. This involves addressing several key architectural considerations:
Hybrid Architectures: Enterprises highlighted the need to integrate on-prem security gateways with cloud-native controls, ensuring policy enforcement travels with data and workloads.
Multi-Cloud Consistency: With workloads distributed across multiple providers, organisations must deploy centralized policy engines or orchestration layers that translate Zero Trust rules into each cloud’s native controls.
Legacy System Integration: Even as new workloads move to cloud, legacy applications remain critical. Participants emphasised using micro-segmentation appliances or virtual network functions to insert Zero Trust controls without rewriting monolithic systems.
The primary motivations for undertaking comprehensive Zero Trust implementations, and for taking on these complex architectural requirements, were highlighted by a live poll conducted with Malaysian enterprise leaders (poll snapshot below). Digital transformation initiatives are the primary catalyst for implementing Zero Trust, with 50% of respondents citing this as the main driver. Regulatory requirements followed as the second most significant factor, cited by 31% of participants.
3. Addressing Common Zero Trust Implementation Challenges
Several hurdles can slow or complicate Zero Trust rollouts:
Legacy System Constraints: Older platforms often lack APIs or agents needed for continuous monitoring. A phased approach—wrapping legacy apps in reverse proxies or network segmentation—is essential.
User Training and Change Management: Shifting from a “castle‑and‑moat” mindset requires clear communication about new sign‑on flows, MFA prompts, and just‑in‑time access processes. Pilot programs and interactive workshops were highlighted as effective ways to build user confidence.
Transparency in Data Practices: Zero Trust thrives on visibility—organisations must document data flows, perform necessity‑scoring on sensitive data, and establish sanitization protocols (e.g., tokenization or masking) before granting access. Regular “contact‑test” drills help verify that these controls are both effective and transparent to stakeholders.
Every technology will have a zero trust... [Each] is focusing in their area of speciality... All of them have their own zero trust. But how are we collecting, as an organization... Getting all of these technology stack to work together... make it a one big, I think that is the bigger question
- Kenneth Devan, Country Manager, Hong Kong & Growth Markets TH, MY & VN, Okta
4. Measuring the Effectiveness of a Zero Trust Strategy
To ensure Zero Trust delivers real security outcomes, enterprises discussed the following metrics and practices:
Real‑Time Dashboards and Risk Scores: Integrate threat‑intelligence feeds into unified dashboards that translate alerts into consolidated risk scores.
Bounce‑Back and Resilience Metrics: Beyond blocking incidents, track how quickly systems recover—time to detect, contain, and remediate—as core KPIs.
Health‑Check Exercises: Schedule automated and manual “health checks” to validate that policies remain current, detection rules are tuned, and remediation playbooks execute properly.
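The bounce-back KPIs above (time to detect, contain, and remediate) can be computed directly from incident timelines. This is an added example, not tooling from the workshop; the incident records are constructed, and the stage boundaries (occurred → detected → contained → remediated) are one assumed definition. It also handles the two cases that skew such dashboards: incidents still open, and records whose timestamps are out of order.

```python
from datetime import datetime
from statistics import median

ORDER = ["occurred", "detected", "contained", "remediated"]
# KPI name -> (start event, end event); an assumed definition of each stage.
STAGES = {"detect": ("occurred", "detected"),
          "contain": ("detected", "contained"),
          "remediate": ("contained", "remediated")}

INCIDENTS = [  # constructed sample records
    {"id": "INC-1", "occurred": "2025-03-01T08:00", "detected": "2025-03-01T08:30",
     "contained": "2025-03-01T10:30", "remediated": "2025-03-02T08:30"},
    {"id": "INC-2", "occurred": "2025-03-05T12:00", "detected": "2025-03-05T14:00",
     "contained": "2025-03-05T15:00", "remediated": None},        # still open
    {"id": "INC-3", "occurred": "2025-03-09T00:00", "detected": "2025-03-09T00:10",
     "contained": "2025-03-09T04:10", "remediated": "2025-03-09T10:10"},
    {"id": "INC-4", "occurred": "2025-03-10T09:00", "detected": "2025-03-10T08:00",
     "contained": "2025-03-10T09:30", "remediated": "2025-03-10T10:00"},  # bad order
]

def resilience_kpis(incidents):
    """Median minutes per stage, plus the ids of open and rejected incidents."""
    samples = {name: [] for name in STAGES}
    open_ids, rejected = [], []
    for inc in incidents:
        ts = {k: datetime.fromisoformat(inc[k]) for k in ORDER if inc.get(k)}
        seen = [ts[k] for k in ORDER if k in ts]
        if seen != sorted(seen):
            # Out-of-order timestamps would yield negative durations: exclude
            # the record and surface it for correction instead of averaging it.
            rejected.append(inc["id"])
            continue
        if "remediated" not in ts:
            open_ids.append(inc["id"])  # counted as open, not as "fast"
        for name, (start, end) in STAGES.items():
            if start in ts and end in ts:
                samples[name].append((ts[end] - ts[start]).total_seconds() / 60)
    medians = {n: (median(v) if v else None) for n, v in samples.items()}
    return {"median_minutes": medians, "open": open_ids, "rejected": rejected}

if __name__ == "__main__":
    print(resilience_kpis(INCIDENTS))
```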
By grounding Zero Trust in clear principles, deploying it consistently across hybrid environments, tackling common rollout obstacles head‑on, and rigorously measuring outcomes, organisations can transform fragmented defenses into a resilient, adaptive security posture.
The key idea here is also not simply looking at the entire risk, but focusing our effort to the most important thing that will affect my business
- Kanan Velayutham, Consultant, Tenable