Zero-trust file sharing: a maturity model for professional services firms

James Liu · 2025-06-15

"Zero trust" started as an architecture pattern at Forrester and ended up as a marketing word. The marketing dilution doesn't change the underlying principle: verify every access, every time, regardless of network position. For document sharing, that principle translates into a maturity model with five levels.

Level 0: perimeter only

Files live behind a VPN. SFTP server inside the network. Authentication once, trusted forever. Most legacy firms still operate here for at least some workflows. The implicit assumption is that "inside the network" equals "trustworthy" — an assumption that hasn't held up since at least 2010.

Level 1: per-user authentication

SSO across services. Conditional access policies in Entra ID or Okta. Multi-factor authentication enforced. The user is authenticated at the application boundary. But once authenticated, file access is unfettered. Most professional services firms are here today.

Level 2: per-recipient policy

Outbound files use time-boxed links. Recipients are identity-verified at open time (email code, SMS, SSO). Each access is logged individually. Forwarding a link doesn't grant access to the new recipient — the new recipient is challenged independently. This is where most firms should be.
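The Level 2 properties just described (a time-boxed link, an identity bound to the recipient, a forwarded link that fails the new recipient's challenge, one audit record per access) as an added example; this is not code from the post or from any product it describes. The HMAC-signed token format, the signing key and the sample identities are constructed for illustration, and the identity challenge itself (email code, SMS, SSO) is assumed to have already produced `verified_identity`.

```python
import base64, hashlib, hmac, json
# Assumption: a server-side signing key (constructed value); a real service keeps it in a secret store.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def create_share_link(doc_id: str, recipient: str, ttl_seconds: int, now: float) -> str:
    """Mint a time-boxed token bound to one recipient identity; the HMAC tag prevents edits."""
    claims = {"doc": doc_id, "rcpt": recipient.lower(), "exp": int(now) + ttl_seconds}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return f"{_b64e(body)}.{_b64e(tag)}"

def open_link(token: str, verified_identity: str, now: float, audit_log: list) -> tuple:
    """Decide access at open time. `verified_identity` is what the challenge proved; a forwarded
    link fails because that identity is not the one bound into the token. Every attempt is logged."""
    decision, claims = "deny", {}
    try:
        body, tag = (_b64d(part) for part in token.split("."))
        expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            reason = "signature mismatch"                # edited or forged token
        else:
            claims = json.loads(body)
            if not isinstance(claims, dict) or {"doc", "rcpt", "exp"} - set(claims):
                claims, reason = {}, "malformed token"
            elif now > claims["exp"]:
                reason = "link expired"                  # time box closed
            elif claims["rcpt"] != verified_identity.lower():
                reason = "identity not bound to link"    # forwarded to someone else
            else:
                decision, reason = "allow", "ok"
    except (ValueError, TypeError):                      # bad base64, bad JSON, non-numeric exp
        reason = "malformed token"
    audit_log.append({"ts": int(now), "doc": claims.get("doc"), "bound_to": claims.get("rcpt"),
                      "presented": verified_identity.lower(), "decision": decision, "reason": reason})
    return decision == "allow", reason

def demo() -> list:
    """Constructed walkthrough: legitimate open, forwarded link, expired link, edited token."""
    t0, log = 1_750_000_000.0, []
    link = create_share_link("engagement-2025-q2.pdf", "Partner@ClientCo.example", 3600, t0)
    open_link(link, "partner@clientco.example", t0 + 60, log)      # allow
    open_link(link, "assistant@clientco.example", t0 + 120, log)   # deny: forwarded, new identity
    open_link(link, "partner@clientco.example", t0 + 4000, log)    # deny: past the time box
    body_b64, tag_b64 = link.split(".")
    edited = _b64e(_b64d(body_b64).replace(b"partner@", b"assistant@"))
    open_link(f"{edited}.{tag_b64}", "assistant@clientco.example", t0 + 60, log)  # deny: tag mismatch
    return log
```

The audit list `demo()` returns is the per-access log the level calls for: one record per attempt, including the denied ones, which is what a reviewer would query when a link turns up somewhere it should not have.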

Concrete capabilities at this level:

Level 3: per-document policy

Policies attach to the document itself, not the link. Watermarks render server-side per recipient. Forwarding is detected and either prevented or attributed. Documents can be revoked even after they've been downloaded (DRM-style). View tracking is page-level.

This level requires viewer integration — the recipient must use a controlled viewer rather than downloading raw PDFs. The tradeoff is friction. Worth it for highly sensitive content; overkill for routine sharing.

Level 4: continuous adaptive

Access decisions reflect ongoing risk signals: device posture, geolocation, behavioral baseline, threat intelligence. A user who normally accesses from Boston suddenly accessing from a new country triggers re-authentication. A bulk download pattern triggers an MFA challenge. This level requires meaningful security data engineering and is rare in professional services today.

Where to start

Most firms can move from Level 0 to Level 2 in one quarter:

  1. Adopt SSO across all client-touching applications (eliminates per-app credentials)
  2. Deploy a portal with per-recipient identity verification
  3. Sunset SFTP and shared-folder workflows
  4. Train users on the new patterns; measure adoption

Maturity is incremental. The biggest jumps in real-world security come from Level 0 to Level 2 — beyond that, returns diminish unless you have a specific threat model that justifies them. Pick the next level, not the destination.

Written by James Liu. Have feedback? Reach out at hello@verifypg.com.