Momentum in the zero trust security market is not slowing down. Grand View Research values the global market at $36.96 billion in 2024 and projects it to reach $92.42 billion by 2030, at 16.6% CAGR.
Behind those numbers lies a straightforward problem: organisations running workloads across private data centres, AWS, Azure, and Google Cloud have simultaneously outgrown perimeter-based security models. A hybrid and multi-cloud infrastructure has no single boundary to defend.
Operationalising zero trust across these environments requires a structured, phased approach tied to real architecture decisions, and not policy documents alone.
Once workloads exit the corporate data centre, the classic castle-and-moat model becomes operationally irrelevant. Threat actors today exploit misconfigured IAM roles, over-provisioned service accounts, and identity gaps far more reliably than network perimeters.
Each cloud provider runs its own identity framework. AWS uses IAM, Azure relies on RBAC, and GCP maintains separate permission hierarchies. These inconsistencies make uniform policy enforcement genuinely difficult across environments. Compounding the problem, non-human identities such as APIs, service accounts, and CI/CD pipelines have multiplied rapidly, and a Cloud Security Alliance survey found that 68% of organisations remain concerned about inadequate governance over these accounts.
Zero trust follows a simple rule: never trust, always verify. In hybrid and multi-cloud setups, this involves five operational pillars:
Security teams operating across multiple clouds frequently inherit incompatible toolsets that do not share telemetry or enforce a unified policy model. The result is inconsistent enforcement and slower incident response.
Zero trust controls applied without user experience consideration generate friction and workarounds. Modern MFA implementations should provide seamless access for legitimate users while blocking threats, rather than creating operational bottlenecks that erode adoption.
On-premises identity systems do not integrate cleanly with multi-cloud environments, and cloud-native systems were not built with legacy infrastructure in mind. Without a federated identity strategy, organisations accumulate orphaned accounts and privilege creep across every provider.
Step 1: Map and classify every asset, identity, and data flow across all environments before enforcing any control. Ungoverned resources create direct policy gaps.
Step 2: Implement a unified identity platform with MFA and SSO across all cloud providers to eliminate credential sprawl and siloed directory services.
Step 3: Enforce least-privilege access policies and review them on a regular cadence. Standing elevated access is a persistent, exploitable vulnerability.
Step 4: Deploy micro-segmentation to isolate workloads and limit lateral movement. A phased, identity-based approach works well for organisations operating in complex hybrid environments.
Step 5: Establish centralised logging and SIEM integration. Correlating telemetry across environments surfaces patterns that no single-cloud tool captures independently.
Step 6: Automate policy enforcement using cloud-native security tools and SOAR platforms. Manual enforcement does not scale across distributed workloads.
Step 7: Continuously test and refine controls through red team exercises and compliance reviews. Zero trust is a persistent operational posture, not a one-time deployment.
Each tool category here addresses a specific gap that hybrid and multi-cloud environments create:
No single tool solves the zero trust challenge in isolation. The organizations making meaningful progress are those that have matched the right tools to the right gap, and built the operational discipline to use them consistently across every environment they run.
For practitioners working through these decisions in real environments, IndoSec 2026 offers direct access to the expertise and peer exchange that makes the difference.
Taking place on 15–16 September at The Ritz-Carlton Jakarta, Pacific Place, the summit brings together 2,000+ security professionals, senior officials from BSSN and KOMDIGI, and C-level executives from Indonesia’s leading enterprises. Zero trust architecture is a core agenda track alongside cloud security, cyber warfare, and enterprise threat protection.
Register at indosecsummit.com today!
What does operationalising zero trust mean in practice?
It means actively enforcing identity controls, micro-segmentation, continuous monitoring, and automated response across every environment.
Why is zero trust more complex in multi-cloud environments?
Each provider uses different identity and policy frameworks, creating enforcement gaps that require a federated identity layer and consistent tooling to close.
What is the right first step toward zero trust in a hybrid environment?
A complete asset and identity inventory. Organizations cannot enforce controls over resources and accounts that they have not yet mapped and classified.
How does micro-segmentation reduce risk across hybrid workloads?
It isolates workloads so a compromised system cannot move laterally, significantly reducing the blast radius of any breach.
Which sectors gain the most from zero trust in cloud environments?
Financial services, healthcare, government, and telecom are environments where regulated data moves across distributed infrastructure, and see the highest risk reduction from a mature zero trust architecture.