The traditional "castle-and-moat" security model is obsolete since compromised credentials let hackers bypass the firewall entirely. We implement absolute Zero-Trust Network Access (ZTNA). Every request—whether the CEO inside the Dubai office or a manager traveling abroad—is continuously authenticated, authorized, and vetted for anomalies.
Identity Verification and Conditional Access
In a Zero Trust architecture, granting network access is not enough — every request must prove identity, device health, and context. We implement Microsoft Entra ID Conditional Access policies that evaluate six signals before granting access: user identity, device compliance state, location, application sensitivity, session risk score, and real-time sign-in risk calculated by Microsoft's ML models.
For high-sensitivity applications such as financial ERP or HR systems, we require hardware FIDO2 security keys rather than SMS-based MFA, which is trivially bypassed by SIM-swap attacks — a growing threat in the UAE.
- Entra ID Conditional Access with risk-based evaluation
- FIDO2 hardware key enforcement for high-sensitivity systems
- Device compliance checks before granting any application access
- Continuous access evaluation — sessions revoked within 60 seconds of risk change
- Guest and contractor access scoped to specific applications only
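A simplified evaluator for the decision logic described above, added here as an example (it is not this page's own code and not the Entra ID policy engine); the signal field names, the app names and the guest app list are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed model of the six Conditional Access signals named above
# (identity, device compliance, location, app sensitivity, session risk,
# sign-in risk) plus the authentication method used. Not Entra's engine.
@dataclass
class SignIn:
    user: str
    app: str
    app_sensitivity: str     # "standard" or "high" (financial ERP, HR)
    device_compliant: bool
    location_trusted: bool   # e.g. the Dubai office network
    session_risk: str        # "low" | "medium" | "high"
    signin_risk: str         # "low" | "medium" | "high"
    auth_method: str         # "password" | "sms" | "fido2"
    is_guest: bool = False

# Hypothetical scoping: guests and contractors only reach listed apps.
GUEST_APPS = {"vendor-portal"}

def evaluate(s: SignIn) -> str:
    """Return 'allow', 'block' or 'require:<control>' for one request."""
    if "high" in (s.session_risk, s.signin_risk):
        return "block"                      # risk-based evaluation first
    if not s.device_compliant:
        return "require:compliant-device"   # device health before any app
    if s.is_guest and s.app not in GUEST_APPS:
        return "block"                      # guest access scoped to apps
    if s.app_sensitivity == "high":
        # SMS does not satisfy sensitive apps: SIM swap defeats it.
        return "allow" if s.auth_method == "fido2" else "require:fido2"
    if s.signin_risk == "medium" or not s.location_trusted:
        return "allow" if s.auth_method in ("sms", "fido2") else "require:mfa"
    return "allow"

def continuous_evaluation(s: SignIn, updates: list) -> str:
    """Re-run the policy as signals change mid-session. Returns the first
    non-allow verdict (the session is revoked) or 'allow' if it survives.
    The 60-second revocation figure is a service SLA, not enforced here."""
    for field, value in updates:
        setattr(s, field, value)
        verdict = evaluate(s)
        if verdict != "allow":
            return verdict
    return "allow"
```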
Microsegmentation and Lateral Movement Prevention
Even with strong perimeter controls, a compromised endpoint inside the network can pivot laterally to reach sensitive servers. We implement network microsegmentation using Fortinet FortiNAC or Cisco ISE, placing every device into a dynamically assigned VLAN based on its identity and health state. An unpatched laptop automatically moves to a quarantine VLAN with internet-only access until it is remediated.
East-west firewall policies between segments ensure that even a fully compromised endpoint in the sales VLAN cannot initiate connections to the finance or database segments — limiting blast radius to a single segment.
Remote Access Without VPN
Traditional VPN gives remote users the same level of access as if they were physically in the office, so a stolen VPN credential provides unrestricted internal network access. We replace VPN with Zscaler Private Access or Cloudflare Access, which provide application-level access to specific internal apps based on identity, without exposing the entire internal network to the remote device.