← ALL POSTS
CYBERSECURITY EXPLAINER

Zero trust, minus the buzzwords

Zero trust might be the most oversold phrase in security right now. Every vendor slaps it on the box, your insurance form asks about it, and the definitions you find read like they were written to win a buzzword bingo card. Underneath the marketing there's a genuinely useful idea, and for a 20-person company it mostly translates to settings you already pay for. Here's the idea without the fog.

The old model: castle and moat

Traditional network security assumed there was an inside and an outside. The firewall was the moat. Anything outside was dangerous, anything inside was trusted, and once you were in (in the office, or on the VPN), you could reach the file server, the printers, the accounting system, mostly without further challenge.

That model quietly died. Your files are in Microsoft 365 or Google Workspace, your accounting is a website, half the team works from home some days, and your data flows through laptops and phones on networks you've never seen. There is no "inside" anymore. Worse, the model fails catastrophically when it fails: one phished password or one infected laptop, and the attacker is inside the moat with the run of the castle. Nearly every ransomware disaster we've been called into followed exactly that script: one foothold, then a free walk to everything else.

The idea, in one sentence

Zero trust means no request is trusted because of where it comes from; every request gets verified on its own. Being on the office Wi-Fi proves nothing. Every access to every system checks: is this really the right person (strong authentication), on a healthy device (patched, encrypted, running your security agent), asking for something their role actually needs (least privilege)? And the checking keeps happening, rather than one login granting all-day, all-systems access.

The mental flip that matters: assume breach. Design as if one account or laptop is already compromised, and ask what the attacker could reach from there. In a castle-and-moat network the answer is "everything." In a zero-trust setup the answer is "that one account's slice, until the anomaly gets flagged." You're not promising break-ins never happen. You're making sure one stolen password isn't the whole company.

What it means in practice for a 20-person company

You don't buy zero trust in a box, no matter what the box says. It's a series of settings and habits, most of which live in licenses you already have. In rough order of value:

What zero trust is not

It's not a product, so any quote for "a zero trust" should get a raised eyebrow. It's not a project with an end date; it's a direction you keep tightening. It's not paranoia toward your employees; the "trust" being zeroed is network location, not people. And it doesn't have to make daily work miserable. Done right it's often smoother: sign in once with MFA on a healthy laptop, and the checks ride along silently after that. If a rollout makes everyone's day slower, the design is wrong, not the idea.

Where to start, and how to know you're getting there

Don't try to do the list in a quarter. The order above is the priority order: MFA enforced this month, sign-in rules and device enrollment next, then the permissions audit, then network segmentation as time allows. Each step is independently worth having even if you never finish the list.

The test that cuts through all of it is one question: if an attacker had one employee's password right now, what could they reach? Walk it honestly. If the answer is "email, files, and everything on the network, from any computer on earth," you're still castle-and-moat. If the answer is "nothing without the second factor, and even then only that user's apps, only from an enrolled device, with the odd sign-in flagged," then congratulations: you're doing zero trust, whatever the vendors call it.

Stuck on this, or want it done for you? That's the job.

Email us →
RELATED READING
Do you still need a VPN? Explainer
Set up a company password manager the right way Step-By-Step Guide
PCI DSS for small business: what taking cards commits you to Explainer
SOC 2 prep without the panic Explainer
Who’s watching your network at 3 a.m.? Explainer
NO FORMS. JUST EMAIL.
mason@hurbs.io
or (832) 457-4317, LA and Houston