Zero trust might be the most oversold phrase in security right now. Every vendor slaps it on the box, your insurance form asks about it, and the definitions you find read like they were written to win a buzzword bingo card. Underneath the marketing there's a genuinely useful idea, and for a 20-person company it mostly translates to settings you already pay for. Here's the idea without the fog.
The old model: castle and moat
Traditional network security assumed there was an inside and an outside. The firewall was the moat. Anything outside was dangerous, anything inside was trusted, and once you were in (in the office, or on the VPN), you could reach the file server, the printers, the accounting system, mostly without further challenge.
That model quietly died. Your files are in Microsoft 365 or Google Workspace, your accounting is a website, half the team works from home some days, and your data flows through laptops and phones on networks you've never seen. There is no "inside" anymore. Worse, the model fails catastrophically when it fails: one phished password or one infected laptop, and the attacker is inside the moat with the run of the castle. Nearly every ransomware disaster we've been called into followed exactly that script: one foothold, then a free walk to everything else.
The idea, in one sentence
Zero trust means no request is trusted because of where it comes from; every request gets verified on its own. Being on the office Wi-Fi proves nothing. Every access to every system checks: is this really the right person (strong authentication), on a healthy device (patched, encrypted, running your security agent), asking for something their role actually needs (least privilege)? And the checking keeps happening, rather than one login granting all-day, all-systems access.
The mental flip that matters: assume breach. Design as if one account or laptop is already compromised, and ask what the attacker could reach from there. In a castle-and-moat network the answer is "everything." In a zero-trust setup the answer is "that one account's slice, until the anomaly gets flagged." You're not promising break-ins never happen. You're making sure one stolen password isn't the whole company.
What it means in practice for a 20-person company
You don't buy zero trust in a box, no matter what the box says. It's a series of settings and habits, most of which live in licenses you already have. In rough order of value:
- MFA everywhere, enforced. Verifying every request starts with verifying identity, and passwords alone don't. Authenticator apps for everyone, hardware keys for admins. This is the foundation; nothing else on this list matters much without it.
- Sign-in rules that consider context. Microsoft 365 Business Premium includes Conditional Access: block sign-ins from countries you don't operate in, require MFA on every new device, flag impossible travel. Google Workspace has context-aware access on its higher tiers. This is the "keep verifying" part, running automatically.
- Device health checks. A valid password from a compromised laptop is still a compromised session. Use Intune or Google's device management to require that company data is only reachable from devices that are enrolled, encrypted, patched, and running your EDR. Start with a simple rule like "must be enrolled and encrypted" and tighten from there.
- Least privilege on accounts. Audit who can touch what. The bookkeeper doesn't need admin rights, nobody does day-to-day work from an admin account, and the marketing hire can't open the finance share. Every permission someone doesn't need is free attack surface you're donating.
- Least privilege on the network. If you still run a flat office network where every device can talk to every other device, split it: guest Wi-Fi truly separate, servers reachable only on the ports they serve, the smart thermostat and cameras on their own segment. Any business-grade firewall or switch can do this with VLANs.
- Retire the moat-flavored VPN. A classic VPN that drops remote users onto the full internal network is castle-and-moat with extra steps. If people only need cloud apps, they may not need a VPN at all. If they need internal systems, per-app access tools (Cloudflare Access, Tailscale, Twingate) grant reach to the specific application, not the whole network, and check identity and device on the way in.
What zero trust is not
It's not a product, so any quote for "a zero trust" should get a raised eyebrow. It's not a project with an end date; it's a direction you keep tightening. It's not paranoia toward your employees; the "trust" being zeroed is network location, not people. And it doesn't have to make daily work miserable. Done right it's often smoother: sign in once with MFA on a healthy laptop, and the checks ride along silently after that. If a rollout makes everyone's day slower, the design is wrong, not the idea.
Where to start, and how to know you're getting there
Don't try to do the list in a quarter. The order above is the priority order: MFA enforced this month, sign-in rules and device enrollment next, then the permissions audit, then network segmentation as time allows. Each step is independently worth having even if you never finish the list.
The test that cuts through all of it is one question: if an attacker had one employee's password right now, what could they reach? Walk it honestly. If the answer is "email, files, and everything on the network, from any computer on earth," you're still castle-and-moat. If the answer is "nothing without the second factor, and even then only that user's apps, only from an enrolled device, with the odd sign-in flagged," then congratulations: you're doing zero trust, whatever the vendors call it.
Stuck on this, or want it done for you? That's the job.
Email us →