Zero Trust is not a product you can buy. It is not a single tool and not a firewall rule. Zero Trust is an architectural philosophy — and one that can be implemented without a multimillion budget. NIST defined the reference framework with SP 800-207: no user, no device and no network segment is automatically treated as trustworthy. Every access is explicitly verified. Every time.
Why the perimeter model no longer works
The classic security model is based on a simple assumption: inside the network it is safe, outside it is not. The firewall is the castle wall; behind it, everything is trusted. This model had its justification when all employees sat in the same building and all data resided on local servers.
This reality no longer exists. Employees work remotely, applications run in the cloud, partners access internal systems via VPN. The network boundary has become porous — if it even still exists. And once an attacker is inside the perimeter — via phishing, stolen credentials or a compromised VPN — they move laterally through the network as if they belong there.
The three core principles
NIST SP 800-207 defines Zero Trust through seven tenets. For practical implementation, these can be condensed into three core principles:
1. Verify explicitly — verify every request
Every access is authenticated and authorised based on all available data points: user identity, device state, location, time of day, access patterns. Not once, but with every request. An authenticated user on a compromised device should not be granted access to sensitive data.
2. Least privilege — minimal permissions
Users and systems receive only the rights necessary for the current task. No more. Time-limited where possible. The accountant does not need admin access to the file server. The developer does not need write access to the production database. It sounds obvious, yet it is rarely enforced consistently in practice.
3. Assume breach — plan for the worst case
Planning assumes that an attacker is already inside the network. This assumption fundamentally changes the design: microsegmentation, end-to-end encryption, continuous monitoring. The focus shifts from prevention alone to detection and containment. The goal: limit the damage even in the event of a successful breach.
Five steps to implementation for SMEs
Zero Trust is often portrayed as an enterprise-only concept — too complex, too expensive for SMEs. This is wrong. Implementation does not have to happen all at once. CISA describes four maturity levels in the Zero Trust Maturity Model v2.0, from “Traditional” to “Optimal”. Every organisation can start where it stands and progress step by step.
Step 1: Deploy MFA everywhere
Multi-factor authentication is the single most effective measure with the best cost-benefit ratio. For all users, on all systems — email, VPN, cloud services, admin accounts. No exceptions for senior management. Hardware tokens or authenticator apps are sufficient; SMS-based MFA is better than nothing, but vulnerable to SIM swapping.
Step 2: Segment the network
Dividing the network into VLANs with dedicated firewall rules between segments limits an attacker’s lateral movement. At a minimum: separate office IT, production systems, server infrastructure and the backup network. Every managed switch supports VLANs — the hardware is already present in most SMEs.
Step 3: Reduce permissions to the minimum
Role-based access control (RBAC) instead of individual permissions. Regular access reviews: who has access to what, and is it still justified? Local admin rights on workstations are unnecessary in most cases and a common attack vector. Service accounts with minimal rights and their own passwords, not running under the domain admin account.
Step 4: Establish monitoring and logging
Those who cannot see what is happening in the network can neither detect attacks nor demonstrate compliance. Centralised log collection, monitoring of failed login attempts, alerting on unusual access patterns. A SIEM does not have to be expensive — open-source solutions such as Wazuh or the ELK Stack offer solid functionality for SME environments.
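Step 4 names the detections an SME should start with: failed login attempts and unusual access patterns. The following is an added example, not code from this article or from Wazuh or the ELK Stack, that runs three such rules over a constructed authentication log. The log format (`ts host= user= src= result=`), the thresholds, the business-hours window and the sample lines are all assumptions made for the example.

```python
"""Detection over a constructed authentication log: a burst of failed logins
for one user, one source failing against many users (password spraying), and
a success from a never-seen source or outside business hours.  The log format,
thresholds and sample lines are assumptions for this example, not the output
of Wazuh, ELK or any other product."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Starting thresholds; tune them to the environment (assumed values).
FAIL_THRESHOLD = 5                 # failures for one user inside FAIL_WINDOW
SPRAY_THRESHOLD = 4                # distinct users failed from one source inside FAIL_WINDOW
FAIL_WINDOW = timedelta(minutes=5)
BUSINESS_HOURS = range(7, 19)      # 07:00-18:59 UTC counts as normal (assumption)

# Constructed sample log, not captured from any real system.
SAMPLE_LOG = """\
2024-03-12T08:15:02Z host=vpn01 user=anna src=198.51.100.7 result=OK
2024-03-12T08:16:10Z host=vpn01 user=bob src=203.0.113.10 result=FAIL
2024-03-12T08:16:12Z host=vpn01 user=bob src=203.0.113.10 result=FAIL
2024-03-12T08:16:15Z host=vpn01 user=bob src=203.0.113.10 result=FAIL
2024-03-12T08:16:19Z host=vpn01 user=bob src=203.0.113.10 result=FAIL
2024-03-12T08:16:22Z host=vpn01 user=bob src=203.0.113.10 result=FAIL
2024-03-12T08:20:00Z host=mail01 user=carla src=203.0.113.44 result=FAIL
2024-03-12T08:20:03Z host=mail01 user=dave src=203.0.113.44 result=FAIL
2024-03-12T08:20:06Z host=mail01 user=erik src=203.0.113.44 result=FAIL
2024-03-12T08:20:09Z host=mail01 user=fran src=203.0.113.44 result=FAIL
2024-03-12T23:41:30Z host=vpn01 user=anna src=192.0.2.99 result=OK
this line is malformed and is skipped
"""


def parse_line(line):
    """Parse one line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def detect(lines):
    """Return alerts as (rule, subject, timestamp) tuples, one per rule and subject."""
    alerts, fired = [], set()
    user_fails = defaultdict(deque)   # user -> failure timestamps inside the window
    src_fails = defaultdict(dict)     # src  -> {user: time of last failure}
    known_src = defaultdict(set)      # user -> sources that have succeeded before

    def alert(rule, subject, ts):
        if (rule, subject) not in fired:       # report each rule once per subject
            fired.add((rule, subject))
            alerts.append((rule, subject, ts))

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, user, src = rec["ts"], rec["user"], rec["src"]
        if rec["result"] == "FAIL":
            window = user_fails[user]
            window.append(ts)
            while ts - window[0] > FAIL_WINDOW:   # drop failures older than the window
                window.popleft()
            if len(window) >= FAIL_THRESHOLD:
                alert("failed-login-burst", user, ts)
            src_fails[src][user] = ts
            recent_users = [u for u, t in src_fails[src].items() if ts - t <= FAIL_WINDOW]
            if len(recent_users) >= SPRAY_THRESHOLD:
                alert("password-spray", src, ts)
        else:
            # First success establishes the baseline; later successes from a
            # source not in it, or outside business hours, are flagged.
            if known_src[user] and src not in known_src[user]:
                alert("new-source-success", user, ts)
            if ts.hour not in BUSINESS_HOURS:
                alert("out-of-hours-success", user, ts)
            known_src[user].add(src)
    return alerts


if __name__ == "__main__":
    for rule, subject, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {rule}: {subject}")
```

On the sample log the rules fire for the burst against `bob`, the spray from `203.0.113.44`, and `anna`'s late-evening success from a source she never used before; the malformed line is skipped rather than crashing the pipeline. The same logic expressed as a Wazuh rule or an Elasticsearch query is the usual next step once the thresholds have been tuned against real traffic.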
Step 5: Verify device health
A trusted user on a compromised device does not add up to trusted access. Device health checks are evaluated before access is granted: is the operating system up to date? Is endpoint protection running? Is disk encryption active? Microsoft Entra (formerly Azure AD) Conditional Access can implement these checks for Microsoft 365 environments — at no additional cost with most business licences.
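Principles 1 and 2 (verify explicitly, least privilege), Step 3 (RBAC) and Step 5 (device health) all describe the same per-request decision. The block below is an added example of such a policy decision point, not code from this article and not the API of Microsoft Entra Conditional Access or any other product. The roles, resources, sensitivity labels, device attributes and the scenarios in `sample_decisions()` are constructed for the example.

```python
"""Per-request Zero Trust access decision: strong authentication, device health
for sensitive resources, and a least-privilege role map with time-limited
elevation.  Roles, resources and scenarios are constructed for this example;
this is not the policy model of any named product."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed least-privilege map: role -> permitted (resource, action) pairs.
# The accountant gets no admin rights; the developer can read but not write prod.
ROLE_PERMISSIONS = {
    "accountant": {("finance-share", "read"), ("finance-share", "write")},
    "developer": {("source-repo", "read"), ("source-repo", "write"), ("prod-db", "read")},
    "server-admin": {("file-server", "admin"), ("prod-db", "write")},
}
# Constructed sensitivity labels; unknown resources are treated as sensitive.
RESOURCE_SENSITIVITY = {
    "finance-share": "sensitive", "prod-db": "sensitive",
    "file-server": "sensitive", "source-repo": "internal",
}


@dataclass
class DeviceState:
    managed: bool
    os_patched: bool
    endpoint_protection_running: bool
    disk_encrypted: bool

    def healthy(self):
        return all((self.managed, self.os_patched,
                    self.endpoint_protection_running, self.disk_encrypted))


@dataclass
class AccessRequest:
    user: str
    roles: set
    mfa_verified: bool
    device: DeviceState
    resource: str
    action: str
    now: datetime
    # Time-limited elevation: role -> expiry (just-in-time admin rights).
    elevated_until: dict = field(default_factory=dict)


def active_roles(req):
    """Roles in effect now: permanent roles plus elevations that have not expired."""
    roles = set(req.roles)
    for role, expiry in req.elevated_until.items():
        if req.now < expiry:
            roles.add(role)
    return roles


def decide(req):
    """Return (allowed, reason).  Every request is evaluated from scratch."""
    # 1. Verify explicitly: the identity must be strongly authenticated.
    if not req.mfa_verified:
        return False, "mfa-required"
    # 2. Device health gates sensitive resources (trusted user, untrusted device).
    sensitivity = RESOURCE_SENSITIVITY.get(req.resource, "sensitive")
    if sensitivity == "sensitive" and not req.device.healthy():
        return False, "device-not-compliant"
    # 3. Least privilege: the (resource, action) pair must come from an active role.
    for role in sorted(active_roles(req)):
        if (req.resource, req.action) in ROLE_PERMISSIONS.get(role, set()):
            return True, f"granted-by-role:{role}"
    return False, "no-matching-permission"


def sample_decisions():
    """Constructed scenarios; returns {scenario: (allowed, reason)}."""
    now = datetime(2024, 3, 12, 9, 0, tzinfo=timezone.utc)
    healthy = DeviceState(True, True, True, True)
    unpatched = DeviceState(True, False, True, True)
    cases = {
        "accountant-reads-finance": AccessRequest("anna", {"accountant"}, True, healthy, "finance-share", "read", now),
        "accountant-admin-file-server": AccessRequest("anna", {"accountant"}, True, healthy, "file-server", "admin", now),
        "developer-writes-prod-db": AccessRequest("bob", {"developer"}, True, healthy, "prod-db", "write", now),
        "developer-repo-unpatched-device": AccessRequest("bob", {"developer"}, True, unpatched, "source-repo", "write", now),
        "accountant-unpatched-device": AccessRequest("anna", {"accountant"}, True, unpatched, "finance-share", "read", now),
        "no-mfa": AccessRequest("anna", {"accountant"}, False, healthy, "finance-share", "read", now),
        "jit-admin-active": AccessRequest("carla", set(), True, healthy, "prod-db", "write", now,
                                          elevated_until={"server-admin": now + timedelta(hours=1)}),
        "jit-admin-expired": AccessRequest("carla", set(), True, healthy, "prod-db", "write", now,
                                           elevated_until={"server-admin": now - timedelta(minutes=1)}),
    }
    return {name: decide(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in sample_decisions().items():
        print(f"{name:32s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

Two design choices matter more than the code: the decision is recomputed on every request rather than cached at login, and anything the policy does not know (an unlabelled resource, an unknown role) falls through to deny. The unpatched developer still reaches the internal repository but not production data, which is the "trusted user on a compromised device" case from Step 5 decided in the way Principle 1 asks for.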
The CISA Zero Trust Maturity Model as a roadmap
In version 2.0 of the Zero Trust Maturity Model, CISA defines five pillars: Identity, Devices, Networks, Applications & Workloads, and Data. Four maturity levels span each pillar: Traditional, Initial, Advanced and Optimal. This model is an excellent tool for assessing your current position and planning your journey — including for SMEs.
Most SMEs start at the “Traditional” or “Initial” level. That is not a problem. What matters is the direction, not the current position. An SME that has deployed MFA, segmented its network and cleaned up permissions is already better protected than many significantly larger organisations.
Swiss context: ISA and regulatory pressure
The Swiss Information Security Act (ISA) requires operators of critical infrastructure to maintain effective security management. By the end of 2026, affected organisations must establish an ISMS. The principles of Zero Trust — explicit verification, minimal permissions, continuous monitoring — directly align with these requirements.
At the European level, NIS2 is driving the same development. Swiss companies with EU customers or partners will increasingly need to measure up to these standards. Zero Trust is not a compliance trick but the technical implementation of what regulators have been demanding for years: risk-based security management, traceable access controls and end-to-end monitoring.
Common misconception: Zero Trust does not mean distrust
The term sometimes triggers cultural resistance: “We no longer trust our employees?” This is a misconception. Zero Trust is not directed against people but against assumptions. It is not about distrusting employees but about designing technical systems so that a compromised account or a stolen device does not automatically mean full access.
Well-implemented Zero Trust is barely noticeable for end users. MFA becomes a habit, permissions match the role, and monitoring operates in the background. Security increases without productivity suffering.
How Zerberos can help
Introducing Zero Trust starts with an honest assessment of your current position: where do you stand today, and which measures deliver the greatest security benefit? Our services:
- Risk Assessment — Analysis of your current architecture and identification of the largest gaps with respect to Zero Trust principles
- Penetration testing — Testing how far an attacker can move laterally after initial access
- Security Roadmap — Step-by-step implementation plan, prioritised by risk and feasibility
Contact us for an assessment of your Zero Trust maturity.