Zero-trust as a slide deck is overwhelming. Zero-trust as a 90-day delivery plan is achievable. The goal of the first quarter isn't a finished architecture — it's removing the three or four assumptions that, today, would let a single compromised laptop or credential cause a serious incident.
Days 0–30: identity is the perimeter
Consolidate workforce identity behind a single IdP (Okta, Entra ID, Google Workspace). Enforce phishing-resistant MFA — WebAuthn or hardware keys, not SMS. Turn on conditional access policies that check device posture before granting access to sensitive apps.
On the workload side, remove long-lived AWS access keys. Issue short-lived credentials via IAM Identity Center for humans and IAM Roles for Service Accounts (IRSA) for workloads. The day you can prove no static AWS keys exist in your org is the day half of your worst-case incidents become impossible.
Days 30–60: networks stop trusting themselves
Replace the flat VPN with an identity-aware proxy or a zero-trust network access (ZTNA) product. Access decisions move from "are you on the network?" to "who are you, on what device, asking for what?".
Inside the cluster, enable default-deny NetworkPolicies and only open the flows you need. Most lateral-movement incidents we've investigated would have stopped at this step.
Days 60–90: detection that actually fires
Centralise logs in a SIEM your team will actually triage — small and well-tuned beats large and ignored. Wire up a handful of high-signal detections first: impossible-travel logins, new IAM principals created, root-account use, anomalous data egress. Each one should map to a runbook.
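As an added illustration of what "a handful of high-signal detections, each mapped to a runbook" looks like in code (this is example code, not from the original post or any vendor), the block below runs three of the rules named above over constructed CloudTrail-style events. The runbook ids and sample values are assumptions; the impossible-travel rule is a login-velocity check (two IPs for one user inside a short window), standing in for a geolocation-based check that cannot run offline.

```python
from datetime import datetime, timezone

# Constructed CloudTrail-style events (CloudTrail's field names, made-up values).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T09:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-05-01T09:04:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-05-01T09:20:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-05-01T09:25:00Z", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "svc-backup"}},
]
# API calls that mint a new principal or credential; runbook ids below are placeholders.
PRINCIPAL_CREATION = {"CreateUser": "IAM user", "CreateRole": "IAM role", "CreateAccessKey": "access key"}
LOGIN_WINDOW_MIN = 10  # two logins from different IPs inside this window is worth a look


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(events):
    """Return findings, each carrying the runbook an analyst should open."""
    findings, last_login = [], {}  # last_login: userName -> (time, ip) of previous ConsoleLogin
    for e in sorted(events, key=_ts):
        ident, name = e.get("userIdentity", {}), e.get("eventName")
        if ident.get("type") == "Root":  # root should never be used day to day
            findings.append({"rule": "root-account-use", "runbook": "RB-ROOT",
                             "ip": e.get("sourceIPAddress"), "time": e["eventTime"]})
        if name in PRINCIPAL_CREATION:  # new identities are a common persistence signal
            findings.append({"rule": "new-iam-principal", "runbook": "RB-NEW-PRINCIPAL",
                             "kind": PRINCIPAL_CREATION[name], "by": ident.get("userName"),
                             "principal": e.get("requestParameters", {}).get("userName")})
        if name == "ConsoleLogin" and ident.get("userName"):
            user, ip, now = ident["userName"], e.get("sourceIPAddress"), _ts(e)
            prev = last_login.get(user)
            # Velocity check standing in for geo-based impossible travel (no geolocation offline).
            if prev and prev[1] != ip and (now - prev[0]).total_seconds() <= LOGIN_WINDOW_MIN * 60:
                findings.append({"rule": "impossible-travel", "runbook": "RB-TRAVEL",
                                 "user": user, "ips": [prev[1], ip]})
            last_login[user] = (now, ip)
    return findings
```

On the sample above, `detect(SAMPLE_EVENTS)` yields one finding per rule, in event order, each naming the runbook to open.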
By day 90 you should be able to answer three questions in under five minutes: who is logged in where, what is running in production, and what did an attacker just touch? Everything else is iteration.