Zero Trust in India: The Gap Between Buying the Tools and Building the Architecture

Why ZTNA, microsegmentation, and identity hardening need to work as layers — not checkboxes — for Indian enterprises navigating CERT-In compliance and real-world threat actors.

Snansh Tyagi
[Infographic: The Rise of Zero Trust Architecture in Modern Cybersecurity. Three panels: the failure of the castle-and-moat model, illustrated by the SolarWinds breach; the Zero Trust authentication and continuous-validation flow; and VPN broad access versus ZTNA application-specific access, with implementation context for Indian enterprises (CERT-In directives, Zscaler ZPA). Published by Enrich Data Services.]

In 2020, SolarWinds Orion — a trusted network monitoring tool deployed inside the perimeters of 18,000 organisations — became the attack vector itself. The castle-and-moat model failed completely. The industry mourned, rewrote its playbooks, and declared the network perimeter dead. But here's what nobody wants to talk about: the perimeter didn't die. We just moved it — and the new one is failing too.

In July 2023, a Chinese threat group codenamed Storm-0558 obtained a Microsoft consumer signing key — likely through operational errors that allowed key material to leave Microsoft's secure production environment — and used it to forge authentication tokens, gaining unauthorised access to enterprise email accounts across multiple government agencies. They didn't brute-force a password. They didn't exploit a zero-day in a firewall. They walked through the front door of the identity layer — the very thing Zero Trust told us to trust.

In October 2023, attackers breached Okta's customer support unit and accessed HTTP Archive (HAR) files submitted by customers, extracting valid session tokens from 134 organisations. With those tokens, they could impersonate authenticated users without touching MFA, without knowing a single password. The identity provider — the centrepiece of every modern Zero Trust deployment — was the vulnerability.

We didn't destroy the perimeter. We condensed it into a single login box that nation-states are now treating like a vending machine.

This isn't a theoretical concern. This is the operating reality that Indian enterprises, government bodies, and every CISO reading this needs to contend with.

What Zero Trust Actually Is (And What It Isn't)

NIST SP 800-207 defines Zero Trust as an approach where "all resource authentication and authorization are dynamic and strictly enforced before access is allowed" — no implicit trust is granted based on physical or network location. Every access request is authenticated, authorised, and continuously validated regardless of origin.

That's the framework. What the market has done with it is something else entirely.

As Forrester analysts bluntly state: "Zero Trust is not one product or platform… Attempting to buy Zero Trust as a product sets organizations up for failure." It's a strategic architecture. It's a mindset shift in how you think about trust boundaries. It is emphatically not a SKU.

Yet scroll through any cybersecurity vendor's website today and you'll find legacy firewalls, rebranded VPN appliances, and endpoint agents all wearing the Zero Trust badge like a participation trophy. Real administrators on practitioner forums echo the frustration — calling Zero Trust an "architecture mindset, with processes involved, not a product. Vendors who use this are generally just scammers surfing on this wave."

This isn't just semantics. Buying a "Zero Trust" tool can actively decrease your security posture if it lulls your board into a false sense of compliance while your internal networks remain entirely flat and unsegmented. The board hears "we've implemented Zero Trust," checks the box, and moves on — while lateral movement inside your network is just as easy as it was in 2015.

If your vendor says their widget "is" Zero Trust, they are likely selling you a 2010 firewall wrapped in a 2026 marketing brochure. Ask them which of the seven pillars of NIST 800-207 their product actually addresses. Watch the silence.

The VPN Isn't Dead — It's Complicated

The industry narrative is clean and simple: ZTNA good, VPN bad. Replace your VPN with Zero Trust Network Access and you're modern, secure, and compliant. It's a compelling story. It's also incomplete.

Traditional VPNs grant broad network access once authenticated — that's a real problem. ZTNA grants access only to the specific application the user needs, verified at the time of each request. For organisations with hybrid workforces and cloud workloads, this distinction is critical and ZTNA is the clear winner.

But here's what the product marketing pages don't mention: mainframes still power 71% of Fortune 500 financial institutions. Legacy on-premises systems — the ones running your core banking, your defence logistics, your railway signalling — often lack the APIs or compatibility to integrate with modern ZTNA solutions. They speak protocols that ZTNA brokers have never heard of.

For cost-constrained Indian SMBs, government departments running decade-old infrastructure, and defence networks that can't be rearchitected on a vendor's timeline, the VPN remains a necessary bridge. A hybrid access model — ZTNA for cloud and SaaS applications, VPN for specific users who need access to legacy on-prem servers — is often the most pragmatic and honest deployment.

Unlike VPNs that create centralised bottlenecks, modern ZTNA allows application teams to define their own access policies as code, removing the network team as a gatekeeper. That's a genuine operational improvement. But ripping out your VPN for pure ZTNA today is a great way to accidentally sever access to your most critical, decades-old legacy data centres that can't speak modern identity protocols.
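To make the access-model difference concrete, here is an added example (not Enrich's, Zscaler's or any vendor's code) that contrasts a VPN-style grant, where one successful login yields the whole network, with a ZTNA-style evaluator that decides per application and re-checks identity, group membership, device posture and MFA freshness on every request. The users, groups, applications and the policy entries themselves are constructed for illustration; the point is that each application team owns its own entry, which is what "access policies as code" means in practice.

```python
"""Added example (not Enrich's, Zscaler's or any vendor's code): a toy
comparison of a VPN-style grant with a ZTNA-style, per-application
policy-as-code evaluator. Users, groups, apps and policies are constructed."""
from dataclasses import dataclass


@dataclass
class AccessRequest:
    user: str
    groups: frozenset        # groups asserted by the IdP
    device_managed: bool     # posture signal from the endpoint agent
    mfa_age_s: int           # seconds since the last MFA challenge
    app: str                 # the single application being requested


# Constructed VPN user list: one successful login yields the whole network.
VPN_USERS = {"asha", "ravi"}

# Constructed policy-as-code: each application team owns its own entry,
# so the network team is no longer the gatekeeper for every change.
APP_POLICIES = {
    "core-banking-ui":     {"groups": {"bfsi-ops"},         "managed_device": True,  "max_mfa_age_s": 3600},
    "wiki":                {"groups": {"staff"},            "managed_device": False, "max_mfa_age_s": 86400},
    "legacy-mainframe-gw": {"groups": {"mainframe-admins"}, "managed_device": True,  "max_mfa_age_s": 900},
}


def vpn_decision(req):
    """Traditional VPN: identity is checked once; the requested app is irrelevant."""
    if req.user in VPN_USERS:
        return ("network", "any host reachable")
    return ("deny", "unknown user")


def ztna_decision(req, policies=APP_POLICIES):
    """ZTNA: each request is evaluated for exactly one application,
    re-checking identity, group, device posture and MFA freshness."""
    policy = policies.get(req.app)
    if policy is None:
        return ("deny", "no policy for app")      # default deny: unlisted apps are invisible
    if not (req.groups & policy["groups"]):
        return ("deny", "group")
    if policy["managed_device"] and not req.device_managed:
        return ("deny", "device posture")
    if req.mfa_age_s > policy["max_mfa_age_s"]:
        return ("deny", "stale mfa")
    return ("allow", req.app)


def lateral_reach(req, apps=APP_POLICIES, mode="ztna"):
    """Set of applications a session for req.user could touch under each model."""
    if mode == "vpn":
        return set(apps) if vpn_decision(req)[0] == "network" else set()
    return {
        app for app in apps
        if ztna_decision(AccessRequest(req.user, req.groups, req.device_managed,
                                       req.mfa_age_s, app))[0] == "allow"
    }


if __name__ == "__main__":
    # Constructed scenario: ravi's unmanaged laptop is compromised; he only ever needed the wiki.
    ravi = AccessRequest("ravi", frozenset({"staff"}), False, 60, "wiki")
    print("VPN reach :", sorted(lateral_reach(ravi, mode="vpn")))
    print("ZTNA reach:", sorted(lateral_reach(ravi)))
```

Run it and the VPN model hands the compromised laptop every application on the list, including core banking, while the ZTNA model confines it to the wiki; note too that the legacy mainframe gateway is only reachable by a small group on a managed device with a fresh MFA, which is the kind of narrow, explicit rule a VPN cannot express.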

The VPN is the cockroach of the security stack: unloved, unglamorous, but frequently the only thing that can survive in a 20-year-old government data centre.

The India Reality Check

In India, Zero Trust isn't merely an architectural modernisation project. It's a desperate race to comply with regulations that have teeth — real financial and legal consequences — amidst crippling SOC talent shortages and rising breach costs.

Under CERT-In's directives, Indian organisations must report cybersecurity incidents within six hours of detection. Not six business days. Six hours. They must maintain logs within Indian jurisdiction for 180 days and synchronise their systems to NTP servers of the National Informatics Centre (NIC) or National Physical Laboratory (NPL). The intent is sound: faster response, better forensic capability, sovereign data control.

But the implementation reality is brutal. The Information Technology Industry Council (ITI) has raised formal concerns that mandating connections to Indian government NTP servers "could negatively affect companies' security operations as well as the functionality of their systems, networks, and applications" — essentially arguing that a security regulation might create new security vulnerabilities. When your compliance mandate introduces a potential single point of failure, you have to ask whether we're building resilience or building fragility with extra paperwork.

The numbers tell the rest of the story. The average cost of a data breach in India has risen to approximately ₹22 crore (US$2.6 million). Security budgets are expanding, but SOC capacity isn't keeping pace with the volume of alerts. Indian enterprises are buying more tools, generating more telemetry, and drowning in more noise — without proportionally more analysts to make sense of it.

Meanwhile, the broader market opportunity is massive. The Asia Pacific Zero Trust strategy services market was valued at USD 20 billion in 2024 and is expected to reach USD 102 billion by 2033, growing at a 20% CAGR. Money is flowing. Whether it's flowing into genuine architectural transformation or into box-ticking compliance exercises is the question every Indian CISO should be asking themselves.

CERT-In's aggressive regulations are pushing Indian companies toward rapid compliance that might actually create new architectural vulnerabilities rather than generating genuine resilience. In India, Zero Trust isn't just a strategic security initiative — it's your best legal defence against crushing non-compliance penalties. That motivation produces very different architecture decisions than "let's build the most resilient network we can."

Microsegmentation — The Promise vs. The Reality

If Zero Trust has a holy grail, it's microsegmentation: the idea that every workload, every application, every database sits inside its own security boundary, communicating only with explicitly authorised peers. No more flat networks. No more lateral movement. In theory, even if an attacker compromises one system, they're trapped in a segment of one.

In practice? Fortinet's survey data tells a sobering story: while 40% of organisations report their Zero Trust strategy as "fully implemented," more than half of those same respondents don't have the ability to authenticate users and devices on an ongoing basis. They've declared victory without achieving the core capability.

The reasons are painfully familiar to anyone who's tried real segmentation. Legacy systems often lack compatibility with modern microsegmentation tools, featuring hardcoded credentials, outdated protocols, and flat monolithic architectures that resist segmentation by design. You need a deep, accurate understanding of every data flow in your environment before you can draw segment boundaries — and most enterprises don't have that map. Get it wrong and you don't just block attackers; you block your own applications from talking to each other. The blast radius of a misconfigured microsegmentation policy in production is not a theoretical risk; it's a Tuesday afternoon outage.
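The "map first, then segment" point above is easier to act on with tooling, so here is an added example (not Enrich's or any segmentation vendor's code) of a dry-run: it takes a constructed set of observed east-west flows and a constructed proposed allow-list, reports every legitimate flow the policy would silently break, and computes the blast radius from any one compromised segment under the policy versus a flat network. The segments, ports and the forgotten batch job are all constructed.

```python
"""Added example (not Enrich's or any vendor's code): dry-run a proposed
microsegmentation allow-list against an observed flow map and measure the
blast radius it leaves. Segments, flows and rules are constructed samples."""
from collections import deque

# Constructed east-west flows as captured from NetFlow or agent telemetry:
# (source segment, destination segment, destination port)
OBSERVED_FLOWS = [
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("app", "ldap", 636),
    ("batch", "db", 5432),       # nightly reconciliation job nobody drew on the diagram
    ("monitoring", "web", 9100),
    ("monitoring", "app", 9100),
    ("monitoring", "db", 9100),
]
SEGMENTS = {"web", "app", "db", "ldap", "batch", "monitoring"}

# Constructed proposed policy: explicit allow-list, default deny, "*" wildcard.
# The batch -> db flow is missing, as it typically is on the first draft.
PROPOSED_RULES = {
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("app", "ldap", 636),
    ("monitoring", "*", 9100),
}


def _match(value, pattern):
    return pattern == "*" or pattern == value


def permitted(rules, src, dst, port):
    """True if some rule allows src -> dst on port (any field may be '*')."""
    return any(_match(src, rs) and _match(dst, rd) and _match(port, rp)
               for rs, rd, rp in rules)


def dry_run(flows, rules):
    """Observed flows the proposed policy would break once enforced."""
    return [flow for flow in flows if not permitted(rules, *flow)]


def reachable(rules, segments, start):
    """Segments an attacker who owns `start` could reach, on any port,
    by chaining allowed rules (breadth-first over the allow-list)."""
    seen, queue = {start}, deque([start])
    while queue:
        current = queue.popleft()
        for seg in segments:
            if seg not in seen and any(_match(current, rs) and _match(seg, rd)
                                       for rs, rd, _ in rules):
                seen.add(seg)
                queue.append(seg)
    return seen - {start}


def flat_reach(segments, start):
    """Flat-network baseline: every other segment is one hop away."""
    return set(segments) - {start}


if __name__ == "__main__":
    print("Would break:", dry_run(OBSERVED_FLOWS, PROPOSED_RULES))
    for seg in sorted(SEGMENTS):
        print(f"from {seg:<10} flat={len(flat_reach(SEGMENTS, seg))} "
              f"segmented={len(reachable(PROPOSED_RULES, SEGMENTS, seg))}")
```

The dry-run flags the batch job before it becomes the Tuesday afternoon outage, and the reach figures show where the policy actually buys something: a compromised database host reaches nothing, while the monitoring segment still reaches everything on its wildcard rule, which is exactly the kind of over-broad rule an asset inventory review should question.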

Over 80% of organisations acknowledge that implementing a Zero Trust strategy across an extended network is difficult — 21% call it extremely difficult. Practitioners admit that implementations frequently happen in silos: "We hardened identity but forgot to update network trust levels," resulting in disjointed policies that fail to stop lateral movement. One team deploys ZTNA at the edge. Another team manages firewall rules. A third team handles endpoint detection. Nobody owns the gaps between them.

The result? Most enterprise networks have a hard, crunchy ZTNA shell and a soft, flat internal network. Most "Zero Trust" implementations are like a coconut: hard on the outside, but soft and milky the moment an attacker breaches the shell.

Until Indian enterprises invest in the operational discipline — the asset inventories, the data flow mapping, the cross-team governance — to implement microsegmentation meaningfully, calling their deployments "Zero Trust" is aspirational at best and misleading at worst.

The Identity Layer Problem

This is the section that will make some vendors uncomfortable, but it needs to be said.

By shifting the security perimeter from the network to Identity and Access Management, we have concentrated enterprise risk into a single layer. Your IdP — whether that's Azure AD, Okta, or any other platform — is now the skeleton key to your entire estate. If that gets compromised, your Zero Trust architecture doesn't degrade gracefully. It collapses.

The evidence is already in. During the Storm-0558 incident, threat actors used a stolen signing key — which left Microsoft's secure environment through operational errors — to forge authentication tokens and seamlessly access enterprise email accounts. They didn't need to bypass any network controls — because in a Zero Trust world, there were no network controls to bypass. The identity layer was the control, and it failed.

The Okta breaches demonstrated that attackers don't even need to break encryption. They target support systems to steal session tokens, bypassing MFA entirely — and notably, 6% of Okta customers still don't have MFA enabled for administrators. The MGM and Caesars casino breaches abused the Okta Active Directory Sync integration, allowing attackers to use AD passwords to access SSO, grant themselves higher privileges, and reset authenticators — proving that identity infrastructure integrations, the plumbing that connects your IdP to everything else, are a massive and under-scrutinised attack surface.

We spent a decade dismantling the network perimeter to eliminate a single point of failure, only to hand the keys to the kingdom to a handful of cloud identity providers. Identity is the new perimeter — which means if your IdP gets popped, your entire Zero Trust architecture collapses in milliseconds.

This doesn't mean Zero Trust is wrong. It means the current implementation pattern — where identity is both the foundation and the single point of failure — needs defence in depth that most organisations haven't built yet. Backup authentication paths. Hardware-bound tokens. Out-of-band verification for privileged access. The same paranoid, layered thinking that good security architects have always applied — but now aimed at the identity layer itself.
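Two of the controls named above, a strictly scoped signing-key ring and hardware-bound (device-bound) tokens, can be shown in a few lines of validation logic. The following is an added example, not Microsoft's, Okta's or Enrich's code: a toy HMAC-signed token (not a real JWT) and a validator for an enterprise service that only accepts keys from its own ring, checks issuer, audience and expiry, and refuses any token whose confirmation claim does not match the thumbprint of the device presenting it. The key IDs, secrets, issuer, audience and thumbprints are all constructed; the `cnf` claim name is borrowed from the proof-of-possession convention, but the binding mechanism here is a simplified stand-in.

```python
"""Added example (not Microsoft's, Okta's or Enrich's code): a toy signed
token plus a validator showing two identity-layer defences: a per-audience
key ring (a consumer-tenant key must never validate an enterprise token)
and device binding (a stolen token is useless from another device).
Keys, kids, claims and thumbprints are constructed; this is not a real JWT."""
import base64
import hashlib
import hmac
import json
import time


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, key: bytes, claims: dict) -> str:
    """Issue header.body.signature, HMAC-SHA256 over header.body."""
    header = _b64(json.dumps({"kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


# Constructed key rings. The enterprise service is only ever handed ENTERPRISE_KEYS;
# the consumer ring exists here solely to show what a wrongly scoped key looks like.
ENTERPRISE_KEYS = {"ent-2024-01": b"constructed-enterprise-signing-key"}
CONSUMER_KEYS = {"msa-2023-07": b"constructed-consumer-signing-key"}
ISSUER = "https://login.example-idp.invalid/enterprise"   # constructed
AUDIENCE = "mail-api"                                       # constructed


def validate(token, keyring, expected_iss, expected_aud, device_thumbprint, now=None):
    """Return (True, subject) or (False, reason). Order matters: reject on key
    scope first, so a token from the wrong ring never reaches claim parsing."""
    now = time.time() if now is None else now
    try:
        h, b, s = token.split(".")
        header, claims, sig = json.loads(_unb64(h)), json.loads(_unb64(b)), _unb64(s)
    except ValueError:
        return (False, "malformed")
    key = keyring.get(header.get("kid"))
    if key is None:
        return (False, "unknown kid")          # consumer key is simply not in this ring
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return (False, "bad signature")        # right kid label, wrong key material
    if claims.get("iss") != expected_iss:
        return (False, "issuer")
    if claims.get("aud") != expected_aud:
        return (False, "audience")
    if claims.get("exp", 0) <= now:
        return (False, "expired")
    if claims.get("cnf") != device_thumbprint:
        return (False, "token not bound to this device")   # replayed from elsewhere
    return (True, claims["sub"])


if __name__ == "__main__":
    now = 1_700_000_000
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "asha", "exp": now + 600, "cnf": "dev-thumb-A"}
    good = sign_token("ent-2024-01", ENTERPRISE_KEYS["ent-2024-01"], claims)
    forged = sign_token("msa-2023-07", CONSUMER_KEYS["msa-2023-07"], claims)
    print("legit, own device :", validate(good, ENTERPRISE_KEYS, ISSUER, AUDIENCE, "dev-thumb-A", now))
    print("consumer-key forge:", validate(forged, ENTERPRISE_KEYS, ISSUER, AUDIENCE, "dev-thumb-A", now))
    print("stolen, other dev :", validate(good, ENTERPRISE_KEYS, ISSUER, AUDIENCE, "dev-thumb-B", now))
```

The two failure paths map onto the incidents discussed above: a token minted under a key that is not in the enterprise ring is rejected before its claims are even trusted, and a perfectly valid token lifted from a support ticket is rejected the moment it is presented from a device other than the one it was bound to. Neither check replaces MFA; both limit how far a compromise of the identity layer can travel.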

Where Enrich Stands

At Enrich Data Services, our experience across 40+ government and enterprise deployments has taught us something that doesn't fit on a vendor slide: Zero Trust is a journey that looks different for every organisation, and the hardest part isn't choosing the technology — it's understanding your own environment well enough to deploy it honestly.

We partner with Zscaler, Palo Alto Networks, Fortinet, and other leading platforms because they build genuinely best-in-class solutions — Zscaler's cloud-native architecture for secure access and workload communications, Palo Alto's Prisma platform for network and cloud security, Fortinet's integrated fabric approach. These are powerful foundations for any Zero Trust journey. But as we've argued throughout this piece, no single platform covers every layer on its own. A strong ZTNA deployment needs to be complemented by microsegmentation for east-west traffic, hardened identity infrastructure with backup authentication paths, and — for many Indian environments — legacy access solutions that bridge the gap until modernisation catches up. The real value isn't any one product; it's the hybrid architecture that layers these solutions together.

What Indian enterprises need — whether they're a BFSI institution navigating RBI mandates, a government body under CERT-In pressure, or an enterprise modernising a legacy data centre — is a partner who helps them build that layered architecture honestly. Where are your actual trust boundaries today? What can realistically be segmented this quarter? Where does the VPN need to stay while you build the bridge to ZTNA? How do you protect the identity layer that everything now depends on?

These aren't comfortable questions. But they're the ones that separate a resilient architecture from a compliance checkbox.

Stop buying "Zero Trust in a box." Start building a strategy that survives contact with your legacy infrastructure — and with the threat actors who are already testing your identity layer.

About the Author

Snansh Tyagi

Collaboration Specialist

Snansh Tyagi — Collaboration Specialist at EDSPL. Cybersecurity pre-sales by day, AI automation builder by night. Stanford AI Security certified. Based in Delhi/NCR.