CASE STUDY

Zero Trust Without Big Brother

We gave people back their agency — and proved you don't have to spy on your team to keep them secure.

For decentralized, remote-first organizations where culture is competitive advantage — here's how to achieve security without trading your values for surveillance.

No surveillance. Full transparency. User agency.

Industry: Web3 Platform
Team Size: ~50 people, fully remote
Result: Security + culture preserved

The Decentralized Workforce Problem

This wasn't your typical enterprise.

A Web3 organization with 50 people scattered across continents. Fully remote, massively decentralized, and built on principles that made traditional IT security teams nervous: personal privacy, user agency, and challenging the status quo of how work gets done.

The company purchased laptops for employees, but these weren't "corporate machines" with locked-down configs and MDM agents. They were personal devices that happened to be company-owned. No restrictions on software installation. No policies about what you could do with Google Drive or Gmail. Want to use your work laptop for personal projects? Go ahead.

This was a feature, not a bug.

The organization's values were clear: Personal freedom. Transparency. Challenging enterprise orthodoxy. Retention of information, using machines as true personal computers, and treating employees as adults who didn't need IT babysitters — these were core primitives.

But here's the problem: Everyone talks about zero-trust BYOD for decentralized global workforces. Almost nobody actually does it well — because traditional enterprise security conflicts with everything that makes these organizations work.

The Big Brother Problem

When the organization first explored endpoint security, they looked at traditional MDM solutions. Every conversation went the same way:

What MDM Vendors Promised

  • Complete visibility into every device
  • Remote wipe capability
  • Screen recording and keystroke logging
  • Hidden agents that users can't disable
  • Full inventory of all installed software
  • Ability to remotely control and inspect any machine
  • Monitor all file access and network traffic

The security team listened. Then they looked at the engineers, designers, and researchers they worked with — people who'd chosen this organization specifically because it wasn't a surveillance state.

The question became:

"How do we implement strong security measures without becoming Big Brother?"

The Revelation: Transparency IS Security

The security team realized something fundamental: In a zero-trust environment, you don't need surveillance. You need validation of action and transparency.

Traditional MDM

"We'll monitor everything. You won't know what we see. Trust us."

  • Hidden agents
  • Remote access by IT
  • Opaque data collection
  • Top-down enforcement
  • Users have no visibility

Transparent Security

"Here's what we check. Here's who can see it. Here's how to fix issues."

  • Visible controls
  • User-driven remediation
  • Transparent data access
  • Clear policies and expectations
  • Users see what security sees

The Core Principles

  1. Controls must be completely visible to the user — no hidden agents, no surprise data collection
  2. Users remediate their own security posture — security sets the bar, users meet it
  3. Transparency about who has access — users know exactly who can see what within the organization
  4. Preserve user privacy and limit PII exposure — security doesn't need to see everything

The Solution: Security That Preserves Culture

We designed an approach built on a simple premise: you can validate security without violating privacy.

The tool we chose was Kolide — an endpoint agent built on osquery. But the tool isn't what matters. What matters is the philosophy: transparency, user agency, and treating people like adults.

How Transparent Security Works

Built on osquery

Open-source foundation. Users can see exactly what queries run and what data they collect. No black box.

Creates visibility FOR users, not just FOR security

The agent shows users their own security posture. Dashboard displays compliance status, open issues, and remediation steps.

User-driven remediation

Device doesn't meet security baseline? User gets notified directly on their machine with clear instructions on how to fix it. No tickets, no waiting for IT.

Access based on posture

Non-compliant device? User is blocked from accessing company resources — but only until THEY fix the issue themselves. Security sets the bar, users meet it.

Transparent access controls

Users can see exactly who within the organization has access to their device data and what specific information they can view. No hidden administrators.

Privacy-first design

Kolide checks security posture (disk encryption, OS updates, firewall status) without collecting browsing history, personal files, or keystroke data.

The User Experience

Here's what it looks like in practice:

  1. User's disk encryption is disabled (maybe after a macOS update)
  2. Kolide agent notifies them directly: 'Your disk isn't encrypted. Here's how to fix it.'
  3. User follows the steps, re-enables encryption
  4. Kolide verifies the fix automatically — user regains access

No help desk tickets. No waiting for IT. No surveillance. Just clear expectations and user agency.
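The flow above, and the "what we check" list that follows, can be made concrete as a published check manifest plus an evaluator: every query, the bar it must meet, and the fix are visible to the user, and access follows posture alone. This is an added illustration, not Kolide's or osquery's own code; the table and column names (disk_encryption.encrypted, alf.global_state, os_version.version), the 14.4 baseline and the sample rows are assumptions and constructed data.

```python
"""Transparent posture evaluation in the style this page describes.
Added example, not Kolide's or osquery's code. osquery table/column names
and the OS baseline are assumptions; SAMPLE_RESULTS is constructed."""


def _at_least(version, minimum):
    """True if dotted version string meets the (major, minor) minimum."""
    parts = tuple(int(p) for p in version.split(".")[:len(minimum)])
    parts += (0,) * (len(minimum) - len(parts))
    return parts >= minimum


# Published to the user: the exact query, the bar, and the remediation.
# Nothing runs on the device that is not in this list.
CHECKS = [
    {"name": "disk_encryption",
     "query": "SELECT name, encrypted FROM disk_encryption;",
     "passes": lambda rows: any(r.get("encrypted") == "1" for r in rows),
     "fix": "Turn on FileVault: System Settings > Privacy & Security > FileVault."},
    {"name": "firewall",  # alf.global_state: 0 = off, 1 = on, 2 = block all incoming
     "query": "SELECT global_state FROM alf;",
     "passes": lambda rows: any(r.get("global_state") in ("1", "2") for r in rows),
     "fix": "Enable the firewall: System Settings > Network > Firewall."},
    {"name": "os_version",  # assumed baseline: macOS 14.4 or newer
     "query": "SELECT version FROM os_version;",
     "passes": lambda rows: any(_at_least(r.get("version", "0"), (14, 4)) for r in rows),
     "fix": "Install the pending macOS update (14.4 or newer)."},
]

# Constructed: a laptop whose FileVault was turned off after an update.
SAMPLE_RESULTS = {
    "disk_encryption": [{"name": "disk1s1", "encrypted": "0"}],
    "firewall": [{"global_state": "1"}],
    "os_version": [{"version": "14.4.1"}],
}


def evaluate(results):
    """results: {check name: rows returned by that check's query}.
    The report carries only check status and remediation, never raw device
    data, and it is the same report the user and the security team see."""
    findings = []
    for check in CHECKS:
        ok = check["passes"](results.get(check["name"], []))
        findings.append({"check": check["name"], "query": check["query"],
                         "status": "pass" if ok else "fail",
                         "remediation": None if ok else check["fix"]})
    return findings


def access_decision(findings):
    """Access follows posture: blocked only while a check fails, by the user's own fix."""
    failing = [f["check"] for f in findings if f["status"] == "fail"]
    return {"allowed": not failing, "blocked_by": failing}
```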

What Security Checks (And What It Doesn't)

What We Check

  • Disk encryption status
  • OS version and patch level
  • Firewall enabled
  • Screen lock timeout
  • Antivirus status
  • Known vulnerable software
  • Automatic updates enabled

What We DON'T Check

  • Browsing history
  • Personal files or documents
  • Application usage patterns
  • Keystrokes or screenshots
  • Location data
  • Personal communications
  • Time tracking or activity monitoring

The philosophy: We validate that your device meets security standards. We don't surveil how you use it.

The Outcomes

100% compliance with security baseline — disk encryption, firewalls, patching

Zero escalations to IT for security issues — users fix their own posture

Full transparency — every user knows exactly who sees what

Cultural Impact

What We Avoided

  • "Security vs. freedom" battles
  • User resentment and resistance
  • Trust erosion from surveillance
  • Loss of cultural identity
  • Talent leaving due to monitoring

What We Achieved

  • Security that aligns with values
  • Users as security partners
  • Trust through transparency
  • Cultural integrity preserved
  • Strong security posture

The Trust Factor

The most important outcome wasn't technical — it was cultural. We preserved what made this organization worth joining.

When new employees onboard, they're told: "We validate your device meets security standards. You can see everything we check. You'll get notified if something needs fixing. You're in control."

People who joined this organization specifically to avoid corporate surveillance don't feel surveilled.

Because they're not. They're participants in security, not subjects of it. That's not just a better security posture — it's a better company.

The Template: Zero Trust With User Agency

This isn't just about Kolide. It's about designing security that people want to participate in.

What We Did Right

  • Made controls visible — users see exactly what security sees
  • Empowered users to fix issues themselves — no dependency on IT
  • Preserved privacy by limiting scope — we check security posture, not personal activity
  • Built trust through transparency — clear policies, visible access controls
  • Aligned security with values — zero trust doesn't require surveillance

What We Didn't Do

  • Didn't deploy hidden agents or surveillance tools
  • Didn't compromise organizational values for compliance checkboxes
  • Didn't create dependency on security/IT teams for basic issues
  • Didn't collect data we didn't need 'just in case'
  • Didn't treat users as threats to be monitored

The Core Insight

Zero trust is about validating actions, not monitoring people. When you design security with transparency and user agency at the core, you don't have to choose between strong security and organizational culture — you get both.

Your Culture Is Your Competitive Advantage

Most security consultants will kill what makes your organization special. We won't.

You already know that checkbox security is theater. You know that surveillance doesn't equal safety. And you know your culture — the trust, the autonomy, the way your team actually works — is worth protecting.

If your culture is your competitive advantage, let's make sure security preserves it instead of destroying it.

Details have been generalized to protect confidentiality. The approach, outcomes, and lessons are real.