Zero Trust · Updated 2026-04-17 · Originally published 2026-04-04 · 7 min read

Zero Trust for Fully-Remote Companies: A Real-World Playbook

Most Zero Trust guidance assumes you have a corporate office. For fully-distributed companies with no corporate network, the architecture looks different. Here is the 2026 playbook for 50-500 person remote-first companies.

Tre Trebucchi · Founder, Valtik Studios. Penetration Tester

Founder of Valtik Studios. Pentester. Based in Connecticut, serving US mid-market.


When we onboard a fully-remote client, the first Zero Trust vendor pitch they always show us has a diagram. Corporate network on the left. Employees on the right. A magic cylinder in the middle labeled "Zero Trust Gateway." The vendor proposes putting everything behind the cylinder.

The client has no corporate network. Never had one. Engineering is in Austin. Sales is in Boston. Ops is in Seattle. The CEO works from a spare bedroom in Miami. The "corporate network" in the vendor's diagram does not exist and will never exist. The entire framing of the product doesn't apply.

This is the gap. Every Zero Trust guide assumes you have a perimeter to eliminate. Fully-remote companies don't. The Zero Trust ideology is still right. The implementation has to be different.

This post is the playbook we actually run when advising remote-first 50-500 person companies. What to build, what to skip, and what to buy versus configure yourself.

What "Zero Trust" means here

Here's the part consultants don't put in the glossy PDF.

For a remote-first org, Zero Trust means:

  • Identity is the primary control, applied to every authenticated session, every API call, and every privileged action
  • Device posture is the secondary control: compromised or non-compliant devices can't reach sensitive resources
  • Network location is irrelevant. A laptop in a Starbucks has the same trust level as one in the founder's home
  • Every resource is accessed through an authenticated, authorized channel with continuous verification
  • Segmentation happens at the workload level, not the network level

In practice this means:

  • No VPN. Not even for remote access.
  • No flat network anywhere. Every service lives behind identity and policy.
  • Every workstation is enrolled in MDM and EDR, with posture feeding into access decisions.
  • Every SaaS and every internal service is accessed through SSO with phishing-resistant MFA.
  • Every production service enforces workload identity (service mesh, VPC Lattice, or equivalent).

The stack

For a 50-500 person remote-first company, the stack that works:

Identity

  • Okta Workforce Identity or Microsoft Entra ID as IdP
  • FIDO2 / WebAuthn primary, passkey secondary, SMS nowhere
  • SCIM-provisioned to every SaaS in use
  • Adaptive authentication based on device posture, geolocation anomaly, behavior
  • Conditional access policies for sensitive actions (finance, HR, production deploys)

Budget: IdP licensing $4-10 per user per month (Okta or Entra). Add device trust add-ons if needed.

Device management

  • Kandji or Jamf for macOS (Kandji is faster to stand up, Jamf is more customizable)
  • Intune for Windows
  • Google Workspace Endpoint Management for ChromeOS devices
  • Scalefusion or Mosyle for mobile fleet if significant BYOD

Every device enrolled. Posture reported to IdP. Non-compliant devices can't reach production resources.

Budget: $5-10 per device per month. Expect 1.2-1.5 devices per employee.

Endpoint detection

  • CrowdStrike Falcon or SentinelOne or Microsoft Defender for Endpoint
  • EDR agent on every device, posture feeds into IdP device-trust decisions
  • 24x7 managed detection or in-house SOC for alerting

Budget: $40-100 per device per year for EDR. MDR service adds $20-60 per device per month depending on provider.

ZTNA for internal resources

  • Cloudflare Access (for cost-effective teams) or Tailscale or Twingate
  • Zscaler or Netskope if you've grown past the simpler options and need the full SSE stack
  • Access policies per application, not per network
  • Every internal tool (staging, admin panels, monitoring) behind ZTNA

Budget: $3-15 per user per month depending on vendor and feature depth.

Production / cloud access

  • AWS SSO / IAM Identity Center wired to Okta (or equivalent for GCP / Azure)
  • Temporary credentials via AWS SSO, not long-lived IAM users
  • Just-in-time access for privileged production roles via Okta Workflows or Opal or Lumos
  • All SaaS admin access via SSO only. No local passwords on production SaaS accounts

Budget: AWS SSO is free. Opal / Lumos / Teleport for JIT is $10-30 per user per month.

Secrets management

  • 1Password Business or Bitwarden Enterprise for team password sharing
  • HashiCorp Vault or AWS Secrets Manager or Doppler for application secrets
  • No secrets in Slack, email, wiki, or plain text anywhere
  • Secret access logged and auditable

Budget: $8 per user per month for 1Password. Vault / Secrets Manager at compute cost.

Monitoring and logging

  • Datadog or New Relic or Grafana Cloud for observability
  • Splunk or Sumo Logic or Elastic / ELK for security logging
  • Tines or Torq for SOAR if budget allows
  • Centralized logging from IdP, EDR, ZTNA, cloud. All feeding one place

Budget: highly variable. $20-100 per employee per month for observability, $30-100 per employee per month for logging at scale.

Total cost of this stack

For a 100-person remote-first company:

  • Identity (Okta): $600-1000/month
  • MDM (Kandji + Intune): $1200-1500/month
  • EDR (CrowdStrike): $40-80K/year ($3300-6700/month)
  • ZTNA (Cloudflare One): $500-1500/month
  • JIT access (Opal): $1000-3000/month
  • Password management: $800/month
  • Observability: $2000-10000/month
  • Security logging: $3000-10000/month

Roughly $150-400K/year for a 100-person org to run this fully. Compares favorably to building a SOC from scratch.

The rollout sequence

Month 1-2: Identity foundation

  1. Deploy IdP (if not already)
  2. Enforce MFA on all users. Start with TOTP (strong, but not ideal), then move to a FIDO2 rollout plan
  3. SCIM-provision top 20 SaaS apps (email, Slack, Google Workspace, Notion, Figma, GitHub, etc.)
  4. Enable conditional access for sensitive apps (finance, HR, admin)

Month 2-4: Device trust

  1. Deploy MDM across all devices
  2. Deploy EDR across all devices
  3. Enroll existing devices (this is the painful part: user-by-user coordination)
  4. Integrate MDM + EDR posture into IdP access decisions
  5. Test: non-compliant device can't access production resources

Month 4-6: ZTNA deployment

  1. Pick vendor (Cloudflare, Tailscale, Twingate)
  2. Identify all internal tools behind current VPN or on flat network
  3. Wrap each in ZTNA access policy
  4. Deprecate VPN entirely

Month 6-9: Production / cloud access hardening

  1. Migrate to IAM Identity Center / AWS SSO
  2. Eliminate long-lived IAM users
  3. Deploy JIT access for privileged roles
  4. Audit and tighten service account permissions
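An added audit script (not AWS tooling and not Valtik's own) for steps 1-2 here and the production / cloud access section above: it reads an IAM credential report, the CSV that `aws iam get-credential-report` returns base64-encoded, and flags the long-lived credentials the Identity Center migration should remove. The 90-day key-age threshold and the sample report rows are constructed for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Added audit example, not AWS tooling: parses an IAM credential report and
# flags console passwords on IAM users, over-age access keys, never-used keys
# and any access key on the root account. Threshold and sample data are constructed.
MAX_KEY_AGE = timedelta(days=90)

def parse_time(value):
    """Report dates are ISO 8601; 'N/A', 'no_information' and 'not_supported' mean unknown."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_credential_report(report_csv, now):
    """Return (user, finding) tuples for credentials a Zero Trust account should not have."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
                findings.append((user, "root account has an active access key"))
            if row["mfa_active"] != "true":
                findings.append((user, "root account without MFA"))
            continue
        if row["password_enabled"] == "true":
            findings.append((user, "console password on an IAM user; console access belongs to Identity Center"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = parse_time(row[f"access_key_{n}_last_rotated"])
            last_used = parse_time(row[f"access_key_{n}_last_used_date"])
            if rotated is not None and now - rotated > MAX_KEY_AGE:
                findings.append((user, f"access key {n} is {(now - rotated).days} days old"))
            if last_used is None:
                findings.append((user, f"access key {n} is active but has never been used"))
    return findings

# Constructed sample report containing only the columns this script reads.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2025-01-10T09:00:00+00:00,2026-04-01T08:15:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true,2026-03-20T12:00:00+00:00,2026-04-03T22:10:00+00:00,true,2024-06-01T00:00:00+00:00,N/A
"""
NOW = datetime(2026, 4, 4, 12, 0, tzinfo=timezone.utc)
```

Run it against the real report and every finding is an item for the "eliminate long-lived IAM users" step; a CI user like `ci-deploy` with a stale second key is the typical leftover.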

Month 9-12: Monitoring, response, continuous improvement

  1. Centralize logging
  2. Deploy SOAR playbooks for common incidents
  3. Run tabletop exercises
  4. Penetration test the whole stack

The common failure modes

"We deployed ZTNA for remote, corporate office is still flat"

Not a problem for remote-first companies. Note for hybrid companies: this defeats the purpose.

"EDR deployed but posture not wired to IdP"

Most common failure. EDR runs and logs alerts, but a compromised device can still access corporate resources because the IdP doesn't know.

Fix: Okta Device Trust + CrowdStrike integration, or Entra ID device risk integration. Test it.

"MFA everywhere except [legacy thing]"

Every exception becomes the attack path. Either ditch the legacy thing or put it behind ZTNA so the ZTNA handles MFA.

"ZTNA is the new VPN"

If your ZTNA policy is "all employees can access the dev cluster", that's a VPN. Real ZTNA has per-application policies with least privilege.
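The five rules from "What Zero Trust means here" and the two failure modes just above ("posture not wired to IdP" and "ZTNA is the new VPN") in one added example, not code from Valtik or any vendor: a per-application access decision that checks identity and MFA strength first, MDM/EDR posture second, and never reads the source IP. Users, devices, groups, the MFA ranking and the 24-hour posture freshness limit are constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Added illustration, not any vendor's policy engine: a minimal per-application
# access decision combining IdP identity, MFA strength and MDM/EDR posture.
# Every user, device and group below is constructed for the example.
MFA_RANK = {"none": 0, "sms": 1, "totp": 2, "fido2": 3}   # fido2 = phishing-resistant
POSTURE_MAX_AGE = timedelta(hours=24)   # posture older than this fails closed

# source_ip is carried only because the IdP logs it; decide() never reads it.
Session = namedtuple("Session", "user groups mfa_factor device_id source_ip")
Posture = namedtuple("Posture", "mdm_compliant edr_healthy reported_at")
AppPolicy = namedtuple("AppPolicy", "allowed_groups min_mfa", defaults=["fido2"])

def decide(session, posture_db, app, policy, now):
    """Return (allowed, reason): identity first, device posture second, network never."""
    if not session.groups & policy.allowed_groups:
        return False, f"{app}: {session.user} is not in an allowed group"
    if MFA_RANK[session.mfa_factor] < MFA_RANK[policy.min_mfa]:
        return False, f"{app}: factor {session.mfa_factor} is weaker than {policy.min_mfa}"
    posture = posture_db.get(session.device_id)     # None for an unenrolled device
    if posture is None:
        return False, f"{app}: device {session.device_id} is not enrolled, no posture known"
    if now - posture.reported_at > POSTURE_MAX_AGE:
        return False, f"{app}: posture for {session.device_id} is stale, failing closed"
    if not (posture.mdm_compliant and posture.edr_healthy):
        return False, f"{app}: device {session.device_id} is non-compliant"
    return True, f"{app}: allowed for {session.user} on {session.device_id}"

# "All employees can access the dev cluster" is a VPN wearing a ZTNA badge;
# the per-application policy beside it is what the post asks for.
VPN_STYLE = {"dev-cluster": AppPolicy(frozenset({"employees"}), "totp")}
PER_APP = {"dev-cluster": AppPolicy(frozenset({"engineering"})),
           "hr-portal": AppPolicy(frozenset({"hr"}))}

NOW = datetime(2026, 4, 4, 12, 0, tzinfo=timezone.utc)
POSTURE_DB = {   # what the MDM/EDR integration reports to the IdP
    "mac-eng-01": Posture(True, True, NOW - timedelta(hours=1)),
    "mac-eng-02": Posture(True, False, NOW - timedelta(hours=1)),   # EDR agent stopped
    "mac-sales-07": Posture(True, True, NOW - timedelta(hours=2)),
    "win-ops-03": Posture(True, True, NOW - timedelta(days=3)),    # no heartbeat for 3 days
}
ENGINEER = Session("alice", frozenset({"employees", "engineering"}), "fido2", "mac-eng-01", "203.0.113.5")
SALES = Session("bob", frozenset({"employees", "sales"}), "totp", "mac-sales-07", "198.51.100.9")
```

Compare `decide(SALES, ...)` under `VPN_STYLE` and under `PER_APP`: the first admits a sales user to the dev cluster, the second does not, and the stale `win-ops-03` posture shows why a missing heartbeat must deny rather than allow.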

"Break glass accounts everywhere"

Emergency accounts that bypass the controls. Fine to have. One or two, tightly controlled, credentials in a physical safe, every use reviewed. Ten break-glass accounts that nobody can account for = your real attack path.

"Personal devices are out of scope"

You probably have a BYOD problem you haven't fully acknowledged. Either officially support it with enrollment requirements or block BYOD access to corporate resources. Pretending doesn't work.

"VPN for vendors / contractors"

Vendors get the full blast radius of a VPN. They should instead use ZTNA scoped to the specific resources they need, with time-bounded access.
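An added detection example (not a Valtik or vendor rule) for two of the failure modes above: each break-glass sign-in is matched against an approval window, so "every use reviewed" is enforced rather than hoped for, and successful sign-ins to sensitive apps with a non-phishing-resistant factor surface the "MFA everywhere except [legacy thing]" exception. The event shape is a simplified, constructed stand-in for IdP system-log records; accounts, apps, ticket ids and the four-hour window are made up.

```python
import json
from datetime import datetime, timedelta

# Added detection example, not any vendor's rule: reviews IdP sign-in events for
# unapproved break-glass use and weak-factor access to sensitive apps. The event
# fields are a constructed simplification of IdP system logs; all data is made up.
BREAK_GLASS = {"breakglass-1@example.com", "breakglass-2@example.com"}
PHISHING_RESISTANT = {"fido2", "webauthn"}
SENSITIVE_APPS = {"aws-identity-center", "okta-admin", "payroll"}
REVIEW_WINDOW = timedelta(hours=4)   # a break-glass use must fall inside an approved window

# Constructed approvals: every break-glass use should be covered by a ticket.
APPROVALS = [
    {"account": "breakglass-1@example.com", "ticket": "INC-2041", "start": "2026-04-03T01:00:00+00:00"},
]

EVENTS = "\n".join(json.dumps(e) for e in [   # constructed sign-in events, one JSON object per line
    {"ts": "2026-04-03T01:40:00+00:00", "actor": "breakglass-1@example.com", "app": "okta-admin", "factor": "totp", "result": "SUCCESS"},
    {"ts": "2026-04-03T23:10:00+00:00", "actor": "breakglass-2@example.com", "app": "okta-admin", "factor": "totp", "result": "FAILURE"},
    {"ts": "2026-04-04T09:05:00+00:00", "actor": "alice@example.com", "app": "payroll", "factor": "sms", "result": "SUCCESS"},
    {"ts": "2026-04-04T09:06:00+00:00", "actor": "alice@example.com", "app": "wiki", "factor": "totp", "result": "SUCCESS"},
    {"ts": "2026-04-04T10:00:00+00:00", "actor": "bob@example.com", "app": "aws-identity-center", "factor": "fido2", "result": "SUCCESS"},
])

def _approved(account, when):
    """Return the ticket whose window covers this use, or None."""
    for a in APPROVALS:
        start = datetime.fromisoformat(a["start"])
        if a["account"] == account and start <= when <= start + REVIEW_WINDOW:
            return a["ticket"]
    return None

def review_events(event_lines):
    """Return alerts as (severity, actor, message). Failed break-glass attempts alert too."""
    alerts = []
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        when = datetime.fromisoformat(e["ts"])
        if e["actor"] in BREAK_GLASS:
            ticket = _approved(e["actor"], when)
            if ticket is None:
                alerts.append(("critical", e["actor"], f"break-glass {e['result']} on {e['app']} with no approval window"))
            else:
                alerts.append(("info", e["actor"], f"break-glass use on {e['app']} covered by {ticket}, queue for review"))
        elif e["app"] in SENSITIVE_APPS and e["result"] == "SUCCESS" and e["factor"] not in PHISHING_RESISTANT:
            alerts.append(("high", e["actor"], f"{e['app']} reached with non-phishing-resistant factor {e['factor']}"))
    return alerts
```

A break-glass account that never appears in these alerts and has no approvals on file is the one to question: either it was never exercised, or its use is not reaching the log pipeline.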

Compliance mapping

For remote-first companies pursuing:

  • SOC 2 Type II: this stack covers CC6 (Logical Access) and CC7 (System Operations) comprehensively. Auditors love the centralized identity + device story.
  • ISO 27001:2022: covers A.5.15 (Access Control), A.8.2 (Privileged Access), A.8.16 (Monitoring).
  • NYDFS 23 NYCRR 500 (for NY-licensed financial services firms): MFA enforcement, access controls, continuous monitoring all aligned.
  • HIPAA Security Rule: 45 CFR 164.312 technical safeguards all satisfied.
  • CMMC 2.0 Level 2: most NIST 800-171 AC and IA controls satisfied. Still need SSP, CUI scope, and additional work beyond Zero Trust.

What we do in a Zero Trust engagement for remote-first

Our engagements:

  1. Current-state assessment of identity, device, network, application, data posture
  2. Gap analysis against the target stack described above
  3. Vendor selection advisory (tuned to budget and team capacity)
  4. Implementation roadmap with month-by-month milestones
  5. Security engineering support during rollout (not day-to-day operations)
  6. Validation pentest after deployment, specifically targeting the Zero Trust controls to verify they work

Typical engagement: 3-6 months for 100-person org, $60-120K for the full program support.

Resources

  • NIST SP 800-207 Zero Trust Architecture (still foundational)
  • CISA Zero Trust Maturity Model v2 (2025 update)
  • Cloudflare's Zero Trust reference architecture
  • Google BeyondCorp papers (the original)
  • OMB M-22-09 for federal reference
  • DoD Zero Trust Strategy

Hire Valtik Studios

Zero Trust for remote-first companies is different from Zero Trust for enterprises with corporate offices. We run implementations specifically tuned to distributed teams. Less focus on network segmentation, more on identity + device + workload. If you're scaling a remote-first company past 50 employees and the ad-hoc security is showing cracks, we can help.

Reach us at valtikstudios.com.
