Cybersecurity 101 — by Red Hound Information Security

What is Zero Trust?

Zero trust is a simple idea with a blunt name: never assume anyone or anything is safe just because it's "inside" your network. Every person and device must prove itself, every time it asks for access. It replaces the old "castle and moat" model that fails the moment an attacker gets past the wall.

The plain-English definition

"Never trust, always verify."

For decades, networks were built like a castle: a strong wall (the firewall) around the outside, and everyone inside trusted freely. The problem is obvious in hindsight — once an attacker tricks one employee or steals one password, they're "inside the walls" and can roam almost anywhere. Modern work made it worse: people log in from home, from phones, from coffee shops, and data lives in cloud apps that have no walls at all.

Zero trust throws out the assumption that "inside" equals "safe." Instead, it treats every request as if it came from an open, hostile network — even one from a familiar laptop in your own office. Before granting access, it asks: Who are you? Is your device healthy? Are you allowed to reach this specific thing, right now? The phrase you'll hear is "never trust, always verify."

Importantly, zero trust is a strategy, not a product. No single tool makes you "zero trust." It's an approach you apply across identity, devices, and access — formalized by the US National Institute of Standards and Technology (NIST) in its zero trust architecture guidance.

How it works

Verify every request, grant the least access.

Zero trust rests on a handful of practical principles that work together.

Verify identity, strongly

Every access starts with proving who you are — backed by multi-factor authentication, not just a password. Identity becomes the new perimeter.

Least privilege

People and apps get access only to the specific things their job requires — nothing more. If an account is compromised, the blast radius is small.

Assume breach

Design as if an attacker is already inside. That mindset drives monitoring, segmentation, and quick containment rather than blind trust.

Check the device, too

It's not just who you are, but what you're using. Is the laptop known, patched, and free of obvious risk? An unhealthy device gets limited or no access.

Micro-segmentation

The network is divided into small zones so a foothold in one area can't spread freely to the rest — walls inside the castle, not just around it.

Continuous evaluation

Trust isn't granted once and forgotten. Context — location, behavior, device health — is re-checked, and access can be pulled if something looks wrong.

A common, concrete piece of this is Zero Trust Network Access (ZTNA), which often replaces the traditional VPN. Instead of dropping you "inside" the whole network, ZTNA connects you to one application at a time and re-verifies you each time.
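The principles above can be read as one decision made on every request. The sketch below is an added example, not code from Red Hound or any product: it compares a castle-and-moat check with a per-request zero trust check, and every name and sample value in it (Request, ENTITLEMENTS, the users and apps) is hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, replace

# Hypothetical names and constructed sample data throughout.
@dataclass(frozen=True)
class Request:
    user: str
    app: str
    mfa_passed: bool
    device_enrolled: bool
    device_patched: bool
    inside_network: bool

# Least privilege: each user may reach only the apps their job requires.
ENTITLEMENTS = {"alice": {"payroll", "email"}, "bob": {"email"}}

def perimeter_decide(req: Request) -> str:
    """Castle and moat: being inside the wall is the only check."""
    return "allow" if req.inside_network else "deny"

def zero_trust_decide(req: Request) -> str:
    """Verify every request; network location earns no trust."""
    if not req.mfa_passed:
        return "deny: identity not verified with MFA"
    if req.app not in ENTITLEMENTS.get(req.user, set()):
        return "deny: not entitled to this application"
    if not req.device_enrolled:
        return "deny: unknown device"
    if not req.device_patched:
        return "limited: device unhealthy"
    return "allow"

def evaluate_session(requests):
    """Continuous evaluation: decide again on each request in a session."""
    return [zero_trust_decide(r) for r in requests]

# Constructed scenario: bob's password is stolen and used from an unmanaged
# machine that already sits on the office network.
stolen = Request("bob", "payroll", mfa_passed=False, device_enrolled=False,
                 device_patched=False, inside_network=True)

# Constructed scenario: alice's laptop falls behind on patches mid-session.
healthy = Request("alice", "payroll", True, True, True, inside_network=False)
session = [healthy, replace(healthy, device_patched=False)]

if __name__ == "__main__":
    print("perimeter :", perimeter_decide(stolen))
    print("zero trust:", zero_trust_decide(stolen))
    print("session   :", evaluate_session(session))
```

The perimeter check allows the stolen login because it arrives from inside the network, while the zero trust check denies it; in the second scenario the same user drops from full to limited access as soon as the device stops being healthy.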

Why it matters for SMBs

Most breaches abuse trust you didn't mean to give.

When an attacker phishes one set of credentials, the damage usually comes not from that single account but from how far it can travel. Flat networks, shared admin rights, and over-broad access let a small compromise become a company-wide incident. Zero trust directly attacks that pattern: even a valid stolen login can only reach a little, and only after passing identity and device checks.

For a small business, the appeal is that you don't need enterprise budgets to get most of the benefit. The identity tools, MFA, and device policies bundled with Microsoft 365 or Google Workspace cover the essentials. The shift is more about discipline — turning off default trust — than about buying something new. To see how attackers move laterally through over-trusted networks (and how least privilege stops them), our Active Directory Attack-Path Playbook walks the whole chain.

How to adopt it

Practical first steps — no big project required.

1. Get identity right

Enforce MFA everywhere and use single sign-on so every app goes through one well-protected front door. This is the foundation of zero trust.

2. Apply least privilege

Review who can reach what. Remove standing admin rights, retire access for people who changed roles, and grant only what each job needs.

3. Know your devices

Require that laptops and phones be enrolled, encrypted, and up to date before they connect. Unknown or unhealthy devices get restricted.

4. Rethink remote access

Where a broad VPN gives blanket access, move toward per-application access (ZTNA) so a connection reaches one tool, not the whole network.

5. Watch and respond

Log access and sign-ins, and have a way to spot and react to anomalies — the "assume breach" half of the model. This is where detection and response come in.

6. Iterate

Zero trust is a journey, not a switch. Tighten one area, confirm it doesn't break workflows, then move to the next. Progress beats perfection.

Frequently asked questions

Zero trust, answered.

Is zero trust a product I can buy?

No. Zero trust is a security model and strategy, not a single product. Vendors sell tools that help you implement it — identity providers, MFA, device management, network access controls — but zero trust itself is the principle of verifying every request rather than trusting anything by default.

Is zero trust only for large enterprises?

No. The principles scale down well. A small business can adopt the core ideas — strong identity with MFA, least-privilege access, and managed devices — using tools it likely already pays for in Microsoft 365 or Google Workspace. You don't need a big budget to start, just a deliberate approach.

What is the difference between zero trust and a VPN?

A traditional VPN trusts you broadly once you're connected, putting you "inside" the network. Zero trust grants access to one specific application at a time, re-checking your identity and device each time. Zero Trust Network Access (ZTNA) is increasingly used to replace or wrap around VPNs for exactly this reason.

How does a small business start with zero trust?

Start with identity: enforce MFA everywhere and use single sign-on. Then apply least privilege so people can only reach what their role needs, and require that devices be known and healthy before they connect. These three steps deliver most of the benefit without a major project.
