
Zero Trust for small and mid-market: what to do first

A practical Zero Trust sequence for companies of 50 to 500 employees, honest about what is achievable without an enterprise identity team and what is not.

Atticus Rowan

Zero Trust is one of the most misused terms in cybersecurity. In vendor marketing it refers to whatever product the vendor is selling. In federal guidance it refers to a specific architectural philosophy. In a small or mid-market company it usually refers to a vague aspiration the CFO is hearing about from the audit committee without any clear starting point.

The core idea is actually simple. Do not assume that anything inside the network perimeter is trustworthy. Verify every access request against the identity of the user, the posture of the device and the sensitivity of the resource, every time. The hard part is translating that idea into a sequence of practical moves a 150-person company can actually execute.

What follows is a working sequence for companies of 50 to 500 employees that want to move toward a Zero Trust posture without either overspending or pretending they have done the work when they have not.

What Zero Trust is not, at the mid-market level

Worth clarifying up front. For a company below the enterprise threshold, Zero Trust is usually not:

  • A single product purchase from any one vendor.
  • Ripping out the existing network and rebuilding from scratch.
  • Eliminating VPNs entirely in year 1.
  • An achievable certification. (There is no Zero Trust certification body.)
  • A board-reportable binary state. It is a gradient.

What it actually is, at this scale: a deliberate sequence of architectural decisions that progressively reduce the implicit trust the environment extends to users, devices and networks.

Step 1, identity as the first perimeter

Zero Trust starts with identity. Before you can verify every access request, you need a single, authoritative source of identity for users and devices.

The practical moves:

  • Consolidate identity providers. Most mid-market companies have 2 to 5 identity silos (on-prem Active Directory, Microsoft Entra ID, Google Workspace, multiple SaaS-native directories). Pick a primary and federate the rest through it.
  • Enable single sign-on for every SaaS application that supports it. This is the unglamorous infrastructure work that makes the rest of Zero Trust possible.
  • Enforce phishing-resistant MFA on every account, with FIDO2 or passkeys on privileged accounts. SMS and push-based MFA are degrading faster than most firms admit.
  • Implement conditional access policies. Access decisions conditioned on device posture, location, risk score. Even basic policies (“block access to admin consoles from outside trusted countries”) meaningfully reduce attack surface.

For companies in the Microsoft ecosystem, most of this work is achievable with Microsoft 365 E3 or E5 plus proper configuration. Google Workspace with BeyondCorp Enterprise is the Google-ecosystem equivalent.

Step 2, device posture as a trust signal

A user logging in from a managed, patched, encrypted laptop is materially more trustworthy than the same user logging in from an unmanaged home PC. Zero Trust treats that difference as a decision input.

The practical moves:

  • Enroll every corporate endpoint in a device-management platform. Intune, Jamf, Kandji, Mosyle, depending on device mix.
  • Require compliant-device status as a condition for accessing sensitive resources. The access-control system should check in with the device-management system before granting access.
  • Deploy endpoint detection and response on 100% of managed endpoints. The EDR posture becomes part of the device trust signal.
  • Decide what to do about unmanaged devices. Block them entirely from sensitive resources. Allow read-only access to less-sensitive resources. Provide virtual desktops for contractors. There is no single right answer, but there needs to be an explicit decision.

The posture check is where many mid-market Zero Trust projects break down. The identity side is relatively easy; the device side requires operational discipline across a long tail of platforms and personal devices.
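As an added illustration (not code from this post or from Atticus Rowan), here is a minimal conditional-access evaluator that combines the Step 1 identity signals with the Step 2 device-posture signals in one decision. The field names, the trusted-country list and the three decision tiers are assumptions made for the example.

```python
from dataclasses import dataclass

# Assumed policy inputs for the example; a real tenant would source these
# from the identity provider and the device-management platform.
TRUSTED_COUNTRIES = {"US", "CA", "GB"}
PHISHING_RESISTANT = {"fido2", "passkey"}


@dataclass
class SignIn:
    user: str
    privileged: bool     # member of an admin role
    mfa_method: str      # "fido2", "passkey", "push", "sms" or "none"
    country: str
    managed: bool        # enrolled in the device-management platform
    compliant: bool      # platform reports patched and encrypted
    edr_healthy: bool    # EDR agent installed and reporting
    resource: str        # "admin-console", "sensitive" or "internal"


def evaluate(s: SignIn) -> tuple[str, str]:
    """Return (decision, reason); decisions are allow, read-only or block."""
    # Step 1: MFA on every account, phishing-resistant on privileged accounts.
    if s.mfa_method == "none":
        return "block", "mfa is required on every account"
    if s.privileged and s.mfa_method not in PHISHING_RESISTANT:
        return "block", "privileged accounts need fido2 or a passkey"

    # Step 2: device posture is a single trust signal built from three checks.
    device_trusted = s.managed and s.compliant and s.edr_healthy

    if s.resource == "admin-console":
        if s.country not in TRUSTED_COUNTRIES:
            return "block", "admin consoles are blocked outside trusted countries"
        if not device_trusted:
            return "block", "admin consoles require a compliant managed device"
        return "allow", "identity, mfa, location and device checks passed"

    if s.resource == "sensitive":
        if not device_trusted:
            return "block", "sensitive resources require a compliant managed device"
        return "allow", "compliant device with mfa"

    # Less-sensitive internal resources: unmanaged devices get read-only access.
    if not s.managed:
        return "read-only", "unmanaged device limited to read-only access"
    return "allow", "managed device with mfa"
```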

Step 3, network access, progressively

The classic VPN model grants broad network access after authentication. Zero Trust grants narrow, application-specific access after continuous verification.

The practical moves:

  • Inventory every internal application that is currently accessed over VPN. For each, decide whether it can be delivered via a modern identity-aware proxy instead.
  • Move the most-accessed, highest-risk applications to an identity-aware proxy first. Usually the admin consoles, the source code management system, the document management system. Tools like Cloudflare Access, Zscaler Private Access or Tailscale ACLs can deliver this.
  • Retire the VPN only when every critical application has been moved. In practice, most mid-market companies keep a narrow-scope VPN for operational tooling years longer than the marketing suggests, and that is fine.
  • Segment the remaining internal network. Even if full Zero Trust network access is a multi-year project, basic segmentation (separating user, server and any operational-technology zones) reduces blast radius meaningfully.

Full elimination of implicit network trust is a multi-year project for most mid-market companies. Useful progress can happen in quarters.

Step 4, data-layer decisions

Zero Trust architectures protect data directly, not just the networks and systems that house it.

The practical moves:

  • Classify data by sensitivity. Public, internal, confidential, regulated. Classify at the category level, not document by document. Use existing data sources (HR systems, finance systems, customer records) as anchors.
  • Apply access controls at the data layer. Microsoft Purview or Google Workspace data loss prevention, at mid-market scale. More advanced companies use dedicated tools.
  • Encrypt data at rest and in transit, everywhere. This is largely a done-by-default state in modern SaaS, but on-prem systems and legacy applications frequently miss it.
  • Decide what to do about SaaS data exfiltration risk. Cloud access security broker tools address this at the upper end of the mid-market. Smaller companies typically accept some residual risk and focus on access controls instead.

Data-layer work tends to be the slowest part of a Zero Trust program and the hardest to execute without a dedicated information-security function.

Step 5, the operating model

Zero Trust is not a finished state. It is a continuous assessment of trust decisions against evolving risk.

The practical moves:

  • Quarterly access reviews of privileged and high-risk accounts. Not the annual ritual. Quarterly, documented, with accountability.
  • Continuous monitoring of authentication anomalies. Most identity platforms produce useful signal here with minimal configuration.
  • Annual review of the Zero Trust roadmap against the threat landscape. Ask which decisions that were defensible 12 months ago have degraded in the interim.
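An added example, not code from this post, of what the Step 5 checks look like when run over sign-in records: it flags privileged accounts authenticating with non-phishing-resistant MFA, a user's first sign-in from a country not seen before, and privileged accounts with no sign-in inside the review window. The log format, the sample events and the 90-day window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp,user,privileged,mfa_method,country
SAMPLE_LOG = """\
2024-03-01T08:00:00,alice,yes,fido2,US
2024-03-02T09:10:00,alice,yes,fido2,US
2024-03-03T21:45:00,alice,yes,sms,RO
2024-03-01T10:00:00,bob,no,push,US
2024-03-04T10:00:00,bob,no,push,US
2023-11-15T07:30:00,svc-backup,yes,fido2,US
"""

STRONG_MFA = {"fido2", "passkey"}
REVIEW_WINDOW = timedelta(days=90)  # assumed quarterly cadence


def parse(log: str) -> list[dict]:
    """Parse the assumed CSV format and return events in time order."""
    events = []
    for line in log.splitlines():
        ts, user, priv, mfa, country = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "privileged": priv == "yes", "mfa": mfa, "country": country})
    return sorted(events, key=lambda e: e["ts"])


def review(log: str, now_iso: str) -> dict[str, list[str]]:
    """Return review findings keyed by category."""
    now = datetime.fromisoformat(now_iso)
    findings = defaultdict(list)
    seen_countries = defaultdict(set)
    last_privileged_sign_in = {}
    for e in parse(log):
        u = e["user"]
        # Privileged accounts should only be using phishing-resistant MFA.
        if e["privileged"] and e["mfa"] not in STRONG_MFA:
            findings["weak_mfa_privileged"].append(f"{u} via {e['mfa']} on {e['ts'].date()}")
        # A country never seen before for this user is an authentication anomaly.
        if seen_countries[u] and e["country"] not in seen_countries[u]:
            findings["new_country"].append(f"{u} from {e['country']} on {e['ts'].date()}")
        seen_countries[u].add(e["country"])
        if e["privileged"]:
            last_privileged_sign_in[u] = e["ts"]  # events are time-ordered
    # Privileged accounts idle for a whole window are candidates for removal.
    for u, ts in last_privileged_sign_in.items():
        if now - ts > REVIEW_WINDOW:
            findings["stale_privileged"].append(f"{u} last seen {ts.date()}")
    return dict(findings)
```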

A realistic maturity curve

A 150-person company starting from a typical baseline can expect:

  • 6 months in. Identity consolidated. MFA universal. Conditional access deployed. Initial device management coverage. First identity-aware-proxy application live.
  • 12 months in. 80%+ device management coverage. Multiple critical applications moved off VPN. First access review cycle complete. Basic network segmentation in place.
  • 18 to 24 months in. Most critical applications on identity-aware proxy. Data classification pilot complete. VPN scope dramatically reduced. Access review cadence is part of the operating rhythm.
  • Beyond year 2. Data-layer controls mature. Residual network-perimeter dependencies have been explicitly accepted or retired. Zero Trust is an operating discipline rather than a project.

What this looks like at Atticus Rowan

We build and operate Zero Trust architectures for mid-market clients as part of managed engagements. The work is typically sequenced across quarters, paced to the company’s operational reality, and anchored on identity first. A typical engagement starts with the Microsoft 365 or Google Workspace baseline, moves to device posture and conditional access, and then progressively addresses network and data layers as the operational discipline builds.

The practical point is that Zero Trust at the mid-market is an architectural direction, not a destination. Companies that make progress every quarter over 2 years end up in meaningfully better shape than companies that sign a large Zero Trust consulting engagement, spend 6 months in workshops and never actually deploy anything.

If your company is 50 to 500 employees and you are weighing how to start a Zero Trust program without overspending or overpromising, schedule a discovery call. We can walk through the current state and scope the first 2 to 3 quarters of practical moves.