Zero trust is everywhere in vendor marketing, but the implementation decisions that matter are far less glamorous than the pitch decks suggest.
The Core Principle Without the Marketing
Zero trust means: never trust, always verify. Every access request — regardless of whether it originates inside or outside your network — must be authenticated, authorised, and continuously validated. The network perimeter is no longer a meaningful security boundary when your users are remote, your applications are SaaS, and your data is in the cloud. Zero trust replaces perimeter trust with identity trust.
The Identity Foundation Is Non-Negotiable
Every zero trust implementation starts with identity infrastructure. If your Active Directory is a mess — service accounts with excessive privileges, stale user accounts, no privileged identity management — zero trust controls built on top of it will have the same holes. Before purchasing any zero trust product, audit your identity posture. Clean up stale accounts. Implement least-privilege access. Enforce MFA on every user, not just the VPN. This is not glamorous work, but it is the foundation everything else depends on.
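The identity audit described above can be scripted against a directory export. As an added illustration, not code from the original article, here is a small Python audit over a constructed set of account records. It flags the three problems the paragraph names: stale accounts, users without enforced MFA, and service accounts holding privileged group membership. The 90-day staleness threshold and the privileged group names are assumptions for the example; substitute your own policy values.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Groups whose membership counts as privileged (assumption for this example;
# extend with your own tier-0 groups).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
STALE_AFTER = timedelta(days=90)  # no logon in 90 days -> stale (policy assumption)


@dataclass
class Account:
    name: str
    kind: str                    # "user" or "service"
    enabled: bool
    last_logon: Optional[date]   # None = never logged on
    mfa_enforced: bool
    groups: Tuple[str, ...] = ()


def audit_accounts(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs for: stale accounts, users without
    enforced MFA, and service accounts that sit in a privileged group."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # already disabled; nothing to act on here
        if a.last_logon is None or today - a.last_logon > STALE_AFTER:
            findings.append((a.name, "stale"))
        # MFA is checked for interactive users; service accounts are covered
        # by the privilege check below rather than by an MFA requirement.
        if a.kind == "user" and not a.mfa_enforced:
            findings.append((a.name, "no-mfa"))
        if a.kind == "service" and PRIVILEGED_GROUPS & set(a.groups):
            findings.append((a.name, "privileged-service-account"))
    return findings


# Constructed sample directory export; these are not real accounts.
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "user", True, date(2024, 5, 29), True),
    Account("bob", "user", True, date(2023, 11, 1), False),
    Account("carol", "user", False, None, False),
    Account("dave", "user", True, None, True),
    Account("svc_backup", "service", True, date(2024, 5, 31), False, ("Domain Admins",)),
]

if __name__ == "__main__":
    for name, finding in audit_accounts(SAMPLE_ACCOUNTS, TODAY):
        print(f"{name:12} {finding}")
```

In a real environment the records would come from an LDAP query or a directory export rather than the inline list, and each finding maps to one of the clean-up actions in the paragraph: disable or remove the stale account, enforce MFA on the user, or move the service account out of the privileged group.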
Device Trust Is the Second Pillar
In a zero trust model, only known and compliant devices should access corporate resources. This requires a device management solution — Microsoft Intune, Jamf, or similar — with compliance policies that check device health before granting access. Conditional access policies in Azure AD or Okta can then block access from unknown devices, even when credentials are valid. For mid-market companies, this combination alone eliminates a significant portion of credential-based attack scenarios.
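To make the decision logic concrete, here is an added Python model of a conditional access evaluation; it is illustrative code written for this article, not the policy engine of Azure AD, Okta, Intune or Jamf. It assumes a device inventory keyed by device identifier, with a managed flag and a compliance result supplied by the device management solution, and it shows the point of the paragraph directly: a request with valid credentials is still blocked when the device is unknown, unmanaged or non-compliant. The phishing-resistant method list is an assumption for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Methods treated as phishing-resistant in this example (assumption).
PHISHING_RESISTANT = {"fido2", "windows_hello", "certificate"}


@dataclass
class AccessRequest:
    user: str
    password_valid: bool
    mfa_method: Optional[str]   # None = no second factor completed
    device_id: Optional[str]    # None = device presented no identity


@dataclass
class DeviceRecord:
    managed: bool     # enrolled in the device management solution
    compliant: bool   # latest compliance policy evaluation (e.g. encryption, patch level)


@dataclass
class Decision:
    allow: bool
    reason: str


def evaluate(request: AccessRequest,
             inventory: Dict[str, DeviceRecord],
             require_phishing_resistant: bool = True) -> Decision:
    """Evaluate identity, then MFA, then device state. Any failed check blocks."""
    # 1. Authentication: the credential itself must be valid.
    if not request.password_valid:
        return Decision(False, "invalid credentials")
    # 2. MFA on every user, optionally restricted to phishing-resistant methods.
    if request.mfa_method is None:
        return Decision(False, "mfa required")
    if require_phishing_resistant and request.mfa_method not in PHISHING_RESISTANT:
        return Decision(False, f"mfa method '{request.mfa_method}' is not phishing-resistant")
    # 3. Device trust: valid credentials alone are not enough.
    device = inventory.get(request.device_id) if request.device_id else None
    if device is None or not device.managed:
        return Decision(False, "unknown or unmanaged device")
    if not device.compliant:
        return Decision(False, "device not compliant")
    return Decision(True, "allowed")


# Constructed device inventory for the example.
INVENTORY = {
    "LAPTOP-01": DeviceRecord(managed=True, compliant=True),
    "LAPTOP-02": DeviceRecord(managed=True, compliant=False),
}

if __name__ == "__main__":
    # Valid password and FIDO2, but from a device the inventory has never seen.
    print(evaluate(AccessRequest("alice", True, "fido2", None), INVENTORY))
```

The ordering matters for diagnostics more than for security: every branch returns a distinct reason, so the sign-in log can show whether blocks are coming from missing MFA, weak MFA methods or device state, which is what you need when rolling the policy out in report-only mode before enforcing it.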
Where Mid-Market Companies Start
A pragmatic zero trust starting point for a 100-to-500-person company: enforce phishing-resistant MFA for all users, implement conditional access with device compliance requirements, segment your network so that lateral movement from a compromised endpoint cannot reach critical systems, and deploy privileged access workstations for admin accounts. These four controls, implemented well, provide more security value than any single zero trust platform product.
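Of the four controls, network segmentation and privileged access workstations are the two whose correctness you can check from the rule set itself. As an added example, not part of the original article, the Python below treats the allowed flows between network segments as a graph and checks two properties: that no chain of administrative-protocol flows leads from the workstation segment to a critical segment, and that only the PAW and jump-host segments initiate administrative protocols at all. Segment names, the rule sets and the list of administrative ports are constructed for the example; the check assumes a default-deny policy between segments, so anything not listed is blocked.

```python
from collections import deque
from typing import Iterable, List, Set, Tuple

Rule = Tuple[str, str, int]  # (source_segment, destination_segment, port)

# Ports used for interactive administration; these are the channels lateral
# movement rides on, as opposed to application traffic such as HTTPS.
# (Assumed list for the example; adjust to your environment.)
ADMIN_PORTS = {22, 3389, 445, 5985, 5986}


def admin_reachable(rules: Iterable[Rule], start: str) -> Set[str]:
    """Segments reachable from `start` by chaining allowed admin-port flows.
    Conservative assumption: a foothold anywhere in a reached segment can use
    that segment's outbound admin flows."""
    rules = list(rules)
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst, port in rules:
            if src == cur and port in ADMIN_PORTS and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    seen.discard(start)
    return seen


def segmentation_violations(rules: Iterable[Rule], endpoint_segment: str,
                            critical_segments: Iterable[str]) -> List[str]:
    """Critical segments an admin-protocol chain from the endpoints can reach."""
    return sorted(admin_reachable(rules, endpoint_segment) & set(critical_segments))


def admin_flows_outside(rules: Iterable[Rule], allowed_sources: Iterable[str]) -> List[Rule]:
    """Admin-port flows initiated from anywhere other than the PAW/jump-host segments."""
    allowed = set(allowed_sources)
    return [r for r in rules if r[2] in ADMIN_PORTS and r[0] not in allowed]


# Constructed rule sets. WEAK lets admins RDP from their desks to app servers and
# SSH onward to the databases; HARDENED routes all administration through PAWs
# and a jump-host segment and leaves workstations with application traffic only.
WEAK_RULES: List[Rule] = [
    ("workstations", "app_servers", 443),
    ("workstations", "app_servers", 3389),
    ("app_servers", "db_servers", 5432),
    ("app_servers", "db_servers", 22),
    ("jump_hosts", "db_servers", 22),
]
HARDENED_RULES: List[Rule] = [
    ("workstations", "app_servers", 443),
    ("app_servers", "db_servers", 5432),
    ("paw", "jump_hosts", 3389),
    ("jump_hosts", "app_servers", 3389),
    ("jump_hosts", "db_servers", 22),
]
CRITICAL = {"db_servers", "domain_controllers"}
ADMIN_SOURCES = {"paw", "jump_hosts"}

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, "reaches critical:", segmentation_violations(rules, "workstations", CRITICAL))
        print(label, "admin flows from non-PAW segments:", admin_flows_outside(rules, ADMIN_SOURCES))
```

Running it reports that the weak rule set lets a compromised workstation chain through the application tier to the database segment over administrative protocols, and that two of its admin flows originate outside the PAW and jump-host segments; the hardened rule set reports nothing on either check. Application traffic such as the HTTPS and database ports is deliberately not followed, since reaching a service through its application port is an application-security question rather than a segmentation one.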
- Zero trust replaces network perimeter trust with identity trust — it is a strategy, not a product
- Identity infrastructure quality determines the ceiling of your zero trust implementation
- Device compliance checks via Intune/Jamf plus conditional access eliminate a large class of credential attacks
- For mid-market: MFA everywhere, conditional access, network segmentation, and privileged access workstations are the practical starting point