Service · Zero Trust · NIST SP 800-207

Zero Trust: the definitive guide.

The network perimeter no longer exists. Remote workers, hybrid cloud and the digital supply chain have dissolved the boundary between «inside» and «outside». Zero Trust is the model that answers this reality: never trust, always verify.

0 implicit trust · Always verify · Least privilege

Fortgale · ZT Policy Engine

Verifying
User: m.bianchi@acme.eu
Device: WIN-LPT-0342
Resource: ERP · Finance Module
Location: Milan, IT

Policy engine verification
Identity verified · MFA
Compliant device
Context within norm
Authorised role
Access granted — Session monitored

Compliance · ZT: NIS2 ready, DORA, ISO 27001, GDPR

ZT standards: NIST SP 800-207, FIDO2, ZTNA, CASB, SASE

What Zero Trust is

«Never trust, always verify».

Zero Trust is not a product or a vendor: it is an architectural model that eliminates implicit trust based on network origin. Reference: NIST SP 800-207.

01 · Model, not product

Zero Trust is architecture, not a vendor. Adoptable in a progressive, modular way. Start from identity (MFA, IdP) and extend to device, network, app, data. Fortgale is vendor-agnostic.

02 · Assume Breach by design

It is presumed that the breach has already happened or could happen. The defensive approach changes: not only prevent ingress, but limit damage and detect every anomalous internal movement.

03 · Iterative roadmap

Inventory + MFA + baseline segmentation deliver benefits already in the first 3-6 months. Microsegmentation + UEBA + policy automation complete maturity in 12-36 months.

Proof · why Zero Trust

Four data points that force the model.

80 % · Breaches that exploit compromised credentials
287 · Average days to identify a breach (classic model)
-72 % · Reduction in incidents with mature Zero Trust
-50 % · Reduction in average cost of a breach (IBM)

Why the perimeter no longer exists

Three realities that broke the traditional model.

Cloud-first

☁️ Cloud has dissolved the perimeter

Resources live in SaaS, IaaS, PaaS, outside the data centre. The perimeter firewall is ineffective on infrastructure that lives everywhere.

Remote-first

🏠 Remote work is the norm

Users connect from home, on the move, from untrusted networks. The traditional VPN grants access that is too broad once inside.

Supply chain

🔗 Supply chain extends the surface

Suppliers, partners, system integrators have privileged access to customer systems. Often without MFA, monitoring or segmentation.

The 5+1 Zero Trust pillars

Five operational pillars + Assume Breach.

Standard NIST SP 800-207 implementation. The +1 «Assume Breach» is the pillar that changes the defensive paradigm.

Explicit identity verification

MFA, IdP, conditional access, continuous auth. No trust based on network origin: identity is verified for every request.

Least privilege · JIT/JEA

Just-in-Time / Just-Enough-Access: temporary, minimal permissions. Drastically limits the blast radius of a compromised account.

Microsegmentation

Network broken into granular segments: every resource is isolated. East-west lateral movement blocked. ZTNA for application access.

Continuous visibility & analytics

UEBA, SIEM, behavioural detection. Every access, behaviour and flow is logged and analysed in real time.

Automation & orchestration

SOAR, adaptive policies: response to anomalous events is automated. Response in seconds, not hours.

Assume Breach

Bonus pillar that changes the approach. Breach is presumed to have already happened: every request is treated as potentially compromised.

Adoption roadmap

Six phases · 12-36 months to maturity.

Zero Trust implementation is iterative. Early phases deliver benefits within the first 3-6 months. Each phase is autonomous and provides value.

Phase 1 · 4-8 weeks

Foundations · Inventory

Asset Discovery, Data Classification, Identity Inventory, Network Flow Analysis

Phase 2 · 4-10 weeks

Identity · MFA + IdP

MFA · FIDO2, Federated IdP, PAM JIT, Conditional Access, SSO

Phase 3 · 6-12 weeks

Devices · Device Trust

MDM/UEM, Enterprise EDR, Device Compliance Policy, Cert-Based Auth

Phase 4 · 8-16 weeks

Network · ZTNA + Microsegmentation

ZTNA gateway, Microsegmentation, SDP, East-West traffic control

Phase 5 · 8-20 weeks

Apps & Data

CASB, WAF · API Security, DLP, Data Classification, Encryption

Phase 6 · 12-24 weeks

Maturity · UEBA + SOAR

UEBA, SIEM Integration, SOAR, Continuous Validation, Risk-Based Adaptive

FAQ

Everything to know before starting with Zero Trust.

What is Zero Trust and what does it mean?

Zero Trust is a security model that eliminates implicit trust: no user, device or system is considered trusted by default, not even inside the corporate network. Every access request is verified explicitly based on identity, device, context and behaviour. The guiding principle is "never trust, always verify" (NIST SP 800-207).

What is Zero Trust architecture?

Zero Trust Architecture (ZTA) is the technical framework defined by NIST SP 800-207 that decomposes the model into operational components: Policy Engine (decides whether to grant access), Policy Administrator (executes the decision), Policy Enforcement Point (applies the control on every request). It relies on federated identity, MFA, network microsegmentation, device trust and continuous telemetry.
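
An added example (not Fortgale's code and not text from NIST SP 800-207) showing how the three components divide the work: the Policy Engine decides, the Policy Administrator turns an allow into a short-lived grant for one resource, and the Policy Enforcement Point re-checks that grant on every request. The role map, allowed-location set, demo key and HMAC token format are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumptions for illustration: key, role map and allowed locations are constructed.
DEMO_KEY = b"constructed-demo-key"
ROLE_GRANTS = {"finance-analyst": {"erp-finance"}}
ALLOWED_COUNTRIES = {"IT"}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool
    device_compliant: bool
    country: str
    resource: str

def policy_engine(req):
    """Policy Engine: default deny; returns the failed checks (empty list = allow)."""
    checks = [
        (req.mfa_verified, "identity: MFA not verified"),
        (req.device_compliant, "device: not compliant"),
        (req.country in ALLOWED_COUNTRIES, "context: unusual location"),
        (req.resource in ROLE_GRANTS.get(req.role, set()), "role: not authorised"),
    ]
    return [reason for ok, reason in checks if not ok]

def _sign(user, resource, expiry):
    msg = f"{user}|{resource}|{expiry}".encode()
    return hmac.new(DEMO_KEY, msg, hashlib.sha256).hexdigest()

def policy_administrator(req, now, ttl=300):
    """Policy Administrator: executes an allow by minting a short-lived token
    scoped to one resource; returns (token or None, failed checks)."""
    failures = policy_engine(req)
    if failures:
        return None, failures
    expiry = int(now) + ttl
    sig = _sign(req.user, req.resource, expiry)
    return f"{req.user}|{req.resource}|{expiry}|{sig}", []

def enforcement_point(token, resource, now):
    """Policy Enforcement Point: checks signature, scope and expiry on every request."""
    try:
        user, scope, expiry, sig = token.split("|")
        fresh = now < int(expiry)
    except (AttributeError, ValueError):
        return False  # missing or malformed token: deny
    good_sig = hmac.compare_digest(sig.encode(), _sign(user, scope, expiry).encode())
    return good_sig and scope == resource and fresh
```

The token is valid for one resource only, so a stolen grant for the finance module does not open any other application, which is the blast-radius limit the page contrasts with VPN access.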

What is the Zero Trust framework?

The Zero Trust framework is the set of principles, controls and technologies used to implement the architecture. Most adopted references: NIST SP 800-207 (architecture), CISA Zero Trust Maturity Model (5 pillars: identity, devices, networks, applications, data), Forrester ZTX, Gartner CARTA. The choice depends on the regulatory context (NIS2, DORA) and organisational maturity.

Which vendors are leading the adoption of Zero Trust security frameworks?

No vendor covers the entire Zero Trust stack: adoption is multi-vendor by definition. Leaders per pillar: Identity — Microsoft Entra ID, Okta, Ping Identity, CyberArk (PAM); Endpoint/Device — CrowdStrike, SentinelOne, Microsoft Defender; Network/ZTNA — Zscaler, Palo Alto Prisma Access, Cisco Duo; Microsegmentation — Illumio, Akamai Guardicore; Data/CASB — Netskope, Microsoft Purview. Fortgale is vendor-agnostic: it combines existing components and integrates new ones only when needed.

Is Zero Trust suitable for SMEs or only for enterprises?

It is an architectural model, not a single product. Adoption is progressive and modular: start from identity + MFA, gradual extension. Fortgale supports all sizes with a realistic roadmap.

How long does implementation take?

12-36 months depending on complexity and starting point. Iterative: early phases (inventory, MFA, baseline segmentation) deliver benefits within the first 3-6 months; advanced phases (microsegmentation, UEBA, automation) complete maturity.

Difference between Zero Trust and VPN?

A VPN grants access to the entire network once the user is authenticated: this is the implicit trust that ZT eliminates. With ZTNA, access is granted only to the specific authorised app/resource and is verified every time. Compromised VPN account → attacker moves across the entire network; ZTNA → blast radius limited to a single resource.

Are Zero Trust and cloud compatible?

ZT was born for the cloud era. Unlike perimeter security, it natively handles multi-cloud, hybrid and remote-first scenarios. Every resource is protected with the same continuous verification controls: identity, device, context, behaviour.

Does Fortgale implement Zero Trust directly?

Vendor-agnostic approach: posture assessment, roadmap definition, support for technology integration (IdP, EDR, CASB, SIEM, microsegmentation) and continuous access monitoring via MDR + CTI. We don't sell licences: we design the architecture best suited to the customer.

Zero Trust Assessment

Ready to adopt Zero Trust?

It starts with the assessment. In 90 minutes we identify the critical gaps in your infrastructure and we build the implementation roadmap together — concrete, prioritised, sustainable.

Response time: < 1 business day.
