4UIT / OPS · OTTAWA
// CYBERSECURITY · By Amanjot Singh · December 17, 2025 · 8 min read

Zero Trust: never trust, always verify.

Coined at Forrester in 2010, proven at scale by Google's BeyondCorp, codified by NIST in SP 800-207 and mandated for US federal agencies (OMB M-22-09, 2022). Zero Trust is the dominant security model of the late 2020s. Here is what it actually means, and how an SMB adopts it without rebuilding the network.

The phrase has been on every security vendor's slides since 2020. The actual NIST definition is more concrete than the marketing.

The core idea

Old-world security: a hard perimeter (firewall) with a soft interior. Once you are inside the network, you are trusted. The whole company runs on the assumption that being on the LAN means you should have access to file shares, printers, internal apps.

Zero Trust: there is no inside. Every request — from anyone, on any device, from any network — must be authenticated, authorised, and validated against current context. The perimeter still exists, but it is not the trust boundary.

What NIST actually prescribes

NIST Special Publication 800-207 (August 2020) defines Zero Trust through seven tenets:

  1. All data sources and computing services are considered resources.
  2. All communication is secured regardless of network location.
  3. Access is granted on a per-session basis.
  4. Access is determined by dynamic policy — including identity, device state, and behavioural attributes.
  5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
  6. Authentication and authorisation are dynamic and strictly enforced before access.
  7. The enterprise collects information about the current state of assets, network infrastructure and communications and uses it to improve its security posture.

What this looks like for an SMB

For a 25–100-person Ottawa business on Microsoft 365, the practical translation:

  • Identity first. MFA on every account. No exceptions. Phishing-resistant MFA for admins: a FIDO2 security key, Windows Hello for Business, or a passkey (including a passkey in the Authenticator app). Push approvals in an authenticator app are better than SMS but are not phishing-resistant; an adversary-in-the-middle phishing proxy simply relays them.
  • Conditional Access. Entra ID policies that require a compliant device, block legacy authentication protocols, and require MFA for every sign-in, from the office as well as from outside it: exempting "trusted" networks reintroduces the perimeter assumption the model rejects. Roll each policy out in report-only mode first, and exclude a break-glass account from all of them. Available in M365 Business Premium.
  • Device management. Intune enrolls every laptop. Encryption enforced, screen lock enforced, security baselines applied.
  • Application access. Every SaaS app federated through Entra so it inherits Conditional Access.
  • ZTNA over VPN. Where remote access to internal services is needed, an identity-aware proxy that grants per-app access — not "you are now on the LAN."
  • Continuous monitoring. EDR + MDR. Logs centralised. Anomalies flagged.
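The policies behind the first three bullets above, as an added example written for this edit rather than taken from the 4UIT post or from Microsoft's guidance. It uses the Microsoft Graph PowerShell SDK and assumes the Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users and Microsoft.Graph.Identity.DirectoryManagement modules are installed, that the signed-in account can create Conditional Access policies, and that a break-glass account already exists. The UPN breakglass@contoso.onmicrosoft.com, the ZT01 to ZT04 policy names and the list of admin roles are placeholders chosen here. Every policy is created in report-only mode so its effect can be checked in the sign-in logs before it blocks anyone.

```powershell
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement
# Added example, not code from the original post. Creates the baseline Conditional
# Access policies in report-only mode. $BreakGlassUpn is a placeholder; replace it.
param(
    [string]$BreakGlassUpn = 'breakglass@contoso.onmicrosoft.com'   # hypothetical account
)

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'User.Read.All', 'Directory.Read.All' -NoWelcome

# Every policy excludes the break-glass account so a mis-scoped policy cannot lock out all admins.
$breakGlassId = (Get-MgUser -UserId $BreakGlassUpn).Id

# Look up the built-in "Phishing-resistant MFA" authentication strength by name
# instead of hard-coding its GUID.
$phishResistant = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.PolicyType -eq 'builtIn' -and $_.DisplayName -eq 'Phishing-resistant MFA' }
if (-not $phishResistant) { throw 'Built-in Phishing-resistant MFA strength not found.' }

# Directory role template IDs for the admin roles that get the stronger requirement.
$adminRoles   = 'Global Administrator', 'Security Administrator', 'Exchange Administrator',
                'SharePoint Administrator', 'User Administrator'
$adminRoleIds = @(Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in $adminRoles } |
    Select-Object -ExpandProperty Id)

$allUsers   = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
$allApps    = @{ includeApplications = @('All') }
$modernApp  = @('browser', 'mobileAppsAndDesktopClients')   # clients that can complete MFA
$reportOnly = 'enabledForReportingButNotEnforced'

$policies = @(
    @{  # Legacy protocols (basic auth) cannot present MFA; block them outright.
        displayName   = 'ZT01 Block legacy authentication'
        state         = $reportOnly
        conditions    = @{ users = $allUsers; applications = $allApps
                           clientAppTypes = @('exchangeActiveSync', 'other') }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    },
    @{  # MFA for every sign-in. Deliberately no locations.excludeLocations = 'AllTrusted':
        # the office LAN is not a trust boundary.
        displayName   = 'ZT02 Require MFA for all users from any location'
        state         = $reportOnly
        conditions    = @{ users = $allUsers; applications = $allApps; clientAppTypes = $modernApp }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    },
    @{  # Intune-managed, compliant laptops only. Scoped to desktop platforms so
        # unenrolled phones are not caught by this policy.
        displayName   = 'ZT03 Require compliant device on Windows and macOS'
        state         = $reportOnly
        conditions    = @{ users = $allUsers; applications = $allApps; clientAppTypes = $modernApp
                           platforms = @{ includePlatforms = @('windows', 'macOS') } }
        grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
    },
    @{  # Admin roles must satisfy the phishing-resistant authentication strength.
        displayName   = 'ZT04 Phishing-resistant MFA for admin roles'
        state         = $reportOnly
        conditions    = @{ users = @{ includeRoles = $adminRoleIds; excludeUsers = @($breakGlassId) }
                           applications = $allApps; clientAppTypes = $modernApp }
        grantControls = @{ operator = 'OR'; authenticationStrength = @{ id = $phishResistant.Id } }
    }
)

foreach ($body in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    Write-Host ('Created {0} [{1}] state={2}' -f $created.DisplayName, $created.Id, $created.State)
}

# After reviewing the report-only results in the sign-in logs, enforce one policy at a time:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State 'enabled'
```

Move a policy from report-only to enabled only after its report-only results have been reviewed, and do not enable ZT03 until every laptop is actually enrolled in Intune, or every sign-in from an unenrolled machine will be blocked. The break-glass account should itself be protected by a FIDO2 key and monitored for any sign-in.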

What you do not need

You do not need to rip out your network. You do not need a "Zero Trust platform" sold by a vendor for $50/user/month. You need to apply the principle through tools you mostly already own.

Microsoft publishes a Zero Trust deployment guide mapped to M365 capabilities. The US Cybersecurity and Infrastructure Security Agency (CISA) maintains a Zero Trust Maturity Model (version 2.0, April 2023). Both are public, both are free, and both are how we plan customer implementations.

Talk to us about a Zero Trust roadmap for your environment.

Sources: NIST SP 800-207 Zero Trust Architecture · CISA Zero Trust Maturity Model.

// Frequently asked questions

What is Zero Trust?

A security model that assumes no user, device, or network connection should be inherently trusted — every access request must be authenticated, authorised, and continuously validated. Defined formally in NIST Special Publication 800-207 (August 2020).

Is Zero Trust a product?

No. It is an architectural principle. No single product makes you "Zero Trust." Implementation typically involves identity (Entra ID with Conditional Access), device health checks (Intune), MFA, network segmentation, and continuous monitoring.

What is the difference between Zero Trust and a VPN?

A traditional VPN places the remote user inside the network perimeter, with network-level reach to everything the VPN subnet can route to. Zero Trust Network Access (ZTNA) gives the user access only to the specific applications they are entitled to, after verifying their identity, device posture, and context for each session.

Can a small business actually do Zero Trust?

Yes — and the M365 stack makes it straightforward. Entra ID Conditional Access + MFA + Intune-managed devices + sensible app permissions covers the first 80%. You do not need to buy a separate "Zero Trust platform."

Where do I start with Zero Trust?

Identity first. Enforce MFA on every account, then deploy Conditional Access policies (block legacy auth, restrict sign-ins by country), each in report-only mode before enforcement. Enrol devices in Intune next, and once every laptop is enrolled, add the policy that requires a compliant device. Network segmentation comes last.
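A check to run before starting and again after each step, added for this edit (it is not the post's own tooling or a Microsoft script): it reads the tenant's Conditional Access policies through the Microsoft Graph PowerShell SDK and reports the gaps this post argues against, including an MFA policy that waives the requirement on "trusted" locations. It assumes the Microsoft.Graph.Identity.SignIns module is installed and the Policy.Read.All scope has been consented; the function name Test-ZeroTrustBaseline is chosen here.

```powershell
#Requires -Modules Microsoft.Graph.Identity.SignIns
# Added example, not code from the original post. Audits existing Conditional Access
# policies against the baseline described in this post and returns a list of findings.

function Test-ZeroTrustBaseline {
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Policies)

    $findings = [System.Collections.Generic.List[string]]::new()
    $enabled  = @($Policies | Where-Object State -eq 'enabled')

    # 1. An enforced policy blocks legacy (basic-auth) clients for all users.
    $legacyBlock = $enabled | Where-Object {
        $_.GrantControls.BuiltInControls -contains 'block' -and
        $_.Conditions.ClientAppTypes -contains 'other' -and
        $_.Conditions.Users.IncludeUsers -contains 'All'
    }
    if (-not $legacyBlock) { $findings.Add('No enforced policy blocks legacy authentication for all users.') }

    # 2. An enforced MFA requirement (built-in control or authentication strength) reaches
    #    all users, and is not waived on trusted locations.
    $mfaAll = @($enabled | Where-Object {
        ($_.GrantControls.BuiltInControls -contains 'mfa' -or $_.GrantControls.AuthenticationStrength.Id) -and
        $_.Conditions.Users.IncludeUsers -contains 'All'
    })
    if ($mfaAll.Count -eq 0) { $findings.Add('No enforced policy requires MFA for all users.') }
    foreach ($p in $mfaAll) {
        if ($p.Conditions.Locations.ExcludeLocations -contains 'AllTrusted') {
            $findings.Add("'$($p.DisplayName)' waives MFA on trusted locations: the LAN is being treated as a trust boundary.")
        }
    }

    # 3. Report-only policies are drafts, not controls; list them so they are not forgotten.
    foreach ($p in ($Policies | Where-Object State -eq 'enabledForReportingButNotEnforced')) {
        $findings.Add("'$($p.DisplayName)' is still report-only and enforces nothing.")
    }

    # 4. Every all-users policy must exclude at least one account (the break-glass account).
    foreach ($p in ($enabled | Where-Object { $_.Conditions.Users.IncludeUsers -contains 'All' })) {
        if (-not $p.Conditions.Users.ExcludeUsers) {
            $findings.Add("'$($p.DisplayName)' applies to all users with no excluded break-glass account.")
        }
    }
    return $findings
}

Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome
$findings = Test-ZeroTrustBaseline -Policies @(Get-MgIdentityConditionalAccessPolicy -All)
if ($findings.Count -eq 0) { 'Conditional Access baseline met.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

The checks are deliberately conservative: a policy scoped to a group rather than All does not count as covering all users, and a policy that grants MFA through a custom authentication strength is counted as an MFA requirement but is not inspected further, so review any finding against the policy in the portal before acting on it.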
