Let’s be honest — you really can’t trust anything on the network anymore.

With remote work and everything moving to SaaS, we just can’t assume anything is safe – and to be fair, many times, we are the biggest threats to our systems.

That’s when the world started turning to Zero Trust.
You’ve probably heard the phrase:

“Never trust, always verify.”

Sounds great, right? But actually implementing it isn’t easy – and can be a real pain in the neck.

So, what is Zero Trust really?

It’s not a piece of software or a configuration setting. It’s more of a mindset – a different way of thinking about access and security. Something like:

• Identity is everything. Doesn’t matter where you are – it matters who you are.
• Access is earned, not assumed. Being “inside” doesn’t mean you’re in.
• You only get what you need. No more blanket admin rights.
• Logs are your best friend. Because if you’re not watching… someone else might be.

What tools did we use?

Here’s the stack we work with (and personally, it works pretty well for us so far):

• Okta for SSO, MFA, and everything related to identity
• Google Workspace for team productivity and collaboration
• Jamf + Intune to manage all our devices
• Slack and Zoom for everything communication-related
• Confluence to share knowledge and keep everyone in the loop

All these tools are great – but the real challenge is knowing how to use them properly, and that, my friends, is not as easy as it sounds.

Mistakes we’ve made (okay… mostly me)

1. Thinking it was “just an IT project”
   I didn’t involve other teams that were going to be affected. And of course, nobody likes sudden login issues. Better security doesn’t mean people will automatically love the changes.
2. Being too generous with roles
   Giving people more access makes onboarding easier, sure. But later, figuring out who had access to what turned into a nightmare.
3. Believing the official guides would save me
   Not every Okta integration works as described. I had to contact our CSM, open support tickets, and sometimes just rely on good old trial and error.

What I’d do differently now that I know all this

• Talk to the team first. Explain the “why” before changing how they log in. Make sure everyone’s informed.
• Plan roles properly. No improvisation – even if it takes more time, it’s worth it in the long run.
• Document, document, and document. You never know who else will need it. That person might be you at 2 AM.
• Accept this is a journey. It’s not a one-and-done. It needs care and maintenance, always.

Was it worth it?

Absolutely!

We now have better visibility, a more serious onboarding/offboarding process, less reliance on VPNs or “internal trust”, and way more confidence when rolling out new tools.

Thinking of starting this journey yourself?

My advice? Start small. Focus on identity first. Pick one or two tools – and get them right.

Zero Trust sounds big and complicated, but it’s okay to take small steps. And more importantly, it’s okay to make mistakes. If you’re going in the right direction, those small wins will guide you forward.

And seriously… talk to people.
That might just be the most underrated part of doing IT right.