
Zero Trust Architecture: The Identity-First Security Model for Remote and Hybrid Organisations

Your perimeter dissolved years ago. Users work from home, data lives in Microsoft 365 and AWS, and partners connect from networks you will never control. Zero Trust treats network location as irrelevant: it verifies identity and device health on every request, regardless of where that request originates.

R
Lead Consultant, Cyvra
15 June 2026
11 min read
Key Takeaways
  • Zero Trust is a security architecture, not a product. The underlying principle: verify identity and device health on every request, enforce least privilege, and design as if breach has already occurred.
  • John Kindervag introduced the model at Forrester Research in 2010. NIST formalised it in Special Publication 800-207 in 2020, which remains the authoritative implementation reference.
  • Zero Trust has five pillars: Identity, Devices, Network, Applications, and Data. Starting with Identity gives the biggest risk reduction for the least infrastructure change.
  • Conditional Access policies in Microsoft Entra ID enforce the identity and device pillars. Microsoft 365 Business Premium includes them at a price most SMEs already pay.
  • Zero Trust works with infrastructure you already have. MFA, device management, and network segmentation all map to the framework. You extend them, not replace them.
  • Zero Trust satisfies most NIS2 Article 21 access control requirements and ISO 27001 Annex A identity and network controls without needing separate compliance projects.

Why the perimeter is gone

Traditional network security rested on a single assumption: traffic inside the corporate network is trusted, traffic outside is not. A firewall held the line. Remote workers tunnelled in through VPN. That worked when most users sat in the same building, most applications ran on kit you owned, and most data lived on servers you could physically touch.

Today, users work from home, cafes, and client offices. Applications run in Microsoft 365, Salesforce, AWS, and dozens of SaaS platforms you do not operate. Partners and contractors connect from networks you have never seen. All of that happens outside the perimeter, yet the firewall keeps treating internal traffic as inherently trustworthy.

An attacker who compromises one laptop, one phished account, or one VPN credential lands inside the trusted zone. Internal traffic goes largely uninspected. Internal systems grant access to anything that arrived through the right entry point. Lateral movement is a matter of minutes.

Zero Trust removes network location from the trust equation. Access decisions turn on your identity, your device's compliance state, and the specific resource you are trying to reach. The network you connect from is irrelevant.

  • 82% of breaches involved cloud assets, hybrid environments, or remote access in 2024 (Verizon DBIR)
  • $1.76M average reduction in breach cost for organisations with mature Zero Trust, versus those without (IBM)
  • 76% of security leaders cite Zero Trust as a strategic priority for their organisations

The five pillars

NIST SP 800-207 organises Zero Trust around five control planes. Most organisations start with Identity, since compromised credentials drive the majority of initial access, and build out from there.

1. Identity

Verify every user and service account before granting access. That means MFA on all accounts, Conditional Access policies that evaluate risk at each sign-in, and PIM that requires time-limited activation for administrative roles. Credentials drive the majority of initial access in enterprise breaches, which is why Identity returns the highest security gain per hour of implementation work.

2. Devices

Sensitive resources should be reachable only from managed, compliant devices: OS patched, disk encrypted, EDR running, enrolled in MDM. Conditional Access enforces this at sign-in. A user who authenticates from a personal laptop gets blocked or redirected to a browser-only session.

3. Network

Microsegmentation divides the internal network into zones with explicit access controls between them, so a compromised device in one segment cannot reach systems in another. ZTNA replaces VPN with application-level tunnels: the user connects to one specific service, nothing else. East-west traffic inspection monitors for lateral movement inside the boundary.

4. Applications

Treat every application as internet-facing. Enforce authentication at the application layer whether the user is on the corporate network or at home. CASB tools extend visibility to SaaS platforms you do not operate. Remove any application that grants unauthenticated access from inside the network.

5. Data

Classify data by sensitivity and enforce access controls that follow the data, not the network perimeter. DLP policies block exfiltration to personal cloud storage. Rights management encryption prevents a document opened on an unmanaged device from being printed or forwarded. Most organisations tackle this pillar last: it requires the most effort and depends on the other four being in place.

Starting with identity

The identity pillar is the standard starting point. It addresses the most common attack path, works with tools you likely already licence, and requires no network infrastructure changes.

Conditional Access policies

Conditional Access is the enforcement engine. Each sign-in is assessed against a set of signals: user identity, device state, sign-in location, target application, and risk signals from the identity protection engine. The policy then allows, blocks, or demands step-up verification.

A baseline policy set should: require MFA on all cloud applications; block sign-ins from countries where you have no presence; block legacy authentication protocols that cannot complete MFA challenges; require device compliance for sensitive applications; and trigger step-up authentication when the risk engine flags an anomalous sign-in.
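To make the evaluation semantics concrete, here is an added toy model of that baseline set (illustration only, not Entra ID's engine or any Cyvra code). It assumes made-up app names and allowed countries; the point it shows is how several matching policies combine: any block wins, an unmanaged device cannot satisfy a compliance grant control, and MFA is demanded only when the session does not already carry it.

```python
"""Toy Conditional Access evaluator: an added illustration, not Entra ID's own engine."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass
class SignIn:
    user: str
    app: str
    country: str                 # ISO country of the sign-in IP
    device_compliant: bool       # Intune/Jamf compliance state reported with the sign-in
    legacy_auth: bool = False    # basic-auth SMTP/IMAP/POP clients cannot complete MFA
    mfa_satisfied: bool = False  # session already carries a fresh MFA claim
    risk: str = "none"           # "none", "medium" or "high" from the identity protection engine

@dataclass
class Policy:
    name: str
    applies: Callable[[SignIn], bool]   # scope predicate: does this policy match the sign-in?
    control: str                        # "block", "mfa" or "compliant_device"

# Assumed values; a real tenant sets these to its own apps and countries of operation.
SENSITIVE_APPS = {"finance-erp", "hr-portal"}
ALLOWED_COUNTRIES = {"GB", "IE", "NL"}

# The baseline set described above, one policy each.
BASELINE = [
    Policy("Require MFA on all cloud apps", lambda s: True, "mfa"),
    Policy("Block countries with no presence", lambda s: s.country not in ALLOWED_COUNTRIES, "block"),
    Policy("Block legacy authentication", lambda s: s.legacy_auth, "block"),
    Policy("Require compliant device for sensitive apps", lambda s: s.app in SENSITIVE_APPS, "compliant_device"),
    Policy("Step-up on risky sign-in", lambda s: s.risk in {"medium", "high"}, "mfa"),
]

def evaluate(s: SignIn, policies=BASELINE) -> Tuple[str, List[str]]:
    """Every policy whose scope matches is applied. A single block wins outright; otherwise
    all grant controls of the matching policies must be met, or the sign-in is stopped."""
    matched = [p for p in policies if p.applies(s)]
    blocks = [p.name for p in matched if p.control == "block"]
    if blocks:
        return "block", blocks
    needs_device = [p.name for p in matched if p.control == "compliant_device"]
    if needs_device and not s.device_compliant:
        return "block", needs_device       # an unmanaged device cannot satisfy this grant control
    needs_mfa = [p.name for p in matched if p.control == "mfa"]
    if needs_mfa and not s.mfa_satisfied:
        return "mfa", needs_mfa            # step-up prompt before the token is issued
    return "allow", []
```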

Privileged Identity Management

Admin accounts are the highest-value target in any environment. PIM removes persistent privilege: an administrator requests, justifies, and activates a role for a time-limited session. Between sessions the account holds no administrative permissions. A credential stolen outside an active session gives an attacker nothing to work with.

Microsoft 365 and Zero Trust

Microsoft 365 Business Premium includes Entra ID Conditional Access, Intune for device management, Defender for Business as the EDR, and Defender for Cloud Apps as a CASB. One licence covers the identity, device, and application pillars for most SMEs. The hard part is configuration, not cost.

Device trust and compliance

Confirming the user's identity is only half the check. A valid MFA login from a laptop running unpatched software or carrying an active infection still represents a real access risk.

Compliance policies in Intune or Jamf define the minimum bar: OS version, encryption, EDR agent, screen lock, and jailbreak detection for mobile. Conditional Access checks compliance at sign-in and blocks access for devices that fall short.

If you allow personal devices, split the access model: managed devices get full resource access; unmanaged devices get browser-only sessions through a reverse proxy, with DLP enforced at the session layer to block downloads.

Network segmentation in practice

Start with your highest-value assets: finance systems, Active Directory domain controllers, backup infrastructure, and any OT if present. Isolate them with deny-by-default inbound rules, permitting only the specific flows each service legitimately needs. You do not need to segment the entire network to get most of the value.

Cloudflare Access, Zscaler Private Access, and similar ZTNA platforms sit in front of internal applications and run identity and device checks before opening a connection. The user's device never joins the corporate network. It reaches one service through an application-level tunnel. A compromised VPN credential no longer opens the whole network.

Zero Trust and regulatory compliance

Zero Trust controls satisfy requirements across the major frameworks European organisations face.

NIS2 (Article 21) requires access control policies, multi-factor authentication, and network security measures for entities in scope. The identity and network pillars address each of those directly. Device compliance policies cover the endpoint security requirement. Logging all access attempts satisfies the audit obligations.

ISO 27001 Annex A controls A.5.15 (access control), A.5.16 (identity management), A.5.17 (authentication information), A.8.20 (network security), and A.8.22 (network segregation) are all addressed by a Zero Trust implementation. The controls required by ISO 27001 and those required by Zero Trust overlap to the point where implementing one builds most of the other.

DORA requires logical network segmentation and multi-factor authentication for financial entities. Zero Trust gives you a single architecture that covers those obligations rather than treating each requirement as a separate project.

Zero Trust is built on a single premise: you will be breached. The question it answers is how much an attacker can reach from their first foothold.

Five steps to start

1. Audit identity

List every user account, service account, and privileged role. Remove or disable anything no longer in use. Enable MFA on all accounts and block legacy authentication protocols. This is where most credential-based attacks enter.

2. Deploy Conditional Access

Define and enforce a baseline set of Conditional Access policies. Start with requiring MFA for all cloud applications, blocking risky sign-ins, and blocking legacy authentication. Add device compliance requirements once device management is in place.

3. Enrol devices

Enrol all corporate devices in your MDM platform and set compliance policies. Require compliance in Conditional Access for sensitive applications. For unmanaged devices, build a browser-only path with DLP at the session layer.

4. Segment your network

Isolate your highest-value assets behind explicit network controls. Restrict inbound access to identity infrastructure, backup systems, and financial platforms. Evaluate ZTNA as a replacement for legacy VPN for remote access.

5. Extend visibility

Log all identity and access events and route them to a SIEM or monitoring service. Set alerts on impossible travel, first-seen device sign-ins, and admin role activations outside business hours.
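The three alerts in step 5, run over a constructed sign-in log as an added example (not a SIEM product's rules or anything from the original article). The log format, the 900 km/h travel threshold and the 08:00 to 17:59 UTC business window are assumptions; the baseline of known (user, device) pairs would come from your own sign-in history.

```python
"""Triage of sign-in and PIM events for the three step-5 alerts (constructed example)."""
import json
import math
from datetime import datetime

# Constructed sample events: UTC timestamp, user, device id, approximate lat/lon, event type.
SAMPLE_LOG = """\
{"ts":"2026-06-15T08:05:00+00:00","user":"alice","device":"LT-0041","lat":51.5,"lon":-0.12,"event":"signin"}
{"ts":"2026-06-15T09:10:00+00:00","user":"alice","device":"LT-0041","lat":40.71,"lon":-74.0,"event":"signin"}
{"ts":"2026-06-15T10:00:00+00:00","user":"bob","device":"LT-0017","lat":53.48,"lon":-2.24,"event":"signin"}
{"ts":"2026-06-15T10:30:00+00:00","user":"bob","device":"PH-9999","lat":53.48,"lon":-2.24,"event":"signin"}
{"ts":"2026-06-15T23:15:00+00:00","user":"bob","device":"PH-9999","lat":53.48,"lon":-2.24,"event":"pim_activation","role":"Global Administrator"}
"""

MAX_SPEED_KMH = 900            # faster than a commercial flight: treat as impossible travel
BUSINESS_HOURS = range(8, 18)  # 08:00 to 17:59 UTC counts as in-hours (assumed)

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2, dl = math.radians(lat1), math.radians(lat2), math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 6371 * 2 * math.asin(math.sqrt(a))

def triage(log_text, known_devices=()):
    """Return (alert, user, detail) tuples in event order; known_devices is the (user, device) baseline."""
    seen = set(known_devices)
    last = {}        # user -> (timestamp, lat, lon) of the previous sign-in
    alerts = []
    for line in log_text.strip().splitlines():
        e = json.loads(line)
        ts = datetime.fromisoformat(e["ts"])
        if e["event"] == "signin":
            if (e["user"], e["device"]) not in seen:
                alerts.append(("first_seen_device", e["user"], e["device"]))
                seen.add((e["user"], e["device"]))
            if e["user"] in last:
                pts, plat, plon = last[e["user"]]
                hours = (ts - pts).total_seconds() / 3600
                km = haversine_km(plat, plon, e["lat"], e["lon"])
                if hours > 0 and km / hours > MAX_SPEED_KMH:
                    alerts.append(("impossible_travel", e["user"], f"{km:.0f} km in {hours:.2f} h"))
            last[e["user"]] = (ts, e["lat"], e["lon"])
        elif e["event"] == "pim_activation":
            # Weekend (weekday >= 5) or outside the business window: flag the activation.
            if ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5:
                alerts.append(("admin_activation_out_of_hours", e["user"], e["role"]))
    return alerts
```

Feed it `triage(SAMPLE_LOG, [("alice", "LT-0041"), ("bob", "LT-0017")])` and it flags alice's London-to-New-York hop an hour apart, bob's never-before-seen phone, and bob's late-night Global Administrator activation.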

Common questions

Is Zero Trust a product you can buy?

No. Zero Trust is a security architecture, not a product. Vendors sell things they call 'Zero Trust solutions,' but the architecture requires you to change how you manage identity, devices, network access, and application controls. Entra ID, Okta, Intune, Jamf, and ZTNA platforms all support parts of it. None of them cover all of it.

Can a small business implement Zero Trust?

Yes. The starting point is the same regardless of size: MFA on all accounts, Conditional Access policies, and device compliance checking. Microsoft 365 Business Premium includes Entra ID Conditional Access and Intune. The identity and device pillars alone remove most of the risk and are achievable within a few months. The full five-pillar programme is a multi-year effort for larger organisations.

What is the difference between ZTNA and a VPN?

A VPN grants network-level access: once connected, a user can reach anything on the internal network that is not explicitly blocked. ZTNA grants application-level access: the user connects to one specific service and can reach nothing else. ZTNA checks device compliance and verifies identity on every session, not just at initial connection. A compromised account from a ZTNA session gives an attacker access to one application, not the whole network.

How does Zero Trust relate to NIS2 and ISO 27001?

Neither mandates Zero Trust by name, but both require access control, least privilege, network segmentation, and identity management. Those are core Zero Trust controls. Zero Trust satisfies the NIS2 Article 21 requirements for access control, authentication, and network security, and addresses the ISO 27001 Annex A controls A.5.15 to A.5.18 (identity and access management) and A.8.20 to A.8.22 (network controls and segregation).

Zero Trust Assessment

Find out where your identity controls stand

We audit your Conditional Access policies, privileged access posture, and network segmentation against the Zero Trust framework and give you a prioritised remediation plan.