Zero Trust 2026: These 4 steps work in IT, OT & cloud-first

Author: Andreas Winet
Published: 15 December 2025


AI-powered attacks, ransomware and geopolitical cyber operations will further aggravate the threat landscape for IT and OT in 2026. At the same time, requirements are increasing due to cloud-first strategies and regulations such as ISG, NIS2 and DORA. Zero Trust is an operational necessity. What works in cloud-first environments, and why can Zero Trust only be implemented in hybrid form in OT? A compact explanation, 5 practical Zero Trust tips and the 4 key steps for cloud-first and OT.

Before we look at specific success factors of Zero Trust strategies, it is worth taking a look at current practice: How far has Zero Trust come today? The answers vary depending on the area: In IT, the model is established, whereas in OT it is more likely to be implemented as a hybrid. A systematic comparison shows where companies should start today.

Zero Trust in transition: Why cloud providers are switching from VPN to Zero Trust

The major cloud providers (hyperscalers) are relying on Zero Trust to replace the classic VPN paradigm. All access, whether internal or external, must be authenticated and authorized, regardless of location. The following have become established:

  • Identity-based access instead of IP addresses: Each access is only granted according to identity, device status and context (e.g. location, behavior). This has led to 90% fewer successful phishing attacks, as stolen credentials can no longer be used without device compliance.
  • Micro-segmentation: Networks are divided into small, isolated zones. Lateral movement of attackers has been reduced by 80%.
  • Continuous Authentication: Users are not only checked at login, but continuously based on context signals (e.g. device status, location, anomalies in behavior).

A critical reflection:

  • 5+ years of implementation show: Zero Trust is not a sprint, but a cultural transformation.
  • Costs versus benefits: The initial investment is high. Nevertheless, the long-term reduction in security incidents justifies the expenditure.

Practical tip: Start small, think big: multi-factor authentication (MFA) and micro-segmentation still have potential for expansion.

Cloud-first with zero trust: how identities and AI control access

Some cloud providers rely on a complete zero-trust architecture to protect cloud services and internal systems.

  • "Never Trust, Always Verify" for all services: even internal teams use Zero Trust Network Access (ZTNA) to access resources.
  • AI-supported systems and heuristics detect unusual access patterns such as "impossible travel" or atypical login times.
  • Conditional Access Policies: Access is dynamically granted or blocked based on risk scores (e.g. suspicious login attempts).
  • Integration into modern operating systems: Standard security functions (e.g. Credential Guard, behavioral biometrics) enforce Zero Trust principles.
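
The impossible-travel check and risk-based conditional access described above, sketched as an added example (not code from InfoGuard or any cloud provider). The sign-in events, weights, speed ceiling and thresholds are constructed assumptions.

```python
import math
from datetime import datetime

# Constructed sign-in events (not real data): user, UTC time, lat, lon, device compliant
EVENTS = [
    ("alice", "2026-01-12T08:00:00", 47.37, 8.54, True),    # Zurich
    ("alice", "2026-01-12T09:30:00", 46.95, 7.45, True),    # Bern, plausible trip
    ("alice", "2026-01-12T10:00:00", 40.71, -74.01, True),  # New York, 30 min later
    ("bob",   "2026-01-12T03:10:00", 47.37, 8.54, False),   # night login, non-compliant device
]

MAX_KMH = 900              # assumed ceiling: roughly airliner speed
MIN_KM = 100               # assumed tolerance for geolocation jitter
WORK_HOURS = range(6, 20)  # assumed typical login window (UTC)

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def risk_score(event, previous):
    """Add up context signals for one sign-in; weights are illustrative."""
    _, ts, lat, lon, compliant = event
    when = datetime.fromisoformat(ts)
    score = 0
    if not compliant:
        score += 50  # device fails the compliance check
    if when.hour not in WORK_HOURS:
        score += 20  # atypical login time
    if previous:
        hours = (when - datetime.fromisoformat(previous[1])).total_seconds() / 3600
        km = haversine_km(previous[2], previous[3], lat, lon)
        if km > MIN_KM and km > MAX_KMH * hours:
            score += 60  # impossible travel, including simultaneous distant logins
    return score

def decide(score):
    """Map a risk score to a conditional-access outcome."""
    return "block" if score >= 60 else "mfa" if score >= 20 else "allow"

def evaluate(events):
    """Evaluate events in time order, tracking each user's last sign-in."""
    last, out = {}, []
    for ev in sorted(events, key=lambda e: e[1]):
        out.append((ev[0], ev[1], decide(risk_score(ev, last.get(ev[0])))))
        last[ev[0]] = ev
    return out
```

`evaluate(EVENTS)` blocks Bob's off-hours sign-in from a non-compliant device and Alice's New York sign-in, while her Zurich and Bern sign-ins are allowed.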

A critical reflection:

  • Cloud-first makes zero trust easier: integrated zero trust features in cloud platforms (e.g. identity management, conditional access) lower the barriers to entry. Legacy systems are more complicated to integrate.
  • Acceptance problems: Employees initially find the re-authentication requests annoying until the benefits are convincing (e.g. no more VPNs).

Practical tip: Many cloud services offer zero trust functions as standard. For a rapid security gain, these should be activated in a targeted manner, configured correctly and used consistently.

Zero Trust for SMEs: ZTNA, SASE and SIEM from the cloud

Zero Trust can also be implemented for SMEs without their own infrastructure:

  • ZTNA is increasingly supplementing or replacing traditional VPNs, especially for cloud and SaaS applications.
  • Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA) monitor behavior in real time.
  • Secure Access Service Edge (SASE) combines network security (e.g. ZTNA, Firewall-as-a-Service, CASB) in a cloud platform for holistic protection without proprietary hardware or complex infrastructure.

A critical reflection:

  • "Zero-Trust-as-a-Service" lowers the barriers to entry, but data sovereignty and compliance must be clarified.
  • Measurability is crucial: the provider uses the average time until a security incident is detected, phishing rate and compliance status as key performance indicators (KPIs).

Practical tip: Define clear KPIs: Without measurable targets (e.g. reducing the phishing rate by 50%), it is unclear whether the measures are effective.

A Zero Trust Readiness Assessment from InfoGuard provides information about the current maturity level of your security architecture and defines the next steps for effective Zero Trust implementation.

You will receive a prioritized list of measures that will make your environment fit for current and future security and collaboration requirements. Interested? Request a non-binding assessment now.


Zero Trust in OT: certificates, segmentation and monitoring

Larger industrial groups rely on Zero Trust for Operational Technology (OT) to protect production facilities and critical infrastructures.

  • Device-based authentication: Each OT device (PLC, SCADA) receives a digital certificate. Where native certificate support is lacking, gateways with integrated certificate management are used. Access is based exclusively on the device status check.
  • Micro-segmentation in OT: Networks are divided into logical zones (e.g. production, maintenance, remote access).
  • Passive monitoring: SIEM and OT-specific anomaly detection as well as monitoring of unusual commands to control systems.

A critical reflection:

  • Legacy systems are the biggest obstacle: many OT devices do not support modern authentication; gateways (e.g. industrial routers with certificate management) help here.
  • Real-time requirements call for passive monitoring rather than active blocking.

Practical tip: OT needs adapted zero trust models: Use hybrid approaches (e.g. air gaps for critical systems + ZTNA for remote access).

SMEs can noticeably strengthen their IT security by introducing modern solutions such as identity management (e.g. with Azure AD), central device control (e.g. Intune) or secure remote access. These measures help to gradually implement zero trust principles. This gives you more transparency and reduces the administration effort.

Zero trust in SMEs succeeds with MFA, segmentation and SOC

SMEs rely on zero trust strategies to protect themselves effectively against phishing and ransomware.

  • MFA for all accounts (including OT admins).
  • Micro-segmentation: Production networks have been divided into isolated zones.
  • SOC and SIEM are not a luxury, but a necessity: without real-time monitoring, Zero Trust is blind in one eye.
  • Training: Employees learn to recognize phishing emails.

A critical reflection:

  • Zero Trust is also feasible for SMEs if it is implemented gradually.
  • MFA combined with microsegmentation is the most effective measure against ransomware.
  • A managed SOC (Security Operations Center) provides continuous 24/7 eyes-on-glass monitoring and rapid intervention without in-house personnel costs.

Practical tip: Combine technology and training: The most effective measure against ransomware is MFA + microsegmentation + awareness training.

Zero Trust requires gradual cultural change and clear priorities

Zero Trust is not a project with an end date. Zero Trust is an ongoing strategy that evolves with each new technology and threat. Successful companies rely on a gradual introduction rather than a big bang. By using AI and automation, the model can be scaled, while measurable metrics such as mean-time-to-detect (MTTD) or phishing rate prove the actual return on investment.

In the OT world, zero trust is being adopted more slowly but increasingly, usually in hybrid form. Adapted models with passive monitoring and device certificates are necessary to protect sensitive production environments. Legacy systems remain a challenge, but gateways and proxy solutions create transitions. Increasing regulatory pressure, for example from NIS2 or IEC 62443, will accelerate the introduction.

The greatest danger remains half-hearted implementation. Zero Trust is not a product, but a cultural change that encompasses technology, processes and people.

"Technology is rarely the problem; a lack of planning and corporate culture are the real stumbling blocks on the road to Zero Trust."

Four steps for effective Zero Trust in IT and OT

Zero Trust succeeds when priorities are clear, the maturity level is verifiable and IT and OT are brought together in a meaningful way.

Precisely because Zero Trust goes far beyond technology, it requires a strategy that brings together technical reality, organizational maturity and regulatory requirements. Those who take a holistic view of IT and OT and make progress measurable will noticeably reduce risks and create a resilient security basis.

Four recommendations for action that should be the focus now:

  1. Reduce attack surfaces: Strengthen identities, enforce micro-segmentation and secure remote access.
  2. Gain transparency: Continuously monitor IT and OT environments and detect anomalies early.
  3. Measure maturity: Use MTTD, phishing rate and compliance status as a basis for effective decision-making.
  4. Use hybrid models: Automate Zero Trust where possible and adapt it to OT specifics where necessary.

A scalable zero trust architecture with InfoGuard

It is crucial to understand where your organization stands today and how you can reach the next level of maturity in a targeted manner. This is exactly where our Zero Trust Readiness Assessment comes in. It shows how your security architecture is currently set up, what gaps exist and how prioritized measures can be effectively planned and implemented.

InfoGuard's experts will assist you with the actual implementation. With over 350 specialists, we support you in anchoring Zero Trust in a way that is effective, scalable, future-proof and tailored to your individual requirements.

Zero Trust is like an airbag - you only realize how important an airbag is when you need it. Arrange a non-binding initial consultation now.
