“Zero Trust Security” – it’s everywhere in software vendors’ pitches and security blogs. But for IT professionals managing mid-sized companies, separating marketing buzzwords from practical solutions has become increasingly challenging. Industry analysts warn that many companies are spending too much on zero trust security tools without really knowing what they’re buying into.
According to IBM’s 2024 research, the average cost of a data breach has skyrocketed to $4.88 million – and mid-sized companies are increasingly becoming prime targets. With employees working from anywhere and everywhere, traditional security approaches are struggling to keep up.
If you’re an IT professional at a growing organization trying to protect your business information while keeping operations smooth for both remote and in-office teams, understanding zero trust security is important. In this piece, we cut through the marketing noise and break down the concept and top pillars of zero trust security into practical, actionable steps you can actually use.
Zero Trust is not a technology; it’s a security philosophy that rewires how we think about access.
Neil MacDonald
EVP & Senior Distinguished Analyst at Gartner
What is zero trust security?
Traditional security models operate like a medieval castle: strong walls (firewall), a moat (network perimeter), and a drawbridge (VPN) protecting everything inside. Once someone crossed that drawbridge with the right credentials, they were trusted to roam freely within the castle walls. This “castle-and-moat” approach is how most organizations have handled security for years.
But here’s the problem: Just like medieval castles eventually proved vulnerable to clever attackers, this traditional security model has a critical flaw. It assumes anyone inside your network is trustworthy (implicit trust), which can be catastrophic when a breach occurs.
Zero Trust flips this model on its head. Despite its name, it’s not about trusting no one – it’s about verifying everyone, every time, everywhere. Whether someone’s working from the office, home, or a coffee shop, their access depends on who they are and what they need to do, not where they’re located.

According to Gartner’s 2023 research, over half of organizations believe they’re implementing zero trust just by using security monitoring tools and endpoint protection. That’s like thinking you’ve secured your castle just by adding more guards at the gate while leaving internal corridors unprotected.
Let’s break down what Zero Trust really means:
1. Continuous verification: Instead of checking credentials once, every access request is evaluated based on multiple factors:
- Identity (Who are you?)
- Device security (What are you using?)
- Location (Where are you?)
- Time (When is this happening?)
- Data sensitivity (What are you trying to access?)
2. Least privilege access: Imagine your office building. Just because someone needs access to the conference room doesn’t mean they should have access to the server room. Zero Trust works the same way – users get access only to what they specifically need, when they need it.
3. Assume breach: Here’s the mindset shift. Zero trust operates under the assumption that your network has already been compromised. This prevents lateral movement (jumping from one system to another) by continuously monitoring for suspicious behaviour.
Zero trust architecture is like having a security guard who’s trained to politely but firmly ask for ID – even if they just checked it five minutes ago. It’s not about trust or distrust; it’s about eliminating blind trust from digital systems.
John Kindervag
Creator of Zero Trust Security Model
What Zero Trust is NOT
- Not a product you can buy off the shelf
- Not just a set of security tools
- Not a one-time implementation
- Not about making systems completely inaccessible
Instead, zero trust is a security approach that requires rethinking how you manage access across your entire organization. Many vendors will try to sell “Zero Trust solutions,” but remember – true Zero Trust is about strategy first, technology second.
Zero trust security in action: Real world examples
Let’s start with three common scenarios that most mid-sized companies face, and show how Zero Trust principles transform each one:
| Scenario | Before zero trust | After zero trust |
|---|---|---|
| Remote employee access | – Employee connects through VPN – Gets access to the entire network – Same level of access from any device | – Employee logs in from home – System checks: is this their registered laptop? Is it up to date with security patches? Is the location expected? Is this their normal working hours? – Access granted only to the specific applications needed for their role – Continuous monitoring throughout the session |
| Third-party vendor management | – Vendor gets VPN access – Can access the network during the contract period – Same credentials used by multiple vendor employees | – Each vendor employee gets individual credentials – Access limited to only the specific systems they need – Time-limited access that expires automatically – All actions logged and monitored – Access reviewed and renewed periodically |
| Project collaboration | – Project team gets access to a shared drive – All team members see all project files – Access remains until manually revoked | – Team members get access only to relevant documents – Access levels change as project roles change – System monitors for unusual download patterns – Authentication required for sensitive operations – Access automatically expires at project end |
Did You Know? In 2023, organizations took an average of 204 days to identify a breach and an additional 73 days to contain it (IBM Security Report). This is why assuming breach is crucial – attackers often lurk in systems for months before being detected.
Top pillars of zero trust security
A successful zero-trust implementation requires considering what analysts call the pillars of zero trust security. But like many things in cybersecurity, a Zero Trust security framework can get complicated fast.
Government agencies like the Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. federal government, recommend five pillars, while some vendors push for seven or more. CISA’s five pillars are: Identity (who you are), Device (what you’re using), Network/environment (where you’re connecting from), Applications and Workloads (what you’re trying to use), and Data (what you’re trying to access).
While thorough, this creates five separate things to manage, monitor, and maintain. For many growing companies, this can be too resource-intensive, unnecessarily complex, expensive to implement fully, and challenging to maintain.
A more practical approach combines these elements in a way that makes more sense for regular businesses. Let’s break it down into four essential pillars, as recommended by Gartner research, that make sense for your business:
1. Identity: Know who and what
This pillar puts verification into practice. Think of it as facial recognition for your phone, applied to everything in your network: it verifies both users and their devices, and it checks credentials continuously, not just at login, to assess:
- Who’s trying to get in (the user)
- What they’re using (their device)
- Whether everything checks out (security status)
Real-world example: When your employee Sarah logs in from her laptop at a coffee shop, the system checks:
- Is this really Sarah? (password + multi-factor authentication or MFA)
- Is she using her company laptop? (device verification)
- Is her laptop’s security up to date? (security check)
2. Applications control: What they’re doing
This pillar watches how people use your company’s tools and data:
- Which apps they’re accessing
- What they’re doing in those apps
- Whether their behaviour looks normal
Real-world example: If Sarah suddenly tries to download 1,000 customer records at 3 AM, the system flags this as unusual behaviour and blocks the action.
3. Security rules enforcement: How things work
This is where you set and enforce your security rules:
- Setting up access permissions
- Encrypting sensitive data
- Implementing security policies
Real-world example: Sarah can access customer data during work hours but needs special approval for after-hours access. All customer data she views is automatically encrypted.
4. Active monitoring: Keeping watch
Think of this as your security system’s brain:
- Constantly watching for suspicious activity
- Automatically responding to threats
- Learning from patterns over time
Real-world example: The system notices Sarah trying to access financial records (which she normally doesn’t need) and automatically requires additional verification.
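The four pillars above, the continuous-verification factors (identity, device, location, time, data sensitivity) and the “Sarah” examples can be expressed as a single policy decision function. The block below is an added example written for this article, not code from the article’s author or any vendor product; the user roles, registered devices, working hours and the 100-record export limit are constructed sample data, and a real deployment would take them from your identity provider, device management tool and application logs.

```python
"""Toy policy decision point for the four zero-trust pillars (added example)."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# --- Constructed inventory (assumed sample data, not from the article) ---
USER_ROLES = {"sarah": "sales"}
ROLE_APPS = {"sales": {"crm", "email"}}            # least privilege: apps allowed per role
REGISTERED_DEVICES = {"sarah": {"LAPTOP-SARAH-01"}}  # company devices enrolled per user
SENSITIVE_APPS = {"crm", "finance"}                 # hold customer or financial data
WORK_HOURS = range(8, 19)                           # 08:00-18:59 counts as working hours
EXPORT_LIMIT = 100                                  # records per export before it is blocked


@dataclass
class AccessRequest:
    user: str
    device_id: str
    device_patched: bool          # reported by device management
    mfa_passed: bool              # reported by the identity provider
    app: str
    action: str                   # "read" or "export"
    record_count: int
    when: datetime
    approval_ticket: Optional[str] = None   # after-hours approval reference, if any


@dataclass
class Decision:
    allow: bool
    step_up: bool = False         # ask for additional verification before allowing
    reasons: List[str] = field(default_factory=list)


def evaluate(req: AccessRequest) -> Decision:
    """Evaluate one request against all four pillars; every request is checked."""
    reasons = []

    # Pillar 1, identity: who is asking, which device, and does the device check out.
    if not req.mfa_passed:
        reasons.append("identity: MFA not satisfied")
    if req.device_id not in REGISTERED_DEVICES.get(req.user, set()):
        reasons.append("identity: unregistered device")
    if not req.device_patched:
        reasons.append("identity: device missing security updates")
    if reasons:
        return Decision(allow=False, reasons=reasons)

    # Pillar 3, rules enforcement: least privilege by role, plus after-hours approval.
    role = USER_ROLES.get(req.user)
    allowed_apps = ROLE_APPS.get(role, set())
    in_hours = req.when.hour in WORK_HOURS
    if req.app not in allowed_apps:
        # Pillar 4, active monitoring: an out-of-role request (Sarah reaching for
        # financial records) is not silently denied; it requires extra verification.
        return Decision(allow=False, step_up=True,
                        reasons=["monitoring: app outside normal role, additional verification required"])
    if req.app in SENSITIVE_APPS and not in_hours and not req.approval_ticket:
        return Decision(allow=False,
                        reasons=["policy: after-hours access to sensitive data needs approval"])

    # Pillar 2, application control: does the behaviour inside the app look normal?
    if req.action == "export" and req.record_count > EXPORT_LIMIT:
        return Decision(allow=False,
                        reasons=[f"application: bulk export of {req.record_count} records blocked"])

    return Decision(allow=True, reasons=["all checks passed"])


def sarah_request(app="crm", action="read", record_count=1, hour=10,
                  device_id="LAPTOP-SARAH-01", patched=True, mfa=True, ticket=None):
    """Build a request for the worked 'Sarah' scenarios (constructed sample input)."""
    return AccessRequest("sarah", device_id, patched, mfa, app, action, record_count,
                         datetime(2025, 1, 15, hour, 0), ticket)


if __name__ == "__main__":
    for label, req in [
        ("coffee shop, registered laptop", sarah_request()),
        ("1,000-record export", sarah_request(action="export", record_count=1000)),
        ("3 AM customer data, no approval", sarah_request(hour=3)),
        ("financial records", sarah_request(app="finance")),
    ]:
        print(f"{label}: {evaluate(req)}")
```

The order of checks matters: identity failures are reported together so the help desk sees every problem at once, while the policy and application checks return on the first violation. In a real environment `evaluate` would sit in front of the application (for example in an identity-aware proxy) and the inputs would be signals from your MFA provider and device management tool rather than hard-coded tables.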
How to get started without getting overwhelmed
Here’s a simple step-by-step guide to implement the four pillars of zero trust security discussed above.
First, take stock of what you have
Before diving in, assess your current situation. To do that:
Map out what you’re protecting (data, applications, assets). Start with a simple spreadsheet. List:
- Critical business applications (like CRM, ERP, email)
- The type of data each contains (key company assets such as intellectual property, customer data, financial records)
- Who currently has access
- Where it’s hosted (cloud/local servers)
Then, review your current security tools. Many companies already have useful security features in Microsoft 365 or Google Workspace that they aren’t using. So:
- List all security tools you’re already paying for
- Note which features you’re actually using
- Check if your existing tools have unused security features
- Document current security settings and policies
Then, spot your biggest security gaps and risks. For example, look for patterns in help desk tickets – they often reveal security gaps.
- Review last year’s security incidents
- Check where employees frequently request access
- List manual security processes that could be automated
- Identify outdated access permissions
Finally, understand your IT team’s capabilities. Create a simple skills matrix showing who can handle what.
- List your IT team’s current skills
- Identify who can manage which security tools
- Note any training needs
- Document current security responsibilities
Current situation assessment in action
A mid-sized marketing agency found they had five critical applications, three different file sharing solutions, unused security features in Microsoft 365, and several former employees with active accounts.
This assessment helped them prioritize:
- Consolidating file sharing
- Enabling existing security features
- Cleaning up user access
- Training staff on security tools they already had
Second, create a three-month plan
After taking stock of your current situation, it’s time to begin your zero trust journey. Remember, this isn’t a race – it’s about making sustainable changes that improve your security posture. Essentially, start small and think big. Here’s how to structure your first three months:
Month 1: Building your identity foundation
Start with the simplest but most important part of zero trust – identity management. Begin with implementing multi-factor authentication (like getting a code on your phone after entering your password) for your most critical applications, say your main collaboration tool or customer database. While you might face some initial resistance from employees, remember that even basic MFA can prevent 99% of automated attacks.
As employees adapt to this change, use this time to review and clean up existing user access rights. You’ll likely find accounts for people who left years ago or people who have access to things they don’t need anymore. This is also a good time to make a clear list of who should have access to what.
Month 2: Watching your application controls
Now that you know who’s who, focus on your business applications. Make a simple list of your important apps and who uses them. You might be surprised – many companies find they’re paying for apps nobody uses, or worse, have sensitive data in apps they’d forgotten about.
Start keeping track of how these apps are being used. Focus first on cloud applications – they typically have built-in logging features that are easier to activate. For legacy applications, document their current state and plan for future updates or replacements.
If you’re a retail company, for example, you may discover during this phase that your inventory management system has a single login shared among 30 employees – a significant security risk you can now address.
Month 3: Setting up smart alerts
Your third month focuses on putting your security insights to work. Set up basic alert systems for unusual activities, but be selective – alert fatigue is real. Start with monitoring critical patterns like:
- After-hours access attempts (someone trying to log in at 3 AM)
- Multiple failed login attempts
- Downloading unusually large amounts of data
Pro tip: A common pitfall is trying to watch everything and getting too many alerts; eventually you start to ignore them all. It’s better to watch just three important things and actually catch a potential data breach in its first week.
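The three starting alerts above can be implemented with a few lines of log processing, and the pro tip about alert fatigue translates into simple deduplication and thresholds. The block below is an added example, not code from the article or from any SIEM product; the log format, the user names, the IP addresses (from the reserved documentation ranges) and the thresholds (5 failures in 10 minutes, 500 MB) are constructed for illustration.

```python
"""Three selective zero-trust alerts over a constructed sign-in/download log (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Constructed sample log, one event per line: <timestamp> <user> <event> <key=value ...>
SAMPLE_LOG = """\
2025-01-15T02:58:10 sarah LOGIN_FAILURE ip=203.0.113.7
2025-01-15T02:58:40 sarah LOGIN_FAILURE ip=203.0.113.7
2025-01-15T02:59:05 sarah LOGIN_FAILURE ip=203.0.113.7
2025-01-15T02:59:30 sarah LOGIN_FAILURE ip=203.0.113.7
2025-01-15T03:00:02 sarah LOGIN_FAILURE ip=203.0.113.7
2025-01-15T03:01:15 sarah LOGIN_SUCCESS ip=203.0.113.7
2025-01-15T03:05:00 sarah DOWNLOAD bytes=734003200 app=crm
2025-01-15T09:12:44 tom LOGIN_SUCCESS ip=198.51.100.4
2025-01-15T09:15:00 tom DOWNLOAD bytes=2048000 app=crm
2025-01-15T09:20:00 tom LOGIN_FAILURE ip=198.51.100.4
"""

# Assumed thresholds; tune these to your own baseline.
WORK_HOURS = range(8, 19)                  # 08:00-18:59
FAILURE_THRESHOLD = 5                      # failed logins ...
FAILURE_WINDOW = timedelta(minutes=10)     # ... within this window
LARGE_DOWNLOAD_BYTES = 500 * 1024 * 1024   # 500 MB


@dataclass
class Alert:
    rule: str
    user: str
    when: datetime
    detail: str


def parse_line(line: str):
    """Split one log line into (timestamp, user, event, key/value fields)."""
    parts = line.split(" ", 3)
    ts, user, event = parts[:3]
    rest = parts[3] if len(parts) > 3 else ""
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return datetime.fromisoformat(ts), user, event, fields


def run_alerts(log_text: str) -> List[Alert]:
    """Apply the three starting rules; return alerts in the order they fire."""
    alerts: List[Alert] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)   # sliding window per user
    after_hours_seen = set()                                    # one alert per user per day

    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, user, event, fields = parse_line(line)

        # Rule 1: after-hours login attempts (success or failure), deduplicated per user/day.
        if event.startswith("LOGIN") and when.hour not in WORK_HOURS:
            key = (user, when.date())
            if key not in after_hours_seen:
                after_hours_seen.add(key)
                alerts.append(Alert("after_hours_login", user, when,
                                    f"{event} from ip={fields.get('ip', '?')}"))

        # Rule 2: repeated failed logins within a short window.
        if event == "LOGIN_FAILURE":
            window = failures[user]
            window.append(when)
            while window and when - window[0] > FAILURE_WINDOW:
                window.popleft()
            if len(window) >= FAILURE_THRESHOLD:
                alerts.append(Alert("repeated_login_failures", user, when,
                                    f"{len(window)} failures within {FAILURE_WINDOW}"))
                window.clear()   # reset so one burst yields one alert, not one per extra failure

        # Rule 3: unusually large downloads.
        if event == "DOWNLOAD":
            size = int(fields.get("bytes", 0))
            if size > LARGE_DOWNLOAD_BYTES:
                alerts.append(Alert("large_download", user, when,
                                    f"{size} bytes from app={fields.get('app', '?')}"))
    return alerts


if __name__ == "__main__":
    for alert in run_alerts(SAMPLE_LOG):
        print(f"[{alert.rule}] {alert.user} at {alert.when}: {alert.detail}")
```

On the sample log the three rules produce exactly three alerts, all for the same account, which is the kind of correlated signal worth a human’s attention; Tom’s single failed login and small download during working hours produce nothing. The deduplication in rules 1 and 2 is what keeps a noisy night from turning into dozens of tickets.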
Measure progress along the way
Throughout these three months, track these key metrics:
- Number of blocked unauthorized access attempts
- Time taken to respond to security incidents
- Complaints about security getting in the way of work
- Number of help desk tickets related to access issues
Remember: Zero trust is a journey, not a destination. Each month builds on the previous one, creating a stronger security foundation for your organization.
Tools you need for Zero Trust
Let’s cut through the vendor noise and focus on essential tools you actually need to implement zero trust security. Think of these as your security toolkit – you don’t need every tool in the hardware store, just the right ones for your job.
1. Identity and access management (IAM)
What it does: Manages who can access what
Basic needs: Multi-factor authentication (MFA) tool, Single sign-on (SSO) service
Popular options: Microsoft Azure AD, Okta, Google Workspace
2. Device Management
What it does: Ensures only secure devices connect
Basic needs: Mobile device management (MDM) solution, Endpoint protection platform
Budget tip: Many cloud platforms include basic device management
3. Network Security
What it does: Controls and monitors network access
Basic needs: Cloud-based firewall, VPN or Zero Trust Network Access (ZTNA) solution
Start with: Your existing firewall’s zero trust features
4. Monitoring and Analytics
What it does: Watches for suspicious activity
Basic needs: Security information and event management (SIEM) tool, Log management system
Quick win: Enable built-in monitoring in your cloud platforms
Important note: Zero trust isn’t about buying new tools – it’s about using tools smartly. Most mid-sized companies can implement basic zero trust using 70% of the tools they already own. Focus on configuration before buying new solutions.
Key Takeaways
- Zero Trust isn’t about buying new tools – it’s about changing how you think about security.
- Build zero trust security gradually in three phases: identity verification, application control, and smart monitoring. You don’t need to do everything at once.
- Start with identity management – it’s the foundation of Zero Trust and often the quickest win. Even basic multi-factor authentication can prevent 99% of automated attacks.
- Take stock before spending money. Many companies discover unused security features in tools they already own.
Final words
While government agencies and large enterprises might need elaborate frameworks, mid-sized companies can achieve solid security by focusing on the basics: knowing who’s accessing what, monitoring how they’re using it, and staying alert for unusual behaviour.
Remember, security is not about building walls; it’s about making smart decisions about who gets the keys and when.