Zero Trust Security Architecture for Business Applications: Never Trust, Always Verify

At 10:14 PM, Marcus Tanuwijaya, IT Security Manager at Semarang-based freight company Cakra Logistics, got an alert from the SIEM platform his team had installed only weeks earlier: a VPN login from an IP address in a city none of their staff were based in, followed immediately by direct access to the finance module of their ERP system — the one holding receivables data and partner bank account details. The account belonged to a former finance staffer who had resigned five weeks prior. HR had already revoked her email and building access, but nobody had thought to disable her VPN account, because VPN and ERP access were managed by two different teams, and neither system automatically re-verified her identity once she was inside the network. The incident was caught before any data left the building. But it exposed a hard truth for Marcus: once someone — or something — gets past the front door, legacy systems almost never ask again, "do you actually still belong here?" That is exactly the problem Zero Trust architecture is built to solve.
What Is Zero Trust Architecture
Zero Trust is a security model built on one core principle: never trust, always verify. Unlike the classic perimeter model — often called castle-and-moat, where anything inside the corporate network is assumed safe and anything outside is treated as a threat — Zero Trust recognizes no safe zones at all. Every access request, whether from an employee at headquarters, a remote worker in Bali, a third-party vendor, or one internal service calling another's API, must have its identity verified, its device checked for health, and its authorization continuously re-evaluated — not just validated once at login. Access is granted based on identity and context (who, from what device, to which resource, under what conditions), not on network location. In the old model, once someone got past the VPN or firewall, they could typically move freely across most internal systems. In Zero Trust, every system, every API, every network segment enforces its own verification gate.
The Real Cost of Perimeter-Based Security in a Distributed World
Castle-and-moat security was built for an era when employees worked from one office, applications ran on internal servers, and "outside" was clearly separate from "inside." Today's business reality looks nothing like that, and the gap carries real consequences:
Remote and hybrid work risk — the moment employees access ERP or CRM systems from home, a coffee shop, or a branch office, the notion of a "safe internal network" loses all meaning; a laptop on public Wi-Fi becomes a potential doorway into core business systems.
Lateral movement after a breach — once an attacker obtains a single weak credential, a flat network without segmentation lets them hop from server to server unchecked, turning a minor incident into a full-scale data breach.
Uncontrolled third-party vendor access — many businesses hand out generic VPN accounts to IT contractors, auditors, or consultants with no defined boundaries, so one careless vendor becomes an attack vector into the entire network.
Former employees with lingering access — like Marcus's case, manual offboarding routinely leaves weeks-long gaps in which old credentials still work fully on systems that aren't wired into a central directory.
Compliance and audit failures — regulators and ISO 27001 auditors increasingly demand proof of granular, resource-level access control; a perimeter model that only logs "who connected to the VPN" can't answer who accessed what specific data.
Single points of failure at the firewall/VPN layer — once the VPN appliance itself is breached or misconfigured, the entire defense collapses at once, because there's no second layer of verification behind it.
The pattern is the same across all six: once the outer boundary is crossed, there's no further layered checking inside. Zero Trust flips that assumption entirely.
Core Components of a Zero Trust Implementation
Building Zero Trust isn't about buying one product — it's about assembling several mutually reinforcing layers of control. The must-have elements are:
A centralized Identity Provider (IdP) with SSO and MFA — every business application, from ERP to email, should authenticate through a single identity source (Azure AD/Entra ID, Okta, Google Workspace) with mandatory multi-factor authentication, so one leaked credential doesn't unlock every door.
Device posture verification — the system checks whether the connecting device is encrypted, has active antivirus, and is fully patched before granting access to sensitive data — not just who's asking, but what they're asking from.
Network micro-segmentation — the network is broken into small zones (e.g., the finance database server isolated from the file-sharing server), so an attacker who compromises one segment can't automatically reach another.
Least-privilege and just-in-time (JIT) access — every account, including admin accounts, gets only the minimum permissions needed for its task, and privileged access is granted temporarily with automatic expiry rather than standing permanently.
A centralized policy engine — a decision engine that evaluates every access request in real time based on identity, device, location, data sensitivity, and risk score, then allows, denies, or demands step-up verification.
Continuous monitoring and logging — every access to sensitive systems is logged and analyzed by a SIEM or equivalent, so anomalies like a login from an unusual location or off-hours access are caught automatically, not discovered weeks later.
API gateway enforcement — for modern microservices-based applications, every API call — internal or third-party — must pass through a gateway that verifies tokens, enforces rate limits, and logs every transaction.
Encryption everywhere — data is encrypted both at rest and in transit, including between internal services, not just at the public entry point.
These eight components reinforce one another; skipping just one — say, deploying MFA but ignoring micro-segmentation — leaves a large gap that's still exploitable through lateral movement.
