Zero Trust vs traditional network segmentation for ERP security architecture

Our organization is redesigning our ERP security architecture in Azure and we’re debating between implementing a full Zero Trust model and maintaining our traditional network segmentation approach with enhanced controls.

Currently we use a classic hub-spoke topology with NSGs, Azure Firewall, and subnet-based segmentation (web tier, app tier, database tier). It works but requires constant firewall rule updates and VPN access for remote users. Management is pushing for Zero Trust after reading analyst reports, but I’m concerned about the complexity and whether it’s actually better for our use case.

We have about 500 ERP users, a mix of office and remote workers, with some third-party vendor access to specific modules. The ERP runs on Azure VMs with an Azure SQL backend. I’m trying to understand whether Zero Trust is genuinely more secure or just a buzzword, and whether we can achieve similar security with our current network segmentation model enhanced with identity controls.

What are people’s real-world experiences with Zero Trust implementations for ERP systems? Is it worth the migration effort or should we evolve our existing architecture?

This discussion has been incredibly valuable. Let me synthesize what I’m hearing into a practical framework:

Zero Trust Principles for ERP Architecture:

The core Zero Trust principles - verify explicitly, use least privilege access, and assume breach - are universally applicable. But implementation should be pragmatic, not dogmatic. Here’s how these principles map to Azure-native controls:

1. Verify Explicitly (Identity-First Security)

  • Replace VPN access with Azure AD authentication for all ERP access
  • Implement Conditional Access policies requiring MFA, device compliance, and location/risk checks
  • Use Azure AD Application Proxy for remote access to on-premises ERP components
  • Enable Continuous Access Evaluation so sessions are terminated immediately when conditions change
  • For vendor access: Azure AD B2B with time-limited guest accounts and app-specific permissions

This addresses the ‘never trust, always verify’ principle by making identity the primary security perimeter rather than network location.

2. Network Segmentation Strategies (Defense in Depth)

Don’t abandon network segmentation - evolve it:

  • Keep hub-spoke topology but implement micro-segmentation using Application Security Groups
  • Tag VMs with ASGs based on function: ERP-Web-ASG, ERP-App-ASG, ERP-DB-ASG
  • Write NSG rules using ASG references rather than IP ranges: ‘Allow ERP-Web-ASG to ERP-App-ASG on port 8080’
  • This provides network-level segmentation without the management overhead of IP-based rules
  • Implement Private Link for Azure SQL Database to eliminate public endpoints entirely
  • Use Azure Firewall for egress filtering with threat intelligence enabled

The key insight: network segmentation complements Zero Trust by providing layered security. If identity controls fail, network controls limit blast radius.

3. Azure-Native Security Controls (Least Privilege)

  • Just-in-Time VM access replaces standing admin access to ERP VMs
  • Azure RBAC with custom roles for ERP operations (not Owner/Contributor)
  • Managed identities for VM-to-SQL authentication (eliminates credentials entirely)
  • Azure Policy to enforce security baseline (require disk encryption, approved VM SKUs, etc.)
  • Security Center continuous assessment with automated remediation

Practical Implementation Roadmap:

Phase 1 (Month 1-2): Identity foundation

  • Deploy Azure AD Conditional Access for ERP user access
  • Implement MFA for all users
  • Configure device compliance policies
  • Set up Azure AD B2B for vendor access

Phase 2 (Month 3-4): Network evolution

  • Deploy Application Security Groups
  • Refactor NSG rules to use ASGs
  • Implement Private Link for Azure SQL
  • Enable JIT VM access

Phase 3 (Month 5-6): Advanced controls

  • Deploy Azure Application Gateway with WAF for web tier
  • Implement continuous access evaluation
  • Enable Security Center advanced threat protection
  • Configure automated response playbooks

Cost/Benefit Analysis:

Zero Trust implementation costs (licensing, engineering time, training) are significant but justified by:

  • Elimination of VPN infrastructure and licensing
  • Reduced attack surface (no public endpoints, no standing access)
  • Improved compliance posture (identity-based audit trails)
  • Better user experience (seamless access from any location)
  • Reduced incident response time (automated controls)

My Recommendation:

Implement Zero Trust principles incrementally while maintaining network segmentation. This hybrid approach provides the security benefits of Zero Trust without requiring a wholesale architecture replacement. Start with identity controls (highest ROI, least disruption), evolve network segmentation to micro-segmentation, then layer on advanced Azure-native controls.

The goal isn’t to choose between Zero Trust and network segmentation - it’s to implement Zero Trust principles using network segmentation as one of multiple security layers. This pragmatic approach delivers measurable security improvements while managing complexity and cost.

For your specific scenario with 500 users and vendor access requirements, I’d prioritize Conditional Access and Azure AD B2B (Phase 1) as these provide immediate security value. The network segmentation evolution (Phase 2) can happen in parallel without disrupting users.
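The managed-identity point in section 3 above (VM-to-SQL authentication with no stored credential) is the one piece of the synthesis that is easiest to get wrong in practice, so here is an added worked example of it. It is not code from the thread; the resource group, VM name, server name and database name (rg-erp, erp-app-01, erp-sql, ERP) are assumed, steps 1 and 2 run from an admin workstation with the Az module, and step 3 is what the app-tier job itself runs on the VM (it assumes System.Data.SqlClient with the AccessToken property, i.e. .NET Framework 4.7.2+ or PowerShell 7).

```powershell
# Added example, not from the original thread. Assumed names: rg-erp, erp-app-01,
# erp-sql.database.windows.net, database ERP.
$rg        = 'rg-erp'
$vmName    = 'erp-app-01'
$sqlServer = 'erp-sql.database.windows.net'
$database  = 'ERP'

# 1. Admin workstation: give the app-tier VM a system-assigned identity.
#    The identity lives and dies with the VM; there is no secret to rotate or leak.
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null
$principalId = (Get-AzVM -ResourceGroupName $rg -Name $vmName).Identity.PrincipalId
Write-Host "VM identity object id: $principalId"

# 2. Once, as the Azure AD admin of the SQL server: create a contained user for that
#    identity and grant only the roles the ERP app tier needs (no db_owner, no server login).
$grantSql = @"
CREATE USER [$vmName] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [$vmName];
ALTER ROLE db_datawriter ADD MEMBER [$vmName];
"@
Write-Host "Run this in database ${database} on ${sqlServer} as the Azure AD admin:`n$grantSql"

# 3. On the VM: obtain a token for Azure SQL from the instance metadata service and
#    open the connection with the token instead of a User ID / Password pair.
function Connect-ErpSqlWithManagedIdentity {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $Database
    )
    # IMDS is link-local; only code running on this VM can reach it, and the token
    # it issues is short-lived and scoped to the database.windows.net audience.
    $imds  = 'http://169.254.169.254/metadata/identity/oauth2/token' +
             '?api-version=2018-02-01&resource=https%3A%2F%2Fdatabase.windows.net%2F'
    $token = (Invoke-RestMethod -Uri $imds -Method Get -Headers @{ Metadata = 'true' }).access_token

    $conn = New-Object System.Data.SqlClient.SqlConnection
    # Encrypt=True and no TrustServerCertificate: TLS to the real server only.
    $conn.ConnectionString = "Server=tcp:$Server,1433;Database=$Database;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30"
    $conn.AccessToken = $token
    $conn.Open()
    return $conn
}

$conn = Connect-ErpSqlWithManagedIdentity -Server $sqlServer -Database $database
$cmd  = $conn.CreateCommand()
# SUSER_SNAME() shows which principal actually authenticated: expect the VM's name.
$cmd.CommandText = 'SELECT SUSER_SNAME() AS LoginName, DB_NAME() AS Db'
$reader = $cmd.ExecuteReader()
while ($reader.Read()) { '{0} connected to {1}' -f $reader['LoginName'], $reader['Db'] }
$reader.Close()
$conn.Close()
```

If the Azure SQL server sits behind a private endpoint (section 2), step 3 works unchanged: the token is obtained from IMDS, not from any public endpoint, and the connection resolves the server name to the private IP through the privatelink DNS zone. Check step 2 with the query in step 3; if SUSER_SNAME() returns anything other than the VM name, the app is still using a stored credential somewhere.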

Zero Trust isn’t just a buzzword, but it’s also not a binary choice. The core principle is ‘never trust, always verify’ - which means you’re authenticating and authorizing every request regardless of network location. Traditional segmentation assumes everything inside the perimeter is trusted, which is risky in modern threat landscapes.

For ERP specifically, Zero Trust makes sense because you’re dealing with sensitive financial data and need granular access controls. The question isn’t whether to adopt Zero Trust principles, but how gradually to implement them.

The management challenge is real but Azure Policy and Application Security Groups solve it. Instead of managing individual NIC-level NSGs, you tag VMs with ASGs (WebTier-ASG, AppTier-ASG, DB-ASG) and write NSG rules based on ASGs rather than IP addresses. This gives you micro-segmentation with macro-level management. Combine this with Azure Private Link for your SQL databases and you eliminate public endpoints entirely. That’s Zero Trust principles applied through network controls rather than requiring application-level changes.
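As an added worked example of the ASG-based micro-segmentation described both in section 2 of the synthesis above and in this reply, here is the three-tier rule set plus the Private Link cut-over, written with the Az PowerShell module. It is not code from the thread. Assumed names: resource group rg-erp, region uksouth, VNet vnet-erp with subnets snet-app and snet-db, an app-tier NIC erp-app-01-nic, a logical SQL server erp-sql, the app tier listening on 8080 and an Application Gateway subnet 10.10.0.0/24 in front of the web tier; it also assumes an Az.Network version whose New-AzPrivateEndpoint accepts -ApplicationSecurityGroup.

```powershell
# Added example, not from the original thread. Assumed names: rg-erp, uksouth,
# vnet-erp, snet-app, snet-db, erp-app-01-nic, erp-sql, App Gateway subnet 10.10.0.0/24.
$rg  = 'rg-erp'
$loc = 'uksouth'
$appGwPrefix = '10.10.0.0/24'   # the only non-ASG source: where user traffic enters

# One ASG per tier. Membership is a NIC property, so a VM joins a tier by being
# tagged, and rules never need to know its address.
$webAsg = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name 'ERP-Web-ASG' -Location $loc
$appAsg = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name 'ERP-App-ASG' -Location $loc
$dbAsg  = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name 'ERP-DB-ASG'  -Location $loc

# Exactly the documented hops, then a deny that overrides the built-in
# AllowVnetInBound (priority 65000), which would otherwise let any VNet host talk
# to any tier. Sources and destinations are ASG references, not CIDRs.
$rules = @(
    New-AzNetworkSecurityRuleConfig -Name 'Allow-AppGw-To-Web-443' -Priority 100 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $appGwPrefix -SourcePortRange '*' `
        -DestinationApplicationSecurityGroupId $webAsg.Id -DestinationPortRange 443

    New-AzNetworkSecurityRuleConfig -Name 'Allow-Web-To-App-8080' -Priority 110 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceApplicationSecurityGroupId $webAsg.Id -SourcePortRange '*' `
        -DestinationApplicationSecurityGroupId $appAsg.Id -DestinationPortRange 8080

    New-AzNetworkSecurityRuleConfig -Name 'Allow-App-To-DB-1433' -Priority 120 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceApplicationSecurityGroupId $appAsg.Id -SourcePortRange '*' `
        -DestinationApplicationSecurityGroupId $dbAsg.Id -DestinationPortRange 1433

    New-AzNetworkSecurityRuleConfig -Name 'Deny-All-Inbound' -Priority 4000 `
        -Direction Inbound -Access Deny -Protocol '*' `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*'
)
# A single NSG carries all tier rules and can be attached to every ERP subnet;
# the ASG references decide which rule applies to which VM.
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-erp-tiers' -Location $loc -SecurityRules $rules

# Tag an app-tier NIC with its ASG (this is the whole "firewall change" for a new VM).
$vnet      = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-erp'
$appSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-app'
$dbSubnet  = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-db'
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name 'erp-app-01-nic'
$nic | Set-AzNetworkInterfaceIpConfig -Name $nic.IpConfigurations[0].Name `
        -Subnet $appSubnet -ApplicationSecurityGroup $appAsg | Set-AzNetworkInterface | Out-Null

# Private Link for Azure SQL: a private endpoint in the DB subnet, tagged with the
# DB ASG so the App-To-DB rule above governs it, then public access switched off.
$sql  = Get-AzSqlServer -ResourceGroupName $rg -ServerName 'erp-sql'
$link = New-AzPrivateLinkServiceConnection -Name 'erp-sql-link' `
            -PrivateLinkServiceId $sql.ResourceId -GroupId 'sqlServer'
$pe   = New-AzPrivateEndpoint -ResourceGroupName $rg -Name 'pe-erp-sql' -Location $loc `
            -Subnet $dbSubnet -PrivateLinkServiceConnection $link -ApplicationSecurityGroup $dbAsg

# DNS: erp-sql.database.windows.net must resolve to the endpoint's private IP inside the VNet.
$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name 'privatelink.database.windows.net'
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zone.Name `
        -Name 'link-vnet-erp' -VirtualNetworkId $vnet.Id | Out-Null
$zoneCfg = New-AzPrivateDnsZoneConfig -Name 'sql' -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name `
        -Name 'default' -PrivateDnsZoneConfig $zoneCfg | Out-Null

# Only now remove the public endpoint; doing it earlier would break the app tier.
Set-AzSqlServer -ResourceGroupName $rg -ServerName 'erp-sql' -PublicNetworkAccess 'Disabled' | Out-Null
```

Two caveats a reviewer will ask about. First, NSG rules are only enforced on a private endpoint if the DB subnet has private endpoint network policies enabled (Set-AzVirtualNetworkSubnetConfig -PrivateEndpointNetworkPoliciesFlag Enabled); on older subnets they are skipped silently. Second, the catch-all deny also overrides AllowAzureLoadBalancerInBound, so if a tier sits behind an internal load balancer or needs Application Gateway health probes from a different prefix, add an explicit allow for that source above priority 4000 rather than deleting the deny.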

Rachel’s point about Private Link is crucial. One of the biggest wins in Zero Trust is eliminating implicit trust in network location. With traditional segmentation, being on the right subnet grants access. With Private Link, Azure AD authentication, and Just-in-Time VM access, you’re verifying identity and intent for every connection regardless of network path.

For your vendor access scenario, Zero Trust is clearly superior. Instead of giving vendors VPN access to your network (traditional model), you can use Azure AD B2B collaboration with Conditional Access policies that restrict them to specific applications only. No network access, no lateral movement risk.
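An added worked example of the vendor pattern described in this reply (Azure AD B2B guest plus Conditional Access scoped to the ERP application only), using the Microsoft.Graph PowerShell SDK. It is not code from the thread. Assumed: the ERP is published as an enterprise application named 'ERP Portal', the vendor user is auditor@vendor.example, the operator holds Policy.ReadWrite.ConditionalAccess, Application.ReadWrite.All and User.Invite.All, and both policies are created in report-only state so the sign-in logs can be checked before enforcement.

```powershell
# Added example, not from the original thread. Assumed: enterprise app 'ERP Portal',
# vendor auditor@vendor.example, Microsoft.Graph PowerShell SDK installed.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Application.ReadWrite.All','User.Invite.All'

# The app's client id is what Conditional Access uses to identify it.
$erpSp    = Get-MgServicePrincipal -Filter "displayName eq 'ERP Portal'"
$erpAppId = $erpSp.AppId

# Require an explicit assignment to even see the app; guests get no other apps anyway.
Update-MgServicePrincipal -ServicePrincipalId $erpSp.Id -AppRoleAssignmentRequired:$true

# Both policies target B2B collaboration guests from any tenant.
$guests = @{
    includeGuestsOrExternalUsers = @{
        guestOrExternalUserTypes = 'b2bCollaborationGuest'
        externalTenants = @{
            '@odata.type'  = '#microsoft.graph.conditionalAccessAllExternalTenants'
            membershipKind = 'all'
        }
    }
}

# Policy 1: guests are blocked from every cloud app except the ERP app.
# This is the "no network access, no lateral movement" control in identity form.
$blockPolicy = @{
    displayName = 'ERP vendors: block all apps except ERP Portal'
    state       = 'enabledForReportingButNotEnforced'   # flip to 'enabled' after review
    conditions  = @{
        users          = $guests
        clientAppTypes = @('all')
        applications   = @{
            includeApplications = @('All')
            excludeApplications = @($erpAppId)
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 2: on the ERP app itself, MFA every session, re-authentication every 8 hours,
# and no persistent browser session, since vendor devices are not under our management.
$erpPolicy = @{
    displayName = 'ERP vendors: MFA and 8h sign-in frequency on ERP Portal'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = $guests
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @($erpAppId) }
    }
    grantControls   = @{ operator = 'AND'; builtInControls = @('mfa') }
    sessionControls = @{
        signInFrequency   = @{ isEnabled = $true; value = 8; type = 'hours'; frequencyInterval = 'timeBased' }
        persistentBrowser = @{ isEnabled = $true; mode = 'never' }
    }
}

$created = foreach ($p in @($blockPolicy, $erpPolicy)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p
}
$created | Select-Object DisplayName, State, Id

# Invite the vendor and assign only the ERP app. The all-zero role id is the app's
# default access role, used when the app defines no custom app roles.
$invite = New-MgInvitation -InvitedUserEmailAddress 'auditor@vendor.example' `
              -InviteRedirectUrl 'https://myapps.microsoft.com' -SendInvitationMessage:$true
New-MgUserAppRoleAssignment -UserId $invite.InvitedUser.Id `
        -PrincipalId $invite.InvitedUser.Id -ResourceId $erpSp.Id `
        -AppRoleId '00000000-0000-0000-0000-000000000000' | Out-Null
```

Leave both policies in report-only for a few days and read the Conditional Access tab of the guest's sign-in log entries: the block policy should report "would block" for anything other than the ERP app and nothing for the ERP app itself, and the second policy should report the MFA and session controls as applied. Note that includeApplications 'All' also covers portals such as My Apps and My Account, which is usually what you want for a vendor but is worth stating in the change record. The time limit on the guest account (the "time-limited" part of the synthesis) is not a Conditional Access feature; it comes from an access review or an entitlement management access package with an expiry, which this example does not create.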