Most of what we read about zero trust is written by vendors trying to sell you a $40-per-seat-per-month platform that includes “zero trust” in the marketing. For a 5-to-20 person engineering team, that framing is useless. You do not need a zero trust platform. You need three or four real changes to how you handle identity, devices, and secrets. This is the starter guide we wish we had had when our team was eight people.

We will define the term, then walk through the three things to tackle first, with actual prices, the tools we picked, and what we still got wrong. At the end, a section on what to do with your VPN. Spoiler: probably get rid of it.

What zero trust actually means

The academic definition: never trust a request based on its network location. Every request gets authenticated and authorized based on identity and device posture, not on whether it came from “inside the VPN.” In practice it is simpler. Assume your corporate network is public internet. Assume any laptop might be compromised. Build your systems so that someone sitting in your office with an unpatched laptop cannot access your production database any more easily than a stranger in a coffee shop.

That mental shift matters because the old model (firewall the office, trust anything inside) stopped working years ago. Your engineers are on planes, in cafes, at their in-laws’ houses. The “inside” of your network is already public. Zero trust is just accepting that.

The network perimeter died when the first engineer opened a laptop at an airport. Most companies are just catching up to the funeral.

Thing 1: SSO plus MFA, everywhere

This is the single highest-leverage move and the one most small teams put off because it feels like an IT project. It is not. For a team of 10, it is a weekend of work and about $6-10 per user per month forever.

Pick an identity provider. If you are already on Google Workspace, use Google Workspace’s built-in SSO for most apps. If you need something more capable (SAML for everything, more granular group policies, SCIM provisioning into apps like Linear and Vercel), use Okta or Entra ID. Our team started on Google Workspace SSO and moved to Okta at around 25 people. If we were starting over at 10 people in 2026, we would probably go straight to Okta Workforce Identity.

For MFA, use hardware keys (YubiKey 5C NFC is the usual pick) as the primary and passkeys as the backup. Do not use SMS. Do not use TOTP apps as your only factor. SIM swaps are a real and boring threat. We bought two YubiKeys per engineer (one to carry, one in the safe) at $75 each. For a team of 10, that is $1,500 one-time and a genuinely better sleep at night.

Once SSO is live, make it enforced. Every new service you adopt has to support SAML or OIDC and be behind the IdP. This is where the infamous “SSO tax” comes in (some vendors charge 3-5x more for their SSO tier). Pay it. The alternative is a worst-case scenario with an ex-employee’s credentials that you forgot to revoke.

What this catches

  • Phished credentials. A hardware key cannot be phished in the traditional sense: the key signs a challenge bound to the real site’s origin, so an attacker with a fake login page gets nothing usable.
  • Reused passwords. Engineers reuse passwords. Deal with it by making the password irrelevant.
  • Offboarding gaps. One deactivation in the IdP kills access everywhere. We found three services that were still logged in for an ex-employee three months after termination before we centralized. That is the normal state at small companies.

Thing 2: Device-level security (MDM)

The uncomfortable truth: a laptop without full-disk encryption, a lock screen timeout, and a running endpoint agent is a potential breach walking around. Engineers install weird stuff, they travel, and they leave laptops in cars. Mobile device management (MDM) is how you set a floor.

For small teams we like Kandji or Jamf Now for Mac fleets and Intune for mixed Windows/Mac. Kandji runs about $6 per device per month and gives you the policies that matter for zero trust: disk encryption on, firmware password set, lock screen at 5 minutes, OS updates within 14 days of release, antivirus installed.

Pair MDM with a device posture check in your IdP. Okta and Google Workspace can both check “is this login coming from a managed device?” and deny if not. This is the real zero trust moment. Even if an attacker has a valid username, password, and second factor, they cannot sign in from an unmanaged laptop.

The friction is real and worth naming. Contractors, new hires with their personal laptops, people using a family iPad to check email on vacation. Have an answer ready: a tight list of services that work from unmanaged devices (typically email and Slack with read-only access), and a lockdown on everything else. Document it. Our team’s page is two paragraphs long.
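To make the “posture check in the IdP” idea concrete, here is a toy access-decision function. It is an added example, not the article’s code and not any IdP vendor’s policy engine: it models the rule above that a valid username, password and second factor are still denied from a non-compliant laptop, except for a short allow-list of low-risk apps, and it folds the MDM floor (disk encryption, patch age within 14 days) into what “managed” means. The app names, factor names and allow-list are constructed for illustration.

```python
"""Toy access decision combining identity, factor strength and device posture.

Added example (not the article's or any vendor's code). Constructed policy:
a strong second factor is mandatory, and a compliant managed device is
mandatory for everything except a small read-only allow-list.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed allow-list: apps reachable from a non-compliant device, and the
# role the session is limited to. Everything else needs a compliant device.
UNMANAGED_DEVICE_APPS = {"email": "read-only", "slack": "read-only"}

# Factors treated as phishing-resistant. SMS and TOTP are deliberately absent.
STRONG_FACTORS = {"hardware_key", "passkey"}

# MDM floor from the article: OS updates applied within 14 days of release.
MAX_PATCH_AGE_DAYS = 14


@dataclass(frozen=True)
class DevicePosture:
    mdm_enrolled: bool
    disk_encrypted: bool
    os_patch_age_days: int  # days since the newest OS update was released


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    password_ok: bool
    second_factor: Optional[str]  # "hardware_key", "passkey", "totp", "sms" or None
    device: DevicePosture
    app: str


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    role: str = "full"


def is_compliant(device: DevicePosture) -> bool:
    """The MDM floor: enrolled, encrypted, and patched recently enough."""
    return (device.mdm_enrolled and device.disk_encrypted
            and device.os_patch_age_days <= MAX_PATCH_AGE_DAYS)


def decide(attempt: LoginAttempt) -> Decision:
    """Return the access decision for one login attempt; deny by default."""
    # Identity: the password alone proves nothing, require a strong second factor.
    if not attempt.password_ok:
        return Decision(False, "bad password")
    if attempt.second_factor not in STRONG_FACTORS:
        return Decision(False, f"second factor {attempt.second_factor!r} not accepted")
    # Device posture: good credentials on a non-compliant laptop are still
    # denied unless the app is on the limited allow-list.
    if is_compliant(attempt.device):
        return Decision(True, "compliant managed device")
    if attempt.app in UNMANAGED_DEVICE_APPS:
        return Decision(True, "non-compliant device, limited access",
                        role=UNMANAGED_DEVICE_APPS[attempt.app])
    return Decision(False, f"{attempt.app} requires a compliant managed device")


if __name__ == "__main__":
    # Constructed attempts: same user and factor, different devices and apps.
    good = DevicePosture(True, True, 3)
    personal = DevicePosture(False, False, 0)
    for attempt in [
        LoginAttempt("alice@acme.dev", True, "hardware_key", good, "prod-db"),
        LoginAttempt("alice@acme.dev", True, "hardware_key", personal, "prod-db"),
        LoginAttempt("alice@acme.dev", True, "hardware_key", personal, "email"),
        LoginAttempt("bob@acme.dev", True, "totp", good, "prod-db"),
    ]:
        d = decide(attempt)
        print(f"{attempt.user} -> {attempt.app}: "
              f"{'ALLOW' if d.allow else 'DENY'} ({d.reason}, role={d.role})")
```

The order of the checks is the point: identity is evaluated first, but passing it only earns you the posture check, and the posture check decides the scope of what you get.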

Thing 3: Secrets management

Here is where most small teams are bleeding. Every engineer has a .env file somewhere with production database credentials they committed once to a private repo and forgot about. AWS keys in Slack DMs. A Notion page titled “Infra credentials” last updated in 2023. These are the real breaches.

Two flavors of secrets, two solutions. Human-used secrets (shared logins, Stripe dashboard, that one admin panel that does not support SSO yet) go in 1Password Business at $8 per user per month. It is the cheapest zero trust investment you will ever make, and the shared-vault model is genuinely good.

Machine-used secrets (env vars for your services, API keys, DB credentials) go in a proper secrets manager. Options:

  • Doppler: easy to adopt, good UX, integrates with Vercel and CI in minutes. Around $7 per seat per month. Our pick for teams without dedicated infra.
  • Infisical: open-source, self-hostable, cheaper at scale. Good if you already self-host other things.
  • AWS Secrets Manager or Parameter Store: fine if you are already deep in AWS and have someone comfortable with IAM. Free-ish, but you pay in configuration time.
  • HashiCorp Vault: overkill for a 10-person team. Revisit at 50.

The rule we enforce: if a secret is in a file in a repo, that is a bug. If a secret is in a Slack message, that is a bug. A weekly trufflehog scan on the org catches most of these, and a pre-commit hook catches the rest.
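To show what the pre-commit side of that rule actually checks, here is a minimal scanner over the text of files about to be committed. It is an added example, not the article’s hook and not trufflehog: it runs the two kinds of check such tools rely on, fixed patterns for well-known credential shapes and a Shannon-entropy test for opaque tokens, over constructed sample files. The sample values are constructed (the AWS pair is Amazon’s published documentation example) and the file names are made up.

```python
"""Minimal pre-commit style secret scanner (added example, not trufflehog).

Scans path -> contents pairs, the shape a pre-commit hook sees after
reading the staged files, and reports redacted findings.
"""
import math
import re
from dataclasses import dataclass
from typing import Dict, List

# Fixed patterns first: cheap, precise, and named so the report is readable.
PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    # scheme://user:password@host, e.g. a database URL with an embedded password
    ("url-with-password", re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^@\s]+@")),
    # NAME=value where NAME looks like a secret and the value is 8+ non-space chars
    ("secret-assignment", re.compile(
        r"^\s*(?:export\s+)?([A-Z][A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|API_KEY)[A-Z0-9_]*)"
        r"\s*=\s*['\"]?(\S{8,})")),
]
# Opaque-looking tokens: 20+ base64/hex-ish characters that include a digit.
TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 3.5  # bits/char; prose and identifiers sit well below this
PLACEHOLDER_PREFIXES = ("${", "<", "your-", "changeme")  # template values are fine


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    snippet: str  # redacted, so the report itself does not leak the secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value: str) -> str:
    return value[:4] + "..." + value[-2:] if len(value) > 10 else "***"


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            if kind == "secret-assignment":
                if m.group(2).startswith(PLACEHOLDER_PREFIXES):
                    continue
                snippet = f"{m.group(1)}={redact(m.group(2))}"
            else:
                snippet = redact(m.group(0))
            findings.append(Finding(path, lineno, kind, snippet))
            break
        else:
            # No fixed pattern hit: fall back to flagging high-entropy tokens.
            for tok in TOKEN.findall(line):
                if any(ch.isdigit() for ch in tok) and shannon_entropy(tok) > ENTROPY_THRESHOLD:
                    findings.append(Finding(path, lineno, "high-entropy-string", redact(tok)))
                    break
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> contents and return all findings, sorted by path."""
    return [f for path, text in sorted(files.items()) for f in scan_text(path, text)]


# Constructed staged files: three with problems, one clean.
SAMPLE_FILES = {
    ".env": "DATABASE_URL=postgres://app:s3cr3tpass@db.internal:5432/app\nAPP_ENV=production\n",
    "config.py": ('AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
                  'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
                  'TIMEOUT = 30\n'),
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA...\n",
    "README.md": "Set DATABASE_URL in the environment; never commit it.\n",
}

if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    for f in hits:
        print(f"{f.path}:{f.line}: {f.kind}: {f.snippet}")
    raise SystemExit(1 if hits else 0)  # a non-zero exit is what blocks the commit
```

Two design points carry over to the real tools: findings are redacted before they are printed (a CI log full of the secrets you just caught is its own leak), and placeholder values like `${DB_PASSWORD}` are skipped so the hook does not train people to ignore it.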

Bonus: replace the VPN with identity-aware access

The VPN is a zero-trust anti-pattern. Once you are on the VPN, you’re “inside” and trusted. That is exactly what zero trust is trying to kill. The modern answer is identity-aware proxies or mesh VPNs where every connection is authenticated per request.

Two tools we have real experience with:

Tailscale is a mesh VPN that uses your IdP for authentication. It is beautiful for engineers who need to SSH to staging boxes and hit internal APIs. Access is per-user and per-device. You can define ACLs as code. At around $6 per user per month for the Business tier, it is almost free compared to any legacy VPN appliance.

Cloudflare Access is what you want for putting internal web apps behind SSO without running your own reverse proxy. Grafana, internal dashboards, that one admin panel: stick Cloudflare Access in front, require IdP login, done. We have used both for different workloads. Tailscale for developer access, Cloudflare Access for web apps and vendor-facing dashboards.

Here is what a Tailscale ACL looks like in practice:

{
  // Tailscale policy files are HuJSON, so comments like these are allowed.
  // A tag has to be declared here before it can be applied to a machine;
  // the value is who is allowed to apply it.
  "tagOwners": {
    "tag:staging": ["group:eng"],
    "tag:prod": ["group:sre"]
  },
  "groups": {
    "group:eng": ["alice@acme.dev", "bob@acme.dev"],
    "group:sre": ["alice@acme.dev"]
  },
  // Network rules. Anything not listed is denied: bob can reach staging on
  // SSH and MySQL but cannot reach prod at all.
  "acls": [
    {
      "action": "accept",
      "src": ["group:eng"],
      "dst": ["tag:staging:22,3306"]
    },
    {
      "action": "accept",
      "src": ["group:sre"],
      "dst": ["tag:prod:22"]
    }
  ],
  // Tailscale SSH. "check" requires a fresh IdP re-authentication on a timer
  // before the session is allowed, unlike plain "accept".
  "ssh": [
    {
      "action": "check",
      "src": ["group:sre"],
      "dst": ["tag:prod"],
      "users": ["root", "ubuntu"]
    }
  ]
}

The check action forces a re-authentication every hour, so a stolen device token is useful for a bounded window, not forever. That is zero trust working.
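“ACLs as code” is only worth the name if you can test the policy before applying it. The following is an added example, not Tailscale’s code: a toy evaluator that answers “can this user reach this tag on this port?” with the same deny-by-default semantics the policy above describes. It understands only the subset the policy uses (groups, tag destinations with port lists, and the ssh section); hosts, IP ranges, autogroups and wildcard sources are assumed out of scope. The groups, acls and ssh sections of the policy above are reproduced inline as plain JSON (comments stripped) so it runs offline.

```python
"""Toy evaluator for the article's Tailscale-style ACL (added example, not
Tailscale's code). Supports only groups, tag:port destinations and ssh rules.
"""
import json
from typing import Optional, Set

# The article's policy (groups, acls, ssh), as plain JSON so json.loads accepts it.
POLICY_TEXT = r"""
{
  "groups": {
    "group:eng": ["alice@acme.dev", "bob@acme.dev"],
    "group:sre": ["alice@acme.dev"]
  },
  "acls": [
    {"action": "accept", "src": ["group:eng"], "dst": ["tag:staging:22,3306"]},
    {"action": "accept", "src": ["group:sre"], "dst": ["tag:prod:22"]}
  ],
  "ssh": [
    {"action": "check", "src": ["group:sre"], "dst": ["tag:prod"], "users": ["root", "ubuntu"]}
  ]
}
"""


def load_policy(text: str) -> dict:
    return json.loads(text)


def members(policy: dict, principal: str) -> Set[str]:
    """Resolve a src entry (a user email or group:name) to the set of users it covers."""
    if principal.startswith("group:"):
        return set(policy.get("groups", {}).get(principal, []))
    return {principal}


def port_allowed(spec: str, port: int) -> bool:
    """Match a port against a port list such as "*", "22", "8000-8100" or "22,3306"."""
    for part in spec.split(","):
        if part == "*":
            return True
        if "-" in part:
            lo, hi = part.split("-", 1)
            if int(lo) <= port <= int(hi):
                return True
        elif int(part) == port:
            return True
    return False


def can_reach(policy: dict, user: str, dst_tag: str, port: int) -> bool:
    """Deny by default: True only if some accept rule covers user -> dst_tag:port."""
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        if not any(user in members(policy, s) for s in rule["src"]):
            continue
        for dst in rule["dst"]:
            # "tag:prod:22" -> target "tag:prod", ports "22"
            target, _, ports = dst.rpartition(":")
            if target == dst_tag and port_allowed(ports, port):
                return True
    return False


def ssh_mode(policy: dict, user: str, dst_tag: str, login_user: str) -> Optional[str]:
    """Return the ssh action that applies ("accept" or "check"), or None if SSH is not allowed."""
    for rule in policy.get("ssh", []):
        if dst_tag not in rule["dst"] or login_user not in rule["users"]:
            continue
        if any(user in members(policy, s) for s in rule["src"]):
            return rule["action"]
    return None


if __name__ == "__main__":
    policy = load_policy(POLICY_TEXT)
    # Constructed access matrix: who can reach what, and how SSH is gated.
    for user in ("alice@acme.dev", "bob@acme.dev", "carol@acme.dev"):
        for tag, port in (("tag:staging", 22), ("tag:staging", 3306), ("tag:prod", 22)):
            ok = can_reach(policy, user, tag, port)
            print(f"{user:16} -> {tag}:{port:<5} {'allow' if ok else 'deny'}")
        print(f"{user:16} ssh to tag:prod as ubuntu: {ssh_mode(policy, user, 'tag:prod', 'ubuntu')}")
```

Run it as a unit test in CI against the real policy file (after stripping HuJSON comments) and a change that accidentally widens `tag:prod` access fails the build instead of being noticed after the fact.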

What this costs, roughly, for a team of 10

  • Okta Workforce Identity: ~$8/user/month = $80/month
  • YubiKeys: $1,500 one-time (2 per person)
  • Kandji MDM: ~$6/device/month = $60/month
  • 1Password Business: $8/user/month = $80/month
  • Doppler: $7/user/month = $70/month
  • Tailscale Business: $6/user/month = $60/month

Total: about $350/month plus $1,500 upfront. Less than a single engineer-day a month. The question is not whether you can afford it. The question is why you are not doing it.

What you’ll still get wrong

We run all of the above and we still mess up. Three honest failure modes we have lived through:

Shadow IT. An engineer adopts a new tool, pays with a corporate card, skips SSO because it’s “just a trial.” Three months later it holds production data and there are six accounts on it. The fix is process, not tools. A five-minute review for any new vendor. Yes, really.

Service accounts. Humans get SSO. The CI user that deploys your app does not. Service accounts tend to have long-lived credentials that outlive the people who set them up. Rotate them on a schedule and document who owns each one.

Third-party breaches. Zero trust protects your stuff. It does not protect you from your CRM vendor getting breached. Minimize what you send to third parties. Use data processing agreements. Assume every vendor you share data with will eventually have a bad week.

What we’d actually do

If a ten-person company asked us to spend one week on security, the answer is unambiguous: SSO with hardware keys, MDM with device posture checks in your IdP, and 1Password Business plus Doppler for secrets. That is the 80% of zero trust that matters for small teams. Tailscale as a bonus if you have any shared infrastructure engineers need to reach.

Do not buy a “zero trust platform.” Do not hire a CISO yet. Do not build a custom audit pipeline. Get the three things above in place, write one page of docs explaining how to add a new app to SSO, and revisit in six months. You will have caught up to companies ten times your size.