What Is Zero Trust Security? A Plain-English Guide
Published June 11, 2026
Zero trust security is a simple idea applied rigorously: no user or device is automatically trusted just because it is inside your network, so every request to reach an app or file is verified first, every time. The phrase people use to sum it up is “never trust, always verify.” This guide is for owners and IT leaders who keep hearing “zero trust” from vendors, insurers, and auditors and want a clear, plain-English picture of what it means, how the major tools deliver it, and what it costs to put in place. The payoff is concrete: done well, zero trust keeps one stolen password or one infected laptop from turning into a full breach.
What zero trust security actually means
For years, security worked like a castle with a moat. You built a strong wall around the office network, and once someone was inside, they were largely trusted to move around. That made sense when everyone worked in one building. It falls apart when staff work from home, data lives in the cloud, and attackers only need one valid password to walk straight through the gate.
Zero trust security throws out the assumption that being inside the network means you are safe. Instead, it verifies every request: this user, on this device, trying to reach this specific app, right now. Nothing is trusted by default, and trust is re-checked continuously rather than granted once at login. The phrase people use to sum it up is “never trust, always verify.” Microsoft's own zero trust overview lays out the full model if you want the deeper version.
The three core ideas
Strip away the jargon and zero trust comes down to three habits:
- Verify explicitly. Check identity and device health every time, not just once. A correct password alone is not enough; the system also wants to know the device is known and healthy.
- Use least privilege. Give each person access only to what they actually need, and nothing more. If an account is compromised, the attacker inherits a small box, not the keys to everything.
- Assume breach. Design as if an attacker is already inside. Segment the network into compartments so a problem in one area cannot quietly spread to the rest.
You do not have to adopt all of this at once. Most organizations build toward zero trust in stages, and the early steps stop the most common attacks. We cover the broader picture on our cybersecurity page.
How Fortinet, Cisco Meraki, and Cloudflare deliver zero trust
No vendor sells “zero trust” as a single box. What they sell are the pieces that make it real. Three platforms come up most often, and they take noticeably different paths. The right one usually depends on what you already run.
Fortinet
If you already have a FortiGate firewall, you may own more zero trust than you realize. Fortinet builds zero trust network access, or ZTNA, directly into the operating system the firewall already runs. Before letting a user reach an application, the FortiGate and the FortiClient agent on the device check both who the user is and whether their device is healthy, and they do it for every session rather than once a day. Fortinet calls this Universal ZTNA, and because it is part of the firewall license, it often does not cost extra to turn on. Add multi-factor login and network segmentation, and a FortiGate-centered network can reach a strong zero trust posture with tools that are already on site. This is the stack Desert Lakes leans on most, and Fortinet's Universal ZTNA overview spells out the details.
Cisco Meraki
Meraki's strength is simple, cloud-managed networking across many locations, and zero trust comes from pairing it with the wider Cisco toolset. The Meraki dashboard handles network segmentation and group policies, so different types of users and devices are walled off from each other. Cisco Duo adds the verify-first layer: it checks for multi-factor login and confirms a device is healthy before granting access. Meraki Systems Manager watches device posture, and Cisco Umbrella filters threats at the DNS level, before a bad connection is ever made. For an organization with multiple sites that wants one clean dashboard, the Meraki-plus-Duo combination is a well-trodden path to zero trust.
Cloudflare
Cloudflare takes a cloud-first route that does not depend on your hardware. Its zero trust platform, Cloudflare One, sits in front of your applications from Cloudflare's global network. Cloudflare Access verifies identity and device for every request to an app, which lets it replace a traditional VPN. Cloudflare Gateway filters web and DNS traffic to keep staff away from malicious sites. And Cloudflare Tunnel makes internal apps reachable for remote staff without opening any inbound ports on your firewall, which removes a common point of attack. This approach, where security is delivered as a cloud service rather than a box, is what the industry calls SSE. It is a strong fit for cloud-heavy or remote-first teams, and Cloudflare publishes its plans, including a free tier for small teams, on its Zero Trust plans page.
What zero trust security costs
The honest answer to “how much does zero trust cost” is that there is no single price tag, because much of it builds on tools you may already own. It helps to see the spend in three buckets:
- What you already have. This is the pleasant surprise. Fortinet includes ZTNA in the FortiGate license, Microsoft 365 Business Premium and the E3 and E5 plans include identity controls like Conditional Access (rules that decide who gets in based on user, device, and risk), and Cloudflare offers a free zero trust tier for small teams. Many organizations already own a solid foundation and simply have not switched it on.
- Add-on platforms. If you want a full cloud-delivered service, ZTNA and web-filtering platforms are commonly priced per user, per month, often with a free or low-cost tier for small teams that scales up as you grow.
- The rollout and management. This is usually the real cost, and the one worth planning for. Designing the access rules, segmenting the network, deploying the agents, and keeping it all tuned takes expertise and time. It is also where a partner saves you the most.
Because so much of zero trust is configuration rather than new purchases, the smart move is to inventory what you already pay for before buying anything. If you would like help sizing that, our managed IT service builds these controls in, and you can see how we price ongoing support on our pricing page.
How to start with zero trust
You reach zero trust in steps, not in one leap, and the order matters because the first moves block the most attacks for the least effort. A sensible sequence:
- Turn on multi-factor login everywhere. The single highest-impact step. A stolen password alone stops being enough to get in.
- Check device health. Only let known, updated, protected devices reach your data.
- Replace the VPN with ZTNA. Grant access to one app at a time after verifying the user and device, instead of opening the whole network.
- Apply least privilege. Review who can reach what, and trim access down to what each role actually needs.
- Segment the network. Wall off systems so a problem in one area cannot spread freely to the rest.
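To make the three habits above (verify explicitly, least privilege, assume breach) and the step sequence concrete, here is a small policy decision point written as an added example. It is constructed for this guide and is not code from the post, from Fortinet, Cisco, Cloudflare, or Microsoft, and every name in it (the roles, apps, device fields, thresholds, and the five-minute grant lifetime) is an assumption chosen for illustration. Each request carries the user, the MFA result, the device's posture, and the one app being asked for; the function denies unless identity, device health, and the role's entitlement all check out, and when it allows, the grant covers that single app for a short time rather than "the network", which is the difference the text draws between ZTNA and a traditional VPN.

```python
"""Added example: a tiny zero trust policy decision point.

Constructed illustration, not any vendor's engine or the post's own code.
Each request is judged on the post's three habits:
  verify explicitly  -> MFA satisfied AND device known and healthy
  least privilege    -> role-to-app allowlist, nothing more
  assume breach      -> a grant is scoped to one app and expires quickly,
                        so access is re-earned per request, not held per login
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool          # enrolled in MDM, i.e. a device the org knows
    disk_encrypted: bool
    patch_age_days: int    # days since the OS was last patched
    edr_running: bool      # endpoint protection agent alive


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_verified: bool     # did the user complete multi-factor login this session?
    device: Device
    app: str               # exactly one application, never "the network"


@dataclass(frozen=True)
class Decision:
    allow: bool
    app: str
    reasons: tuple[str, ...]
    ttl_seconds: int = 0   # how long the grant lasts before re-verification


# Least privilege: each role sees only what it needs (constructed values).
ROLE_APPS = {
    "accounting": {"payroll", "email"},
    "sales": {"crm", "email"},
    "it-admin": {"payroll", "crm", "email", "admin-console"},
}

MAX_PATCH_AGE_DAYS = 30    # assumed posture threshold
GRANT_TTL_SECONDS = 300    # assumed short-lived grant; re-checked, not granted once


def device_health_failures(d: Device) -> list[str]:
    """Verify explicitly: a correct password is not enough; the device must be known and healthy."""
    problems = []
    if not d.managed:
        problems.append("device not enrolled")
    if not d.disk_encrypted:
        problems.append("disk not encrypted")
    if d.patch_age_days > MAX_PATCH_AGE_DAYS:
        problems.append(f"patches {d.patch_age_days} days old")
    if not d.edr_running:
        problems.append("endpoint protection not running")
    return problems


def evaluate(req: Request) -> Decision:
    """Decide one request; every failing check is reported so the denial is explainable."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("MFA not satisfied")
    reasons.extend(device_health_failures(req.device))
    # Least privilege: an unknown role gets nothing; a known role only its allowlist.
    if req.app not in ROLE_APPS.get(req.role, set()):
        reasons.append(f"role '{req.role}' has no entitlement to '{req.app}'")
    if reasons:
        return Decision(False, req.app, tuple(reasons))
    # Assume breach: the grant covers this one app for a few minutes, so a
    # compromised session cannot wander the way a VPN client on the LAN could.
    return Decision(True, req.app, ("identity, device and entitlement verified",), GRANT_TTL_SECONDS)


def sample_decisions() -> dict[str, Decision]:
    """Constructed requests covering the cases the guide describes."""
    healthy = Device("LT-001", managed=True, disk_encrypted=True, patch_age_days=3, edr_running=True)
    infected = Device("LT-002", managed=True, disk_encrypted=True, patch_age_days=3, edr_running=False)
    return {
        "accountant, healthy laptop, payroll": evaluate(Request("alice", "accounting", True, healthy, "payroll")),
        "stolen password, no MFA":             evaluate(Request("alice", "accounting", False, healthy, "payroll")),
        "accountant asks for admin console":   evaluate(Request("alice", "accounting", True, healthy, "admin-console")),
        "admin on laptop with EDR stopped":    evaluate(Request("bob", "it-admin", True, infected, "admin-console")),
        "unknown role, healthy laptop":        evaluate(Request("eve", "contractor", True, healthy, "email")),
    }


if __name__ == "__main__":
    for label, d in sample_decisions().items():
        print(f"{label}: {'ALLOW' if d.allow else 'DENY'} {d.app} ({'; '.join(d.reasons)})")
```

Only the first request is allowed, and even that grant names one app and expires after five minutes. The other four show the failure modes the guide lists: a stolen password without MFA, an account reaching beyond its role, a device whose protection has stopped, and a user the allowlist has never heard of. Real products (FortiGate with FortiClient, Duo with Systems Manager, Cloudflare Access, Conditional Access) apply the same shape of decision with their own posture signals and policy language.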
Done in this order, each step pays off on its own, so you are more secure from the very first change. Zero trust also overlaps heavily with what cyber insurers now expect, which we cover in our guide to cyber insurance requirements, and with the controls that support frameworks like HIPAA and SOC 2 on our compliance page.
Frequently asked questions
What is zero trust security in simple terms?
Zero trust security is the idea that no user or device is automatically trusted just because it is inside your network. Every request to reach an app or file is verified first, checking who the user is and whether their device is healthy, every time. The short version is “never trust, always verify.”
Is zero trust a product I can buy?
No. Zero trust is an approach, not a single product. You reach it by combining tools you likely already have, such as multi-factor login, device checks, and network segmentation, into a consistent verify-first model. Vendors like Fortinet, Cisco Meraki, and Cloudflare sell pieces that help, but none of them is zero trust in a box.
Does zero trust replace VPN?
Increasingly, yes. The modern replacement, zero trust network access, or ZTNA, grants access to one specific app at a time after verifying the user and device, rather than dropping someone onto the whole network the way a traditional VPN does. Many businesses are phasing out VPNs in favor of ZTNA for remote access.
How much does zero trust security cost?
There is no single price, because much of it builds on tools you may already own. Fortinet includes ZTNA in the FortiGate license, Microsoft 365 Business Premium includes identity controls, and Cloudflare offers a free tier for small teams. The real cost is usually the rollout and ongoing management, not big new license fees.
Do small businesses need zero trust?
The principles apply at any size. Smaller organizations may not need full microsegmentation, but multi-factor login, device checks, and least-privilege access stop the most common attacks and are increasingly expected by cyber insurers and larger clients. You can adopt zero trust gradually, starting with the highest-impact pieces.
Is zero trust the same as SASE or SSE?
They are related but not identical. Zero trust is the security principle. SASE and SSE are cloud-delivered platforms that bundle zero trust network access with web filtering and other protections into one service. Cloudflare One is an example of an SSE platform built around zero trust.
The bottom line on zero trust security
Zero trust security is less a product you buy than a discipline you adopt: verify every user and device, give out only the access each role needs, and design as if an attacker is already inside. Fortinet, Cisco Meraki, and Cloudflare each give you real ways to get there, and the right choice usually follows the tools you already run. Best of all, much of the foundation is probably sitting in licenses you already pay for, waiting to be turned on.
If you would like to see what zero trust would look like for your business, Desert Lakes Solutions offers a no-pressure discovery call to review what you already have, where the gaps are, and the highest-impact place to start. Book a discovery call and we will map it out with you.