
Zero Trust Security: A Plain-English Overview of the Model

Zero Trust security is a stance, not a product. The conceptual primer to the rest of my Zero Trust series: what it actually means, the three core principles, and how to implement it without buying a vendor's reference architecture.


The way most networks were designed assumes a perimeter: firewall on the outside, trusted users on the inside, done. That model worked when employees sat in one office and connected to a server room down the hall. It started to break when laptops left the building. It collapsed when half the workforce moved home and the other half started using cloud services that don’t live behind any perimeter at all.

Zero Trust is the model that replaced “trust the network”. The short version: stop assuming anything inside your network is safe. Verify every connection at the moment it happens, regardless of where the user is or what device they’re using.

This post is the conceptual primer to my Zero Trust series. The follow-ups cover the practical pieces: virtual machines for workspace isolation, Netbird for the network layer, and Mistborn as the integrated suite that pulls many pieces together at the SMB scale.

What Zero Trust actually is

Zero Trust is a strategic approach to cybersecurity that removes the concept of “trusted network” from the architecture. The principle that drives it: never trust, always verify. Every user, every device, every connection has to be authenticated, authorized, and continuously validated before getting access to anything, regardless of whether they’re “inside” or “outside” the network.

Practically, this means:

  • The user logging in from the office cafe gets the same treatment as the user logging in from home: authenticate, authorize, log, monitor.
  • The internal microservice talking to another internal microservice has to authenticate. “We’re on the same network” is not authentication.
  • A laptop that connects to the network gets evaluated for posture (patches up to date, encryption enabled, EDR running) before it gets access to anything sensitive.

The three core principles

Every concrete Zero Trust deployment maps back to three principles:

1. Verify explicitly

Every access request gets authenticated and authorized based on the data points available: user identity, device identity, device posture, location, time of day, sensitivity of the resource being requested. The decision uses all of those signals, not just username and password.

In practice: MFA on every login. Device-based access policies. Conditional access rules that consider risk score.

2. Least-privilege access

Users (and services, and devices) get the minimum set of permissions they need to do the job in front of them. Not the maximum the team’s threat model allows; the minimum the task requires.

In practice: just-in-time access elevation. Time-bounded admin sessions. Per-resource ACLs instead of “you’re in the developers group, you can see everything”.

3. Assume breach

Designs assume an attacker is already inside, somewhere. Every part of the system is built to limit blast radius rather than to keep the perimeter intact.

In practice: microsegmentation so a breach in one segment can’t traverse the whole network. Continuous logging and detection rather than one-shot perimeter alarms. Fast credential rotation. Defense in depth, not defense at the edge.
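As an added example (not the author's code), a small policy-decision function that ties the three principles together on constructed sample data: each request is checked against identity, device and posture signals (verify explicitly), permissions come from a per-resource ACL with a time-bounded grant (least privilege), and every decision, granted or denied, is written to an audit log (assume breach). The resource names, roles and TTLs are invented for illustration.

```python
from dataclasses import astuple, dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Posture:  # the device-posture signals the post names
    disk_encrypted: bool
    patched: bool
    edr_running: bool

@dataclass(frozen=True)
class Request:
    user: str
    mfa_passed: bool
    managed_device: bool
    posture: Posture
    resource: str
    action: str
    at: datetime

# Constructed sample policy, not from any real deployment: per-resource ACL by role plus a sensitivity tier.
RESOURCES = {
    "crm-db": {"sensitivity": "high", "acl": {"dba": {"read", "write"}, "analyst": {"read"}}},
    "wiki":   {"sensitivity": "low",  "acl": {"*": {"read"}}},
}
ROLES = {"alice": ["analyst"], "bob": ["dba"], "intern": []}
GRANT_TTL = {"low": timedelta(hours=8), "high": timedelta(minutes=30)}
DEFAULT_POLICY = {"sensitivity": "high", "acl": {}}  # unknown resource fails closed

def evaluate(req, audit_log):
    reasons = []
    policy = RESOURCES.get(req.resource, DEFAULT_POLICY)
    # 1. Verify explicitly: identity, device and posture on every request; network location is not a signal.
    if not req.mfa_passed:
        reasons.append("mfa not satisfied")
    if not req.managed_device:
        reasons.append("unmanaged device")
    if policy["sensitivity"] == "high" and not all(astuple(req.posture)):
        reasons.append("device posture below bar for high-sensitivity resource")
    # 2. Least privilege: the per-resource, per-action ACL decides, not group membership.
    permitted = set()
    for role in ROLES.get(req.user, []) + ["*"]:
        permitted |= policy["acl"].get(role, set())
    if req.action not in permitted:
        reasons.append(f"{req.action} on {req.resource} not granted to {req.user}")
    allowed = not reasons
    # Grants are time-bounded: the caller must re-evaluate after expiry, never cache forever.
    expires = req.at + GRANT_TTL[policy["sensitivity"]] if allowed else None
    # 3. Assume breach: every grant and denial is recorded for detection and audit.
    audit_log.append({"ts": req.at.isoformat(), "user": req.user, "resource": req.resource,
                      "action": req.action, "allowed": allowed, "reasons": list(reasons)})
    return allowed, reasons, expires
```

The audit entries are the feed a SIEM in the monitoring layer would consume; the denial reasons are what make a "why was this blocked" investigation possible.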

Implementing Zero Trust in practice

The realistic implementation order:

  • Identity first. Single sign-on with MFA is the cheapest, biggest-impact step. Most agencies can land this in a quarter, and it covers more attack surface than any other single change.
  • Device posture next. Endpoint management that confirms the laptop’s encryption is on, patches are current, EDR is running, before granting access. The Cloud Infrastructure Audit & Hardening engagement typically includes this layer.
  • Network microsegmentation. Replace flat networks with per-service segments. The marketing intern doesn’t need a network path to the database server, even if the firewall would technically permit it. A mesh VPN like Netbird is the cheapest way to enforce this for distributed teams.
  • Continuous monitoring. A SIEM (Wazuh, Splunk, Sentinel) collecting events from every layer, with detection rules tuned to your environment. Logs you don’t review aren’t logs.

Each layer takes weeks to months for a real organization. The mistake is trying to do all of it at once and ending up with half-finished projects across the board. Pick one, ship it, move to the next.

What you actually get

When implemented well, Zero Trust gives you:

  • A smaller attack surface. Every connection is authenticated, every access is logged. There’s no “soft inside” for an attacker to traverse once they get in.
  • Easier compliance. Detailed access control and audit trails fit cleanly into the requirements of most modern compliance regimes (SOC 2, HIPAA, ISO 27001).
  • Better visibility. Continuous monitoring means you actually know what’s happening in your environment, instead of guessing from quarterly audits.
  • Adaptability. The model works for cloud, on-prem, and hybrid environments equally well, because it doesn’t depend on the network topology being a specific shape.

When Zero Trust is overkill

For a freelancer running a single laptop with a password manager, this is overkill. For a five-person agency handling client credentials and financial data, it’s where you should be heading. Where exactly to draw the line:

  • Under three people: the basics are fine. MFA, encrypted laptops, password manager, virtual machines for workspace isolation.
  • Three to ten people: identity provider with SSO + MFA, mesh VPN like Netbird, monitored backups.
  • Ten or more people, or any regulated data: full Zero Trust with microsegmentation, SIEM, and a real audit trail. Mistborn is one packaged option for the SMB end of this spectrum.

Closing the loop

Zero Trust is a stance, not a product. The principles are simple; the implementation is years of incremental work. The rest of this series covers the practical layers: virtual machines for workspace isolation, Netbird for the network mesh, and Mistborn for the integrated SMB-scale suite.

If you’re trying to reach a real Zero Trust posture and don’t know where to start, the Cloud Infrastructure Audit & Hardening engagement is the natural starting point. For more on the security side, the cybersecurity & hardening category has the rest.
