Plaintext with Rich

Zero Trust, Explained In Plain Text

Rich Greene Season 1 Episode 13


A breach that looks like a normal login can slip past the loudest alarms. That simple truth reshaped how we think about defense and led us to a clearer model: access is the attack surface, and trust must be earned every time. We unpack zero trust in plain language, showing how to move from implied safety behind a perimeter to conditional, per-request decisions that scale across cloud, remote work, and vendor ecosystems.

We start with the core signals that drive better decisions: identity that's verified beyond passwords using strong multi-factor authentication; device posture that proves a system is updated, encrypted, and managed; and least privilege that connects people only to what they need right now. From there, we add segmentation to contain failures and reduce lateral movement. Along the way, we contrast traditional VPNs with zero trust network access, highlighting why connecting users to applications, not entire networks, shrinks the blast radius and adapts access as risk changes.

Then we get tactical with a zero trust starter kit you can apply without a full rebuild. Separate daily and admin accounts, map your real access paths across SSO, cloud consoles, remote management, and vendor portals, enforce baseline device standards, and narrow connectivity around crown jewels like finance platforms, production, and admin consoles. We close by clearing common myths: zero trust isn’t “trust no one,” it isn’t a product you buy once, and it’s not just for large enterprises. Smaller teams often gain the most because a single compromised account can be devastating.
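The per-request decision described above, and the episode's closing question ("if this account is abused today, how bad does it get?"), as an added example that is not part of the show notes or the episode. The identities, application names and grants are constructed; the policy combines the four signals the episode lists (MFA-verified identity, device posture, app-scoped least privilege, separate admin accounts) and compares the reach of an account under per-request policy with the same account under a broad VPN-style grant.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    """Device posture signals the episode names: known, managed, encrypted, patched."""
    known: bool
    managed: bool
    encrypted: bool
    patched: bool

    def healthy(self) -> bool:
        return self.known and self.managed and self.encrypted and self.patched

# Constructed sample grants (hypothetical identities and application names).
# Access is scoped to applications, ZTNA style, never to "the network".
GRANTS = {
    "alice":       {"mail", "crm"},                              # daily account
    "alice-admin": {"cloud-console"},                            # separate admin identity
    "bob":         {"mail", "crm", "finance", "cloud-console"},  # legacy "connect to everything"
}
ADMIN_APPS = {"cloud-console"}
SENSITIVE_APPS = ADMIN_APPS | {"finance"}
HEALTHY = Device(known=True, managed=True, encrypted=True, patched=True)

def decide(user: str, mfa_verified: bool, device: Device, app: str) -> str:
    """Evaluate one access request; every request earns its way in, every time."""
    if app not in GRANTS.get(user, set()):
        return "deny:least-privilege"       # only what this identity needs right now
    if not mfa_verified:
        return "deny:mfa-required"          # a password alone unlocks nothing
    if app in ADMIN_APPS and not user.endswith("-admin"):
        return "deny:use-admin-account"     # daily and admin accounts stay separate
    if app in SENSITIVE_APPS and not device.healthy():
        return "deny:device-posture"        # unhealthy devices get no sensitive access
    return "allow"

def blast_radius(user: str, per_request_policy: bool = True) -> set[str]:
    """'If this account is abused today, how bad does it get?'

    Worst case assumed: the attacker holds a valid MFA-passed session on a
    healthy device. With per_request_policy=False the account behaves like a
    broad VPN grant: once connected, everything it was ever given is reachable.
    """
    apps = GRANTS.get(user, set())
    if not per_request_policy:
        return set(apps)
    return {app for app in apps if decide(user, True, HEALTHY, app) == "allow"}

if __name__ == "__main__":
    for who in GRANTS:
        print(f"{who:12} flat={sorted(blast_radius(who, False))} zero-trust={sorted(blast_radius(who))}")
```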

If this breakdown helps you see your environment more clearly, follow the show, share it with someone who’s on the hook for security outcomes, and leave a quick review to tell us what to tackle next.

Is there a topic/term you want me to discuss next? Text me!!

YouTube more your speed? → https://links.sith2.com/YouTube
Apple Podcasts your usual stop? → https://links.sith2.com/Apple
Neither of those? Spotify’s over here → https://links.sith2.com/Spotify
Prefer reading quietly at your own pace? → https://links.sith2.com/Blog
Join us in The Cyber Sanctuary (no robes required) → https://links.sith2.com/Discord
Follow the human behind the microphone → https://links.sith2.com/linkedin
Need another way to reach me? That’s here → https://linktr.ee/rich.greene

SPEAKER_00:

At some point, organizations realized this uncomfortable truth. The breach didn't come through a broken firewall, it walked in through a valid login. Nothing exploded, nothing looked suspicious at first. Someone just signed in, and well, they kept going.

Welcome to Plain Text with Rich. Today we're talking about zero trust and secure remote access. Now, let's start by clearing something up right away. Zero trust is not a product, it's not a box you install, and it's not a single technology you simply turn on. Zero trust is a design decision. In plain text, zero trust means this. You don't automatically believe a request just because it comes from inside your network. Every access attempt has to earn its way in every time. Not forever, not once per day: per action.

That idea sounds obvious now, but for a long time, security worked very differently. The old model assumed the network was the safe place. If you were on the internal network, you were simply trusted. And that made sense when people worked in offices, applications lived in data centers, devices stayed in one place, the network edge was clear. Security at that time was built like a fence. Keep bad things out, trust what's inside. But the world moved. Work moved to laptops, applications moved to the cloud, vendors needed access, employees logged in from everywhere on this amazing globe, and the fence stopped meaning much. Today, being inside the network doesn't say anything useful about risk. A stolen password works just as well from a coffee shop as it does from a corporate office.

That's why zero trust exists. It's a response to a simple reality. Access is the attack surface now. Most modern incidents don't start with breaking in, they start with signing in. Which means the question changes. Instead of asking how do we protect the network, zero trust asks, how do we decide who gets access to what right now? That decision usually depends on a few core signals.

First up, identity. Who is making the request and how confident are we that it's really them? Passwords alone aren't enough anymore. They're copied too easily. We know this. That's why we have things like multi-factor authentication. That's why it matters so much in zero trust. Again, it's not about convenience, it's about confidence.

Second, we look at the device. Again, zero trust doesn't just ask who you are, it asks what you're using. Is the device updated? Is it encrypted? Is it managed? Is it known? A valid user on a compromised device is still a risky situation.

And third, we want to look at access scope. In zero trust, access is specific. You don't get a blanket pass to the network itself. You get access to exactly what you need right now. Nothing more. That's the principle of least privilege, and it's one of the biggest risk reducers available.

Fourth, we look at segmentation. Zero trust assumes something will go wrong eventually. So instead of hoping it doesn't, right, it limits how far problems can spread. If one account is compromised, that compromise should hit walls quickly. That's not pessimism, that's containment.

Now let's talk about the question that always comes up. Rich, what about VPNs? VPNs were designed for a different era. They extend the internal network to wherever the user is, right? Once connected, a lot becomes reachable. The model isn't broken, but at times it can be a little broad. Now, zero trust remote access flips that idea. Instead of connecting people to networks, it connects them to applications. You don't get a hallway past the entire building, you get access to a single room. And only if conditions are met. That approach is often what you might hear called zero trust network access or ZTNA. The name isn't important, the behavior really is. If credentials are stolen, the blast radius is smaller. If a device becomes risky, access can be reduced or cut. If behavior changes, verification increases. As always, when it comes to security, the goal here isn't perfection. The goal is limiting damage and detecting problems faster.

So what does this look like in practice? Throw into that your plain text zero trust starter kit. For here, we're looking at high impact, reasonable effort, understanding a lot of these are going to apply towards small businesses and it could go even further to medium and large of the enterprises. Right?

First, protect identity with strong authentication. As always, multi-factor authentication on email, remote access, admin accounts, absolutely foundational. Again, as we already know, hopefully by this point, if a password alone can unlock your environment, you don't have zero trust.

Next, we want to look at separate daily accounts from admin accounts. No one should be browsing email and deleting servers from the same identity. Admin access should be deliberate, limited, and visible, right? So separate accounts for those individuals.

We want to map access paths. Write down how people actually get in, right? Their email, their SSO, VPN, cloud consoles, remote management tools, vendor portals, right? You can't control access you haven't acknowledged. So we need to have visibility on all of those.

For fourth, we want to set basic device requirements, right? We want to make sure that all systems: updated operating systems, disk encryption, screen locks, known devices. Unhealthy devices shouldn't get sensitive access. Seems pretty easy here.

Fifth, we want to reduce broad network access. Start with your most critical systems first. Think finance platforms, production environments, administrative consoles. Move from connect to everything to connect only to what's necessary. If you can go further, add these other things: segment flat networks, log access changes and privilege escalation, time limit vendor access, practice account compromise scenarios. All right. Ask one question during these exercises. If this account is abused today, how bad does it get? Your answer tells you how close you are to zero trust.

If we could for a moment, let's clear up a few misconceptions. Zero trust does not mean trusting no one, it means trust is conditional. Zero trust is not a single purchase. Remember, this is an architecture. And zero trust isn't just for large companies. Smaller organizations can honestly benefit the most because a single compromised account can be devastating in smaller orgs.

So here's our plain text takeaway. Zero trust isn't about stopping every breach, it's about assuming some will happen and designing systems that limit damage and speed recovery. Remember, trust isn't removed, it's measured, and in modern environments, measured trust is the only kind that scales.

Now, if there's a security topic you want broken down in plain text, send it my way. Email, DM, comments, however you reach me, I will read it, I will respond. And if this episode helped, please share it with someone who'd actually benefit. This has been Plain Text with Rich. 10 minutes or less, one topic, no panic. I'll see you next time.