Build In-House vs. Adopt a Zero Trust Platform
For most Indonesian businesses, the real question isn't "do we build every component ourselves," but "how much do we build versus adopt from a mature platform." Platforms like Okta, Microsoft Entra ID (formerly Azure AD), or a BeyondCorp-style approach from Google already ship identity provider, policy engine, and device posture checking as managed services — licensing is priced per user per month, but implementation time is dramatically shorter and your internal team doesn't have to maintain core security infrastructure. This is the right call for businesses with lean IT teams or those racing to satisfy enterprise-client due diligence requirements.
Building in-house — say, writing a custom policy engine on top of Open Policy Agent, or manually segmenting networks with internal firewalls — makes sense when business needs are highly specific, transaction volume is large enough that per-user commercial licensing becomes prohibitively expensive, or sector-specific regulation (banking, healthcare) requires full control over identity infrastructure. In practice, most realistic implementations are hybrid: adopt a commercial IdP for SSO and MFA (because rebuilding secure authentication from scratch is a high-risk undertaking), but build custom micro-segmentation policies and API gateway rules tailored to your unique internal application architecture. AFSS typically recommends starting from a mature IdP platform as the foundation, then building the policy and ERP integration layer on top — this cuts risk while accelerating time to production.
Cost and Timeline Estimates in Indonesia
Zero Trust implementation cost depends heavily on organizational scale and how far the rollout extends. As a rough guide for businesses in Indonesia:
Starter tier (SMBs with 20-100 users, focused on SSO + MFA + basic access policies for ERP and email): IDR 150-350 million (roughly $9,500-22,000), delivered over 2-3 months. Suited to businesses just beginning to tighten access controls and needing to quickly satisfy corporate-client due diligence requests.
Mid-tier (companies with 100-500 users, covering network micro-segmentation, device posture checks, and API gateway integration for several core business applications): IDR 450 million - 1 billion (roughly $28,000-63,000), over a 4-7 month timeline including phased piloting by department.
Enterprise tier (organizations with 500+ users, multiple branches, strict compliance needs such as ISO 27001 or UU PDP audits, including a custom policy engine and fully integrated SIEM): IDR 1.8-4.5 billion (roughly $114,000-285,000), over an 8-14 month timeline given the complexity of migrating legacy systems and training across divisions.
Beyond implementation cost, budget annually for IdP platform licensing (typically $3-8 per user per month depending on feature tier) and periodic compliance audit costs — two line items that are frequently missed in initial budget planning.
Case Study: Cakra Logistics
After the former-employee VPN incident, Marcus Tanuwijaya pitched a phased Zero Trust project to the board at Cakra Logistics, a freight and logistics company with 340 employees across six cities. Phase one (months 1-3) replaced the legacy VPN with mandatory MFA-backed SSO via Azure AD for all access to the ERP and fleet-tracking systems. Phase two (months 4-6) rolled out micro-segmentation, isolating the finance database server from the warehouse operations servers, plus just-in-time access policies for all admin accounts. Phase three (months 7-8) integrated an API gateway for the shipment-tracking system accessed by external partners.
Nine months into full implementation, the results: mean time to detect suspicious activity dropped from 11 days to 4 hours, thanks to continuous monitoring wired into the SIEM. Mean time to respond fell from 3 days to under 2 hours, because the security team could now revoke access per session without shutting down entire systems. An access audit found and revoked 47 over-privileged accounts, including 9 belonging to former employees that were still active. The micro-segmentation layer blocked 23 lateral-movement attempts in the first six months alone — incidents that would never have been detected at all under the old architecture. The board also noted an 18% drop in cyber insurance premiums at the next policy renewal, driven in part by significantly stronger compliance reporting.
Metrics to Track After Launch
Zero Trust isn't a project you finish and walk away from — its effectiveness has to be measured continuously:
- Mean time to detect (MTTD) — how long between suspicious activity occurring and the system flagging it.
- Mean time to respond (MTTR) — how long between detection and access being revoked or the incident contained.
- Number of over-privileged accounts found and revoked each quarterly audit cycle.
- MFA adoption rate across the entire user base, including service accounts and API credentials.
- Number of lateral-movement attempts blocked by micro-segmentation controls.
- Average onboarding/offboarding access time — how quickly new employees get provisioned and departing employees get fully deprovisioned.
- Device posture compliance rate — the percentage of devices meeting minimum security standards when accessing sensitive systems.
Tracking these metrics regularly, ideally through a dashboard reviewed monthly by IT and leadership, ensures your Zero Trust investment keeps delivering value instead of quietly decaying into a one-time project that's forgotten a year later.
If your business is still relying on a VPN and a firewall as its only line of defense, an incident like Marcus's is only a matter of time. AFSS helps businesses in Indonesia design and build Zero Trust architecture sized to their real scale and budget, from basic SSO all the way to full micro-segmentation. Check our pricing or go ahead and submit a project for an initial consultation.
Have a similar project?
Free consultation, no commitment. Tell us what you need — we'll help you find the best solution.
Free Consultation

