For two decades, enterprise security in India was built on a simple premise: trust everything inside the network, distrust everything outside. Firewalls at the perimeter, VPNs for remote access, and a relatively flat internal network. That model worked when employees sat in offices and applications lived in data centers. It does not work anymore.
The perimeter has dissolved
The shift to hybrid work, the migration of business-critical applications to SaaS, and the adoption of multi-cloud architectures have all done the same thing: they have moved both users and applications outside the traditional network perimeter. A bank employee opening Salesforce from a home laptop is not protected by the corporate firewall. A factory floor system pulling data from AWS is not behind the DMZ. The perimeter is now wherever the user and the application happen to meet, and that is almost never inside your physical network.
What zero-trust actually means
Zero-trust is not a product. It is an architectural principle: never trust, always verify. Every access request — from any user, on any device, to any application — is authenticated, authorized, and continuously validated. Identity becomes the new perimeter. The practical implementation typically involves four layers: strong identity (MFA, conditional access), device posture (only healthy, managed devices), network micro-segmentation (lateral movement is blocked by default), and continuous monitoring (anomalies trigger automatic response).
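The four layers above, reduced to one per-request decision function that writes an audit record for every allow and deny. This is an added illustration, not code from any product or framework the article mentions; the segment names, application names, risk threshold and field names are assumptions made up for the example.

```python
import json
import time
from dataclasses import dataclass, asdict, replace

# Hypothetical segment-to-workload flows. Anything not listed is denied,
# so lateral movement is blocked by default.
ALLOWED_FLOWS = {("user-lan", "crm"), ("finance-vdi", "core-banking")}
RISK_THRESHOLD = 0.7  # assumed cut-off for the monitoring signal (0.0 to 1.0)

@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_passed: bool       # layer 1: strong identity
    device_managed: bool   # layer 2: device posture
    edr_healthy: bool
    source_segment: str    # layer 3: micro-segmentation
    target_app: str
    risk_score: float      # layer 4: continuous monitoring

def decide(req, audit_log, now=None):
    """Evaluate one request against all four layers and log the outcome."""
    reasons = []
    if not req.mfa_passed:
        reasons.append("identity:mfa_missing")
    if not (req.device_managed and req.edr_healthy):
        reasons.append("device:posture_failed")
    if (req.source_segment, req.target_app) not in ALLOWED_FLOWS:
        reasons.append("network:flow_not_allowed")
    if req.risk_score >= RISK_THRESHOLD:
        reasons.append("monitoring:risk_too_high")
    decision = "deny" if reasons else "allow"
    # Every decision is recorded, so access is reviewable per request.
    record = {"ts": time.time() if now is None else now,
              "decision": decision, "reasons": reasons, **asdict(req)}
    audit_log.append(json.dumps(record, sort_keys=True))
    return decision, reasons

if __name__ == "__main__":
    log = []
    # Constructed sample requests: the same user is re-evaluated each time,
    # so a posture change or a new target flips the result mid-session.
    first = AccessRequest("asha", True, True, True, "user-lan", "crm", 0.1)
    for req in (first,
                replace(first, edr_healthy=False),
                replace(first, target_app="core-banking")):
        print(decide(req, log))
    print("\n".join(log))
```

No request inherits trust from an earlier one: the second and third calls are denied even though the first call for the same user was allowed.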
Why Indian enterprises are under pressure now
The RBI cyber security framework, SEBI CSCRF, and the DPDP Act have all converged on the same expectation: demonstrable, verifiable access control. Auditors are no longer satisfied with "we have a firewall." They want evidence that access decisions are made per-request, logged, and reviewable. Enterprises that cannot show this in their next audit cycle will face escalating findings — and in regulated sectors, real penalties.
Where to start
The most pragmatic starting point is identity. If you have not yet rolled out MFA across all users and all applications, that is the single highest-impact zero-trust investment you can make. From there, focus on device posture (EDR coverage on every endpoint) and then network segmentation (start by isolating critical workloads from general user traffic). A full zero-trust transformation takes 18 to 24 months in most enterprises. The cost of not starting is significantly higher than the cost of starting now.
