Zero Trust Rollout for a Top-3 Hong Kong Insurer
The insurer was running a flat network with implicit trust between data centres, branch offices, and a growing remote workforce. A 2023 internal red-team exercise had achieved domain admin in 4 hours.
- Red-team time-to-domain-admin: from 4 hours to >5 days (test concluded without compromise)
- Privileged session count under PAM control: 0 → 100% (487 service accounts, 142 admin users)
- Mean time to revoke access on termination: 4.5 days → 8 minutes
- Network ACL rules eliminated: 2,400+ legacy firewall rules replaced by 47 Zero Trust policies
The Brief
The insurer had completed a multi-year cloud migration but the security architecture had stayed in 2010. Internal traffic was implicitly trusted; branch offices reached HQ via MPLS and were treated as part of the core network; the privileged access model was "log into a jump server with your Active Directory password and hope".
The 2023 red-team exercise produced a 26-page report. Time to first foothold: 90 minutes. Time to domain admin: 4 hours. The remediation budget was approved within a week.
The mandate from the CISO was specific: "I don't want a Zero Trust strategy document. I want a working architecture deployed in 12 months that, when re-tested, doesn't fall over."
The Architecture
The design centred on three control planes:
- Identity — Okta as IdP, with conditional policies based on user, device, and risk
- Edge — Cloudflare in front of every internal application, with policies enforced before traffic reaches the origin
- Privilege — BeyondTrust managing every privileged session, with full recording and just-in-time elevation
All three feed telemetry into Splunk, where a unified risk score is calculated per user-session. High-risk sessions trigger step-up authentication or are terminated.
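An added worked example, not the insurer's own Splunk logic, of how sign-in, edge and privileged-session telemetry can be folded into one risk score per user-session and mapped to allow / step-up / terminate. The event field names, signal weights and thresholds are assumptions chosen for illustration.

```python
# Weights and thresholds are assumed values for illustration, not the insurer's tuning.
WEIGHTS = {
    "device_untrusted": 40,  # endpoint failed the device-trust check
    "new_geo": 15,           # sign-in from outside the user's usual region
    "idp_risk_high": 25,     # the IdP's own risk evaluation flagged the sign-in
    "edge_denied": 10,       # an internal-app request was denied at the edge
    "priv_without_jit": 50,  # privileged session opened without JIT approval
}
STEP_UP, TERMINATE = 30, 60  # score thresholds: force step-up auth / kill the session

def ingest(events):
    """Fold identity, edge and privilege events into one signal set per session."""
    signals = {}
    for ev in events:
        sig = signals.setdefault(ev["session"], set())
        src, kind = ev["source"], ev["event"]
        if src == "identity" and kind == "signin":
            if not ev["device_trusted"]:
                sig.add("device_untrusted")
            if ev["geo_new"]:
                sig.add("new_geo")
            if ev["risk"] == "high":
                sig.add("idp_risk_high")
        elif src == "edge" and kind == "access_denied":
            sig.add("edge_denied")
        elif src == "privilege" and kind == "session_start" and not ev["jit_approved"]:
            sig.add("priv_without_jit")
    return signals

def score(sig):
    # Unified per-session risk score: the sum of the weights of the signals seen.
    return sum(WEIGHTS[s] for s in sig)

def decide(sig):
    total = score(sig)
    if total >= TERMINATE:
        return "terminate"
    return "step_up" if total >= STEP_UP else "allow"

# Constructed sample telemetry for three sessions (not real logs).
SAMPLE = [
    {"session": "s1", "user": "alice", "source": "identity", "event": "signin", "device_trusted": True, "geo_new": False, "risk": "low"},
    {"session": "s2", "user": "bob", "source": "identity", "event": "signin", "device_trusted": True, "geo_new": True, "risk": "high"},
    {"session": "s2", "user": "bob", "source": "edge", "event": "access_denied"},
    {"session": "s3", "user": "carol", "source": "identity", "event": "signin", "device_trusted": False, "geo_new": False, "risk": "low"},
    {"session": "s3", "user": "carol", "source": "privilege", "event": "session_start", "jit_approved": False},
]

def evaluate(events=SAMPLE):
    """Return {session_id: (score, action)} for a batch of events."""
    return {sid: (score(sig), decide(sig)) for sid, sig in ingest(events).items()}
```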
Approach
Months 1–2: Discovery + design
We catalogued every internal application (146 in scope), every privileged account (487), and every implicit-trust assumption in the network. The output was a Zero Trust target architecture with a phased migration plan and a measurable success metric: pass a red-team re-test.
Months 3–5: Identity foundation
Okta deployed with HR-driven provisioning. Conditional access policies built from scratch — including device-trust integration with CrowdStrike, geo-fencing, and risk-score thresholds. Microsoft 365, ServiceNow, and the customer-facing portals were the first wave.
Months 6–8: Edge enforcement
Cloudflare Access placed in front of all 146 internal applications. The riskiest stage — required parallel-run for 30 days per application before full cut-over. The MPLS network was kept operational throughout but increasingly bypassed.
Months 9–10: Privileged access
BeyondTrust deployed for all 487 privileged accounts and 142 admin users. Just-in-time elevation enforced (no permanent admin rights). Session recording enabled for all privileged actions. This was the largest cultural change — admins resisted having their sessions recorded — and required exec sponsorship to push through.
Month 11: Red-team re-test
The same red team from 2023 re-engaged for a 5-day exercise. They achieved foothold via a phishing pretext (as expected), but the post-foothold lateral movement that had previously taken 90 minutes failed at every step: device-trust blocked the compromised endpoint from reaching admin tools, BeyondTrust required just-in-time approval for any privileged session, and Cloudflare Access blocked direct access to internal apps without a valid Okta session.
The test concluded without compromise. The CISO's mandate was met.
Outcome
The headline metric is the red-team re-test — but the operational metrics matter more day-to-day:
- Termination → access-revoked: dropped from 4.5 days (manual ticket-based) to 8 minutes (automated via Workday → Okta → SCIM cascade)
- Privileged session control: every admin action is now logged, recorded, and reviewable
- Network policy simplification: 2,400+ legacy firewall rules replaced by 47 Zero Trust policies — easier to audit, easier to change
What I'd Do Differently
The privileged access rollout (Months 9–10) should have started in parallel with the identity foundation, not after it. Admins formed habits during the Cloudflare Access rollout that we then had to unwind when BeyondTrust changed their session flow.
Future engagements: PAM tooling design now happens in Phase 1 alongside identity, even if the deployment is later.