August 25, 2025

Zero Trust 2025: A 30-day identity-first MVP you can launch

In 2025, Zero Trust has moved from a forward-looking aspiration to the default enterprise security model. 

According to recent analysis, most new remote access deployments are shifting from VPN to Zero Trust Network Access (ZTNA), emphasizing identity verification, least privilege, and real-time access governance. However, implementing Zero Trust Architecture comes with its own set of challenges. A study published in the International Journal of Engineering Research & Technology (IJERT) shows that tech teams struggle to integrate Zero Trust principles with outdated infrastructures, while managers fail to understand the return on investment (ROI) of Zero Trust implementations, particularly for SMEs.

Zero Trust 2025: Get the fundamentals right

Zero Trust is an architectural and operational shift: continuous verification per session, policy decision/enforcement points, segmentation and isolation, analytics, and automation/orchestration across identity, device, network, app/workload, and data pillars. Often, it’s about getting the fundamentals right.

NIST’s ZTA blueprint and CISA’s maturity model both start with those fundamentals—strong identity, device posture, per-request authorization, and pervasive telemetry—because you can’t do Zero Trust without them. Based on its experience assessing the identity and access models of organizations across the world, Unosecur has prepared a minimum viable, identity-first Zero Trust plan you can start in 30 days and scale across the enterprise in 90-120 days. It prioritizes access discovery, MFA + passwordless with risk-based controls, least privilege via JIT, machine identity hygiene, and ITDR detections—all with realistic guardrails (fallbacks, exception handling, and phased rollouts).

You also get a starter KPI dashboard so progress is visible to security, IT, and leadership from week one.

Guiding principles: Identity-first, risk-based, passwordless

Lead with identities and entitlements before networks—this is Zero Trust Identity Security grounded in Zero Trust Architecture. Replace blanket prompts with risk-based authentication and adaptive/activity-based access control. 

Prefer passwordless authentication for sensitive actions, but keep SSO and modern fallbacks to avoid lockouts. Shrink standing privilege toward least privilege with JIT. Prioritize entitlement right-sizing via CIEM and governance via IGA/PAM. Use identity orchestration (and where safe, no-code policy orchestration) to change policies quickly without breaking access.

Week 1: Discover and baseline (Days 1–7)

Goal: Know who exists, what they can reach, and where privilege concentrates.

Run access discovery across IDP/AD/Entra, cloud accounts, and top SaaS to map users, groups, roles, non-human identities (NHIs), and effective permissions. Tag privileged identities, externals/contractors, and break-glass accounts; reconcile duplicates; and assign owners for critical apps. 

Baseline authentication: MFA coverage (overall/admins), passwordless share, legacy/basic auth usage, and prompts per user. In hybrid identity environments, identify where policy is enforced (IdP vs app vs device).

Reality check: Aim for more than 95% identity inventory coverage, but accept that some fringe systems surface in Weeks 2–3. Capture a “top 10 risks” list (excess privilege, orphaned accounts, legacy hot spots) and publish it on your program dashboard.

Week 2: Authentication uplift (Days 8–14)

Goal: Cut friction without losing security.

Move toward 100% MFA for admins with a managed exception-handling process. The objective is to target 100% while formally retiring legacy “forever exemptions.” Launch a passwordless pilot (FIDO2/passkeys) for one admin team and one business cohort, and design risk-based authentication rules: allow on known user + managed healthy device; step-up for unmanaged/new device or privileged action; deny when multiple high-risk signals combine.

Fallbacks matter. Many estates mix devices, browsers, and legacy apps. Provide modern fallbacks (e.g., platform passkeys, OTP via authenticator app) with tight risk limits to prevent lockouts during the pilot. Begin migrating apps behind SSO and deprecate basic/legacy auth where feasible.
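The allow / step-up / deny rules above, and the "modern fallbacks with tight risk limits" they rely on, as one policy function. This is an added illustration, not Unosecur's code or any IdP's policy schema; the signal names, the `AccessContext` fields and the choice of passkey and authenticator-app OTP as the enrolled methods are assumptions.

```python
from dataclasses import dataclass, field

# Signals that alone force a step-up and, when two or more combine, a deny (constructed names).
HIGH_RISK = {"impossible_travel", "tor_exit", "leaked_credential", "token_replay"}

@dataclass
class AccessContext:
    user_known: bool          # identity exists in the Week 1 inventory
    device_managed: bool      # enrolled in MDM
    device_healthy: bool      # posture check passed
    new_device: bool          # first time this device is seen for the user
    privileged_action: bool   # admin console, role change, JIT elevation
    risk_signals: set = field(default_factory=set)
    authenticators: set = field(default_factory=set)  # enrolled methods: "passkey", "totp"

def decide(ctx: AccessContext) -> dict:
    """Return {'decision': 'allow'|'step_up'|'deny', ...} for one access request."""
    high = ctx.risk_signals & HIGH_RISK
    if not ctx.user_known:
        return {"decision": "deny", "reason": "unknown identity"}
    if len(high) >= 2:
        return {"decision": "deny", "reason": "combined high-risk signals: " + ", ".join(sorted(high))}
    needs_step_up = (not ctx.device_managed or not ctx.device_healthy
                     or ctx.new_device or ctx.privileged_action or bool(high))
    if not needs_step_up:
        # Known user on a managed, healthy device doing routine work: no prompt at all.
        return {"decision": "allow", "reason": "known user on managed healthy device"}
    methods = []
    if "passkey" in ctx.authenticators:
        methods.append("passkey")
    # Fallback with tight risk limits: authenticator-app OTP is accepted for ordinary
    # step-ups (new or unmanaged device) but never for privileged actions or risky sessions.
    if "totp" in ctx.authenticators and not ctx.privileged_action and not high:
        methods.append("totp")
    if not methods:
        return {"decision": "deny", "reason": "no acceptable step-up authenticator enrolled"}
    return {"decision": "step_up", "methods": methods}
```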

Reality check: Don’t flip every app in one week. Prove the pilot works, then schedule broader enablement during the 90-day scale-out.

Week 3: Least privilege and machine identities (Days 15–21)

Goal: Shrink blast radius and remove silent backdoors.

Use early CIEM insights to prioritize entitlement fixes. Full CIEM onboarding across clouds typically exceeds 30 days; for the MVP, focus on the top ten over-permissioned roles in one cloud or business unit and convert daily “admin” work to JIT elevation for sensitive tasks. Bind elevation to passwordless step-up and strict expiry.

Tackle machine identity security in parallel. Inventory NHIs, assign owners, and rotate long-lived keys where safe. When legacy workloads require static secrets, move them into a vault (e.g., HSM-backed solutions) with audit, tight scope, and rotation windows. Prefer short-lived, scoped tokens with audience restrictions as you modernize.
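The two grant types described in the Week 3 paragraphs share one shape: a short-lived, audience-bound, scoped token, where JIT elevation additionally demands a passwordless step-up and a hard expiry cap. The following issuer/verifier is an added example, not Unosecur's code or any vault product's API; the HMAC demo key, the 15-minute elevation cap and the `admin:` scope prefix are assumptions, and in practice the signing key would live in the vault or HSM the text describes.

```python
import base64, hashlib, hmac, json, time

SIGNING_KEY = b"demo-only-key-do-not-use"   # constructed; a real key stays in the vault/HSM
MAX_ELEVATION_SECONDS = 15 * 60              # strict expiry for JIT elevation (assumed cap)

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_grant(subject, audience, scope, ttl, step_up_method=None, now=None) -> str:
    """Issue a signed grant. Scopes starting with 'admin:' are JIT elevations and require
    a phishing-resistant step-up plus a capped lifetime; other scopes are workload tokens."""
    now = time.time() if now is None else now
    if scope.startswith("admin:"):
        if step_up_method != "passkey":
            raise PermissionError("JIT elevation requires passwordless step-up")
        ttl = min(ttl, MAX_ELEVATION_SECONDS)
    claims = {"sub": subject, "aud": audience, "scope": scope, "iat": int(now), "exp": int(now) + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_grant(token, expected_audience, required_scope, now=None) -> dict:
    """Return the claims only if signature, expiry, audience and scope all check out."""
    now = time.time() if now is None else now
    body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        raise PermissionError("grant expired")
    if claims["aud"] != expected_audience:           # audience restriction
        raise PermissionError("audience mismatch")
    if required_scope not in claims["scope"].split():  # scoped, not blanket, access
        raise PermissionError("scope mismatch")
    return claims
```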

Reality check: Document exceptions with owners and expiry dates. The outcome this week is prioritized reduction, not perfection.

Week 4: Detection, automation & operating model (Days 22–30)

Goal: Make Zero Trust continuous without breaking things.

Enable Identity Threat Detection & Response (ITDR) detections for anomalous token use, rogue privilege grants, suspicious session patterns, and legacy protocol use. Introduce automated remediation carefully: start with low-risk actions like token revocation or forced re-auth before full account disablement. Build playbooks that attach rich context to tickets so analysts can confirm intent quickly.
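An added example (not Unosecur's code, and not any SIEM's rule language) of the three detection classes above run over constructed sample telemetry, with the graded response the paragraph recommends: token revocation and forced re-auth are the only actions allowed to run automatically, while a suspect privilege grant becomes a context-rich ticket. Event field names, the `jit-broker` actor and the IP threshold are assumptions.

```python
from collections import defaultdict

LEGACY_PROTOCOLS = {"imap", "pop3", "smtp_basic", "ntlm"}
PRIVILEGED_ROLES = {"GlobalAdmin", "Owner", "SecurityAdmin"}
# Low-risk responses that may run automatically; everything else goes to an analyst ticket.
AUTO_ACTIONS = {"force_reauth", "revoke_token"}

# Constructed sample identity telemetry (not real logs); field names are assumptions.
EVENTS = [
    {"type": "signin", "user": "svc-mail", "protocol": "imap", "ip": "203.0.113.7"},
    {"type": "signin", "user": "alice", "protocol": "oauth2", "ip": "198.51.100.4"},
    {"type": "token_use", "user": "alice", "token_id": "t-9f1", "ip": "198.51.100.4"},
    {"type": "token_use", "user": "alice", "token_id": "t-9f1", "ip": "192.0.2.88"},
    {"type": "token_use", "user": "alice", "token_id": "t-9f1", "ip": "192.0.2.89"},
    {"type": "role_grant", "actor": "bob", "target": "carol", "role": "GlobalAdmin", "ticket": None},
    {"type": "role_grant", "actor": "jit-broker", "target": "dave", "role": "GlobalAdmin", "ticket": "CHG-1042"},
]

def detect(events, max_ips_per_token=2):
    """Run three ITDR rules over the events and return findings with a proposed response."""
    findings, ips_by_token, user_by_token = [], defaultdict(set), {}
    for e in events:
        if e["type"] == "signin" and e["protocol"] in LEGACY_PROTOCOLS:
            findings.append({"rule": "legacy_protocol", "user": e["user"], "action": "force_reauth"})
        elif e["type"] == "token_use":
            ips_by_token[e["token_id"]].add(e["ip"])
            user_by_token[e["token_id"]] = e["user"]
        elif e["type"] == "role_grant" and e["role"] in PRIVILEGED_ROLES:
            # A privileged grant is rogue unless the JIT broker issued it against a change ticket.
            if e["actor"] != "jit-broker" or not e["ticket"]:
                findings.append({"rule": "rogue_privilege_grant", "user": e["target"],
                                 "actor": e["actor"], "action": "review_grant"})
    for token_id, ips in ips_by_token.items():
        # One token replayed from more distinct addresses than expected: anomalous token use.
        if len(ips) > max_ips_per_token:
            findings.append({"rule": "anomalous_token_use", "user": user_by_token[token_id],
                             "token_id": token_id, "ips": sorted(ips), "action": "revoke_token"})
    return findings

def triage(findings):
    """Split findings into actions safe to automate and ones needing an analyst with context."""
    auto = [f for f in findings if f["action"] in AUTO_ACTIONS]
    tickets = [f for f in findings if f["action"] not in AUTO_ACTIONS]
    return auto, tickets
```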

Align TPV (Time to Patch Vulnerabilities) with MTTR so patches ship as fast as incidents are fixed, but treat the first month as instrumenting the metric and agreeing on P1/P2 targets, not achieving every SLO. Publish your operating rhythms: weekly metric reviews, monthly entitlement cleanup, and quarterly access certification.

Reality check: “auto-contain everything” is not a Week-4 goal. Scope automation where lockout risk is minimal; expand after two to three tuning cycles.

Zero Trust 2025: The dashboard that steers you 

Use four lenses and keep each metric segmentable by app, team, and environment.

Coverage
Track identity inventory coverage, admin MFA progress toward 100% with managed exceptions, passwordless pilot adoption, and Tier-1 SSO coverage. Set targets as directional in the MVP and convert to SLOs during the 90-day scale-out.

Reduction
Show excess-privilege trending down, JIT replacing standing admin rights in the first target area, and dormant/orphaned identities decreasing. Log CIEM onboarding status and analysis depth so stakeholders see why the curve changes gradually.

Speed
Instrument identity MTTD/MTTR and the TPV vs MTTR delta. In the MVP, focus on data quality and alert routing; hard targets come as tuning stabilizes.

Automation
Report on low-risk auto-actions (token revokes, secret rotation) and on-time access reviews. Expand to higher-impact automation only after two clean weekly reviews.

Risks and real-world mitigations

Prompt fatigue is normal for a week or two; risk-based authentication and passwordless should bring it down.

Legacy systems resist modern auth; isolate them behind SSO gateways and use identity orchestration to sequence migrations safely. 

Cultural pushback eases when you show fewer prompts and fewer incidents on the same dashboard. 

Scope creep is managed by sprint discipline. Don’t add apps without adding test time and a rollback.

Zero Trust 2025: Your MVP plan to copy-paste

Week 1: Access discovery; assign owners; baseline MFA/passwordless/legacy usage; publish “top 10 risks.”
Week 2: Drive admin MFA toward 100% with managed exceptions; launch passwordless pilot + safe fallbacks; deploy starter RBA rules; move priority apps behind SSO.
Week 3: Convert one area’s standing admin to JIT; fix top-ten roles using CIEM findings; inventory NHIs; rotate keys or vault static secrets.
Week 4: Enable ITDR detections; automate low-risk responses (token revocation, secret rotation); align TPV tracking with MTTR; schedule weekly reviews and monthly Access Certification.

The MVP keeps you moving: identity visibility, safer authentication with fewer interruptions, tighter privileges, and detections you can trust. Use this month to prove value, then expand by business unit and cloud over the next two to four quarters. 
