We are managing a legacy on-premise data center while scaling our new applications on Google Cloud Platform. The "perimeter" is becoming impossible to define. I want to move toward a Zero Trust Architecture (ZTA) where identity is the new perimeter. What are the first steps for a mid-sized team to implement this without breaking existing VPN-based workflows for our remote employees?
3 answers
The transition to Zero Trust usually starts with Identity and Access Management (IAM) consolidation. Since you're on GCP, look into Identity-Aware Proxy (IAP). It allows you to control access to your cloud applications based on user identity and context (like device security posture) without a traditional VPN. For the on-premise side, you can use a connector to bridge those legacy apps into the same identity flow. Start small—pick one non-critical internal app, move it behind IAP, and see how your users handle the shift. This phased approach prevents the "big bang" failure that often happens with security overhauls.
Are you planning to maintain your existing Active Directory as the source of truth, or are you migrating everyone to a cloud-native identity provider? This decision usually dictates how painful the rest of your Zero Trust journey will be.
Don't overlook device trust. Zero Trust isn't just about 'who' is logging in, but also 'what' they are using. Ensure your MDM is integrated with your access policies.
Spot on, Emily. We saw a lot of "identity-only" implementations fail because compromised personal laptops were used to access sensitive cloud buckets. Device health checks are a mandatory pillar of ZTA.
Christopher, we decided to keep AD on-prem but sync it with Cloud Identity. The most difficult part was handling the service accounts. Human identities are easy, but machine-to-machine communication in a hybrid setup requires much more granular micro-segmentation. We used Anthos Service Mesh to gain visibility into those traffic flows before we started enforcing any "deny by default" policies.