Security Controls

Zero Trust

Also known as: Zero Trust Architecture, ZTA, Zero Trust Network Access, ZTNA

Zero Trust is a security model built on one principle: never trust, always verify. Every request to access any resource, from inside or outside your network, is authenticated, authorised, and checked against a policy, every time. There’s no “trusted internal network” where a user or device is assumed safe because they’re behind the office firewall.

It’s a big shift from the old model of building a strong perimeter and treating everything inside it as safe. Modern working (cloud services, remote work, contractors, personal devices) has made the old perimeter essentially meaningless.

The core principles

  1. Verify explicitly. Authenticate every user, every device, every request, based on all available signals including identity, location, device health, and data sensitivity.
  2. Use least-privilege access. Give users the minimum permissions they need, for the shortest time they need them.
  3. Assume breach. Design controls on the assumption that an attacker is already inside somewhere. Limit the blast radius.

What Zero Trust looks like in practice for an SMB

Zero Trust isn’t a product you buy, it’s an approach you work towards. For a typical UK SMB, practical first steps include:

  • Strong identity: Multi-Factor Authentication on every account, especially admin accounts
  • Device compliance: only allowing managed, patched, encrypted devices to access company data
  • Conditional access: policies that require extra verification for risky sign-ins (unknown location, suspicious behaviour)
  • Network segmentation: dividing the network so an attacker in one area can’t easily reach another
  • Just-in-time admin: admins only get elevated access when they need it, not all the time

Is Zero Trust worth pursuing for a small business?

Yes, but in stages. Full Zero Trust is an enterprise-scale programme; SMBs should adopt the principles proportionately. The biggest wins for most UK SMBs come from:

  1. MFA everywhere
  2. Microsoft 365 Conditional Access (or Google equivalent)
  3. Managed devices only for company data
  4. Removing standing admin rights

These four together take most SMBs from “perimeter” to “meaningfully Zero Trust” without a massive project.
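To make the practical steps and the four wins above concrete, here is an added example (not code from this page, nor the logic of Microsoft 365 Conditional Access or any vendor product): a small policy evaluator that checks every request against the signals the page lists, defaults to deny, asks for step-up verification on a risky sign-in, and only honours admin rights backed by a time-boxed just-in-time grant. The request fields, the `NOW` reference time and the sensitivity labels are assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed reference time so the example is deterministic.
NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)

@dataclass
class AccessRequest:
    user: str
    mfa_passed: bool           # strong identity: MFA on every account
    device_managed: bool       # device compliance signals
    device_patched: bool
    device_encrypted: bool
    known_location: bool       # sign-in risk signal
    data_sensitivity: str      # assumed labels: "public", "internal", "confidential"
    needs_admin: bool = False  # elevated rights requested for this action

@dataclass
class AdminGrant:
    user: str
    expires: datetime          # just-in-time elevation is always time-boxed

def jit_grant(user: str, minutes: int, now: datetime = NOW) -> AdminGrant:
    """Issue a short-lived admin grant instead of standing admin rights."""
    return AdminGrant(user, now + timedelta(minutes=minutes))

def evaluate(req: AccessRequest, grants: dict, now: datetime = NOW) -> str:
    """Return 'allow', 'step_up' or 'deny'. Every request is checked and the
    default is deny, so a missing signal never turns into access."""
    # Verify explicitly: no MFA, no access, regardless of network location.
    if not req.mfa_passed:
        return "deny"
    # Device compliance: only managed, patched, encrypted devices see company data.
    if not (req.device_managed and req.device_patched and req.device_encrypted):
        return "deny"
    # Least privilege / JIT admin: elevation needs a live, unexpired grant.
    if req.needs_admin:
        grant = grants.get(req.user)
        if grant is None or grant.expires <= now:
            return "deny"
    # Conditional access: an unknown location is a risky sign-in, so anything
    # beyond public data requires extra verification before it is allowed.
    if not req.known_location and req.data_sensitivity != "public":
        return "step_up"
    return "allow"

if __name__ == "__main__":
    grants = {"alice": jit_grant("alice", minutes=30)}
    req = AccessRequest("alice", True, True, True, True, True, "confidential", needs_admin=True)
    print(evaluate(req, grants))  # allow
```

Note that the checks are ordered so that hard denials (no MFA, non-compliant device, expired or missing admin grant) are decided before any step-up prompt is offered.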

How we help

Our cyber security service and managed IT service are built around these principles. We implement Zero Trust pragmatically: the controls that move the needle for a specific business, not a checklist from a whitepaper.