Zero Trust isn't a product; it's an operating posture. In Indian banks, that posture must be defensible against the RBI IT Governance Framework, the Cyber Security Framework, and (for the largest banks) the SAR-style supervisory audits — not against a vendor's marketing deck.
The Zero Trust conversation arrived in Indian banking around 2022 with the RBI's increasing emphasis on identity-based controls. By 2024-25 most large private banks had committed to a Zero Trust roadmap; by 2026 the question has shifted from 'should we' to 'how do we sequence the rollout under existing IT Governance Framework constraints'. This post is the sequencing playbook our architecture team uses for Indian bank engagements, mapped to the five Zero Trust pillars (CISA framework) and to RBI ITGF control families.
What changed in 2025-26
Three regulatory updates have shifted the centre of gravity. First, RBI's IT Governance Framework (notified November 2023, enforced 2024 onward) replaces sections of the older IT Risk circular and explicitly references identity-based and least-privilege controls. Second, RBI's Master Direction on Outsourcing of IT Services tightened third-party access expectations — Zero Trust is now the only architectural pattern that satisfies the access-segmentation requirement at the level of granularity RBI inspects against. Third, RBI's Digital Lending Guidelines and the DPDP Act 2023 layer customer-data-handling expectations on top of the bank's own perimeter — internal lateral movement is now also a customer-impact event.
The five Zero Trust pillars — what RBI inspectors look for
CISA's Zero Trust Maturity Model defines five pillars: identity, device, network, application/workload, and data — wrapped in three cross-cutting capabilities (visibility/analytics, automation/orchestration, governance). For Indian bank engagements, each pillar maps cleanly to one or more RBI ITGF control families:
| ZT Pillar | Core capability | RBI ITGF alignment |
|---|---|---|
| Identity | Strong auth, identity-as-perimeter, JIT privilege, identity threat detection | IT Governance — access management, PAM, MFA mandates |
| Device | Posture-based access, MDM, EDR coverage, supply-chain validation | IT Risk — endpoint controls; outsourcing — vendor device posture |
| Network | Microsegmentation, encrypted east-west, SDP, application-aware policy | IT Risk — network segregation; CSF — internal network security |
| Application / workload | Workload identity, runtime protection, application-tier policy enforcement | CSF — application-layer controls; resilience requirements |
| Data | Classification, encryption-at-rest, encryption-in-transit, DLP, rights management | DPDP §8 — data protection; CSF data-handling; sectoral guidance |
Sequencing — what to roll out first
Across our Indian bank engagements, the sequence that survives RBI audit cycles and produces measurable risk reduction inside 12 months is: identity first, device second, network third, application fourth, data alongside throughout. The temptation to start with network (because firewalls are familiar) leads to micro-segmentation rollouts that stall because workload identity hasn't been established. Identity is the dependency for everything else.
Stage 1 · Identity foundation (months 0-6)
- Inventory every identity store — Active Directory, Azure AD / Entra, Oracle Identity Cloud, LDAP, application-local accounts.
- Enforce MFA on every privileged identity (RBI mandate). FIDO2 hardware where possible; TOTP/push minimum.
- Stand up PAM with session brokering for Tier-0 and Tier-1 admin work. Vault every shared admin credential.
- Implement Just-In-Time admin — no standing Domain Admin or Enterprise Admin membership outside of break-glass.
- Tier the AD/Entra environment per Microsoft's Enterprise Access Model (Tier 0 / 1 / 2 / Cloud).
- Roll out ITDR (identity threat detection and response) — BloodHound delta monitoring, PingCastle weekly scans, ADCS template review.
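The standing-privilege and MFA checks above can be turned into a repeatable audit that runs between PingCastle/BloodHound cycles. The script below is an added example, not the post's or Macksofy's own tooling: it assumes a snapshot of Tier-0 group membership exported from AD/Entra, a registry of each account's MFA methods, the break-glass allowlist and the PAM's ledger of active JIT grants. Every record in it is constructed sample data and the field names are hypothetical.

```python
"""Tier-0 standing-privilege and MFA audit (added example; constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Groups whose membership must be JIT-only outside of break-glass.
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
STRONG_MFA = {"fido2"}                      # phishing-resistant
ACCEPTABLE_MFA = {"fido2", "totp", "push"}  # TOTP/push is the floor


@dataclass(frozen=True)
class Account:
    name: str
    groups: frozenset
    mfa_methods: frozenset


@dataclass(frozen=True)
class JitGrant:
    account: str
    group: str
    expires: datetime


def audit(accounts, grants, break_glass, now):
    """Return sorted (finding, account, detail) tuples.

    STANDING_TIER0: Tier-0 membership with no active JIT grant, not break-glass.
    NO_MFA / WEAK_MFA: privileged identity with no MFA, or without a FIDO2 method.
    """
    # A grant only counts while it is unexpired; a lingering membership after
    # expiry is exactly the "vault populated, JIT never landed" failure.
    active = {(g.account, g.group) for g in grants if g.expires > now}
    findings = []
    for acct in accounts:
        tier0 = acct.groups & TIER0_GROUPS
        if not tier0:
            continue  # not a Tier-0 identity; out of scope for this check
        for grp in sorted(tier0):
            if acct.name in break_glass or (acct.name, grp) in active:
                continue
            findings.append(("STANDING_TIER0", acct.name, grp))
        # MFA applies to every privileged identity, break-glass included.
        if not acct.mfa_methods & ACCEPTABLE_MFA:
            findings.append(("NO_MFA", acct.name, "no acceptable MFA method registered"))
        elif not acct.mfa_methods & STRONG_MFA:
            findings.append(("WEAK_MFA", acct.name, "no FIDO2 method; TOTP/push only"))
    return sorted(findings)


# Constructed snapshot: hypothetical accounts, grants and break-glass list.
NOW = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("svc-backup", frozenset({"Domain Admins"}), frozenset()),
    Account("a.sharma-t0", frozenset({"Domain Admins"}), frozenset({"fido2"})),
    Account("r.iyer-t0", frozenset({"Enterprise Admins"}), frozenset({"totp"})),
    Account("breakglass-01", frozenset({"Domain Admins"}), frozenset({"fido2"})),
    Account("p.nair", frozenset({"Helpdesk"}), frozenset({"push"})),
]
SAMPLE_GRANTS = [
    JitGrant("a.sharma-t0", "Domain Admins", NOW + timedelta(hours=2)),   # active
    JitGrant("r.iyer-t0", "Enterprise Admins", NOW - timedelta(days=3)),  # expired
]
BREAK_GLASS = {"breakglass-01"}


def sample_findings():
    return audit(SAMPLE_ACCOUNTS, SAMPLE_GRANTS, BREAK_GLASS, NOW)


if __name__ == "__main__":
    for finding in sample_findings():
        print(*finding)
```

Run on a real export, the STANDING_TIER0 list is the backlog Stage 1 has to drive to zero, and the WEAK_MFA list is the FIDO2 rollout queue; the expired grant for `r.iyer-t0` shows why the ledger and the directory must be reconciled rather than trusted separately.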
Stage 2 · Device posture (months 4-10)
- MDM / UEM on every endpoint (Intune, Workspace ONE, Jamf for Mac). RBI ITGF expects this for any device accessing critical systems.
- EDR on every server and every workstation, including DCs and Tier-0 admin hosts.
- Device posture signals fed into the conditional-access policy — non-compliant devices cannot access sensitive workloads.
- Privileged-access workstation (PAW) rollout for Tier-0 admins — clean-source principle.
- Supply-chain validation for hardware refresh — firmware integrity, BIOS attestation.
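The point of Stage 2 is that device posture becomes an input to the access decision alongside identity assurance and the sensitivity of the workload being reached (which is why the Stage 5 classification baseline has to exist at month 0). The policy-decision function below is an added example, not the post's or Macksofy's own engine and not any vendor's conditional-access product: the posture signal names (MDM enrolment, EDR health, disk encryption, patch age, PAW flag), the sensitivity taxonomy and the thresholds are assumptions chosen for illustration.

```python
"""Conditional-access decision: identity assurance x device posture x data
sensitivity (added example; signal names and thresholds are assumptions)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL_CONFIDENTIAL = 1
    FINANCIAL = 2
    CUSTOMER_PII = 3


@dataclass(frozen=True)
class DevicePosture:
    managed: bool          # enrolled in MDM/UEM and reporting compliant
    edr_healthy: bool      # EDR agent present and checking in
    disk_encrypted: bool
    patch_age_days: int    # days since the OS patch baseline was last met
    is_paw: bool = False   # privileged-access workstation (clean source)


@dataclass(frozen=True)
class Request:
    user: str
    mfa_method: Optional[str]        # "fido2", "totp", "push" or None
    privileged: bool                 # Tier-0/Tier-1 admin session
    device: DevicePosture
    target_sensitivity: Sensitivity


MAX_PATCH_AGE_DAYS = 30  # illustrative threshold


def decide(req):
    """Return ("ALLOW", []) or ("DENY", [reasons]); any unmet requirement denies."""
    reasons = []
    s, d = req.target_sensitivity, req.device

    # Identity pillar: MFA above public; FIDO2 for any privileged session.
    if s >= Sensitivity.INTERNAL_CONFIDENTIAL and req.mfa_method is None:
        reasons.append("mfa required")
    if req.privileged and req.mfa_method != "fido2":
        reasons.append("privileged session requires FIDO2")

    # Device pillar: posture gates sensitive workloads regardless of who asks.
    if s >= Sensitivity.FINANCIAL:
        if not d.managed:
            reasons.append("device not MDM-managed")
        if not d.edr_healthy:
            reasons.append("EDR unhealthy or missing")
        if not d.disk_encrypted:
            reasons.append("disk not encrypted")
        if d.patch_age_days > MAX_PATCH_AGE_DAYS:
            reasons.append(f"patch age {d.patch_age_days}d exceeds {MAX_PATCH_AGE_DAYS}d")
    if req.privileged and not d.is_paw:
        reasons.append("privileged session must originate from a PAW")

    return ("ALLOW", []) if not reasons else ("DENY", reasons)


# Constructed scenarios (hypothetical users and devices).
COMPLIANT = DevicePosture(True, True, True, 10)
UNMANAGED = DevicePosture(False, False, True, 5)
PAW = DevicePosture(True, True, True, 3, is_paw=True)
SCENARIOS = {
    "teller_to_core_banking": Request("teller01", "push", False, COMPLIANT, Sensitivity.FINANCIAL),
    "byod_to_customer_pii": Request("rm07", "totp", False, UNMANAGED, Sensitivity.CUSTOMER_PII),
    "dc_admin_from_laptop": Request("a.sharma-t0", "fido2", True, COMPLIANT, Sensitivity.FINANCIAL),
    "dc_admin_from_paw_totp": Request("r.iyer-t0", "totp", True, PAW, Sensitivity.FINANCIAL),
    "intranet_no_mfa": Request("p.nair", None, False, UNMANAGED, Sensitivity.INTERNAL_CONFIDENTIAL),
    "public_page_unmanaged": Request("guest", None, False, UNMANAGED, Sensitivity.PUBLIC),
}


def run_scenarios():
    return {name: decide(req) for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (verdict, why) in run_scenarios().items():
        print(f"{name}: {verdict} {why}")
```

Note that the admin with a FIDO2 key is still denied from an ordinary laptop: the PAW requirement is a device-pillar control and does not relax because the identity pillar is strong, which is the clean-source principle expressed as policy.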
Stage 3 · Network microsegmentation (months 8-14)
- Replace flat VLANs with application-aware microsegmentation (Illumio, Akamai Guardicore, Cisco Secure Workload, or native cloud equivalents).
- Encrypt east-west traffic for any flow touching customer or financial data (mTLS at the service-mesh layer for cloud workloads).
- SDP / ZTNA for remote access — replace traditional VPN for any non-administrative remote work.
- Policy-as-code — every microsegment policy in version control, change-controlled, auditable.
- Continuous traffic analytics fed into the SIEM / SOC.
Stage 4 · Application & workload (months 12-18)
- Workload identity — every service, every container, every serverless function authenticates with a non-human identity (SPIFFE / cloud-native equivalents).
- Runtime protection — RASP for critical apps; cloud workload protection for IaaS/PaaS.
- Application-tier policy enforcement — authorisation decisions at the API layer, not just at the gateway.
- Continuous security validation — pen-test cadence aligned with release cycles, not annual.
- Software supply-chain security — SBOM generation, dependency scanning, image signing.
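Stage 3's policy-as-code requirement and Stage 4's workload-identity requirement meet in the segmentation rule set: a rule keyed on an IP range cannot tell a real workload from lateral movement, which is the first pitfall listed later in this post. The linter and evaluator below are an added example, not the post's, Macksofy's or any listed vendor's code. They assume a simple policy document (constructed inline, with a hypothetical `bank.example` trust domain) in which every rule names source and destination by SPIFFE ID, labels the destination's data class, enumerates ports and requires mTLS on flows into sensitive data; the rule field names are assumptions.

```python
"""Microsegmentation policy-as-code: lint and evaluate identity-keyed rules
(added example; policy schema and trust domain are assumptions)."""
import re

# SPIFFE ID shape: spiffe://<trust-domain>/<path>
SPIFFE_ID = re.compile(r"^spiffe://[A-Za-z0-9.\-]+/[A-Za-z0-9._\-/]+$")
SENSITIVE_LABELS = {"customer-pii", "financial"}


def lint(policy):
    """Return (rule_index, problem) pairs; an empty list means the policy passes."""
    problems = []
    if policy.get("default") != "deny":
        problems.append((None, "policy must declare default: deny"))
    seen = set()
    for i, rule in enumerate(policy.get("rules", [])):
        for side in ("src", "dst"):
            value = rule.get(side, "")
            if value == "*":
                problems.append((i, f"{side} wildcard is not allowed"))
            elif not SPIFFE_ID.match(value):
                # IP/CIDR keys are rejected: the rule must bind to a workload identity.
                problems.append((i, f"{side} {value!r} is not a workload identity"))
        if rule.get("dst_label") in SENSITIVE_LABELS and not rule.get("mtls", False):
            problems.append((i, "flow to sensitive data must require mTLS"))
        if not rule.get("ports"):
            problems.append((i, "rule must enumerate ports"))
        key = (rule.get("src"), rule.get("dst"), tuple(rule.get("ports", [])))
        if key in seen:
            problems.append((i, "duplicate rule"))
        seen.add(key)
    return problems


def is_allowed(policy, src, dst, port):
    """A flow is allowed only if a rule explicitly matches it; otherwise default deny."""
    for rule in policy.get("rules", []):
        if rule["src"] == src and rule["dst"] == dst and port in rule.get("ports", []):
            return True
    return False


# Constructed policies for a hypothetical trust domain.
API = "spiffe://bank.example/ns/payments/sa/api"
LEDGER = "spiffe://bank.example/ns/payments/sa/ledger-db"
PORTAL = "spiffe://bank.example/ns/web/sa/portal"
GOOD_POLICY = {
    "default": "deny",
    "rules": [
        {"src": API, "dst": LEDGER, "ports": [5432], "dst_label": "financial", "mtls": True},
        {"src": PORTAL, "dst": API, "ports": [8443], "dst_label": "internal", "mtls": True},
    ],
}
BAD_POLICY = {
    "default": "allow",
    "rules": [
        # Keyed on a CIDR, cleartext, into customer data: three findings.
        {"src": "10.20.0.0/16", "dst": "spiffe://bank.example/ns/crm/sa/customer-db",
         "ports": [3306], "dst_label": "customer-pii", "mtls": False},
        # Wildcard destination with no ports: two findings.
        {"src": PORTAL, "dst": "*", "ports": [], "dst_label": "internal"},
    ],
}


if __name__ == "__main__":
    print("good policy problems:", lint(GOOD_POLICY))
    for idx, problem in lint(BAD_POLICY):
        print(f"rule {idx}: {problem}")
    print("api -> ledger:5432", is_allowed(GOOD_POLICY, API, LEDGER, 5432))
    print("portal -> ledger:5432", is_allowed(GOOD_POLICY, PORTAL, LEDGER, 5432))
```

Wired into the repository's CI, `lint` is the gate that stops a CIDR-keyed or cleartext rule from being merged, and `is_allowed` is the unit test that proves a proposed policy still denies the flows it is meant to deny before it is pushed to the enforcement points.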
Stage 5 · Data — alongside throughout
- Data classification baseline at month 0 — what is the bank's customer-PII, financial-data, internal-confidential and public taxonomy?
- Encryption-at-rest on every database, every backup, every object store (RBI ITGF baseline).
- Encryption-in-transit on every internal flow, not just the perimeter.
- DLP integrated with the email and endpoint stack — outbound channels monitored.
- Rights management for sensitive documents (AIP / equivalent) — protection that survives the document leaving the perimeter.
- DPDP §8 alignment — data-subject access workflows, consent management, breach-notification readiness.
Budget reality — what a Zero Trust programme costs an Indian bank
Across our engagements with Indian private banks (Tier-1 to Tier-3), the 18-month Zero Trust programme cost lands between ₹15-60 crore depending on starting maturity and the cloud-vs-on-prem mix. The single biggest line item is identity (PAM + ITDR + MFA rollout) at 30-40% of total spend. Network microsegmentation is the second largest at 20-30%. The rest distributes across device, application, data, and the programme management overhead. RoI is measurable through the reduction in lateral-movement dwell time (typically 90% reduction at month 12) and the reduction in privileged-access incident frequency.
Common pitfalls in Indian bank Zero Trust rollouts
- Buying microsegmentation before establishing workload identity — segmentation that can't tell a real workload from an attacker's lateral movement.
- Rolling out PAM without breaking the standing Domain Admin habit — the vault gets populated but the JIT discipline never lands.
- Treating MFA as the destination, not the foundation — RBI expects FIDO2-class auth for privileged identities by 2027.
- Letting third-party vendors stay on legacy access patterns — outsourcing-circular finding waiting to happen.
- Skipping the data-classification work because it's slow — every downstream control becomes a guess without it.
How Macksofy helps
Our architecture and audit practices deliver Zero Trust programme work for Indian banks, NBFCs and insurers — from the 8-week current-state assessment through the 18-month rollout governance and the RBI inspection-readiness deliverables. We are CERT-In empanelled, and RBI IT Governance Framework alignment is a standard output of every engagement. See /services/identity-security-zero-trust for the identity-pillar engagement and /audit/rbi-it-governance for the inspection-readiness audit.
