Zero Trust Security: A Practical Guide for SA Enterprises

12 January 2026 · 0x1m3 · 7 min read

Beyond the Buzzword

Zero trust security has become one of the most discussed — and most misunderstood — concepts in cybersecurity. Vendors attach the label to everything from firewalls to email filters. But zero trust is not a product. It is an architectural principle: never trust, always verify.

In practice, this means every access request is authenticated, authorised, and encrypted — regardless of where it originates. A user inside your office network receives no more implicit trust than a user connecting from a coffee shop in Sandton.

For South African enterprises navigating POPIA compliance and an increasingly hostile threat landscape, zero trust security is not optional. It is the framework that makes compliance achievable and breaches survivable.

The Five Pillars of Zero Trust

Zero trust is best understood through five pillars. Each pillar represents a trust boundary that must be independently verified. Here is how OAS maps real tools to each one.

Pillar 1 — Identity

The principle: Verify every user, every time. No session should persist without continuous validation.

The tool: Microsoft Entra ID (formerly Azure Active Directory) provides conditional access policies, risk-based authentication, and single sign-on across your application estate. Combine it with MFA enforcement to eliminate password-only access entirely.

Implementation step: Enable conditional access policies in Entra that require MFA for all external access and flag sign-ins from unfamiliar locations or devices. Start with your finance and executive teams — they are the primary BEC targets.

Pillar 2 — Endpoints

The principle: Every device that touches your data must be verified, healthy, and monitored.

The tool: SentinelOne Singularity provides Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) across workstations, servers, and cloud workloads. Its behavioural AI detects threats that signature-based tools miss. Autonomous response contains compromised endpoints in seconds.

Implementation step: Deploy SentinelOne to every endpoint — including personal devices used for remote work. Configure device health checks as a condition for network access. An unpatched device should not reach production resources.

Pillar 3 — Network

The principle: Segment your network so that a breach in one zone cannot cascade to others. Encrypt all traffic.

The tool: NetScaler provides application-layer security, Web Application Firewall (WAF) capabilities, and SSL offloading. It inspects traffic at the application level, not just the network perimeter. Micro-segmentation ensures that compromised credentials in one department cannot access resources in another.

Implementation step: Deploy NetScaler in front of all externally facing applications. Enable the WAF to block SQL injection, cross-site scripting, and other OWASP Top 10 threats. Configure micro-segmentation for your most sensitive workloads — typically finance, HR, and customer data.

Pillar 4 — Data

The principle: Classify, encrypt, and control access to data based on sensitivity — not location.

The tool: Microsoft Defender for Information Protection applies sensitivity labels, Data Loss Prevention (DLP) policies, and encryption rules across Microsoft 365 and beyond. ShareFile provides secure file sharing with on-premises storage zones for POPIA-sensitive data that must remain in South Africa.

Implementation step: Start with data classification. Label your most sensitive data categories — customer PII, financial records, intellectual property. Apply DLP policies that prevent these categories from being shared externally without encryption. Use ShareFile's SA-based storage zones for documents that require local data residency.

Pillar 5 — Applications

The principle: Grant application access based on identity, device health, and context — not network location.

The tool: Citrix Secure Private Access replaces traditional VPN with zero-trust network access (ZTNA). Users access specific applications through an authenticated, encrypted channel. No broad network access. No exposed attack surface.

Implementation step: Identify your top 10 most-accessed internal applications. Migrate access from VPN to Citrix Secure Private Access. Configure contextual policies: managed devices get full access, unmanaged devices get browser-only access with watermarking and download restrictions.
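The access decisions described in the Pillar 1, 2 and 5 implementation steps, combined into one policy check. This is an added, vendor-neutral sketch, not Entra, SentinelOne or Citrix configuration and not OAS code. All field names and the resource tier labels are hypothetical, and it assumes MFA is enforced on every request so that network origin grants nothing.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRequest:          # all field names are hypothetical
    mfa_passed: bool
    device_managed: bool
    device_patched: bool
    known_device: bool
    known_location: bool
    on_office_network: bool   # recorded for audit, never used to grant trust
    resource_tier: str        # constructed labels: "production" or "standard"

@dataclass(frozen=True)
class Decision:
    access: str               # "deny", "browser_only" or "full"
    restrictions: tuple       # controls applied to the session
    flags: tuple              # signals raised for review, not blocks
    reason: str

def evaluate(req: AccessRequest) -> Decision:
    # Pillar 1: unfamiliar location or device is flagged on every sign-in.
    flags = tuple(name for name, known in (("unfamiliar_location", req.known_location),
                                            ("unfamiliar_device", req.known_device))
                  if not known)
    # Pillar 1: no MFA, no access. Assumption: enforced on every request,
    # so an office-network origin changes nothing.
    if not req.mfa_passed:
        return Decision("deny", (), flags, "mfa_required")
    # Pillar 2: an unpatched device does not reach production resources.
    if req.resource_tier == "production" and not req.device_patched:
        return Decision("deny", (), flags, "device_unpatched")
    # Pillar 5: managed devices get full access; unmanaged devices get
    # browser-only access with watermarking and download restrictions.
    if req.device_managed:
        return Decision("full", (), flags, "managed_device")
    return Decision("browser_only", ("watermark", "block_download"), flags,
                    "unmanaged_device")

if __name__ == "__main__":
    # Constructed sample: office network, managed and patched, but no MFA.
    office_no_mfa = AccessRequest(False, True, True, True, True, True, "production")
    # Constructed sample: remote unmanaged laptop, MFA passed, new location.
    remote_byod = AccessRequest(True, False, True, True, False, False, "standard")
    for r in (office_no_mfa, remote_byod):
        print(r, "->", evaluate(r))
```

The `on_office_network` field is carried in the request but never read by `evaluate`, which is the point: the same request yields the same decision from the office or from a coffee shop.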

How Zero Trust Supports POPIA Compliance

The Protection of Personal Information Act (POPIA) does not mention zero trust by name. But its requirements map directly to zero trust principles:

| POPIA Requirement | Zero Trust Pillar |
| --- | --- |
| Access control for personal information | Identity (Entra) |
| Endpoint security measures | Endpoints (SentinelOne) |
| Network security and encryption | Network (NetScaler) |
| Data classification and protection | Data (Defender DLP) |
| Breach detection and notification | Endpoints + Network (XDR) |
| Secure data processing | Applications (Secure Private Access) |

Implementing zero trust does not guarantee POPIA compliance on its own. But it builds the technical foundation that makes compliance demonstrable and auditable.

Where to Start

Zero trust is not a weekend project. It is a phased transformation. Here is a practical starting sequence for SA enterprises:

1. Month 1-2: Deploy MFA across all user accounts via Microsoft Entra. This single step blocks over 99% of credential-based attacks.
2. Month 2-3: Roll out SentinelOne to every endpoint. Establish a baseline of device health and threat telemetry.
3. Month 3-4: Replace VPN access with Citrix Secure Private Access for your highest-risk applications.
4. Month 4-6: Implement data classification and DLP policies. Deploy NetScaler WAF for external-facing applications.
5. Ongoing: Monitor, refine policies, and extend zero trust principles to new workloads as they are deployed.

OAS has guided SA enterprises through this journey for over 40 years. As a Citrix Platinum Partner and trusted partner for SentinelOne, Microsoft, and NetScaler, OAS brings the integration expertise that makes zero trust work as a unified architecture — not a collection of disconnected tools.
