How business leaders and their MSPs can move from flat, fragile networks to smaller blast radiuses in 90 days — without ripping everything out.
In slide decks, zero trust is all glass towers and pristine diagrams. In the real world, it looks more like an old castle that’s been expanded badly — new wings slapped on, secret doors nobody remembers, and a lot of people walking around with keys they probably shouldn’t have.
Inside the already-breached castle
Picture a mid-sized company on a Friday afternoon.
They have a robust firewall, antivirus everywhere, a VPN they’ve paid for faithfully, and an MSP who keeps the lights on. On paper, they’re doing security the “right” way.
In practice:
- Everyone shares a couple of VPN logins because “it’s easier that way.”
- The office network and the plant floor or warehouse are bridged “temporarily” and nobody’s quite sure when that started.
- The MSP has domain admin “just in case,” plus a few old service accounts nobody wants to touch.
From the inside, it feels like a castle with thick stone walls. From an attacker’s perspective, once you’re past the drawbridge, there are no doors on any of the rooms.
If one laptop gets compromised, that user can walk into finance, HR, file shares, line-of-business apps, sometimes even OT or production systems, without ever being challenged again. “On the VPN” equals “trusted.” Inside the walls is safe; outside is dangerous.
That mindset is the exact opposite of zero trust.
What zero trust really means
Most business leaders encounter zero trust as a product category: platforms, fabrics, reference architectures. It sounds expensive and abstract, and it rarely starts from where they actually are.
At its core, zero trust is far simpler: stop assuming that anyone inside the castle is automatically safe. Every person, device, and application has to show ID at every door.
For a business leader or an MSP, that translates into three plain ideas:
- Identity first: People don’t share keys. Every user and admin has their own account, and you know who they are.
- Least privilege: Each role only gets the rooms it genuinely needs, not the whole castle “just in case.”
- Segmentation: There are hallways and locked doors between sensitive rooms, not one big open-floor warehouse.
Zero trust is not about perfection. It’s about shrinking how much damage any one bad key — or one bad laptop — can do.
The first 90 days: season one, not a reboot
Most organizations won’t bulldoze their existing network and rebuild it as a shining zero trust fortress. They will, however, survive and benefit from a first 90-day “season” that focuses on a single goal: shrink the blast radius.
Think in episodes, not an epic.
Days 1–30: Who actually has keys?
The first step is not buying anything. It’s asking a deceptively simple question:
Who actually has access to what?
When a business leader sits down with their MSP and starts listing accounts, a few patterns usually emerge:
- Shared VPN logins for whole departments or even the entire company.
- Former employees whose accounts are still active “because nothing broke.”
- MSP and internal admin accounts with highest-level access, used for everyday tasks.
This is where the castle story gets uncomfortable. You discover you have no accurate list of who can walk into the treasury, the archives, or the armory.
In this first month, progress looks like:
- Turning shared accounts into named individual accounts.
- Disabling obviously stale accounts that are no longer needed.
- Putting strong authentication (MFA) on the highest-risk access paths first: admin accounts, MSP logins, remote access into crown jewel systems.
No diagrams, no buzzwords — just a cleaner keyring.
Days 31–60: Map the blast radius
Next, the conversation shifts from “who has keys?” to “if one key is stolen, how far can the intruder get?”
Here, a simple mental model helps. Draw three circles:
- The inner circle: Crown jewels (billing, EMR, ERP, IP repositories, core line-of-business systems).
- The middle circle: Systems that directly support or feed into those crown jewels.
- The outer circle: Everything else — general office apps, shared drives, test environments.
Then ask:
- Which users, groups, and VPN profiles can reach the inner circle today?
- Are there networks or sites where “anyone who connects” automatically sees the crown jewels?
- Can the MSP or a single compromised admin account jump anywhere, anytime?
This is blast radius mapping.
You’re not redesigning the castle — you’re walking through it with a flashlight and noticing that the treasury currently opens from the lobby, the kitchen, and the broom closet.
Days 61–90: Carve a zero trust enclave
The most important shift is resisting the urge to “fix everything.” Instead, pick one crown jewel system and decide: this room gets a proper door and guest list.
A zero trust enclave is a protected bubble around that critical system. Inside 90 days, you can usually:
- Put that application behind strong identity: individual user accounts, integrated with your directory or SSO, and protected by MFA.
- Define role-based access: finance staff, managers, auditors, MSP support, each with clearly scoped permissions.
- Tighten the network path: instead of “on the VPN, access everything,” users reach the app through a narrower, monitored access path — whether that’s a modern VPN profile, an identity-aware gateway, or a ZTNA-style service.
The measure of success is straightforward and business-friendly: fewer people can reach this system, and you can name exactly who they are and why they have access.
At the end of 90 days, you haven’t rebuilt the castle; you’ve just ensured that one of your most important rooms finally has solid walls, a proper door, and a managed list of keys.
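The three-circle mapping and the questions from the first 90 days, worked through in code as an added illustration that is not part of the original article. The inventory, system names, principals and the 90-day staleness threshold are constructed for the example; in practice the reach data would come from your directory, VPN profiles and application role lists.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data, not from the article: systems placed in the three
# circles, and each principal's reach across them (via VPN profile, group, etc.).
TIERS = {"erp": "inner", "billing": "inner", "reporting-db": "middle", "fileshare": "outer", "wiki": "outer"}

@dataclass(frozen=True)
class Principal:
    name: str
    kind: str          # "user", "shared", "service" or "admin"
    mfa: bool
    last_login: date
    reach: frozenset   # systems this principal can connect to today

INVENTORY = [
    Principal("alice", "user", True, date(2024, 5, 30), frozenset({"erp", "fileshare"})),
    Principal("ACCOUNTING", "shared", False, date(2024, 5, 31), frozenset({"billing", "erp"})),
    Principal("vpn-sales", "shared", False, date(2024, 5, 31), frozenset(TIERS)),
    Principal("svc-backup", "service", False, date(2024, 1, 2), frozenset({"erp", "billing", "reporting-db"})),
    Principal("msp-admin", "admin", True, date(2024, 5, 31), frozenset(TIERS)),
    Principal("bob-ex", "user", True, date(2023, 11, 1), frozenset({"wiki"})),
]

def innermost(reach, tiers=TIERS):
    """Innermost circle a principal can reach: 'inner', 'middle', 'outer' or None."""
    circles = {tiers[s] for s in reach if s in tiers}
    return next((c for c in ("inner", "middle", "outer") if c in circles), None)

def who_can_reach(system, inventory=INVENTORY):
    """Answer 'who can walk into this room today?' as a sorted list of names."""
    return sorted(p.name for p in inventory if system in p.reach)

def audit(inventory=INVENTORY, today=date(2024, 6, 1), stale_days=90):
    """Days 1-60: surface shared keys, missing MFA, stale accounts and admins who can go anywhere."""
    findings = []
    for p in inventory:
        circle = innermost(p.reach)
        if p.kind == "shared" and circle == "inner":
            findings.append((p.name, "shared account reaches crown jewels"))
        if circle == "inner" and not p.mfa:
            findings.append((p.name, "crown-jewel access without MFA"))
        if (today - p.last_login).days > stale_days:
            findings.append((p.name, "stale account still enabled"))
        if p.kind == "admin" and p.reach >= frozenset(TIERS):
            findings.append((p.name, "admin can jump anywhere"))
    return findings

def carve_enclave(system, allowed, inventory=INVENTORY):
    """Days 61-90: only the named principals keep this system in their reach."""
    return [p if p.name in allowed else
            Principal(p.name, p.kind, p.mfa, p.last_login, p.reach - {system})
            for p in inventory]
```

Running `who_can_reach("erp")` before and after `carve_enclave("erp", {"alice", "msp-admin"})` gives the kind of before/after count the article suggests reporting to the business.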
A mini-case: from VPN and vibes to measured trust
Consider a fictional but familiar company: a regional manufacturer with about 250 employees and a long-standing MSP relationship.
Their accounting system runs on a server in the main office. Before their journey:
- Anyone on the corporate network — or on the VPN — could connect to it.
- The three accounting staff shared a single “ACCOUNTING” login for the app.
- The MSP had full database access because “we might need to fix something quickly one day.”
For years, this worked. It was convenient. Then a story hit the news about a similar business where stolen VPN credentials led to a ransomware incident. The attacker stepped through the VPN and immediately saw the entire network.
The CEO asked a direct question most MSPs dread: “If someone stole one of our VPN logins, could they get to our financials?”
The honest answer: “Yes, they probably could.”
That answer became the start of their zero trust enclave.
Over the next three months, this company and their MSP made a modest set of changes:
- Each accounting employee got their own directory account tied to HR records, with individual logins for the accounting app.
- Access to the application was moved behind an SSO portal with MFA, so logging in required proving identity, not just being “on the network.”
- The network rules were adjusted so that only the accounting team and a very small set of administrative paths could reach the accounting server.
- The MSP retired blanket database access, creating a limited support account used only with approval and logged each time.
From the staff’s point of view, the change was mostly a new login page and a prompt on their phone.
From a security perspective, the world changed: a stolen VPN credential no longer opened the whole castle. At worst, it put an attacker in a monitored hallway with very few unlocked doors.
Same network. Same people. Same MSP. The difference was that one bad key now hit a locked door instead of the vault.
How business leaders and MSPs share the work
Zero trust can’t be shoved off entirely onto IT or entirely onto the business. It works best when both sides take a share of the load.
Business leaders own the why:
- Deciding which rooms are truly crown jewels and making them a priority.
- Accepting a small amount of friction — MFA prompts, approvals, sometimes new login flows — in exchange for a big reduction in risk. This often hinges on cultivating a strong security culture.
- Putting blast radius into risk discussions, not just “do we have a firewall?”
MSPs own much of the how:
- Turning zero trust ideas into concrete steps: identity clean-up, access groups, network rules, and clear support paths.
- Proposing targeted enclaves instead of massive, disruptive overhauls.
- Reporting progress in plain language: “Last quarter, we cut the number of people who can reach your financial system from 60 to 8, and every access is now logged.”
In the end, zero trust in the real world isn’t a gleaming new fortress; it’s your existing castle, with some honest light shone into the corners, a few dangerously open rooms finally locked, and a steadily improving list of who has which keys.