
A ‘zero-trust’ checklist for SMBs

March 19, 2024

Zero trust may be daunting for SMBs, but it isn’t impossible. Learn the recommended steps to building a zero-trust network and what to prioritize for maximum efficacy.

The uphill battle for SMBs 

Most companies see the value in moving to a zero-trust model, and many large organizations and government agencies have either already begun the process or are well-practiced in enforcing the approach. 

For smaller companies, however, there are significant barriers to moving to a zero-trust model, including cost, infrastructure, and skilled staff who can implement and enforce a feasible zero-trust plan. As a result, SMBs have been slower to get on board despite the cybersecurity benefits.

Daunting, but doable 

These barriers might make building a zero-trust architecture more daunting, but it isn’t impossible. A number of the tools and processes needed to begin building a zero-trust foundation may already be in place as a result of compliance with data regulations and other fundamental cybersecurity best practices. 

John Kindervag, the founder of Zero Trust, offers five steps [1] to building a zero-trust network, recognizing that the framework will be a long journey for some: 

  1. Define your protect surface. Start with building microperimeters around the smallest and least sensitive units (a single asset or application, for example) to learn and practice; then, move to larger, more critical assets.
  2. Map the transaction flows. A map can be a powerful weapon in cyber warfare—you’d rather be wrong than lost. 
  3. Architect a zero-trust network.
  4. Create a zero-trust policy.
  5. Monitor and maintain the network.

The White House released a memo [2] with guidelines for a zero-trust strategy, which uses CISA’s Zero Trust Maturity Model [3]. Although the strategy is designed for government agencies, it still offers a North Star for SMBs to see what types of tools they’ll need to begin their zero-trust implementation. For example: 

  • Identity. Identity is at the center of zero trust. Whether human or nonhuman, identity is how data is accessed and controlled. Verifying identities and restricting access through authentication is key to successful zero trust. Therefore, multi-factor authentication (MFA) should be at the top of your zero-trust action plan.
  • Devices. You can’t protect what you can’t see. As a final state, your action plan should include inventory and monitoring of every device that touches your company’s network and data. 
  • Networks. As a goal, your organization’s best practices should include:
    • Encrypting all traffic across your environment
    • Setting up microperimeters around sensitive data
    • Isolating the most sensitive information

Detection and response capabilities are still crucial 

In an ideal world, an airtight zero-trust strategy would have no need for detection and response. But in the real world, zero trust cannot and should not replace the need for detection and response controls. In fact, detection and response should be factored into the zero-trust methodology for maximum effectiveness. Your zero-trust strategy should also include:

  • Regular testing across applications and workloads to check for vulnerabilities
  • Constant traffic monitoring of sensitive data through logging
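As an added example (not code from the article or from SEI Sphere), the five steps and the three pillars above can be reduced to a small default-deny policy evaluator: the protect surface is declared explicitly, only mapped transaction flows are permitted, every access must come from a verified identity (MFA) on an inventoried device over an encrypted connection, and every allow or deny decision is written to an audit log so the network can be monitored. All asset names, device ids and sample requests are constructed for illustration.

```python
"""Added example: a minimal zero-trust policy engine following the article's
steps (define protect surface, map flows, write policy, monitor). Every
asset name, device id and request below is constructed, not real data."""
from __future__ import annotations
from dataclasses import dataclass, field

# Step 1: the protect surface, kept deliberately small (assumed asset names).
PROTECT_SURFACE = {"payroll-db", "customer-crm"}

# Step 2: mapped transaction flows as (source workload, role, destination).
# Anything not on this map is denied by default.
ALLOWED_FLOWS = {
    ("hr-app", "hr", "payroll-db"),
    ("sales-portal", "sales", "customer-crm"),
}

# Devices pillar: inventory of managed, monitored devices (constructed).
DEVICE_INVENTORY = {"laptop-0042", "laptop-0077"}


@dataclass
class Request:
    user: str
    role: str
    source: str          # application or workload originating the flow
    destination: str     # asset being accessed
    device_id: str
    mfa_verified: bool   # identity pillar: did the user pass MFA?
    encrypted: bool      # networks pillar: is the traffic encrypted?


@dataclass
class PolicyEngine:
    audit_log: list[str] = field(default_factory=list)

    def evaluate(self, req: Request) -> tuple[bool, str]:
        """Step 4/5: apply the policy and log every decision, allow or deny."""
        allowed, reason = self._decide(req)
        self.audit_log.append(
            f"{'ALLOW' if allowed else 'DENY'} user={req.user} src={req.source} "
            f"dst={req.destination} device={req.device_id} reason={reason}"
        )
        return allowed, reason

    def _decide(self, req: Request) -> tuple[bool, str]:
        # Only the protect surface is gated here; an unknown destination is
        # denied rather than allowed by omission.
        if req.destination not in PROTECT_SURFACE:
            return False, "destination not in protect surface (default deny)"
        # Identity pillar: MFA is required for every access to the protect surface.
        if not req.mfa_verified:
            return False, "MFA not verified"
        # Devices pillar: you can't protect what you can't see.
        if req.device_id not in DEVICE_INVENTORY:
            return False, "device not in inventory"
        # Networks pillar: all traffic to sensitive data must be encrypted.
        if not req.encrypted:
            return False, "traffic not encrypted"
        # Steps 2 and 4: only mapped transaction flows cross the microperimeter.
        if (req.source, req.role, req.destination) not in ALLOWED_FLOWS:
            return False, "flow not in transaction map"
        return True, "mapped flow, verified identity and device"


def run_sample() -> list[tuple[bool, str]]:
    """Evaluate four constructed requests and return the decisions."""
    engine = PolicyEngine()
    requests = [
        Request("alice", "hr", "hr-app", "payroll-db", "laptop-0042", True, True),
        Request("alice", "hr", "hr-app", "payroll-db", "laptop-0042", False, True),
        Request("alice", "hr", "hr-app", "payroll-db", "laptop-9999", True, True),
        # A sales workload reaching for payroll data is not a mapped flow.
        Request("bob", "sales", "sales-portal", "payroll-db", "laptop-0077", True, True),
    ]
    decisions = [engine.evaluate(r) for r in requests]
    for line in engine.audit_log:
        print(line)
    return decisions


if __name__ == "__main__":
    run_sample()
```

The order of checks is deliberate: identity and device posture are evaluated before the flow map, so the audit log tells you whether a denial came from a missing control (MFA, inventory, encryption) or from a transaction that was never mapped, which is the signal you need when extending the protect surface step by step.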

SMBs may not have the in-house staffing for these tasks. Working with managed service providers can fill in the missing parts of cybersecurity hygiene that are needed to implement zero trust.

Prioritize hygiene and the right partner 

Let’s be clear: Zero trust is tough to implement—even in large enterprise environments with bigger security budgets and security teams. But simplicity remains at the heart of this framework; overhauling the management of what’s trusted versus untrusted can be freeing in the long run. As a starting point, SMBs should keep the scope small. Have policies and security tools in place to practice good cybersecurity hygiene, especially MFA and data encryption. Then, find the right partners to help build and maintain your zero-trust architecture. 

Looking for help implementing your zero-trust strategy?

As a managed service provider, SEI Sphere® partners with leading technologies for IAM, network monitoring, and endpoint protection.

[1] Charlie Bedell, “John Kindervag’s Five Steps for Zero Trust,” illumio, February 2, 2024. 

[2] Shalanda D. Young, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles,” Memorandum for the Heads of Executive Departments and Agencies, January 26, 2022. 

[3] Cybersecurity and Infrastructure Security Agency, “Zero Trust Maturity Model,” April 2023.
