Plaintext with Rich

Zero Trust: What It Actually Means Beyond the Buzzword

Rich Greene Season 1 Episode 13


The breach didn't come through a broken firewall. It walked in through a valid login. Nothing exploded. Nothing looked suspicious at first. Someone just signed in and kept going.

This episode clears up what Zero Trust actually is and what it isn't. It's not a product, not a box you install, and not a technology you turn on. It's a design decision: don't automatically believe a request just because it comes from inside your network. The episode explains why the old perimeter model stopped working when work moved to laptops, apps moved to the cloud, and being "inside the network" stopped meaning anything useful about risk. It walks through the four core signals Zero Trust evaluates (identity, device health, access scope, and segmentation), explains how Zero Trust Network Access differs from traditional VPNs, and addresses common misconceptions including the idea that Zero Trust means trusting no one. The starter kit covers strong authentication, separating daily accounts from admin accounts, mapping access paths, setting device requirements, and reducing broad network access.

Whether you keep hearing "Zero Trust" in vendor pitches and want to know what it actually means or you're starting to rethink how your organization handles remote access, Plaintext with Rich cuts through the marketing.

Is there a topic/term you want me to discuss next? Text me!!

YouTube more your speed? → https://links.sith2.com/YouTube  
Apple Podcasts your usual stop? → https://links.sith2.com/Apple  
Neither of those? Spotify’s over here → https://links.sith2.com/Spotify  
Prefer reading quietly at your own pace? → https://links.sith2.com/Blog  
Join us in The Cyber Sanctuary (no robes required) → https://links.sith2.com/Discord  
Follow the human behind the microphone → https://links.sith2.com/linkedin  
Need another way to reach me? That’s here → https://linktr.ee/rich.greene

Breaches Begin With Logins

SPEAKER_00

At some point, organizations realized this uncomfortable truth. The breach didn't come through a broken firewall, it walked in through a valid login. Nothing exploded, nothing looked suspicious at first. Someone just signed in, and well, they kept going. Welcome to Plaintext with Rich. Today we're talking about zero trust and secure remote access.

Now, let's start by clearing something up right away. Zero trust is not a product, it's not a box you install, and it's not a single technology you simply turn on. Zero trust is a design decision. In plain text, zero trust means this: you don't automatically believe a request just because it comes from inside your network. Every access attempt has to earn its way in every time. Not forever, not once per day, per action.

That idea sounds obvious now, but for a long time, security worked very differently. The old model assumed the network was the safe place. If you were on the internal network, you were simply trusted. And that made sense when people worked in offices, applications lived in data centers, devices stayed in one place, the network edge was clear. Security at that time was built like a fence: keep bad things out, trust what's inside. But the world moved. Work moved to laptops, applications moved to the cloud, vendors needed access, employees logged in from everywhere on this amazing globe, and the fence stopped meaning much. Today, being inside the network doesn't say anything useful about risk. A stolen password works just as well from a coffee shop as it does from a corporate office.

That's why zero trust exists. It's a response to a simple reality: access is the attack surface now. Most modern incidents don't start with breaking in, they start with signing in. Which means the question changes. Instead of asking how do we protect the network, zero trust asks, how do we decide who gets access to what right now? That decision usually depends on a few core signals.

First up, identity. Who is making the request and how confident are we that it's really them? Passwords alone aren't enough anymore. They're copied too easily. We know this. That's why we have things like multi-factor authentication. That's why it matters so much in zero trust. Again, it's not about convenience, it's about confidence.

Second, we look at the device. Again, zero trust doesn't just ask who you are, it asks what you're using. Is the device updated? Is it encrypted? Is it managed? Is it known? A valid user on a compromised device is still a risky situation.

And third, we want to look at access scope. In zero trust, access is specific. You don't get a blanket pass to the network itself. You get access to exactly what you need right now. Nothing more. That's the principle of least privilege, and it's one of the biggest risk reducers available.

Fourth, we look at segmentation. Zero trust assumes something will go wrong eventually. So instead of hoping it doesn't, right, it limits how far problems can spread. If one account is compromised, that compromise should hit walls quickly. That's not pessimism, that's containment.

Now let's talk about the question that always comes up: Rich, what about VPNs? VPNs were designed for a different era. They extend the internal network to wherever the user is, right? Once connected, a lot becomes reachable. The model isn't broken, but at times it can be a little broad. Now, zero trust remote access flips that idea. Instead of connecting people to networks, it connects them to applications. You don't get a hallway past the entire building, you get access to a single room. And only if conditions are met. That approach is often what you might hear called zero trust network access, or ZTNA. The name isn't important, the behavior really is. If credentials are stolen, the blast radius is smaller. If a device becomes risky, access can be reduced or cut. If behavior changes, verification increases. As always, when it comes to security, the goal here isn't perfection. The goal is limiting damage and detecting problems faster.

So what does this look like in practice? Throw into that. Your plain text zero trust starter kit. For here, we're looking at high impact, reasonable effort, understanding a lot of these are going to apply towards small businesses and it could go even further to medium and large of the enterprises. Right?

First, protect identity with strong authentication. As always, multi-factor authentication on email, remote access, admin accounts, absolutely foundational. Again, as we already know, hopefully by this point, if a password alone can unlock your environment, you don't have zero trust.

Next, we want to look at separating daily accounts from admin accounts. No one should be browsing email and deleting servers from the same identity. Admin access should be deliberate, limited, and visible, right? So separate accounts for those individuals.

We want to map access paths. Write down how people actually get in, right? Their email, their SSO, VPN, cloud consoles, remote management tools, vendor portals, right? You can't control access you haven't acknowledged. So we need to have visibility on all of those.

For fourth, we want to set basic device requirements, right? We want to make sure that all systems have updated operating systems, disk encryption, screen locks, known devices. Unhealthy devices shouldn't get sensitive access. Seems pretty easy here.

Fifth, we want to reduce broad network access. Start with your most critical systems first. Think finance platforms, production environments, administrative consoles. Move from connect to everything to connect only to what's necessary. If you can go further, add these other things: segment flat networks, log access changes and privilege escalation, time limit vendor access, practice account compromise scenarios. All right. Ask one question during these exercises: if this account is abused today, how bad does it get? Your answer tells you how close you are to zero trust.

If we could for a moment, let's clear up a few misconceptions. Zero trust does not mean trusting no one, it means trust is conditional. Zero trust is not a single purchase. Remember, this is an architecture. And zero trust isn't just for large companies. Smaller organizations can honestly benefit the most because a single compromised account can be devastating in smaller orgs.

So here's our plain text takeaway. Zero trust isn't about stopping every breach, it's about assuming some will happen and designing systems that limit damage and speed recovery. Remember, trust isn't removed, it's measured, and in modern environments, measured trust is the only kind that scales.

Now, if there's a security topic you want broken down in plain text, send it my way. Email, DM, comments, however you reach me, I will read it, I will respond. And if this episode helped, please share it with someone who'd actually benefit. This has been Plaintext with Rich. 10 minutes or less, one topic, no panic. I'll see you next time.
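The per-request decision the episode describes (identity, device, scope, segmentation, time-limited vendor access) and its closing question "if this account is abused today, how bad does it get?", as an added example that is not from the show or any product it mentions; the identities, applications, entitlements and the fixed "current" time are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data (not from the episode): each identity is entitled to
# specific applications ("rooms"), never to the network as a whole. A vendor
# entitlement carries an expiry so its access is time-limited.
ALL_APPS = {"email", "ticketing", "finance", "prod-console"}
SENSITIVE = {"finance", "prod-console"}
ENTITLEMENTS = {
    "alice":       {"email": None, "ticketing": None},  # daily account
    "alice-admin": {"prod-console": None},              # separate admin identity
    "vendor-bob":  {"ticketing": datetime(2025, 1, 31, tzinfo=timezone.utc)},
}
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # assumed "current" time for the demo

@dataclass
class Request:
    user: str
    app: str
    mfa_verified: bool
    device_updated: bool
    device_encrypted: bool
    device_managed: bool
    now: datetime = NOW

def device_healthy(r: Request) -> bool:
    return r.device_updated and r.device_encrypted and r.device_managed

def decide(r: Request) -> str:
    """Evaluate one access attempt; every request is re-checked, nothing is remembered."""
    if not r.mfa_verified:                      # identity: a password alone unlocks nothing
        return "deny:mfa-required"
    grants = ENTITLEMENTS.get(r.user, {})
    if r.app not in grants:                     # scope: no entitlement for this room, no access
        return "deny:not-entitled"
    expiry = grants[r.app]
    if expiry is not None and r.now >= expiry:  # time-limited vendor access has lapsed
        return "deny:entitlement-expired"
    if not device_healthy(r):                   # device: risky device gets reduced or no access
        return "deny:device-unhealthy" if r.app in SENSITIVE else "allow:read-only"
    return "allow"

def blast_radius(user: str, model: str) -> set:
    """'If this account is abused today, how bad does it get?' under each access model."""
    if model == "vpn":                          # joining the network makes every app reachable
        return set(ALL_APPS)
    return set(ENTITLEMENTS.get(user, {}))      # ztna: only the rooms this identity is entitled to
```

Comparing `blast_radius("alice", "vpn")` with `blast_radius("alice", "ztna")` is the containment difference the episode draws between a network-wide VPN session and per-application access.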