Zero Trust Without the Buzzwords: A Practical Small-Business Checklist

How to use this guide: Two audiences live here. If you’re the business owner or decision-maker, read the plain-English summaries under each pillar heading — they tell you what and why. If you’re the IT person or MSP tech doing the work, the checklists and tool callouts are yours. Both audiences should read Where to Start before diving in.


What Is Zero Trust, Actually?

Forget the vendor pitch. Zero Trust is a single, unsexy idea:

Never assume something is safe just because it’s inside your network.

Traditional security drew a line around the office — firewalls, VPNs, a hard perimeter. Everything inside was trusted. Everything outside wasn’t. That model collapsed when employees started working from coffee shops, when apps moved to the cloud, and when attackers learned that stealing one set of credentials was enough to roam freely once they were “inside.”

Zero Trust replaces implicit trust with continuous verification. Every user, every device, every application has to prove it deserves access — every single time, for every resource it touches. No free passes. No “you’re on the company Wi-Fi so you’re fine.”

What Zero Trust is NOT:

  • A product you buy and install
  • Something only enterprises need
  • Expensive by definition
  • An all-or-nothing overhaul

You probably already have some Zero Trust controls in place without calling them that. This guide helps you find the gaps and close them systematically.


The Five Pillars

The Cybersecurity and Infrastructure Security Agency (CISA) organizes Zero Trust around five pillars. Each pillar is a domain where you make access decisions. Strengthen all five and you’ve eliminated most of the attack surface that catches small businesses.

Pillar        Plain-English Version
Identity      Are you really who you say you are?
Devices       Is the thing connecting to us actually safe?
Network       Can you only reach what you need to reach?
Applications  Does this app let in only what it should?
Data          Is the data itself protected, not just the path to it?

Pillar 1 — Identity

What It Means

Identity is the front door. Before any user or system gets access to anything, you need to be confident they are who they claim to be — and that they only get into the specific room they need.

Most small-business breaches start here: a phished password, a reused credential leaked from another site, or a former employee whose account was never deactivated.

Owner Summary

Turn on multi-factor authentication for everything. Use a single sign-on system so you can see (and revoke) access in one place. Make a habit of reviewing who has access to what — especially after someone leaves.

IT Checklist

Authentication

  • Multi-factor authentication (MFA) enabled for all users on all critical systems (email, cloud storage, billing, admin portals)
  • Phishing-resistant MFA deployed where possible — hardware keys (YubiKey) or passkeys preferred over SMS codes
  • SMS-based MFA replaced or supplemented with authenticator app (Microsoft Authenticator, Google Authenticator) for standard accounts
  • Password policy enforces minimum 12 characters; no complexity theater (no forced quarterly resets that encourage weak patterns)
  • Password manager deployed org-wide (Bitwarden free tier, 1Password Teams, or similar)

Identity Management

  • Single Identity Provider (IdP) in use — Microsoft Entra ID (formerly Azure AD), Google Workspace, or Okta
  • All applications federated to IdP via SSO where supported
  • Service accounts and shared accounts inventoried and minimized
  • Guest/vendor accounts time-limited and reviewed quarterly
  • Offboarding checklist includes: disable account same day, revoke sessions, transfer ownership of files

Least Privilege

  • Role-Based Access Control (RBAC) defined: who needs what, at what level
  • No user has standing Global Admin or Domain Admin rights for daily work
  • Admin actions use separate, dedicated admin accounts
  • Privileged access reviewed quarterly and trimmed to actual need
  • Access requests have an approval workflow (even informal is fine for small teams)

Conditional Access

  • Conditional Access policies configured to block logins from high-risk locations or impossible travel scenarios
  • Sign-in risk policies configured to step-up to MFA or block high-risk sign-ins
  • Legacy authentication protocols (Basic Auth, older SMTP/POP/IMAP without modern auth) blocked
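The two Conditional Access policies this list (and the Month 1 step later in the guide) call for, block legacy authentication and require MFA plus a compliant device, written as the request bodies Microsoft Graph accepts, with a pre-flight check run before anything is submitted. This is an added example, not code from the page or from Microsoft; the group ID is a placeholder, and the policy names, the report-only-first rule and the OR/AND guard rail are assumptions.

```python
import json

# Placeholder (not a real tenant value): object ID of the emergency-access
# ("break-glass") group that every policy must exclude, so a bad policy
# cannot lock every admin out of the tenant.
BREAK_GLASS_GROUP_ID = "00000000-0000-0000-0000-000000000000"
# Graph state value for report-only mode: evaluate and log, enforce nothing yet.
REPORT_ONLY = "enabledForReportingButNotEnforced"
GRAPH_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def block_legacy_auth_policy(break_glass_group=BREAK_GLASS_GROUP_ID):
    """Block Basic Auth / ActiveSync / other legacy clients for all users."""
    return {
        "displayName": "ZT-01 Block legacy authentication",
        "state": REPORT_ONLY,
        "conditions": {
            "clientAppTypes": ["exchangeActiveSync", "other"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeGroups": [break_glass_group]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def require_mfa_and_compliant_device_policy(break_glass_group=BREAK_GLASS_GROUP_ID):
    """Modern clients reach any cloud app only with MFA AND a compliant device."""
    return {
        "displayName": "ZT-02 Require MFA and compliant device",
        "state": REPORT_ONLY,
        "conditions": {
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeGroups": [break_glass_group]},
        },
        # "AND" demands both controls. "OR" would let MFA alone satisfy the
        # policy and silently drop the device-posture requirement.
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
    }


def policy_problems(policy):
    """Guard rails to run before submitting; an empty list means safe to POST."""
    problems = []
    if BREAK_GLASS_GROUP_ID not in policy["conditions"]["users"].get("excludeGroups", []):
        problems.append("break-glass group not excluded")
    if policy["state"] != REPORT_ONLY:
        problems.append("new policy should start in report-only mode")
    grant = policy["grantControls"]
    if len(grant["builtInControls"]) > 1 and grant["operator"] != "AND":
        problems.append("grant controls use OR: MFA alone would satisfy the policy")
    return problems


if __name__ == "__main__":
    for p in (block_legacy_auth_policy(), require_mfa_and_compliant_device_policy()):
        print(p["displayName"], "->", policy_problems(p) or "OK")
        print(json.dumps(p, indent=2))  # body for an authenticated POST to GRAPH_URL
```

Switch `state` to `enabled` only after the report-only sign-in logs show no unexpected blocks.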

Tools & Cost

Tool                                                       | Cost                    | Use
Microsoft Entra ID (Free tier)                             | Free                    | SSO, basic Conditional Access, MFA
Microsoft Entra ID P1 (included in M365 Business Premium)  | ~$22/user/mo (bundled)  | Full Conditional Access, Identity Protection
Google Workspace                                           | $6–$18/user/mo          | SSO + basic controls for Google-centric shops
Okta                                                       | From $2/user/mo         | IdP for non-Microsoft environments
Bitwarden Teams                                            | $4/user/mo              | Password manager
YubiKey 5 NFC                                              | ~$50/key                | Phishing-resistant hardware MFA

Pillar 2 — Devices

What It Means

A compromised device connecting to your systems is as dangerous as a stolen password — it just looks more legitimate. Every laptop, phone, and tablet that touches company data is a potential entry point.

Zero Trust says: before a device gets access, verify it meets your security baseline. Is it encrypted? Up to date? Running endpoint protection? Managed by the company?

Owner Summary

Know what devices are connecting to your systems. Company devices should be managed centrally — that means you can lock or wipe them if they’re stolen. Personal devices used for work need at minimum a policy governing what they can and can’t access.

IT Checklist

Inventory

  • Complete inventory of all endpoints: company-owned laptops, desktops, phones, tablets
  • Inventory includes OS version, owner, last-seen, encryption status
  • BYOD (personal devices) policy defined: what data can be accessed, what controls are required

Device Health Baseline

  • Full-disk encryption enabled on all company devices (BitLocker on Windows, FileVault on macOS)
  • Endpoint Detection & Response (EDR) or at minimum Microsoft Defender enabled and monitored
  • Auto-update policy enforced: OS and critical applications patched within defined SLA (e.g., 14 days for critical patches)
  • Screen lock with PIN/password enforced after idle timeout (5–10 minutes)
  • Local admin rights removed from standard user accounts

Mobile Device Management (MDM)

  • MDM solution deployed for all company-owned devices
  • Conditional Access policies require device compliance before granting access to corporate resources
  • Remote wipe capability tested and documented
  • BYOD devices enrolled in MAM (Mobile App Management) at minimum — company data containerized from personal data

Endpoint Posture in Access Decisions

  • Conditional Access (or equivalent) configured to block access from unmanaged or non-compliant devices
  • Device compliance signals fed into access policy (managed + compliant = full access; unmanaged = limited or blocked)

Tools & Cost

Tool                                                        | Cost                          | Use
Microsoft Intune (in M365 Business Premium)                 | Bundled                       | MDM/MAM for Windows, iOS, Android, macOS
Microsoft Defender for Business (in M365 Business Premium)  | Bundled                       | EDR for SMBs
Mosyle (Apple-only)                                         | Free up to 30 devices         | MDM for Apple fleets
Google Endpoint Manager                                     | Included in Google Workspace  | Basic device controls for Google shops
Malwarebytes for Teams                                      | ~$4/device/mo                 | EDR for mixed environments

Note for M365 shops: Microsoft 365 Business Premium bundles Intune + Defender for Business + Entra ID P1 at ~$22/user/month. For most SMBs, this is the single highest-ROI security purchase available.


Pillar 3 — Network

What It Means

Traditional networks trusted everything inside the building or the VPN. Zero Trust flips this: the network is untrusted by default. Users and devices get the minimum network access needed to do their job — nothing more.

In practice, this means replacing open internal networks and blanket VPN access with segmented zones and application-level tunnels. An attacker who compromises one system shouldn’t be able to reach every other system from there.

Owner Summary

You’re not trying to build a fortress wall. You’re trying to make sure that if one computer gets infected, the malware can’t easily jump to your accounting system, your customer database, or your backups. Network segmentation does exactly that.

IT Checklist

Network Segmentation

  • Network segmented into at least three zones: user/corporate traffic, servers/infrastructure, guest/IoT devices
  • Guest Wi-Fi completely isolated from corporate network (separate VLAN, no cross-traffic)
  • IoT devices (printers, cameras, HVAC controllers, smart TVs) on their own isolated VLAN
  • Inter-VLAN routing restricted to explicitly permitted traffic only
  • Servers and critical systems not directly reachable from general user VLAN without explicit allow rules

VPN & Remote Access

  • Legacy perimeter VPN assessed for replacement with Zero Trust Network Access (ZTNA)
  • If VPN retained: split tunneling configured so only corporate-bound traffic goes through VPN
  • VPN access requires MFA + compliant device
  • Contractor and vendor remote access limited to specific systems, time-limited, not full network access

DNS Security

  • Protective DNS deployed — blocks known malicious domains at the resolver level
  • DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) enabled on managed devices
  • Internal DNS does not expose internal hostnames externally

Firewall & Perimeter

  • Default-deny egress rules — outbound traffic explicitly permitted, not open by default
  • East-west traffic (internal network to internal network) logged and monitored
  • Firewall rules reviewed annually; unused rules removed
  • Unnecessary open ports closed; exposed services inventoried

Tools & Cost

Tool                               | Cost                      | Use
Cloudflare Zero Trust (Free tier)  | Free up to 50 users       | ZTNA, secure web gateway, DNS filtering
Cloudflare Gateway                 | Free / $7/user/mo         | DNS filtering, threat intelligence
Tailscale (Free tier)              | Free up to 3 users        | Mesh VPN / lightweight ZTNA
pfSense / OPNsense                 | Free (open source)        | Firewall with VLAN support
Cisco Umbrella                     | From $2.25/user/mo        | DNS security for SMBs
OpenVPN Access Server              | Free up to 3 connections  | VPN with MFA support

The Cloudflare free tier is legitimately useful. For up to 50 users, Cloudflare One provides ZTNA, secure web gateway, and DNS filtering at no cost. It integrates with Entra ID. For many SMBs, this is the right starting point for network-level ZT controls.


Pillar 4 — Applications & Workloads

What It Means

Applications are where work happens — and where attackers want to go. Zero Trust for applications means each app makes its own access decisions rather than relying on network location as a proxy for trust. An app should only be reachable if you’re supposed to use it, and it should only show you the features you’re supposed to have.

This pillar also covers SaaS apps, internal tools, APIs, and anything else that processes your data.

Owner Summary

Every app you use should require a login through your main identity system, not its own separate username and password. Apps should be reviewed regularly to make sure old employees don’t still have access, and that permissions haven’t crept beyond what people actually need.

IT Checklist

Application Access

  • All business applications integrated with your SSO/IdP where supported
  • No applications using shared/generic credentials (everyone using the same login)
  • Application access inventory maintained: who has access to what app, at what permission level
  • Quarterly access review process for all critical applications
  • Application offboarding included in employee offboarding checklist

SaaS Security Posture

  • OAuth app permissions reviewed — revoke apps that have excessive permissions or are no longer used
  • Third-party app access to Microsoft 365 / Google Workspace audited
  • Admin consent policies restrict which OAuth apps users can approve themselves
  • SaaS applications configured to enforce SSO (disable direct username/password login where possible)

Internal Applications & APIs

  • Internal web applications not exposed directly to the internet; protected behind ZTNA or reverse proxy
  • APIs require authentication (no unauthenticated endpoints for sensitive operations)
  • API keys and secrets stored in a secrets manager, not in code repositories or environment files on developer machines
  • Web applications scanned for common vulnerabilities (OWASP Top 10) at least annually

Software Supply Chain

  • Software sources restricted — users cannot install unapproved software
  • Application allowlist enforced on critical systems where feasible
  • Open-source dependencies reviewed and updated regularly
  • Browser extensions inventoried and restricted to approved list

Tools & Cost

Tool                               | Cost                     | Use
Microsoft Entra App Proxy          | Included in Entra ID P1  | Secure internal app access without VPN
Cloudflare Access                  | Free up to 50 users      | Zero Trust access proxy for internal apps
Bitwarden Secrets Manager          | From $6/mo               | Secrets and API key management
OWASP ZAP                          | Free                     | Web app vulnerability scanner
Microsoft Defender for Cloud Apps  | In M365 E5 / standalone  | SaaS security posture management

Pillar 5 — Data

What It Means

Data protection is the end goal of everything else. The previous four pillars are about controlling access to systems. This pillar is about making sure the data itself is protected even when access controls fail — because they will, eventually.

Zero Trust for data means: classify it, encrypt it, know where it lives, and control what can be done with it.

Owner Summary

You need to know where your sensitive data lives — customer records, employee information, financial data, intellectual property. Once you know, you can make sure it’s encrypted, backed up, and that only people who need it can access it. You also need a plan for when something goes wrong.

IT Checklist

Data Discovery & Classification

  • Data inventory completed: where does sensitive data live? (cloud storage, file shares, databases, email, endpoints)
  • Data classification scheme defined and communicated — at minimum: Public, Internal, Confidential, Restricted
  • Sensitive data not stored in uncontrolled locations (personal Dropbox, personal email, unmanaged USB drives)
  • Data retention policy defined and enforced: what gets kept, for how long, and where

Encryption

  • Data encrypted at rest: full-disk encryption on endpoints (covered in Devices pillar), encryption for cloud storage and databases
  • Data encrypted in transit: TLS 1.2+ enforced for all connections; TLS 1.0 and 1.1 disabled
  • Email encryption available for communications involving sensitive data (S/MIME or Microsoft Purview Message Encryption)
  • Backups encrypted and stored separately from primary data

Data Loss Prevention (DLP)

  • DLP policies configured to detect and block transmission of sensitive data types (SSNs, credit card numbers, etc.) via email and cloud storage
  • External sharing reviewed in cloud storage (Microsoft SharePoint / OneDrive, Google Drive) — audit who can share and with whom
  • USB and removable storage restricted on managed endpoints for sensitive systems
  • Screen capture / clipboard policies considered for highly sensitive roles
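What a DLP classifier for the sensitive data types named above actually has to do to avoid firing on every nine- or sixteen-digit string: an added example (not code from the page or from any DLP product) that applies SSN issuance rules and the Luhn checksum to candidates found in constructed text. The sample text, the 13 to 19 digit card length and the hit format are assumptions.

```python
import re

# Candidate patterns: SSN as 3-2-4 groups; card as 13-19 digits with optional
# single space/dash separators. Both over-match on purpose; validation below
# decides whether a match is a real identifier.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Constructed sample text: one real-looking SSN, one Luhn-valid test card number,
# one ticket number that merely looks like a card, an unissued SSN and a phone number.
SAMPLE = ("Customer SSN 123-45-6789, card 4111 1111 1111 1111 on file. "
          "Ticket 1234 5678 9012 3456, old id 000-12-3456, phone 555-123-4567.")


def valid_ssn(area, group, serial):
    """SSA issuance rules: area never 000, 666 or 900-999; group never 00; serial never 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def luhn_ok(digits):
    """Luhn checksum, which every major card brand's PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return (type, matched text) for each validated identifier in text."""
    hits = []
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("card", m.group(0)))
    return hits


if __name__ == "__main__":
    for kind, value in find_sensitive(SAMPLE):
        print(f"{kind}: {value}")
```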

Backup & Recovery

  • 3-2-1 backup rule implemented: 3 copies, 2 different media types, 1 offsite/offline
  • Backups tested (actually restored) at least quarterly
  • Backup system isolated from primary network — ransomware should not be able to reach backups
  • Recovery Time Objective (RTO) and Recovery Point Objective (RPO) defined and documented
  • Incident response plan documented for data breach scenarios

Tools & Cost

Tool                                          | Cost                | Use
Microsoft Purview (in M365 Business Premium)  | Bundled             | DLP, sensitivity labels, data classification
Veeam Community Edition                       | Free                | Backup for up to 10 workloads
Backblaze Business Backup                     | $9/computer/mo      | Cloud backup with versioning
Acronis Cyber Protect                         | From $85/device/yr  | Integrated backup + endpoint protection
VeraCrypt                                     | Free                | Encryption for portable drives and containers

Cross-Cutting: Visibility & Monitoring

What It Means

Zero Trust only works if you can see what’s happening. All five pillars generate signals — login attempts, device health checks, network connections, application access. You need to aggregate those signals somewhere and act on anomalies.

This doesn’t require a full Security Operations Center (SOC). For SMBs, the goal is: know when something unusual happens, and know quickly enough to respond.

IT Checklist

Logging

  • Centralized logging enabled for: identity events (sign-ins, MFA, failed attempts), endpoint activity, network perimeter, critical application access
  • Log retention policy defined — minimum 90 days accessible, 12 months archived (adjust for compliance requirements)
  • Logs protected from deletion by the users and systems they monitor

Alerting

  • Alerts configured for: impossible travel / multiple geography sign-ins, mass file downloads or deletions, privilege escalation events, account lockouts exceeding threshold, new device enrollment
  • Alert escalation path defined: who gets paged at 2am for a critical alert?
  • Alert fatigue managed — tune alerts to reduce noise, document why each alert matters
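Two of the alert rules listed above, impossible travel between successive sign-ins and a burst of failed sign-ins past a lockout threshold, run over constructed sign-in events. This is an added example, not code from the page or from any SIEM; the 900 km/h ceiling, the five-failures-in-ten-minutes threshold, the event field layout and the sample events are all assumptions.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900              # assumed ceiling: faster than any airliner
FAIL_THRESHOLD = 5                   # assumed lockout threshold ...
FAIL_WINDOW = timedelta(minutes=10)  # ... within this window

# Constructed sample events: (UTC time, user, outcome, latitude, longitude, city).
# A real feed would be Entra ID sign-in logs with the IP already geolocated.
EVENTS = [
    ("2024-05-06T08:00:00", "alice", "success", 40.71, -74.01, "New York"),
    ("2024-05-06T09:30:00", "alice", "success", 52.37, 4.90, "Amsterdam"),
    ("2024-05-06T08:05:00", "bob", "failure", 51.51, -0.13, "London"),
    ("2024-05-06T08:06:00", "bob", "failure", 51.51, -0.13, "London"),
    ("2024-05-06T08:07:00", "bob", "failure", 51.51, -0.13, "London"),
    ("2024-05-06T08:08:00", "bob", "failure", 51.51, -0.13, "London"),
    ("2024-05-06T08:09:00", "bob", "failure", 51.51, -0.13, "London"),
    ("2024-05-06T09:00:00", "carol", "success", 48.86, 2.35, "Paris"),
    ("2024-05-06T11:00:00", "carol", "success", 51.51, -0.13, "London"),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events):
    """Flag a user whose two successive successful sign-ins imply an implausible speed."""
    alerts, last = [], {}
    for ts, user, outcome, lat, lon, city in sorted(events):
        if outcome != "success":
            continue
        t = datetime.fromisoformat(ts)
        if user in last:
            prev_t, prev_lat, prev_lon, prev_city = last[user]
            hours = (t - prev_t).total_seconds() / 3600
            km = haversine_km(prev_lat, prev_lon, lat, lon)
            if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                alerts.append((user, prev_city, city, round(km / hours)))
        last[user] = (t, lat, lon, city)
    return alerts


def failed_login_bursts(events):
    """Flag users with FAIL_THRESHOLD or more failures inside FAIL_WINDOW (once per user)."""
    alerts, recent = [], {}
    for ts, user, outcome, *_ in sorted(events):
        if outcome != "failure":
            continue
        t = datetime.fromisoformat(ts)
        recent[user] = [x for x in recent.get(user, []) if t - x <= FAIL_WINDOW] + [t]
        if len(recent[user]) >= FAIL_THRESHOLD and user not in [a[0] for a in alerts]:
            alerts.append((user, len(recent[user])))
    return alerts


if __name__ == "__main__":
    print("impossible travel:", impossible_travel(EVENTS))
    print("failed-login bursts:", failed_login_bursts(EVENTS))
```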

Security Information & Review

  • Monthly security review cadence established (review sign-in logs, DLP alerts, device compliance)
  • Vulnerability scanning scheduled — at minimum quarterly for externally facing systems
  • Penetration test or security assessment conducted at least annually

Tools & Cost

Tool                                               | Cost                 | Use
Microsoft Sentinel                                 | ~$2.46/GB ingested   | SIEM — log aggregation and alerting
Microsoft Defender XDR (in M365 Business Premium)  | Bundled              | Unified threat visibility across identity, endpoints, apps
Graylog (Open Source)                              | Free                 | Self-hosted SIEM for log aggregation
Wazuh                                              | Free / open source   | HIDS + log management + threat detection
Elastic Security                                   | Free tier available  | Log search and alerting

Common Misconceptions

“We’re too small to be a target.”

You’re the exact right size to be a target. Automated attacks don’t discriminate by company size. Ransomware gangs specifically target SMBs because the defenses are weaker and the organizations are more likely to pay. The Verizon Data Breach Investigations Report consistently shows SMBs comprising a significant share of breach victims.

“Zero Trust means I need to replace everything.”

No. It means you change how you make access decisions. Many Zero Trust controls are additive — you enable MFA on your existing M365 tenant, configure a Conditional Access policy, deploy Cloudflare Zero Trust in front of an existing app. Start with the highest-impact, lowest-cost controls.

“VPN already does this.”

A VPN gives authenticated users full network access. Zero Trust gives authenticated users on compliant devices access to specific applications, nothing else. These are fundamentally different trust models.

“We use the cloud, so this doesn’t apply.”

Cloud workloads need Zero Trust more than on-premises ones. SaaS apps, cloud storage, and cloud-hosted infrastructure are exposed to the internet by definition. Identity and access controls are the primary perimeter.

“MFA is good enough.”

MFA solves one thing: credential theft. It doesn’t protect against malware on an unmanaged device, against an over-privileged account, or against data exfiltrated through a legitimate application. MFA is table stakes, not the whole game.

“This is a one-time project.”

Zero Trust is a continuous program, not a deployment. Access patterns change. New applications are added. Employees join and leave. Threats evolve. The checklists above need to be revisited regularly — schedule it.


Where to Start

Don’t try to implement everything at once. Here’s a prioritized sequence based on risk reduction per dollar and hour spent:

Week 1–2: Highest ROI, Lowest Cost

  1. Enable MFA on email and identity provider — this single control blocks the majority of credential-based attacks
  2. Audit and terminate inactive accounts — run an access report, disable anyone who has left
  3. Deploy a password manager — Bitwarden free tier works for small teams; end password reuse immediately

Month 1: Foundation

  1. Configure Conditional Access — require MFA + compliant device for access to sensitive apps
  2. Enable full-disk encryption on all company devices (BitLocker / FileVault)
  3. Segment guest Wi-Fi from corporate network (most modern routers support this)
  4. Deploy DNS filtering — Cloudflare Gateway free tier takes 30 minutes to set up

Quarter 1: Core Controls

  1. Enroll devices in MDM — Microsoft Intune if on M365 Business Premium
  2. Audit SaaS app permissions — revoke OAuth apps employees connected and forgot about
  3. Test your backups — actually restore something; verify the 3-2-1 rule is met
  4. Define and communicate data classification — even a simple three-tier scheme helps

Quarter 2–4: Depth

  1. Deploy ZTNA for remote access — evaluate Cloudflare Zero Trust or Tailscale as VPN replacement
  2. Configure DLP policies in M365 or Google Workspace
  3. Set up centralized logging and alerting — even basic Microsoft Sentinel ingestion for identity events
  4. Conduct first penetration test or security assessment

Quick Reference: Framework Mapping

This guide maps directly to the CISA Zero Trust Maturity Model (Version 2.0, 2023) and aligns with NIST SP 800-207. If you’re working toward CMMC Level 1 or 2, these controls overlap significantly with the required practices.

ZT Pillar     NIST 800-207 Principle                 CMMC Overlap
Identity      All communication authenticated        AC, IA domains
Devices       Least-privilege access enforced        CM, SI domains
Network       Network access granted per-session     SC, CA domains
Applications  Resources verified before access       AC, CM domains
Data          Data protected regardless of location  MP, AU domains
