Zero Trust for Local Government: Where to Actually Start

Zero trust sounds great in conference presentations. Here's how to implement it when you have three IT staff and a decade of technical debt.


Every cybersecurity presentation at government conferences now mentions "zero trust." Vendors love the term. It sounds modern, thorough, and appropriately paranoid.

But if you're running IT for a county of 50,000 people with a team of three, "implement zero trust architecture" isn't actionable advice. It's a bumper sticker.

Here's how to actually get started.

Forget the Framework, Start with Identity

Zero trust boils down to one idea: verify everything, trust nothing by default. The most impactful place to start isn't your network perimeter—it's identity.

Week one priorities:

- Audit who has access to what. You'll find former employees, contractors from 2019, and service accounts no one remembers creating.
- Enable MFA everywhere. Start with email and VPN. No exceptions for executives.
- Kill shared accounts. "Finance department" shouldn't be a username.

This isn't glamorous. It's also where most breaches actually happen.
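As an added example (not code from this post), the script below turns a directory export into the week-one findings the list above describes: stale logons, users without MFA, department names used as logins, and service accounts nobody has documented. The CSV columns, the 90-day staleness cutoff and the sample rows are constructed for the example, not any directory product's real export format.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample directory export. Column names are an assumption for this
# example, not any particular directory or vendor's real export format.
SAMPLE_EXPORT = """\
username,type,last_logon,mfa_enabled,owner
jsmith,user,2024-05-01,true,
bjones,user,2019-03-15,false,
finance,user,2024-04-20,false,
svc-backup,service,2024-05-02,false,IT operations
svc-legacy,service,2021-11-30,false,
contractor7,user,2019-08-01,true,
"""

AUDIT_DATE = datetime(2024, 5, 10)       # "today" for the sample run
STALE_AFTER = timedelta(days=90)         # no logon in 90 days -> review or disable
# Logins that name a department rather than a person (assumed list for the example).
SHARED_NAMES = {"finance", "hr", "admin", "reception", "parks", "clerk"}


def audit_accounts(csv_text, today):
    """Return (username, category, detail) findings for the identity audit.

    Categories: stale, no_mfa, shared, unowned_service.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["username"].strip()
        last_logon = datetime.strptime(row["last_logon"], "%Y-%m-%d")
        if today - last_logon > STALE_AFTER:
            findings.append((user, "stale", f"last logon {row['last_logon']}"))
        if row["type"] == "user":
            if row["mfa_enabled"].strip().lower() != "true":
                findings.append((user, "no_mfa", "MFA not enforced"))
            if user.lower() in SHARED_NAMES:
                findings.append((user, "shared", "department name used as a login"))
        elif row["type"] == "service" and not row["owner"].strip():
            findings.append((user, "unowned_service", "no documented owner or purpose"))
    return findings


def summarize(findings):
    """Count findings per category so the week-one report fits on one page."""
    return dict(Counter(category for _, category, _ in findings))


if __name__ == "__main__":
    results = audit_accounts(SAMPLE_EXPORT, AUDIT_DATE)
    for user, category, detail in results:
        print(f"{user:14} {category:16} {detail}")
    print(summarize(results))
```

Swap in your own export and run it before the MFA rollout; the "no_mfa" and "shared" rows are the ones that usually need a conversation, not just a ticket.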

Network Segmentation Without a Forklift Upgrade

The zero trust ideal is microsegmentation—every device in its own bubble, all traffic inspected. That requires infrastructure most local governments don't have.

The pragmatic version:

- Segment by criticality. Your voter registration database doesn't need to be on the same network as the parks department's PCs.
- Isolate IoT devices. HVAC systems, security cameras, and building automation are notorious entry points.
- Create a guest network that's actually separate. "Separate SSID, same network" isn't separation.

Modern firewalls can do this without ripping out your switching infrastructure.

Endpoint Visibility Beats Endpoint Perfection

You can't protect what you can't see. Before buying new security tools, answer these questions:

- How many devices are on your network right now?
- Which ones are running unsupported operating systems?
- When did each device last check in with your management tools?

If you can't answer these confidently, that's your starting point. Asset inventory isn't exciting, but it's the foundation everything else builds on.

The Vendor Pitch vs. Reality

Vendors will sell you "zero trust solutions"—a firewall, an identity product, an endpoint agent. These tools can help, but zero trust isn't a product. It's an operational model.

Questions to ask vendors:

- How does this integrate with what we already have?
- What's the staffing requirement to operate this effectively?
- Can we implement this incrementally, or is it all-or-nothing?

If they can't answer clearly, they're selling you a logo for your next audit presentation, not a capability.

A Realistic 90-Day Plan

Days 1-30: Identity cleanup
- Complete access audit
- Enable MFA on critical systems
- Document service accounts and their purposes

Days 31-60: Visibility
- Deploy or fix asset inventory
- Identify unmanaged devices
- Map critical data flows

Days 61-90: Segmentation
- Isolate highest-risk systems
- Implement network monitoring at segment boundaries
- Create incident response procedures for each segment

This won't get you a zero trust certification (those don't exist anyway). It will meaningfully reduce your attack surface and give you the foundation for whatever comes next.

The Point

Zero trust isn't about buying the right products or achieving some end state. It's about shifting from "protect the perimeter" to "verify continuously."

For local governments, that shift happens incrementally, within budget constraints, alongside everything else you're responsible for.

Start with identity. Get visibility. Segment what you can. That's zero trust in practice—not theory.

---

Need help assessing where your organization stands or building a practical implementation roadmap? [Get in touch](/contact).