When I hear the term Zero Trust thrown around in the MSP space, my honest reaction is that it has become a label, very similar to how “AI” is being used right now. It gets slapped onto every tool and turnkey solution even when it doesn’t truly apply. The reality is much simpler: Zero Trust is not a product. It’s not a license tier. It’s not a magical silver bullet. Zero Trust is a methodology, one that exists independently of any one vendor or toolset.
The core idea is really just an evolution of least privilege. Instead of checking someone’s identity once at the door, you check it every single time they access something. That constant validation is what eliminates lingering access, unintended permissions, and the kinds of blind spots that open the door to threat actors. One of the most tangible benefits our clients experience is how much this approach reduces their external attack surface. No matter how well you think you’ve locked down your firewall, if something is open, someone out there is trying to get in.
What Zero Trust Actually Looks Like Today
There’s a misconception that Zero Trust is too expensive or too complex for most organizations to adopt. That simply isn’t the case. Yes, there can be some investment required to move the needle, but that doesn’t mean you need to rip out everything you currently use.
More often than not, the first step is making sure clients are already using the features they’ve paid for, and Microsoft licensing is a big one. Many firewall vendors bundle in capabilities that align with Zero Trust principles without advertising them clearly. Sometimes clients are already partway through a transition from on-prem AD to Entra ID without realizing they can decommission a legacy service or application for a quick yet meaningful win in attack surface reduction.
It’s important to take stock of old pathways you may no longer need. I’ve seen environments still running a VPN for a single legacy resource when the safer and simpler option is to offload it to a vendor’s SaaS platform instead. In some cases, the best Zero Trust move is removing the thing that creates risk.
Tools like Zscaler absolutely offer deep granularity and control, but depending on your size or complexity, that may be more capability than you realistically need. Zero Trust isn’t about buying the biggest platform; it’s about using the right approach.
The Fundamentals That Actually Matter
Independent of any specific vendor, the fundamentals are where Zero Trust succeeds or fails. If a product supports MFA, it should be enabled. Leaving it off is leaving yourself open to unnecessary risk. The lift is small, and the reward is substantial.
Identity is foundational. You cannot build Zero Trust on fragmented identity. Centralized identity, through Active Directory, Entra ID, Okta, or another identity provider, is what gives you the ability to enforce access policies consistently and evaluate risk for every login and every resource request.
In environments where I see shared accounts, I know attribution and auditing are already compromised. Shared credentials might feel convenient, but they make it nearly impossible to understand who did what, and they create a huge blind spot from a security perspective. Cleaning up those legacy patterns is just as important as implementing any new technology.
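Shared credentials rarely announce themselves in a directory, but they do leave a trace in sign-in logs: one account appearing from several different sources within minutes of itself. The script below is an added illustration, not code from EMBER or any identity provider, that runs that check over a handful of constructed sign-in records. The CSV-like log format, the ten-minute window and the two-source threshold are assumptions; adapt them to whatever your identity provider actually exports.

```python
"""Added example (not EMBER's code): flag accounts that sign in from more
than one source within a short window, a common signature of shared
credentials. The log records below are constructed, not real data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records: timestamp,user,source_ip,device
SAMPLE_SIGNINS = """\
2024-05-01T08:58:02Z,reception,198.51.100.4,Windows
2024-05-01T09:01:45Z,reception,203.0.113.77,iPhone
2024-05-01T09:04:10Z,reception,192.0.2.31,Windows
2024-05-01T09:00:12Z,jsmith,198.51.100.4,Windows
2024-05-01T09:07:30Z,jsmith,198.51.100.4,Windows
2024-05-01T09:10:00Z,mlee,198.51.100.9,Mac
2024-05-01T12:15:00Z,mlee,203.0.113.80,Mac
"""


def parse_signins(text):
    """Parse the CSV-like records into (timestamp, user, ip, device) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, device = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, device))
    return events


def find_shared_accounts(events, window=timedelta(minutes=10), min_sources=2):
    """Return {user: set of (ip, device)} for every user seen from at least
    `min_sources` distinct sources inside some span no longer than `window`.
    A legitimate user switching from Wi-Fi to mobile can trip this too, so
    treat the output as leads to investigate, not as proof of sharing."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)

    findings = {}
    for user, evs in by_user.items():
        evs.sort()  # chronological order; tuples sort on the timestamp first
        for i, (ts, _, _, _) in enumerate(evs):
            # Distinct (ip, device) pairs seen in the window ending at this event
            sources = {(e[2], e[3]) for e in evs[: i + 1] if ts - e[0] <= window}
            if len(sources) >= min_sources:
                findings.setdefault(user, set()).update(sources)
    return findings


if __name__ == "__main__":
    for user, sources in find_shared_accounts(parse_signins(SAMPLE_SIGNINS)).items():
        print(f"{user}: {len(sources)} distinct sources in a 10-minute span")
        for ip, device in sorted(sources):
            print(f"    {ip:<15} {device}")
```

In the constructed sample only the `reception` account is flagged: three different address/device pairs in under ten minutes. `jsmith` signs in twice from the same place, and `mlee` appears from two addresses but three hours apart, so neither crosses the threshold. Accounts that surface here repeatedly are the ones to convert into named identities before any advanced control is layered on top.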
Identity, MFA, and eliminating shared access all set the stage for Zero Trust. Without these basics, the advanced controls don’t land the way they should.
MFA, Conditional Access, and Client Experience
One thing I expected early on, but haven’t actually seen, is major user pushback around MFA or conditional access. Once users get familiar with Microsoft Authenticator or Okta FastPass, they usually find it more convenient, not less. The friction tends to come from service accounts or automated processes, but even in those cases we have compensating controls like application passwords that let us maintain security without breaking workflows.
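To make the “check every single time, not once at the door” idea concrete, here is an added example in the style of a conditional access policy. It is illustrative code, not EMBER’s, Microsoft’s or Okta’s, and the rules it encodes are assumptions: legacy authentication is blocked outright, MFA is required on every request, sensitive apps and admins additionally need a compliant device, and the service-account exception is modelled as a restriction to a known source address rather than an application password. Each request is decided on its own; nothing is inherited from an earlier allow for the same user.

```python
"""Added example: a per-request access policy in the style of conditional
access. Illustrative code, not EMBER's, Microsoft's or Okta's; the policy
rules, group names, app names and service-account addresses are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset        # group memberships from the identity provider
    app: str                 # resource being requested
    mfa_satisfied: bool      # did this sign-in present a strong second factor?
    device_compliant: bool   # device posture as reported by the MDM
    client: str              # "modern" (OAuth/OIDC) or "legacy" (basic auth)
    source_ip: str
    interactive: bool = True


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


# Hypothetical: apps that additionally require a compliant device.
SENSITIVE_APPS = {"finance-erp", "hr-portal"}

# Hypothetical: non-interactive service identities and the only addresses they
# are expected to connect from (the compensating control for an account that
# cannot perform MFA).
SERVICE_ACCOUNTS = {"svc-backup": {"203.0.113.10"}}


def evaluate(req: Request) -> Decision:
    """Decide one request. Called for every request; nothing is carried over
    from an earlier decision for the same user or session."""
    if req.client == "legacy":
        # Legacy protocols cannot carry an MFA claim, so they are blocked outright.
        return Decision(False, "legacy authentication is blocked")

    if req.user in SERVICE_ACCOUNTS:
        if req.interactive:
            return Decision(False, "service account may not sign in interactively")
        if req.source_ip not in SERVICE_ACCOUNTS[req.user]:
            return Decision(False, f"service account from unexpected source {req.source_ip}")
        return Decision(True, "service account from its expected source")

    if not req.mfa_satisfied:
        return Decision(False, "MFA required")

    needs_compliant_device = req.app in SENSITIVE_APPS or "admins" in req.groups
    if needs_compliant_device and not req.device_compliant:
        return Decision(False, "compliant device required for this app or role")

    return Decision(True, "all conditions satisfied")


def evaluate_all(requests):
    """Evaluate a sequence of requests independently, one Decision per request.
    A prior allow for the same user grants nothing to the requests after it."""
    return [evaluate(r) for r in requests]


if __name__ == "__main__":
    jane = dict(user="jane", groups=frozenset({"staff"}), client="modern",
                source_ip="198.51.100.20")
    demo = [
        Request(app="mail", mfa_satisfied=True, device_compliant=True, **jane),
        # Same user a moment later, from a non-compliant device, asking for a
        # sensitive app: the earlier allow does not carry over.
        Request(app="finance-erp", mfa_satisfied=True, device_compliant=False, **jane),
        Request(user="svc-backup", groups=frozenset(), app="backup-api",
                mfa_satisfied=False, device_compliant=False, client="modern",
                source_ip="203.0.113.10", interactive=False),
    ]
    for r, d in zip(demo, evaluate_all(demo)):
        print(f"{r.user:>10} -> {r.app:<12} {'ALLOW' if d.allow else 'DENY':<5} {d.reason}")
```

The point of the second request in the demo is the one the post makes about lingering access: the same user who was just allowed into mail is denied the finance app seconds later, because the device posture on that request does not meet the policy. The service account is the friction case from the paragraph above, handled by a compensating control (a fixed source address, non-interactive only) rather than by switching MFA off for everyone.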
A Real-World Example of Zero Trust Working
One of the most validating moments I’ve seen came after a client finished a Zscaler rollout with us. We spent time fine-tuning the access controls, making sure everything was as granular and intentional as possible. When they brought in an external auditor to run a penetration test, the tester’s feedback was that it was one of the most frustrating environments they had worked in for a long time.
That kind of frustration is exactly what you want from a pen tester. They’re using real-world methodologies and tools. If their standard playbook doesn’t get them anywhere, that means Zero Trust is doing what it’s supposed to do.
Where Zero Trust Hits Friction: Legacy Apps
We’re lucky that most of our clients haven’t attempted Zero Trust before we arrive, so we’re guiding them from the start. That means we can walk them through not just what we’re doing, but why it matters and how certain workflows or processes may need to adapt.
The biggest complications usually come from older line-of-business applications. Some don’t support SSL inspection. Some don’t run encrypted connections. Some simply don’t understand modern authentication. Tools like Zscaler can work around a lot of this, but sometimes the better discussion is whether the application should be modernized or replaced.
Zero Trust doesn’t break these applications – these applications break Zero Trust.
What “Minimum Viable Zero Trust” Really Means
If I had to define the smallest, most achievable version of Zero Trust, it comes down to three things:
A centralized identity provider.
MFA everywhere.
No traditional VPN.
Removing VPNs is one of the biggest and most immediate wins. Even if you configure them securely, they’re still an exposed door. With something like Zscaler Private Access, or any modern ZTNA solution, you don’t need inbound connectivity at all. Everything is outbound-only. You eliminate port forwarding. You eliminate lingering RDP exposure. And you eliminate one of the most common attack surfaces on the internet.
Recently, I’ve seen an uptick in scanners hitting VPN endpoints thousands of times in a row. Sometimes it’s a nuisance, sometimes it’s crippling. But the best VPN is simply not having one.
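Until the VPN endpoint is actually gone, the scanning described above is worth catching rather than just enduring. The script below is an added example, not EMBER’s code or anything from a VPN vendor, that reads constructed syslog-style authentication lines and flags any source producing a burst of failures inside a short window, along with how many different usernames it tried. The line format, the five-minute window and the threshold of five are assumptions; real appliances log differently and the regular expression will need adjusting.

```python
"""Added example (not EMBER's code): spot a source hammering a VPN endpoint
with authentication failures. The log lines are constructed, not from a real
appliance, and the line format is an assumption."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style VPN authentication lines.
SAMPLE_VPN_LOG = """\
May 10 03:12:01 fw1 vpn: auth failed user=admin src=203.0.113.55
May 10 03:12:03 fw1 vpn: auth failed user=administrator src=203.0.113.55
May 10 03:12:04 fw1 vpn: auth failed user=vpn src=203.0.113.55
May 10 03:12:06 fw1 vpn: auth failed user=test src=203.0.113.55
May 10 03:12:09 fw1 vpn: auth failed user=admin src=203.0.113.55
May 10 03:12:11 fw1 vpn: auth failed user=guest src=203.0.113.55
May 10 03:13:40 fw1 vpn: auth failed user=jsmith src=198.51.100.7
May 10 03:14:02 fw1 vpn: auth ok user=jsmith src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s\S+\svpn:\sauth\s"
    r"(?P<result>failed|ok)\suser=(?P<user>\S+)\ssrc=(?P<src>\S+)$"
)


def parse_vpn_log(text):
    """Yield (timestamp, result, user, src) for each well-formed line."""
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in other formats rather than crashing
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
        yield ts, m["result"], m["user"], m["src"]


def find_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Return {src: {"failures": n, "usernames": k}} for sources with at least
    `threshold` failed attempts inside some span no longer than `window`.
    `failures` is the largest such burst, `usernames` the number of distinct
    usernames tried in it; many usernames from one source looks like a spray,
    one username repeated looks more like a forgotten password."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "failed":
            by_src[src].append((ts, user))

    findings = {}
    for src, attempts in by_src.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits within `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = {u for _, u in attempts[start:end + 1]}
                prev = findings.get(src, {"failures": 0, "usernames": 0})
                findings[src] = {"failures": max(prev["failures"], count),
                                 "usernames": max(prev["usernames"], len(users))}
    return findings


if __name__ == "__main__":
    for src, info in find_bursts(parse_vpn_log(SAMPLE_VPN_LOG)).items():
        print(f"{src}: {info['failures']} failures, "
              f"{info['usernames']} distinct usernames within 5 minutes")
```

On the constructed sample, `203.0.113.55` is reported with six failures across five usernames in about ten seconds, while `198.51.100.7` (one failed attempt followed by a successful one) is not. Alerting like this buys visibility while the endpoint still exists; the post’s actual answer, closing the inbound door altogether, is what makes the noise stop.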
Final Thoughts
Zero Trust isn’t something you buy; it’s something you build. And you build it by focusing on identity, removing unnecessary trust, and eliminating exposure wherever you can. You don’t need a perfect Zero Trust architecture to meaningfully reduce risk. What you need is a clear starting point, clean fundamentals, and incremental progress in the right direction.
At EMBER, that’s exactly how we guide clients: one intentional, achievable step at a time. Because the goal isn’t to hit perfection; it’s to make your environment safer tomorrow than it was yesterday.