Guide

Why zero trust security is no longer optional, and how it quietly improves compliance

24 Mar 2026

A couple of months ago, we were approached by the owner of a small business with a big worry.

His worry?

Not upgrading his security, not an approaching compliance audit, but a concerned IT security team.

They had noticed that:

  • Systems were behaving strangely
  • Employees were being locked out unexpectedly
  • Login alerts were arriving at odd hours
  • Occasional access issues had no clear root cause

They had not been breached, but the signs pointed to something going on that they could not explain. They wanted us to evaluate.

What is zero trust security?

Zero trust security works on the principle of "never trust, always verify": trust is never assumed, and access is verified and validated on every attempt.

What did we observe?

When the organization approached us, they had a concern: on paper, they had invested in firewalls, VPNs, endpoint protection and all the basic monitoring tools, but they did not feel "secure". We observed that they were facing three critical challenges that organizations across industries commonly face.

And this was not an isolated case. We have seen similar patterns across multiple real-world assessments we have conducted: organizations are equipped with the right tools but lack a unified approach to access control, visibility and identity verification.

Different tools, but no centralized visibility

They had a range of tools, but still had difficulty answering questions like:

  • Who has access to what?
  • Which devices are accessing which systems?
  • Which activities are authorized (whitelisted) and which are potentially suspicious (blacklisted)?

With such limited visibility, early detection of and response to threats is highly challenging.

 

Excessive Access Permissions

There were unassessed access-related issues, such as:

  • Employee access that had accumulated over time
  • Vendor access that was granted "temporarily" and never removed
  • Admin-level privileges granted to users who did not need them

Too many unnecessary permissions increase the attack surface.

 

Implicit Trust Across Systems

No additional verification checks were performed once a user had logged in, so a single compromise could lead to massive exposure.

Anyone who was logged in:

  • was treated as trusted without any further security checks
  • could gain complete access to a system
  • could move across systems

This creates a high-risk environment in which one compromised identity can impact the entire system.

These critical challenges posed severe risks to the organization, such as:

  • Stolen passwords or credentials could be leveraged for full system access
  • A compromised device could connect without facing any restrictions
  • A vendor account could be used maliciously without being detected

How did we solve it?

We identified that the real problem was not that the organization lacked security tools or solutions; it was the way they approached access. We helped them shift to a zero trust security approach that, as the name implies, does not assume trust and verifies every access attempt. It worked wonders in helping them establish a strong security foundation against even some of the most sophisticated threats.

In four steps, we implemented zero trust security following NIST guidelines:

Verification on every login/access attempt

  • Enabled multi-factor authentication for all users
  • Removed shared accounts
  • Enabled contextual access controls based on location, device and risk

Limit access

  • Identified and removed all unnecessary permissions
  • Enabled role-based access
  • Restricted vendors to specific systems within specific timeframes

Continuously monitor and control

  • Enabled centralized logging and monitoring using their SIEM
  • Used UEBA to monitor user behavior and access patterns
  • Enabled real-time alerting on suspicious activity

Secure devices before access

  • Implemented policies that allow only compliant, managed devices
  • Blocked all risky and unknown devices
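As an added example (not code from the original post or from SharkStriker), the following Python policy check models the four steps above as one per-request decision: MFA and location context, role-based and time-bound vendor access, device compliance, and an audit record with an alert flag for every decision. All role names, vendor identifiers, systems and time windows are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed policy data for this example (not from any real deployment).
ROLE_RESOURCES = {"finance": {"erp", "payroll"}, "support": {"ticketing"}}   # least privilege by role
VENDOR_ACCESS = {"vendor-acme": {"systems": {"ticketing"}, "window": (time(9), time(18))}}
BUSINESS_HOURS = (time(7), time(20))   # attempts outside this window are flagged for the SIEM/UEBA


@dataclass
class Request:
    user: str
    role: str              # "finance", "support" or "vendor"
    resource: str
    mfa_passed: bool
    known_location: bool   # location matches the user's usual context
    device_managed: bool
    device_compliant: bool
    when: str              # ISO 8601 timestamp of the attempt


def evaluate(req: Request, audit: list) -> bool:
    """Verify one access attempt. Returns True only if every check passes;
    every decision, allowed or denied, is appended to the audit list."""
    at = datetime.fromisoformat(req.when).time()
    reasons = []
    # Step 1: verify every attempt, not just the first login.
    if not req.mfa_passed:
        reasons.append("mfa_missing")
    if not req.known_location:
        reasons.append("unfamiliar_location")   # this policy denies; step-up MFA is another option
    # Step 4: only managed, compliant devices may connect.
    if not (req.device_managed and req.device_compliant):
        reasons.append("device_not_compliant")
    # Step 2: least privilege; vendors are limited to named systems inside a time window.
    if req.role == "vendor":
        v = VENDOR_ACCESS.get(req.user)
        if v is None or req.resource not in v["systems"]:
            reasons.append("vendor_scope")
        elif not (v["window"][0] <= at <= v["window"][1]):
            reasons.append("vendor_window")
    elif req.resource not in ROLE_RESOURCES.get(req.role, set()):
        reasons.append("not_in_role")
    allowed = not reasons
    odd_hours = not (BUSINESS_HOURS[0] <= at <= BUSINESS_HOURS[1])
    # Step 3: one centralized log entry per decision; 'alert' drives real-time alerting.
    audit.append({"user": req.user, "resource": req.resource, "at": req.when, "allowed": allowed,
                  "reasons": reasons, "alert": odd_hours or not allowed})
    return allowed
```

Feeding the audit list to a SIEM gives the "who accessed what, from which device, when" visibility the organization was missing, and the alert flag is what a UEBA rule or real-time alert would key on.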

 

The result: a shift from "uncertain" to "in control"

The organization was seeing results within weeks:

  • Improved, unobstructed visibility into users, devices and access, with context
  • A large share of unnecessary access eliminated
  • Instantaneous flagging and blocking of suspicious attempts
  • Time-bound, controlled access for vendors
  • Improved compliance with regional and global regulations

How does zero trust security help quietly improve compliance?

Several of the controls we implemented map directly to requirements in the major regulations. Most global regulations expect organizations to take measures for:

  • Identity verification (MFA)
  • Least privilege access
  • Monitoring and logging
  • Data protection

This applies not just to global regulations but also to regional ones in the UK (GDPR, Cyber Essentials), the US (HIPAA, PCI DSS), the UAE (PDPL), Saudi Arabia (PDPL, NCA, SAMA, CITC), New Zealand (Privacy Act, PSR, NZISM), Australia (Privacy Act 1988, Essential Eight), and Malaysia (PDPA).

How does zero trust fulfil multiple compliance frameworks (SOC 2, ISO 27001, HIPAA, NIS2 and DORA)?

SOC 2

  • Continuous authentication, access logging and micro-segmentation satisfy the SOC 2 CC6, CC7 and CC9 criteria.

ISO 27001 (Annex A)

  • Access control satisfies A.9
  • Information security incident management satisfies A.16
  • Operations security satisfies A.12
  • Audit logs generated by a zero trust architecture satisfy A.12.4

HIPAA

Zero trust's identity-centric access model and continuous session monitoring align with the HIPAA requirements for:

  • Unique user identification
  • Automatic log-off
  • Encryption
  • Audit controls

NIS2

  • Behavioral monitoring and incident response capabilities give the real-time visibility that NIS2's reporting timelines demand, and meet NIS2's risk management and reporting requirements for energy, transport, health and digital infrastructure.

DORA

  • Micro-segmentation, behavioral analytics and continuous monitoring meet DORA's ICT access control, incident classification and resilience testing requirements.

Conclusion

Zero trust security can work wonders in giving an organization a security makeover, with the added bonus of quietly improving its compliance. It is a matter of shifting the approach rather than adding tools. The requirements of most global regulations converge on identity, access, monitoring and data protection, which zero trust security helps fulfil through its principles of "never trust, always verify", least privilege and assume breach.
