“Zero trust” has become one of those terms vendors slap on everything. Every security product claims to be “zero trust.” Every architecture slide deck has a zero-trust layer. The term has been stretched so far it risks meaning nothing at all.
But the core idea is powerful, practical, and directly relevant to how you manage network access for your team. Strip away the marketing, and zero trust comes down to one principle: never assume trust based on network location. Being “inside the network” doesn’t mean you’re authorized. Every access request is verified against identity, device posture, and policy — every time.
For IT pros managing small to mid-sized environments, zero trust isn’t an enterprise luxury. It’s the most practical way to secure a distributed team. Here’s what it means and how to implement it with tools you can actually deploy.
What Zero Trust Replaces: The Perimeter Model
Traditional network security works like a castle with a moat. Everything inside the perimeter (your office network, your VPN) is trusted. Everything outside is not. Connect to the VPN, and you can reach anything on the internal network.
This model has three problems in 2026:
- The perimeter doesn’t exist anymore. Your team works from home, coffee shops, co-working spaces, and client sites. Your servers are split between on-premises, cloud, and SaaS. There’s no single “inside” to protect.
- VPN access is too broad. A traditional VPN gives every connected user access to the entire internal network. The marketing intern and the infrastructure architect have the same network visibility. A compromised laptop on the VPN can scan and reach every internal resource.
- Lateral movement is trivial. Once an attacker is “inside” — through a phished credential, a compromised endpoint, or a vulnerable service — they can move freely across the flat internal network. This is how a single foothold typically escalates into a full compromise.
Zero trust addresses these problems by refusing to attach any meaning to “inside”: every connection is authorized on its own merits, wherever it comes from.
The Five Principles of Zero Trust
1. Verify Identity, Always
Every access request starts with authentication. Who is this user? Is their identity confirmed through a trusted identity provider? Multi-factor authentication isn’t optional — it’s the baseline.
This isn’t just about the initial VPN login. Zero trust verifies identity per-resource, per-session. Reaching the file server is one authorization decision; reaching the database is a separate one, made against the same identity but its own policy. No inherited trust.
2. Least Privilege Access
Users get access to exactly what they need and nothing more. A developer needs access to the staging server and the code repository. They don’t need access to the HR database, the financial reports, or the production database admin panel.
This sounds obvious, but it’s the opposite of how most VPNs work. Traditional VPN = connect once, access everything. Zero trust = connect once, access only what your policy permits.
3. Micro-Segmentation
Instead of one flat network, resources are segmented into groups with access controlled between them. The development environment is isolated from production. The guest Wi-Fi is isolated from internal systems. Each segment has its own access policies.
4. Assume Breach
Design your network as if an attacker is already inside. Limit blast radius. Monitor access patterns. Log everything. If one machine is compromised, the attacker shouldn’t be able to reach your most critical systems from it.
5. Continuous Verification
Access isn’t a one-time gate. Sessions are re-evaluated. Device posture is checked (is the OS updated? is disk encryption enabled?). Policies adapt based on context — accessing from a known corporate device is different from accessing from an unknown personal phone.
Zero Trust in Practice: What It Looks Like for a 30-Person Company
Let’s make this concrete. You’re a sysadmin managing a 30-person company with a mix of office and remote workers. Here’s what zero trust looks like in your environment:
Identity provider (SSO): Every employee authenticates through a central identity provider. You use Zitadel (self-hosted, open source) or a cloud provider like Google Workspace or Microsoft Entra ID (formerly Azure AD). MFA is enforced for everyone.
Network access: Instead of a traditional VPN that drops everyone onto the same network, you use a zero-trust mesh VPN like NetBird. Employees install the NetBird agent, authenticate through your identity provider, and get access only to the resources their group policy allows.
Access policies:
- Engineering group: Can reach the Git server, CI/CD pipeline, staging and production servers on SSH port 22
- Marketing group: Can reach the CMS, analytics dashboards, and shared file server
- Finance group: Can reach the accounting application and financial file server
- All employees: Can reach the internal wiki, the chat server, and the printer network
- Contractors: Can reach only the specific project repository and staging environment assigned to them
What happens when someone joins: Create their identity in your SSO, assign them to the right group. NetBird’s policy gives them access to exactly the right resources. No VPN config files to hand out, no per-user firewall rules. (Host-level credentials such as SSH keys or application logins are a separate layer: the policy controls what a person can reach, not how they authenticate once they get there.)
What happens when someone leaves: Disable their identity in the SSO. They lose access to everything that sits behind the identity-based policy. No revoking VPN certificates, no changing shared passwords. The caveat is that this only holds if SSO is the only way in: a local account, a static API token, or an SSH key already on a server bypasses the IdP and still has to be rotated, which is exactly why the credentials layer below matters.
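The group policy above, modeled as an added example in Python. This is illustrative code written for this article, not NetBird’s policy engine or API: the group names, resource names, ports, and the device-posture checks are assumptions, chosen to mirror the list above. It shows the three behaviours the text promises: default deny with per-resource, per-port grants; contractors who never inherit employee-wide access because they are not in the employees group; and production SSH that is only granted from a device passing posture checks (principle 5). It also shows what “network visibility” means in practice by listing everything one user can reach.

```python
"""Illustrative group-based access policy for the 30-person company above.

Not NetBird's engine: a model of the decisions such a tool makes, so the
rules can be read and tested before you encode them in a real product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    source_group: str            # an IdP group, never an IP address
    destinations: frozenset      # resources the group may reach
    ports: frozenset             # TCP ports allowed on those resources
    require_healthy_device: bool = False   # device-posture gate (principle 5)


@dataclass
class User:
    name: str
    groups: frozenset            # synced from the identity provider
    enabled: bool = True         # set to False when the IdP account is disabled


@dataclass(frozen=True)
class Device:
    managed: bool
    os_patched: bool
    disk_encrypted: bool

    def healthy(self) -> bool:
        return self.managed and self.os_patched and self.disk_encrypted


# Hypothetical policy mirroring the group list in the article. Contractors are
# deliberately not in "employees", so they never inherit wiki/chat/printer access,
# and production SSH is only granted from a device that passes posture checks.
# Repository-level scoping for contractors happens inside the Git server itself;
# the network policy can only scope them to the Git host and the staging box.
POLICY = (
    Rule("engineering", frozenset({"git", "ci", "staging"}), frozenset({22, 443})),
    Rule("engineering", frozenset({"prod"}), frozenset({22}), require_healthy_device=True),
    Rule("marketing", frozenset({"cms", "analytics", "files"}), frozenset({443, 445})),
    Rule("finance", frozenset({"accounting", "finance-files"}), frozenset({443, 445})),
    Rule("employees", frozenset({"wiki", "chat", "printers"}), frozenset({443, 631})),
    Rule("contractor-projectx", frozenset({"git", "staging"}), frozenset({22, 443})),
)


def evaluate(user, device, resource, port, policy=POLICY):
    """Decide one access request. Default deny; returns (allowed, reason)."""
    if not user.enabled:
        return False, "identity disabled in IdP"
    reason = "no rule grants this group access"
    for rule in policy:
        if rule.source_group not in user.groups:
            continue
        if resource not in rule.destinations or port not in rule.ports:
            continue
        if rule.require_healthy_device and not device.healthy():
            reason = "device posture check failed"
            continue          # keep looking: another rule might still allow it
        return True, f"allowed by rule for group {rule.source_group}"
    return False, reason


def reachable(user, device, policy=POLICY):
    """The user's entire network visibility: every (resource, port) they can reach now."""
    visible = set()
    for rule in policy:
        if rule.source_group in user.groups:
            for res in rule.destinations:
                for port in rule.ports:
                    if evaluate(user, device, res, port, policy)[0]:
                        visible.add((res, port))
    return visible


# Constructed sample identities and devices
alice = User("alice", frozenset({"engineering", "employees"}))
bob = User("bob", frozenset({"marketing", "employees"}))
carol = User("carol", frozenset({"contractor-projectx"}))
LAPTOP = Device(managed=True, os_patched=True, disk_encrypted=True)
PHONE = Device(managed=False, os_patched=True, disk_encrypted=False)

if __name__ == "__main__":
    for who, dev, res, port in [(alice, LAPTOP, "prod", 22), (alice, PHONE, "prod", 22),
                                (bob, LAPTOP, "prod", 22), (carol, LAPTOP, "wiki", 443)]:
        print(who.name, res, port, evaluate(who, dev, res, port))
    print("bob sees:", sorted(reachable(bob, LAPTOP)))
```

Two design choices worth copying into a real policy: rules are keyed on groups that come from the IdP rather than on user names, so joining and leaving are group changes only; and the posture gate is per rule, so a stale personal phone can still reach staging while production stays closed to it.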
How to Implement Zero Trust with Open-Source Tools
You don’t need Zscaler or Palo Alto to implement zero trust. Here’s a practical stack using open-source tools:
Layer 1: Identity (Who Are You?)
Tool: Zitadel or Keycloak
Your identity provider is the foundation. Every access decision starts with “who is this person?” Zitadel is our pick for small to mid-sized teams — it’s open source, self-hostable, and supports OIDC, SAML, MFA, and user management out of the box.
Read our Zitadel review for deployment details.
Layer 2: Network Access (What Can You Reach?)
Tool: NetBird
NetBird is where zero trust meets the network layer. It’s a WireGuard-based mesh VPN with identity-based access policies. Users authenticate through your identity provider (Layer 1), and NetBird enforces which resources they can reach based on their group membership.
Key zero-trust features in NetBird:
- Identity-based policies: Access defined by user groups, not IP addresses
- Per-resource, per-port controls: Engineering can SSH into servers; marketing cannot
- Visual policy management: The Control Center shows every access relationship in your network
- Automatic revocation: Disable a user in your IdP and they lose network access as soon as the change syncs. Check the sync interval of your IdP integration and test an offboarding end to end rather than assuming it is instant.
Layer 3: Credentials (What Do You Know?)
Tool: Psono or Bitwarden
Zero trust means no shared passwords, no sticky notes, no credentials in Slack messages. Use a team password manager for any credentials that can’t be replaced by SSO.
Psono is a free, self-hostable option for team password sharing.
Layer 4: Monitoring (What Are You Doing?)
Tools: NetBird activity logs + your SIEM
Zero trust requires audit trails. NetBird logs connection events and access policy evaluations. Feed these into your monitoring stack, off the peers themselves so a compromised machine cannot erase its own trail, and look for anomalies: unusual access patterns, connections from unexpected locations, or repeated attempts to reach resources outside a user’s policy. A burst of denied connections to unrelated resources from one user is the zero-trust signature of a compromised laptop trying to scan.
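The two detections described above, run over constructed sample events, as an added example. The code and the log lines are written for this article: the JSON field names (`user`, `src_country`, `resource`, `port`, `action`) are an assumption and not NetBird’s real log schema, and the per-user country baseline is constructed. The point is the logic: a single deny is noise, a spread of denies across unrelated resources from one identity is a probing alert, and an allowed connection from a country the user has never connected from is a location alert.

```python
"""Detection logic over zero-trust connection events (illustrative, not NetBird's format)."""
import json
from collections import defaultdict

# Constructed sample connection events in JSON Lines. The field names are an
# assumption for this example, not the real NetBird log schema.
SAMPLE_LOG = """\
{"ts": "2026-03-02T09:01:10Z", "user": "alice", "src_country": "DE", "resource": "git", "port": 22, "action": "allow"}
{"ts": "2026-03-02T09:02:41Z", "user": "alice", "src_country": "DE", "resource": "ci", "port": 443, "action": "allow"}
{"ts": "2026-03-02T09:05:03Z", "user": "bob", "src_country": "DE", "resource": "cms", "port": 443, "action": "allow"}
{"ts": "2026-03-02T09:05:07Z", "user": "bob", "src_country": "DE", "resource": "prod", "port": 22, "action": "deny"}
{"ts": "2026-03-02T09:05:08Z", "user": "bob", "src_country": "DE", "resource": "git", "port": 22, "action": "deny"}
{"ts": "2026-03-02T09:05:09Z", "user": "bob", "src_country": "DE", "resource": "accounting", "port": 443, "action": "deny"}
{"ts": "2026-03-02T09:05:10Z", "user": "bob", "src_country": "DE", "resource": "finance-files", "port": 445, "action": "deny"}
{"ts": "2026-03-02T11:47:55Z", "user": "alice", "src_country": "RU", "resource": "prod", "port": 22, "action": "allow"}
{"ts": "2026-03-02T12:10:00Z", "user": "carol", "src_country": "US", "resource": "staging", "port": 22, "action": "allow"}
{"ts": "2026-03-02T12:11:30Z", "user": "carol", "src_country": "US", "resource": "wiki", "port": 443, "action": "deny"}
"""

# Countries each user has connected from before (constructed baseline; in
# practice you would build this from the previous weeks of allowed events).
BASELINE = {"alice": {"DE"}, "bob": {"DE"}, "carol": {"US"}}


def parse_events(raw):
    """One dict per non-empty JSON line."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def find_policy_probing(events, threshold=3):
    """Users denied on at least `threshold` distinct (resource, port) pairs.

    One stray deny is usually a typo or a stale bookmark. Denies spread across
    unrelated resources from one identity look like a compromised peer scanning.
    """
    denied = defaultdict(set)
    for e in events:
        if e["action"] == "deny":
            denied[e["user"]].add((e["resource"], e["port"]))
    return {u: sorted(targets) for u, targets in denied.items() if len(targets) >= threshold}


def find_new_locations(events, baseline):
    """Allowed connections from a country the user has never connected from."""
    hits = []
    for e in events:
        if e["action"] == "allow" and e["src_country"] not in baseline.get(e["user"], set()):
            hits.append((e["user"], e["src_country"], e["ts"]))
    return hits


def run_detections(raw=SAMPLE_LOG, baseline=BASELINE):
    """Run both detections and return their findings keyed by name."""
    events = parse_events(raw)
    return {
        "policy_probing": find_policy_probing(events),
        "new_locations": find_new_locations(events, baseline),
    }


if __name__ == "__main__":
    for name, findings in run_detections().items():
        print(f"{name}: {findings}")
```

On the sample data only bob trips the probing rule (four distinct denied targets; carol’s single deny stays below the threshold), and only alice’s allowed production SSH from an unseen country is flagged as a new location. Note that the second alert fires on an allowed connection: policy said yes, which is exactly why the audit trail has to be watched rather than only the denies.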
Zero Trust vs Traditional VPN: A Comparison
| Factor | Traditional VPN | Zero Trust (NetBird) |
|---|---|---|
| Access model | Connect once, access everything | Per-resource, per-policy access |
| Authentication | VPN credentials (often shared) | SSO + MFA through identity provider |
| Network visibility | Full internal network | Only authorized resources |
| Compromised device | Can scan entire network | Can only reach permitted resources |
| Employee offboarding | Revoke VPN cert, change shared passwords, remove SSH keys | Disable identity in SSO, done |
| Compliance | Difficult to audit | Per-connection audit logs |
| Contractor access | Full VPN or separate VPN | Scoped policy, time-limited if needed |
Common Objections (and Why They’re Wrong)
“We’re too small for zero trust”
If you have 5+ people accessing internal resources, zero trust is simpler than managing VPN configs and SSH keys manually. NetBird’s free tier covers 5 users and 100 machines. The setup takes 10 minutes.
“It’s too complex to implement”
With modern tools, implementing zero trust is faster than setting up a traditional VPN with proper access controls. Install NetBird, connect your identity provider, define three or four group policies. You’re done.
“Our team won’t accept the friction”
Zero trust with tools like NetBird is less friction than a traditional VPN. Users install one agent, authenticate once through SSO, and their access works transparently. No VPN config files, no manual connections, no remembering which server is at which IP.
“We already have a firewall”
A firewall protects the perimeter. Zero trust protects the resources. They complement each other: zero trust handles what the firewall can’t, identity-based access control for users who are already “inside” your network, while the firewall (and a host firewall on each server) still blocks everything that never came through the mesh at all.
Getting Started: A Three-Step Plan
Week 1: Identity
Deploy an identity provider (Zitadel or your existing Google Workspace/Azure AD). Enable MFA. Create user groups that match your team structure (engineering, marketing, finance, contractors).
Week 2: Network
Deploy NetBird. Connect it to your identity provider. Define access policies for each group. Install agents on your servers and team devices.
Week 3: Audit
Review access logs. Verify that policies are working as intended, and test the denials, not just the grants: log in as a low-privilege user and confirm that a connection to a resource outside their policy fails, rather than only checking that permitted resources work. Identify any resources that should be segmented further. Adjust policies based on actual usage patterns.
After three weeks, you have a working zero-trust network. No enterprise sales call required.
Frequently Asked Questions
What Is Zero Trust Networking?
Zero trust networking is a security model where no user or device is trusted by default, regardless of their network location. Every access request is verified against identity, device posture, and policy. Being “on the network” doesn’t grant access to anything.
Is Zero Trust Just a VPN?
No. A VPN provides encrypted connectivity. Zero trust provides identity-based access control. Modern tools like NetBird combine both: WireGuard encryption for connectivity, and identity-based policies for access control. The VPN is the transport layer; zero trust is the policy layer.
Can Small Businesses Implement Zero Trust?
Yes. Open-source tools like NetBird (network access), Zitadel (identity), and Psono (credentials) make zero trust accessible to teams of any size. The free tiers are generous enough for most small businesses.
What’s the Difference Between ZTNA and VPN?
ZTNA (Zero Trust Network Access) grants access to specific resources based on identity and policy. A traditional VPN grants access to an entire network. ZTNA is more granular, more secure, and better suited for distributed teams.
For the full VPN landscape, see our guide to the best self-hosted VPN solutions. For mesh networking fundamentals, see what is a mesh VPN.