More of a philosophy than a platform or product, zero trust has quickly become the model from which cyber professionals are building their architectures.

Its spread has been rapid, with Gartner estimating that as of 2024, 63 percent of organisations worldwide had begun implementing a zero-trust strategy.

At its core, zero trust assumes no device or user is trusted by default, and requires continuous, multi-dimensional verification.

Achieving this vision is easier said than done, with Gartner estimating that by 2026 only 10 percent of larger enterprises globally would have a mature and measurable zero trust program in place. The path to maturity is also not an easy one, with Gartner reporting that 35 percent of organisations had encountered a failure that disrupted their zero-trust implementation.

That gap between ambition and execution is driving significant investment. Mordor Intelligence has estimated that the zero trust security market was expected to grow from US$41.72 billion ($59.87 billion) in 2025 to US$48.43 billion ($69.50 billion) in 2026, on its way to US$102.01 billion ($146.39 billion) by 2031.

According to Forrester senior analyst Tope Olufon, spending is concentrating in three primary areas.

The first is identity and access control, where organisations are investing in strong authentication, device posture validation, identity governance, and continuous authorisation. The second is network access transformation, as organisations replace virtual private networks with zero trust network access (ZTNA) and identity-aware access brokers, while the third is telemetry, analytics, and policy enforcement, which is driving consolidation across endpoint detection and response (EDR) and extended detection and response (XDR) platforms.

“In APAC, regulatory pressure across financial services, government, and critical infrastructure is accelerating movement toward identity centric security models and stronger device trust enforcement,” Olufon said.

Operational realities are also shaping investment patterns. The need to bring multiple capabilities into a coherent framework is pushing organisations toward integrated security platforms, with the aim of achieving consistent policy enforcement, reduced integration overhead, and simpler operating models.

“That said, most large enterprises still run hybrid architectures,” he said.

“Core controls such as identity, endpoint, and access are often platform-based, while specialist tools remain for areas like identity governance, cloud security posture management, or advanced analytics.

“In practice, the direction is toward fewer, more tightly integrated control planes, rather than large collections of loosely connected point products.”

However, overcommitting to a single vendor introduces the risk of coverage gaps. While no single platform can yet deliver the full set of capabilities required for zero trust maturity, organisations must balance platform adoption with best-of-breed tools, making interoperability and layered architectures essential.

While most organisations are still working their way towards zero trust maturity, the goalposts are also constantly shifting.

Olufon highlighted several newer components of a zero-trust platform that were becoming indispensable, including the ability to perform non-human identity governance in an increasingly agentic world, and the need for identity threat detection and response,

“As identity becomes the control plane for zero trust, protecting it from credential theft, privilege abuse, and directory compromise is increasingly critical,” he said.

Case Study: Estia Health

As Australia’s second-largest residential aged care provider, Estia Health supports more than 10,000 residents annually across nearly 100 aged care homes.

Delivering that care and support requires a workforce of over 14,000 employees and casual roles, alongside a broad ecosystem of visiting doctors, allied health professionals and specialists.

This dynamic workforce, combined with the need to safeguard sensitive personal and health data, creates a uniquely complex cybersecurity challenge.

For Estia Health’s head of information security, Tharaka Perera, addressing that complexity requires a firm commitment to Zero Trust.

According to Perera, it all starts with identity.

“Identity is our fundamental pillar – making sure everyone has a unique identity so we know who is accessing what,” Perera said.

“From there, we look at the role and determine what they can and can’t access.”

The constantly changing nature of the workforce means Estia Health has simplified role-based access management by standardising access profiles across similar job functions.

“It is a journey we are constantly refining,” Perera said.

“We continuously monitor access to see what is actually being used, and if it’s not, we revoke it. That ongoing feedback loop helps us improve the model.”

The organisation has a unique family code of ‘A family where everyone belongs’, and Perera has adapted this sentiment by ensuring every application within the technology stack is accessible through single sign-on provided by Okta.

“We operate on the principle of one user, one identity,” Perera said.

“Any application not integrated into that ecosystem effectively creates a back door, so we don’t allow it.”

Beyond identity, data forms the second pillar of Estia Health’s Zero Trust strategy.

While structured data within core systems can be secured through role-based controls, Perera said unstructured data, such as files stored across shared environments, presents a more complex challenge.

“We are streamlining our data risk management program so we can apply classification-based controls when people access data,” Perera said.

“Historically, data risk management has been quite manual, but emerging technologies, particularly those leveraging AI, are helping us achieve better outcomes with less effort.”

Regulatory requirements add another layer of complexity, particularly restrictions on offshore access to certain types of data. This further influences how Estia Health approaches its third Zero Trust pillar: endpoints.

“We need to ensure that endpoints reside in Australia and have appropriate security controls in place so that we know they are a trusted endpoint,” Perera said.

While in an ideal scenario all access would occur only fully managed devices, the nature of the Estia Health workforce and interaction with visiting care professionals makes this unachievable. However, Perera said Estia Health did enforce baseline standards before granting access, coupled with clear communication regarding Estia Health’s controls and expectations.

“Even for visiting doctors, we want to make sure that they access systems from a fully patched device,” Perera said.

“The best security controls are those that people understand and support. We try to keep people aware of the things we are doing, and why.”

By aligning identity, data, and endpoint controls, Estia Health is working towards a mature Zero Trust model that enables precise, context-aware access decisions.

“And our end game is to connect these three dots so that we can accurately profile access and then enforce the necessary policies, ensuring the right person gets access to the right data at the right time, while leaving an audit trail so we can trace who did what,” Perera said.