Zero Trust for Hybrid Cloud: A Practical Starting Point

Sep 20, 2025 · 2 min read

Zero Trust gets sold as a product, but it's really a way of designing access and monitoring. You don't need a full replatform to start using it in your hybrid environment. Here's how I approach it with teams that have a mix of on-prem and cloud.

Zero Trust: treat every path as untrusted

1. Treat on-prem and cloud as equally untrusted

Stop assuming that anything "inside the network" is safe. I've seen too many incidents where that assumption was the weak link.

  • Require strong authentication for internal admin tools.
  • Expose management planes through controlled entry points (VPN, ZTNA, or hardened bastions).
  • Log and inspect traffic between tiers, not just at the edge.

2. Move toward identity-aware access everywhere

Wherever you can:

  • Replace shared accounts with named identities.
  • Use role-based access instead of static local permissions.
  • Tie access approvals to business roles and tickets, not "just in case" requests.
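As an added illustration of what "identity-aware access" looks like at a decision point (this is example code written for this post, not from any product or policy engine the post mentions), the following evaluates an access request against named identities, role bindings, and a ticket requirement for privileged actions. Everything in it is constructed: the role names, the permission strings, the shared-account list, and the identities are assumptions, and the model is deliberately default-deny so that every path that is not explicitly granted is refused with a reason you can log.

```python
"""Identity-aware access decision point (constructed example, not a real product API).

Assumptions made for this example: identities are named users ('first.last'),
roles are bound to identities rather than hosts, a small set of permissions is
'privileged' and requires an approved, unexpired change ticket, and anything that
looks like a shared or generic account is refused before roles are even checked.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Constructed role -> permission mapping (assumed names, not from the post).
ROLE_PERMISSIONS = {
    "app-dev": {"app:deploy-nonprod", "logs:read"},
    "platform-admin": {"app:deploy-prod", "host:ssh-prod", "logs:read"},
}
# Permissions that must be tied to a ticket, not granted "just in case".
PRIVILEGED = {"app:deploy-prod", "host:ssh-prod"}
# Generic or shared account names that should never be granted access directly.
SHARED_ACCOUNT_NAMES = {"admin", "root", "administrator", "shared-ops", "svc-deploy"}
# Constructed role bindings: named identities only.
ROLE_BINDINGS = {
    "maria.chen": {"platform-admin"},
    "dev.singh": {"app-dev"},
}


@dataclass
class Ticket:
    ticket_id: str
    approved: bool
    expires: datetime


@dataclass
class AccessRequest:
    principal: str
    permission: str
    ticket: Optional[Ticket] = None


def decide(req: AccessRequest, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Default deny: only an explicit grant returns True."""
    if req.principal in SHARED_ACCOUNT_NAMES:
        return False, "shared account; use a named identity"
    roles = ROLE_BINDINGS.get(req.principal)
    if not roles:
        return False, "no role bound to identity"
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))
    if req.permission not in granted:
        return False, f"{req.permission} not granted by roles {sorted(roles)}"
    if req.permission in PRIVILEGED:
        t = req.ticket
        if t is None or not t.approved:
            return False, "privileged action requires an approved ticket"
        if t.expires <= now:
            return False, f"ticket {t.ticket_id} expired"
    return True, "allowed"


def run_examples() -> Dict[str, Tuple[bool, str]]:
    """Exercise every decision path with constructed requests and a fixed clock."""
    now = datetime(2025, 9, 20, 12, 0, tzinfo=timezone.utc)
    ok_ticket = Ticket("CHG-1234", True, now + timedelta(hours=4))     # constructed
    old_ticket = Ticket("CHG-0999", True, now - timedelta(hours=1))    # constructed
    cases = {
        "shared_account": AccessRequest("admin", "host:ssh-prod", ok_ticket),
        "unknown_identity": AccessRequest("nobody.here", "logs:read"),
        "wrong_role": AccessRequest("dev.singh", "app:deploy-prod", ok_ticket),
        "no_ticket": AccessRequest("maria.chen", "app:deploy-prod"),
        "expired_ticket": AccessRequest("maria.chen", "host:ssh-prod", old_ticket),
        "allowed_routine": AccessRequest("dev.singh", "logs:read"),
        "allowed_privileged": AccessRequest("maria.chen", "app:deploy-prod", ok_ticket),
    }
    return {name: decide(req, now) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in run_examples().items():
        print(f"{name:20s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

The point of the structure is the order of checks: the identity question (is this a named person?) is settled before any role lookup, and the ticket check only applies to the privileged subset, so routine reads by a named user with the right role stay frictionless while production changes carry an audit trail back to a change record.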

This is where a lot of CMMC and DoD readiness overlaps with Zero Trust: identity is the backbone of both.

3. Shrink implicit trust zones

Look for large, flat networks and shared admin domains. Those are the spots I target first.

  • Segment by sensitivity and function, not only by environment (prod vs. non-prod).
  • Tighten controls around domain controllers, CI/CD, and build systems.
  • Make east-west movement more visible with targeted logging and detections.
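To make the "log between tiers" point from section 1 and the "make east-west movement visible" point above concrete, here is an added example (written for this post, not code from the author or any product) that runs three detections over a handful of constructed flow-log lines. The segment map, tiers, CIDRs, port list, the expected-flow allowlist, the fan-out threshold, and the log format (`timestamp src dst dport proto`) are all assumptions; real flow logs (VPC flow logs, firewall logs, NetFlow) would need their own parser, but the rules are the same.

```python
"""East-west visibility: detections over constructed flow-log lines (example only).

Assumptions for this example: flow records are "<ts> <src_ip> <dst_ip> <dport> <proto>"
lines; segments are CIDRs with a sensitivity tier (higher = more sensitive); the
management plane (SSH/RDP/WinRM) is only legitimately reached from the bastion
segment; and a short allowlist names the cross-tier flows that are expected.
"""
import ipaddress
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed segment map: name -> (network, sensitivity tier).
SEGMENTS = {
    "user-lan": (ipaddress.ip_network("10.10.0.0/16"), 1),
    "app-nonprod": (ipaddress.ip_network("10.20.0.0/16"), 2),
    "app-prod": (ipaddress.ip_network("10.30.0.0/16"), 3),
    "ci-cd": (ipaddress.ip_network("10.40.0.0/24"), 4),
    "domain-controllers": (ipaddress.ip_network("10.50.0.0/24"), 5),
    "bastion": (ipaddress.ip_network("10.60.0.0/28"), 4),
}
MGMT_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm", 5986: "winrm-https"}
ALLOWED_MGMT_SOURCES = {"bastion"}
# Expected upward cross-tier flows: (src segment, dst segment) -> allowed dst ports.
EXPECTED_CROSS_TIER = {("app-prod", "domain-controllers"): {88, 389, 636}}
# One source reaching this many distinct hosts on admin ports is worth a look.
FANOUT_THRESHOLD = 3

# Constructed sample, not real traffic.
FLOW_LOG = """\
# ts src dst dport proto
2025-09-20T10:00:01Z 10.60.0.5 10.30.1.10 22 tcp
2025-09-20T10:00:02Z 10.30.1.10 10.50.0.10 389 tcp
2025-09-20T10:00:03Z 10.10.4.23 10.30.1.10 22 tcp
2025-09-20T10:00:04Z 10.10.4.23 10.40.0.7 3389 tcp
2025-09-20T10:00:05Z 10.10.4.23 10.50.0.10 5985 tcp
2025-09-20T10:00:06Z 10.20.2.8 10.40.0.7 443 tcp
2025-09-20T10:00:07Z 10.10.4.23 10.10.9.9 445 tcp
"""


def segment_of(ip: str) -> Tuple[str, int]:
    """Map an address to its segment name and tier; unknown addresses get tier 0."""
    addr = ipaddress.ip_address(ip)
    for name, (net, tier) in SEGMENTS.items():
        if addr in net:
            return name, tier
    return "unknown", 0


def parse_flow(line: str) -> dict:
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def detect(log_text: str) -> List[dict]:
    """Apply the three rules and return one alert dict per finding."""
    alerts: List[dict] = []
    mgmt_targets: Dict[str, set] = defaultdict(set)   # src -> distinct admin-port targets
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = parse_flow(line)
        src_seg, src_tier = segment_of(f["src"])
        dst_seg, dst_tier = segment_of(f["dst"])
        # Rule 1: admin service reached from anywhere other than the controlled entry point.
        if f["dport"] in MGMT_PORTS:
            mgmt_targets[f["src"]].add(f["dst"])
            if src_seg not in ALLOWED_MGMT_SOURCES:
                alerts.append({"rule": "mgmt-plane-bypass", "severity": "high",
                               "src": f["src"], "dst": f["dst"],
                               "service": MGMT_PORTS[f["dport"]], "ts": f["ts"]})
                continue
        # Rule 2: flow climbing into a more sensitive tier that is not on the allowlist.
        if dst_tier > src_tier and src_seg not in ALLOWED_MGMT_SOURCES:
            if f["dport"] not in EXPECTED_CROSS_TIER.get((src_seg, dst_seg), set()):
                alerts.append({"rule": "unexpected-cross-tier", "severity": "medium",
                               "src": f["src"], "dst": f["dst"], "dport": f["dport"],
                               "path": f"{src_seg}->{dst_seg}", "ts": f["ts"]})
    # Rule 3: one non-bastion source touching many hosts on admin ports (fan-out).
    for src, dsts in mgmt_targets.items():
        if len(dsts) >= FANOUT_THRESHOLD and segment_of(src)[0] not in ALLOWED_MGMT_SOURCES:
            alerts.append({"rule": "mgmt-fanout", "severity": "high",
                           "src": src, "distinct_targets": len(dsts)})
    return alerts


def summarize(alerts: List[dict]) -> Dict[str, int]:
    """Count alerts per rule, which is what a dashboard or weekly review would start from."""
    return dict(Counter(a["rule"] for a in alerts))


if __name__ == "__main__":
    for a in detect(FLOW_LOG):
        print(a)
    print(summarize(detect(FLOW_LOG)))
```

Note what the sample produces and why: the bastion's SSH session and the production-to-domain-controller LDAP flow are quiet because they are on the allowlists, while the user-LAN host that touches three admin services in three different segments generates both per-flow alerts and a fan-out finding. Tuning the allowlist is the real work; the rules themselves are small, which is why targeted logging between tiers pays off quickly.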

The goal isn't perfection. It's making every step an attacker takes noisier and more expensive. Small, consistent moves add up, and that's what gets you closer to both CMMC and real resilience.