Zero Trust migration: where do I start?

Summary

This NCSC blog explains practical first steps for migrating to a zero trust architecture. It assumes you have already decided zero trust fits your business goals and covers how to begin: discovery (inventory of users, devices, services and data), identity consolidation and multi-factor authentication, device management and BYOD considerations, risk-informed planning, and building an iterative technology roadmap. The post finishes with a compact checklist of core actions to kick off your zero trust journey.

Key Points

  • Start with a comprehensive inventory of users, devices, services and data; automate where possible.
  • Consolidate identities into a single directory and enforce least privilege plus multi-factor authentication (MFA) as a minimum.
  • Deploy a mobile device management (MDM) solution that gives each managed device a unique identity and granular policy control.
  • Treat BYOD as untrusted by default; focus on controlling data, services and authentication rather than device ownership.
  • Perform an early risk assessment to identify what zero trust can and cannot mitigate and to choose services with required security features.
  • Create an iterative technology roadmap: use proxies for legacy systems now, but aim for native cloud/SaaS or modernised replacements.
  • Retain necessary existing controls where zero trust cannot fully mitigate certain risks (for example availability threats).

Content summary

The blog recommends a methodical, phased migration rather than a big-bang swap. Begin by discovering and documenting what you have and who has access. Consolidate identity sources into a single directory (or one that presents as a single directory to your services) and scope permissions to least privilege. Enable MFA (or consider password-less options) to raise assurance with minimal user disruption.

Assess devices early: choose an MDM that supports the operating systems and level of control you need, and use it to signal device compliance into your policy engine. During service discovery, ensure your directory and identity approach work across all services to provide consistent sign-on and stronger identity guarantees.

For BYOD, assume the device itself is untrusted and concentrate on protecting data, services and authentication controls. Carry out a risk assessment to find gaps that zero trust cannot address and pick services that provide required security functions. Finally, build a flexible roadmap that lets you introduce legacy apps via proxies now, while moving to native cloud or modernised services over time.
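The paragraphs above describe the signals an early zero trust deployment gathers (a consolidated directory with least-privilege entitlements, an MDM compliance signal keyed by device identity, MFA, and a BYOD stance that trusts the data and service controls rather than the device) and how a policy engine combines them. The following is an added illustration, not code from the NCSC post: a minimal policy decision point over constructed sample data. The directory, MDM inventory, service catalogue, field names and the 24-hour check-in threshold are all assumptions made for the example.

```python
"""Added example: a minimal zero trust policy decision point (not NCSC code).

It combines the signals the blog says to gather first:
  - one consolidated identity directory with least-privilege entitlements
  - an MDM compliance report keyed by a unique device identity
  - MFA assurance, with a step-up path when it is missing
BYOD devices (anything the MDM does not know) are treated as untrusted: they
reach only services tagged as allowing unmanaged devices, and only where the
data sensitivity is low. All data below is constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample
MAX_CHECKIN_AGE = timedelta(hours=24)  # assumed: older MDM reports are treated as stale

# Constructed directory: one identity source, entitlements scoped per service.
DIRECTORY = {
    "alice": {"active": True,  "entitlements": {"hr-portal": "read", "finance": "write"}},
    "bob":   {"active": True,  "entitlements": {"hr-portal": "read"}},
    "carol": {"active": False, "entitlements": {"finance": "write"}},  # leaver, not yet cleaned up
}

# Constructed MDM inventory: unique device id -> owner and last compliance report.
MDM = {
    "dev-001": {"owner": "alice", "compliant": True,  "last_checkin": NOW - timedelta(minutes=5)},
    "dev-002": {"owner": "bob",   "compliant": False, "last_checkin": NOW - timedelta(minutes=30)},
    "dev-003": {"owner": "alice", "compliant": True,  "last_checkin": NOW - timedelta(days=3)},
}

# Constructed service catalogue: data sensitivity and BYOD policy per service.
SERVICES = {
    "hr-portal": {"sensitivity": "low",  "allow_unmanaged": True,  "mfa_required": True},
    "finance":   {"sensitivity": "high", "allow_unmanaged": False, "mfa_required": True},
}


@dataclass
class Request:
    user: str
    device_id: Optional[str]   # None when the client presents no managed device identity
    service: str
    action: str                # "read" or "write"
    mfa_verified: bool


@dataclass
class Decision:
    allow: bool
    reason: str
    step_up_mfa: bool = False  # True when the caller should prompt for MFA and retry


def device_posture(device_id: Optional[str]) -> str:
    """Classify a device from the MDM signal: managed-compliant, managed-noncompliant,
    managed-stale (no recent report) or unmanaged (unknown to MDM, i.e. BYOD)."""
    rec = MDM.get(device_id)
    if rec is None:
        return "unmanaged"
    if NOW - rec["last_checkin"] > MAX_CHECKIN_AGE:
        return "managed-stale"
    return "managed-compliant" if rec["compliant"] else "managed-noncompliant"


def decide(req: Request) -> Decision:
    """Evaluate identity, entitlement, MFA and device posture in that order."""
    user = DIRECTORY.get(req.user)
    if user is None or not user["active"]:
        return Decision(False, "unknown or inactive account")
    svc = SERVICES.get(req.service)
    if svc is None:
        return Decision(False, "unknown service")
    # Least privilege: an entitlement must exist and must cover the requested action.
    granted = user["entitlements"].get(req.service)
    if granted is None or (req.action == "write" and granted != "write"):
        return Decision(False, "no entitlement for action")
    if svc["mfa_required"] and not req.mfa_verified:
        return Decision(False, "MFA required", step_up_mfa=True)
    posture = device_posture(req.device_id)
    if posture == "unmanaged":
        # BYOD: the device is untrusted, so the decision rests on the service and data controls.
        if not svc["allow_unmanaged"] or svc["sensitivity"] != "low":
            return Decision(False, "unmanaged device may not reach this service")
        return Decision(True, "unmanaged device, low-sensitivity service")
    if posture != "managed-compliant":
        return Decision(False, f"device {posture}")
    if MDM[req.device_id]["owner"] != req.user:
        return Decision(False, "device not bound to user")
    return Decision(True, "compliant managed device, MFA verified")


def discovery_findings() -> dict:
    """Discovery-phase hygiene: inactive accounts still holding entitlements, and
    managed devices that have stopped reporting compliance."""
    inactive = sorted(u for u, rec in DIRECTORY.items() if not rec["active"] and rec["entitlements"])
    stale = sorted(d for d in MDM if device_posture(d) == "managed-stale")
    return {"inactive_with_entitlements": inactive, "stale_devices": stale}


if __name__ == "__main__":
    for r in (Request("alice", "dev-001", "finance", "write", True),
              Request("alice", None, "hr-portal", "read", True),
              Request("alice", None, "finance", "read", True),
              Request("bob", "dev-002", "hr-portal", "read", True)):
        print(r.user, r.device_id, r.service, "->", decide(r))
    print(discovery_findings())
```

The ordering matters in practice: identity and entitlement checks run before the device check so that a stolen but compliant device never widens what an account can reach, and the MFA step-up is returned as a distinct outcome so the front end can prompt rather than simply fail. A real deployment would replace the inline dictionaries with live directory, MDM and service-catalogue lookups.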

Context and relevance

Zero trust is increasingly the default security approach for organisations moving to hybrid and cloud-first IT estates. This guidance is targeted at security architects and IT leads planning that migration, giving practical, action-oriented steps that map to NCSC’s zero trust principles. It links discovery, identity, device posture and risk assessment into a coherent starting plan — useful for organisations that need to balance legacy systems, BYOD and cloud adoption.

Why should I read this?

Short and practical — this post tells you exactly what to do first so you don’t get lost or drag old insecure patterns into your new design. If you’re responsible for security or infrastructure, it saves you time by turning broad zero trust theory into a pragmatic checklist.

Author style

Punchy: clear, practical and aimed at getting you moving. If you care about making zero trust real rather than just talking about it, this is essential reading.

Checklist: starting actions

  • Inventory users, accounts and permissions; remove inactive accounts and define least privilege.
  • Consolidate identity into a single directory and enable MFA (consider password-less later).
  • Select and configure an MDM that supports your device mix and enforces continuous compliance checks.
  • Map services with a discovery phase and ensure directory compatibility for single sign-on.
  • Conduct an early risk assessment to identify gaps and select services that meet security requirements.
  • Create an iterative roadmap: use proxies for legacy apps now, plan migration to cloud-native or modernised services.

Source

Source: https://www.ncsc.gov.uk/blog-post/zero-trust-migration-where-do-i-start