We are looking to transition from a perimeter-based security model to a Zero Trust framework. However, we have several legacy systems that don't support modern authentication protocols. What are the best practices for applying micro-segmentation and "never trust, always verify" principles without breaking our existing internal workflows or causing massive downtime?
3 answers
Moving to Zero Trust is a marathon, not a sprint. Start by mapping your data flows to understand how legacy apps communicate. You can use a "software-defined perimeter" or identity-aware proxies to wrap those old systems in a modern security layer. This allows you to enforce MFA and strict access controls even if the app itself doesn't natively support it. Focus on high-risk assets first and gradually move to the rest of the network. Don't forget that visibility is key; if you can't see the traffic, you can't secure it or verify the identity of the users effectively.
Focus on Identity and Access Management first. If you can strongly verify the user through MFA, you've already mitigated a huge portion of the risk associated with legacy system access.
Have you considered using a micro-segmentation tool that operates at the workload level rather than the network level? This might bypass some of your hardware limitations with those older systems. What specific legacy protocols are giving you the most trouble during the initial pilot phase?
Brandon, we are mostly struggling with old SCADA systems and some internal apps using NTLM. To address this, we usually recommend deploying a gateway or a proxy that can translate these protocols into something modern like SAML or OIDC before they hit the core network. It keeps the legacy "bubble" isolated while ensuring the external entry point follows Zero Trust.
Totally agree, Jessica. Strengthening the IAM foundation is the most logical first step because it provides the most immediate ROI in a Zero Trust transition strategy.