Zero Trust Architecture: A Practical Guide for Singapore Enterprises

The traditional security model was built on a simple premise: everything inside the corporate network can be trusted. Build a strong perimeter — firewalls, VPNs, DMZs — keep attackers out, and your data is safe. That model worked when employees sat in offices, data lived in on-premises data centres, and business applications were accessed through managed endpoints on a controlled network.

None of those conditions reliably hold today. Singapore enterprises run hybrid cloud environments, support remote and hybrid workforces, rely on third-party SaaS platforms, and extend network access to contractors, vendors, and partners. The perimeter has dissolved — and attackers know it. The 2024 Singapore Cyber Landscape Report noted that advanced persistent threats (APTs) increasingly target Singapore's financial and critical infrastructure sectors, often through legitimate credentials rather than brute-force intrusion. A compromised account inside your perimeter looks exactly like a trusted user.

Zero Trust Architecture (ZTA) addresses this reality directly. It replaces implicit trust with continuous verification — every user, every device, every request, every time. This article explains what Zero Trust means in practice, how it maps to Singapore's regulatory landscape, and the concrete steps organisations can take to implement it.

What Zero Trust Actually Means

Zero Trust is not a product you buy. It is a security philosophy operationalised through a set of architectural principles, summarised by the US National Institute of Standards and Technology (NIST) in SP 800-207:

  • Never trust, always verify — no user or device is trusted by default, regardless of network location
  • Least-privilege access — users and systems receive only the access they need, for only as long as they need it
  • Assume breach — design controls assuming an attacker is already inside the network; limit blast radius and lateral movement
  • Continuous verification — trust is not granted once at login; it is re-evaluated continuously based on identity, device posture, behaviour, and context
  • Microsegmentation — network access is broken into small zones; a compromised segment cannot freely reach others

In practice, Zero Trust shifts security controls from the network perimeter to the identity, device, and application layer — closer to the resources being protected.

Why Zero Trust Matters for Singapore Organisations

Singapore's regulatory environment increasingly expects Zero Trust principles, even if it does not use the term explicitly.

The MAS Technology Risk Management (TRM) Guidelines require financial institutions to implement strong access controls, including multi-factor authentication for privileged and remote access, user activity monitoring, and the principle of least privilege. These are foundational Zero Trust controls. MAS examiners specifically look for evidence that privileged access is tightly controlled, monitored, and periodically reviewed.

The CSA's Cyber Trust Mark — Singapore's highest cybersecurity certification — evaluates organisations against controls that align directly with Zero Trust: identity and access management maturity, network segmentation, endpoint security, and monitoring. Organisations pursuing Cyber Trust Mark certification will find that a Zero Trust programme covers a significant portion of the required controls.

Regulatory Alignment

Zero Trust and MAS TRM Section 9

MAS TRM Section 9 (Access Control) requires financial institutions to implement the principle of least privilege, enforce MFA for privileged and remote access, conduct periodic access reviews, and monitor privileged user activity. Every one of these requirements is a Zero Trust control. Implementing Zero Trust Architecture is not just a security improvement — for MAS-regulated entities, it is the path of least resistance to demonstrating Section 9 compliance.

The Five Pillars of Zero Trust Implementation

1. Identity — The New Perimeter

In a Zero Trust model, identity is the primary control plane. Every access request is authenticated and authorised based on verified identity — not network location. Practical implementation requires:

  • Multi-factor authentication (MFA) enforced for all users, with phishing-resistant MFA (hardware keys or passkeys) for privileged accounts and administrators
  • Single Sign-On (SSO) consolidated through an enterprise identity provider — Microsoft Entra ID, Okta, or equivalent — so that all application access flows through a central authentication point
  • Privileged Identity Management (PIM) with just-in-time access for administrative accounts — privileged access is granted only when needed, for a defined time window, and requires additional approval
  • Conditional access policies that evaluate risk signals — device compliance, location, behaviour anomalies — before granting access, not just once at login

2. Device — Trust the Endpoint, Not the Network

A verified user on a compromised device is still a threat. Zero Trust requires device health to be a factor in access decisions:

  • Mobile Device Management (MDM) or Unified Endpoint Management (UEM) to enforce security policies on all managed endpoints — encryption, patch status, EDR agent presence
  • Device compliance checks at the point of access — conditional access policies should deny or restrict access from non-compliant or unmanaged devices
  • Endpoint Detection and Response (EDR) on all managed endpoints, providing behavioural monitoring and the ability to isolate compromised devices
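The identity and device checks above combine into one deny-by-default policy decision that is re-run on every request, not only at login. The following evaluator is an added illustration written for this article, not a product's own engine: the field names, the 40/70 risk thresholds and the sample timestamps are assumptions chosen to show the logic.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

PHISHING_RESISTANT = {"passkey", "hardware_key"}  # FIDO2-class methods
HIGH_RISK, MEDIUM_RISK = 70, 40                   # constructed thresholds
NOW = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed reference time

@dataclass
class AccessRequest:
    user: str
    mfa_method: str                  # "none", "otp", "passkey", "hardware_key"
    privileged: bool                 # is an admin role being exercised?
    jit_expires: Optional[datetime]  # PIM activation window end, None if not activated
    device_managed: bool             # enrolled in MDM/UEM
    device_compliant: bool           # encrypted, patched, EDR agent present
    risk_score: int                  # 0-100 sign-in/behaviour risk from IdP or SIEM

def evaluate(req: AccessRequest, now: datetime) -> Tuple[str, str]:
    """Deny-by-default policy: every signal must pass. Returns (decision, reason)."""
    if req.mfa_method == "none":
        return "deny", "mfa_required"
    if req.privileged:
        # Admins need phishing-resistant MFA and a live just-in-time activation.
        if req.mfa_method not in PHISHING_RESISTANT:
            return "deny", "phishing_resistant_mfa_required"
        if req.jit_expires is None or now >= req.jit_expires:
            return "deny", "jit_activation_required"
    if not req.device_managed:
        return "deny", "unmanaged_device"
    if not req.device_compliant:
        return "deny", "device_noncompliant"
    if req.risk_score >= HIGH_RISK:
        return "deny", "high_risk_signin"
    if req.risk_score >= MEDIUM_RISK:
        return "step_up", "reauthenticate"  # re-prompt MFA rather than deny outright
    return "allow", "all_signals_ok"

def first_revocation(snapshots) -> Optional[int]:
    """Continuous verification: re-run the policy on each (time, request) snapshot
    of a live session; return the index at which access stops being allowed."""
    for i, (ts, req) in enumerate(snapshots):
        if evaluate(req, ts)[0] != "allow":
            return i
    return None

if __name__ == "__main__":
    admin = AccessRequest("alice", "hardware_key", True, NOW.replace(hour=10), True, True, 10)
    print(evaluate(admin, NOW))                      # JIT window still open
    print(evaluate(admin, NOW.replace(hour=11)))     # JIT window has lapsed
```

Each denial reason maps to a control in pillars 1 and 2, so the same function doubles as evidence of which MAS TRM Section 9 requirement a rejected request failed.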

3. Network — Microsegmentation and Least-Privilege Connectivity

Traditional flat networks allow lateral movement: an attacker who compromises one endpoint can reach most others. Microsegmentation limits this:

  • Network segmentation by workload — application servers, database servers, administrative systems, and user endpoints in separate zones with explicit access rules between them
  • Software-defined perimeter (SDP) or Zero Trust Network Access (ZTNA) to replace VPN — users are granted application-level access, not broad network access
  • Deny-by-default east-west traffic — internal traffic between segments is blocked by default and only permitted where explicitly required
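The "assume breach" principle and the microsegmentation bullets above can be measured rather than asserted: given the permitted east-west flows, compute which zones an attacker who has compromised one zone can chain through. This is an added example for this article, not a vendor's tooling; the zone names and rule sets are a constructed toy network.

```python
from collections import deque

# Constructed sample zones (not a real network).
ZONES = ["user_endpoints", "app_servers", "db_servers", "admin_systems", "hr_data"]

# Flat network: every zone can reach every other zone.
FLAT_RULES = {(s, d) for s in ZONES for d in ZONES if s != d}

# Segmented network: deny-by-default east-west; only these flows are permitted.
SEGMENTED_RULES = {
    ("user_endpoints", "app_servers"),  # users reach applications through the app tier
    ("app_servers", "db_servers"),      # only the app tier may talk to databases
    ("admin_systems", "app_servers"),   # administration from a dedicated zone only
    ("admin_systems", "db_servers"),
    ("admin_systems", "hr_data"),
}

def is_allowed(src: str, dst: str, rules) -> bool:
    """Deny-by-default: a flow is permitted only if an explicit rule exists."""
    return src == dst or (src, dst) in rules

def blast_radius(start: str, rules) -> set:
    """Zones reachable from a compromised `start` zone by chaining permitted flows (BFS)."""
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst in rules:
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    seen.discard(start)
    return seen

if __name__ == "__main__":
    for label, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        # A compromised user endpoint is the usual starting point of an intrusion.
        print(label, sorted(blast_radius("user_endpoints", rules)))
```

Running it shows the flat network exposes every zone from one compromised endpoint, while the segmented rules confine that endpoint to the app and database tiers and keep HR data and the admin zone out of reach.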

4. Application — Verify Before Granting Access

Access to applications should be granted at the application layer, not the network layer:

  • Application-level access controls with role-based access control (RBAC) aligned to the principle of least privilege
  • API security with authentication and rate-limiting on all APIs — APIs are a common lateral movement vector in modern environments
  • SaaS security posture management to monitor and enforce configuration standards across cloud applications

5. Data — Protect the Crown Jewels

Data protection is the ultimate objective of Zero Trust:

  • Data classification — know where your sensitive data lives, and apply stronger controls to higher-classification data
  • Data Loss Prevention (DLP) to prevent sensitive data from leaving the organisation through email, file sharing, or removable media
  • Encryption at rest and in transit as a baseline, ensuring that data is protected even if access controls fail

Practical Steps to Get Started

Zero Trust is a multi-year programme, not a project with a finish line. Organisations that try to implement everything at once typically stall. The most effective approach is phased, starting with controls that deliver immediate risk reduction:

  • Phase 1 — Identity foundation: Deploy MFA across all users. Consolidate identity through an enterprise IdP. Implement PIM for privileged accounts. This is the highest-impact, lowest-disruption starting point — and it directly addresses MAS TRM Section 9 requirements.
  • Phase 2 — Device visibility: Deploy MDM/UEM and EDR. Establish a device inventory. Begin enforcing device compliance in conditional access policies.
  • Phase 3 — Network segmentation: Map your current network architecture. Identify high-value targets (database servers, financial systems, HR data). Implement segmentation around the highest-risk zones first.
  • Phase 4 — Application access: Pilot ZTNA for remote access to replace VPN for a subset of users. Implement RBAC reviews. Enable API security controls on externally-facing services.
  • Phase 5 — Data protection: Complete data classification. Deploy DLP. Implement monitoring and alerting on sensitive data access patterns.

Common Mistake

Starting with Technology, Not Policy

Many organisations start their Zero Trust programme by purchasing a ZTNA solution or a new identity platform — before they have defined their access policies, completed their identity inventory, or documented which users need access to which systems. Technology without policy produces expensive security theatre. Before deploying any Zero Trust tooling, invest time in three things: a complete identity and access inventory, a data classification exercise, and a current-state network map. These are the foundations everything else builds on.

How Infinite Cybersecurity Helps Singapore Enterprises

Implementing Zero Trust Architecture requires expertise across identity, network, endpoint, and application security — and it requires understanding how each control maps to your specific regulatory obligations under MAS TRM, ISO 27001, or CSA frameworks.

Our CREST-certified team works with Singapore financial institutions, government-linked companies, and enterprises across sectors to design and implement Zero Trust programmes that are practical, phased, and aligned to your compliance requirements. We start with a Zero Trust readiness assessment — mapping your current state across all five pillars — and deliver a prioritised roadmap that sequences quick wins before longer-term architectural changes.

We also understand that Zero Trust is not a standalone project. Our advisory integrates with your MAS TRM compliance programme, your ISO 27001 ISMS, and your CSA Cyber Trust Mark journey — so the controls you implement serve multiple regulatory objectives simultaneously.

Ready to build a Zero Trust architecture for your organisation?

Our Singapore cybersecurity experts can assess your current state, map the gaps, and design a phased Zero Trust implementation plan aligned to MAS TRM, ISO 27001, and CSA requirements.
