Beyond the Hype: Making Zero Trust a Reality with Cloud Application Security Model

Feb 19, 2025



If you’ve worked in security for more than five minutes, you’ve heard of Zero Trust.

It’s everywhere. Every vendor, every security blog, every conference panel–it’s the silver bullet that will fix everything.

Except that’s not true.

Most of what you hear about Zero Trust is marketing hype. Vendors will tell you that their product is the missing puzzle piece–the one thing that will make your organisation “Zero Trust compliant.” They’ll promise airtight security, regulatory approval, and a stress-free audit season, all for the low, low price of whatever their licensing model dictates.

The reality? Zero Trust isn’t a product. It’s a mindset shift.

It’s about continuously assessing access, trust, and risk–not just at login, but throughout a session. It’s about adapting to modern threats instead of clinging to outdated perimeter security models. It’s about security that enables business, rather than blocking it.

In my day job, we’ve spent the last few years operationalising Zero Trust–without throwing money at new tools. The result is something we call the Cloud Application Security Model (CASM), a practical, scalable approach that actually works in the real world.

This post will cover:

  • What Zero Trust actually means (and what it absolutely does not).
  • The business problem we were trying to solve.
  • How we built CASM as a vendor-agnostic framework.
  • Practical ways to implement and automate Zero Trust using existing tools.

Let’s dive in.


What Zero Trust Is (And What It’s Not)

First, let’s clear up some misconceptions.

Zero Trust IS:

  • Continuous security validation – You don’t just authenticate once and assume everything is fine. Every action is reassessed based on context.
  • A business enabler – Security that slows down innovation will be ignored or worked around. A Zero Trust model should help the business move fast without introducing unnecessary risk.
  • A shift away from perimeter security – Forget the idea that your firewall is the boundary between “trusted” and “untrusted” users. Identity, data, and applications are the new perimeter.

Zero Trust IS NOT:

  • A single product – No matter what vendors tell you, there is no one-size-fits-all Zero Trust solution.
  • A static security model – Threats evolve, user behaviour shifts, and your security controls need to adapt in real time.
  • Just another compliance checkbox – It’s not about ticking off NIST or CISA recommendations. It’s about real risk reduction.

Zero Trust is a shift in approach, not a shopping list. The good news? You don’t need new tech to get started.


The Real Problem: Shadow IT, Cloud, and the Modern Attack Surface

Zero Trust isn’t just a trendy term–it’s a response to a real problem.

In a world where anyone can sign up for a SaaS tool with a credit card, traditional security models don’t cut it anymore.

Your employees don’t need IT approval to spin up a cloud service. They just do it. And while that’s great for innovation, it also means:

  • Security teams lack visibility into how business data is used.
  • SaaS apps store sensitive information outside traditional security controls.
  • Users create weak or duplicate passwords across unmanaged apps.
  • Attackers don’t need to “hack” your environment–they just log in.

Meanwhile, the nature of attacks has changed. Threat actors don’t need to exploit complex vulnerabilities when they can just steal credentials and bypass weak identity controls.

In fact, Google’s Threat Horizons Report for the first half of 2024 showed that 47% of cloud security incidents were related to identity compromises.

Think about that. Almost half of cloud breaches were not because of malware, zero-day exploits, or rogue insiders. They happened because attackers gained access through weak, stolen, or misconfigured identities.

This is the reality we need to secure against.


How We Built CASM: The Cloud Application Security Model

Faced with these challenges, we didn’t start by looking for a new tool. We started by asking:

What does good security actually look like?

Rather than cataloguing every possible threat, we flipped the model:

  • What do we expect users to do?
  • How can they do it securely?
  • How can we consistently enforce those security controls?

This led us to CASM: a framework for applying Zero Trust principles in a structured, repeatable way.

The Five Pillars of CASM

Pillar             | What It Covers                                    | Why It Matters
Visibility         | Logging, monitoring, and observability            | You can’t secure what you can’t see. If you don’t know what’s happening in your environment, you’re blind to threats.
Identity           | Authentication, authorisation, and user behaviour | Identity is the universal perimeter in cloud security. Weak authentication = compromised security.
Data               | Protection, classification, and ownership         | Know where your data is, who has access, and what they can do with it.
Legal & Compliance | Regulatory requirements, governance               | Compliance isn’t an annual audit–it’s an ongoing process.
Enforcement        | Policy enforcement, automation, adaptive security | Security should respond dynamically to risk, rather than just blocking everything.

This structure ensures that security controls are aligned, consistent, and business-friendly.


Implementing CASM: A Risk-Based Access Model

Theory is great. But how do we make this work in practice?

The answer: risk-based, real-time access decisions.

Rather than static security policies, we use dynamic risk scoring to assess every access request.

Step 1: Observe Everything

For every request, we gather as much context as possible:

  • Location – Is this a trusted or high-risk location?
  • Identity – Is the user behaving normally? Have they passed MFA?
  • Device – Is this a corporate-managed device?
  • Application – Is the user trying to access a known SaaS tool?

Step 2: Assign a Risk Score

Every factor adds or subtracts points from a total trust score.

Example:

  • Logging in from a corporate device on a trusted network? +30 points
  • Accessing from a new location with a personal laptop? -40 points
  • MFA passed successfully? +20 points
  • Guest account? -30 points

Step 3: Apply Adaptive Enforcement

  • High trust (>200 points) → Full access
  • Medium trust (100-200 points) → Require step-up authentication (MFA)
  • Low trust (<100 points) → Block or apply restrictions

This approach allows real-time risk assessment without blocking legitimate business activity.
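The three steps above as a small policy engine, written here as an added illustration rather than code from the CASM implementation. The point weights and thresholds are the ones given in Steps 2 and 3; the baseline score of 160 and the 25-point penalty for an unknown application are assumptions, since the post does not state them.

```python
from dataclasses import dataclass

# Thresholds from Step 3 of the post: >200 allow, 100-200 step-up MFA, <100 block.
FULL_ACCESS_ABOVE = 200
STEP_UP_AT_LEAST = 100
# Assumed baseline for an authenticated request and assumed penalty for an
# application that is not a known SaaS tool; the post gives neither number.
BASELINE = 160
UNKNOWN_APP_PENALTY = 25

@dataclass(frozen=True)
class AccessRequest:  # context gathered in Step 1 (Observe Everything)
    user: str
    is_guest: bool
    mfa_passed: bool
    device_managed: bool
    network_trusted: bool
    location_seen_before: bool
    app_known: bool

def score_request(req: AccessRequest) -> tuple[int, list[str]]:
    """Step 2: each factor adds or subtracts points; reasons are kept for logging."""
    score, reasons = BASELINE, []
    if req.device_managed and req.network_trusted:
        score += 30
        reasons.append("+30 corporate device on trusted network")
    if not req.device_managed and not req.location_seen_before:
        score -= 40
        reasons.append("-40 new location from a personal device")
    if req.mfa_passed:
        score += 20
        reasons.append("+20 MFA passed")
    if req.is_guest:
        score -= 30
        reasons.append("-30 guest account")
    if not req.app_known:
        score -= UNKNOWN_APP_PENALTY
        reasons.append(f"-{UNKNOWN_APP_PENALTY} unknown application (assumed weight)")
    return score, reasons

def decide(score: int) -> str:  # Step 3: map the trust score to an action
    if score > FULL_ACCESS_ABOVE:
        return "allow"
    return "step_up_mfa" if score >= STEP_UP_AT_LEAST else "block"

def evaluate(req: AccessRequest) -> dict:  # decision plus its evidence, for the audit log
    score, reasons = score_request(req)
    return {"user": req.user, "score": score, "decision": decide(score), "reasons": reasons}
```

Returning the reasons alongside the decision is what makes the Visibility pillar work: every allow, step-up or block can be logged with the factors that produced it.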


Final Thoughts: Making Zero Trust Work for You

Zero Trust isn’t about spending more money. It’s about thinking differently.

Start with what you have, focus on visibility, identity, and enforcement, and iterate over time.

Zero Trust isn’t about buying tools. It’s about taking control.

Are you ready to move beyond the hype?
