🔒 Security

What Is Zero Trust Security and How Do You Actually Implement It?

Published 20 March 2026

Zero Trust gets thrown around as a buzzword by every vendor in the security space, which makes it easy to dismiss as marketing. Underneath the jargon, the concept is straightforward and genuinely useful: stop trusting the network and start verifying every request explicitly, regardless of where it comes from.

Traditional security assumed that anything inside the corporate network could be trusted. Once you were on the VPN or the office LAN, you had broad access. Zero Trust assumes the opposite - that the network is already compromised, and every access request needs to be verified on its own merits.

The Core Idea

💡 Concept

The name comes from the idea of having zero implicit trust - no device, user, or network segment is trusted by default just because of where it sits. Every access attempt is evaluated against a set of signals before being granted.

Those signals typically include:

  • Identity - who is the user, and have they authenticated strongly?
  • Device - is the device managed, compliant with security policies, and healthy?
  • Location - is the sign-in coming from an expected location or an anomalous one?
  • Application - which resource is being accessed, and is this request normal?
  • Data - what data is being accessed, and does the user actually need it?

Access decisions are made continuously, not just at initial login. A session that starts clean can be challenged again if conditions change mid-session.
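To make the signal-based, continuous evaluation concrete, here is an added illustration (not code from the original post) of a small policy decision point: it applies default deny, checks each of the five signal categories listed above, and re-runs the decision every time a signal changes mid-session. The resource tiers, thresholds and the sample user are assumptions chosen for the example.

```python
"""Toy Zero Trust policy decision point (added example, not from the post).

Default deny; every signal category must clear before access is allowed,
and a session is re-evaluated whenever one of its signals changes."""
from __future__ import annotations
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str                # "public", "internal" or "confidential"
    expected_countries: frozenset   # where sign-ins to it normally originate


@dataclass(frozen=True)
class Signals:
    user: str
    authenticated: bool             # identity: has the user authenticated at all?
    mfa_satisfied: bool             # identity: was a strong factor presented?
    device_managed: bool            # device: enrolled and under management
    device_compliant: bool          # device: currently meets compliance policy
    country: str                    # location of this request
    resource: Resource              # application being accessed
    user_cleared_for: frozenset     # data: sensitivity tiers this user may see


ALLOW, CHALLENGE, DENY = "allow", "challenge", "deny"


def evaluate(s: Signals) -> tuple[str, list[str]]:
    """Return the decision and the reasons behind it."""
    reasons = []
    # Identity: an unauthenticated request never gets anything.
    if not s.authenticated:
        return DENY, ["not authenticated"]
    # Data / least privilege: the user must be cleared for this tier.
    if s.resource.sensitivity not in s.user_cleared_for:
        return DENY, [f"{s.user} not cleared for {s.resource.sensitivity} data"]
    # Device: unmanaged devices are limited to public resources.
    if s.resource.sensitivity != "public" and not s.device_managed:
        return DENY, ["unmanaged device"]
    # Device health drifting out of compliance triggers a challenge, not a pass.
    if not s.device_compliant:
        reasons.append("device out of compliance")
    # Location: an unexpected country is a step-up signal.
    if s.country not in s.resource.expected_countries:
        reasons.append(f"sign-in from unexpected country {s.country}")
    # Identity strength: confidential data always needs MFA.
    if s.resource.sensitivity == "confidential" and not s.mfa_satisfied:
        reasons.append("MFA required for confidential data")
    if reasons:
        return CHALLENGE, reasons
    return ALLOW, ["all signals satisfied"]


def session_timeline(initial: Signals, changes: list[dict]) -> list[str]:
    """Re-run the decision after each signal change. Changes accumulate, so
    a session that started clean is not trusted once its signals degrade."""
    current = initial
    decisions = [evaluate(current)[0]]
    for change in changes:
        current = replace(current, **change)
        decisions.append(evaluate(current)[0])
    return decisions


# Constructed sample: a finance share normally accessed from GB by a cleared user.
FINANCE = Resource("finance-share", "confidential", frozenset({"GB"}))
CLEAN = Signals(user="alice", authenticated=True, mfa_satisfied=True,
                device_managed=True, device_compliant=True, country="GB",
                resource=FINANCE,
                user_cleared_for=frozenset({"public", "internal", "confidential"}))

if __name__ == "__main__":
    print(evaluate(CLEAN))
    # Starts clean, device falls out of compliance, location then moves,
    # and finally both signals recover: each step is evaluated afresh.
    print(session_timeline(CLEAN, [{"device_compliant": False},
                                   {"country": "US"},
                                   {"device_compliant": True, "country": "GB"}]))
```

The point of `session_timeline` is the continuous part: the first clean "allow" is not sticky, and a change in any one signal is enough to drop the session back to a challenge or a deny.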

The Three Principles

📋 Principles

1. Verify explicitly

Every access request should be authenticated and authorised using all available signals. Not just a password at sign-in, but continuous evaluation of identity, device health, and behaviour throughout the session. In Microsoft terms, this means Conditional Access policies that evaluate risk level, device compliance, and MFA before granting access to any resource.

2. Use least-privilege access

Users and systems should have the minimum access required to do their job - nothing more. Admin roles should be assigned just-in-time through PIM rather than permanently. Service accounts should have scoped permissions with no interactive login. Data should be classified and access restricted accordingly.

3. Assume breach

Design systems as if the network is already compromised. Segment environments so a breach in one area cannot spread freely. Monitor everything. Log sign-ins, access events, and data movement. Have an incident response plan that does not assume you will detect a breach immediately - because you probably will not.

What Zero Trust Is Not

❌ Misconceptions

Zero Trust is not a product you can buy. Every vendor selling a "Zero Trust platform" is selling a component that contributes to a Zero Trust posture - not the whole thing. It is an architecture and a set of principles applied across identity, devices, network, applications, and data.

It is also not a project with an end date. Zero Trust is an ongoing programme. You can reach a high maturity level, but the work of maintaining and improving it never stops as your environment and threat landscape change.

ℹ️
Zero Trust does not mean no VPN
A common misconception is that Zero Trust replaces VPNs. It does not necessarily - VPNs may still have a role in providing network access for legacy systems. What Zero Trust replaces is the idea that being on the VPN automatically grants broad trust. Access decisions still need to happen at the application layer, not just the network layer.

Implementing Zero Trust in Microsoft 365

🛠️ Practical Steps

If you are running Microsoft 365, you already have most of the building blocks. The task is connecting them properly.

Identity layer

  • Enable MFA for all users via Conditional Access
  • Block legacy authentication protocols (they bypass MFA)
  • Configure risk-based Conditional Access policies using Entra ID Identity Protection
  • Implement Privileged Identity Management (PIM) for just-in-time admin access
  • Review and remove excessive guest accounts and stale permissions

Device layer

  • Enrol all managed devices in Microsoft Intune
  • Create device compliance policies (BitLocker, AV, patch level, etc.)
  • Require a compliant device as a Conditional Access grant control
  • Onboard devices to Microsoft Defender for Endpoint for continuous health monitoring

Application layer

  • Require MFA for all cloud app access via Conditional Access
  • Use Defender for Cloud Apps to monitor and control app access behaviour
  • Apply app protection policies to control what users can do with data in managed apps
  • Review third-party app OAuth permissions granted to your tenant

Data layer

  • Enable Microsoft Purview sensitivity labels to classify and protect documents
  • Configure Data Loss Prevention policies to block exfiltration of sensitive data
  • Apply Conditional Access policies scoped to specific apps handling sensitive data
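The identity and device layer items above map onto a handful of Conditional Access policies. As an added example (not code from the original post or from Microsoft), the block below expresses four of them as Microsoft Graph v1.0 request bodies for `POST /identity/conditionalAccess/policies` and runs a few sanity checks before they would be submitted. The field names follow the Graph `conditionalAccessPolicy` schema; the policy names, the break-glass placeholder and the rules in `lint_policy()` are this example's own assumptions.

```python
"""Conditional Access policies for the identity and device layer, as Graph
v1.0 request bodies. Added example, not the post's or Microsoft's code."""
import json

# Placeholder (assumption): object id of the tenant's emergency-access account.
# Every policy excludes it so a bad policy cannot lock every admin out.
BREAK_GLASS = "<break-glass-account-object-id>"

# Report-only: evaluated and logged but not enforced, which is the safe
# starting state until the sign-in logs confirm a policy's real impact.
REPORT_ONLY = "enabledForReportingButNotEnforced"


def base_policy(display_name, state=REPORT_ONLY):
    """Skeleton: all users minus break-glass, all cloud apps, all clients."""
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": []},
    }


def require_mfa_all_users():
    p = base_policy("ZT01 - Require MFA for all users")
    p["grantControls"]["builtInControls"] = ["mfa"]
    return p


def block_legacy_auth():
    p = base_policy("ZT02 - Block legacy authentication")
    # Legacy protocols surface as these two client app types. They cannot
    # complete MFA, so the only control that achieves anything is block.
    p["conditions"]["clientAppTypes"] = ["exchangeActiveSync", "other"]
    p["grantControls"]["builtInControls"] = ["block"]
    return p


def require_compliant_device():
    p = base_policy("ZT03 - Require compliant device")
    p["grantControls"]["builtInControls"] = ["compliantDevice"]
    return p


def block_high_risk_signins():
    p = base_policy("ZT04 - Block high-risk sign-ins")
    p["conditions"]["signInRiskLevels"] = ["high"]  # Identity Protection signal
    p["grantControls"]["builtInControls"] = ["block"]
    return p


def lint_policy(p):
    """Sanity checks (this example's own rules) before submitting a policy.
    Returns a list of problems; an empty list means it passed."""
    problems = []
    cond, grant = p["conditions"], p["grantControls"]
    if BREAK_GLASS not in cond["users"].get("excludeUsers", []):
        problems.append("emergency-access account is not excluded")
    if not grant["builtInControls"]:
        problems.append("no grant control: policy would do nothing")
    legacy_only = set(cond["clientAppTypes"]) <= {"exchangeActiveSync", "other"}
    if "mfa" in grant["builtInControls"] and legacy_only:
        problems.append("legacy clients cannot satisfy MFA; use block instead")
    unconditional = (cond["clientAppTypes"] == ["all"]
                     and not cond.get("signInRiskLevels")
                     and not cond.get("userRiskLevels"))
    if "block" in grant["builtInControls"] and unconditional:
        problems.append("would block every sign-in for every included user")
    return problems


def all_policies():
    return [require_mfa_all_users(), block_legacy_auth(),
            require_compliant_device(), block_high_risk_signins()]


if __name__ == "__main__":
    for policy in all_policies():
        print(policy["displayName"], "->", lint_policy(policy) or ["ok"])
    # The JSON body you would send to the Graph endpoint once lint passes.
    print(json.dumps(block_legacy_auth(), indent=2))
```

Leave each policy in report-only until the Conditional Access sign-in logs show which users and clients it would have affected, then switch `state` to `"enabled"` one policy at a time; the legacy-auth block in particular tends to surface forgotten mailbox clients and service integrations.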

Zero Trust Maturity Levels

📈 Maturity

CISA (the US Cybersecurity and Infrastructure Security Agency) publishes a Zero Trust Maturity Model with three levels: Traditional, Advanced, and Optimal. Most organisations starting out are at Traditional level - identity is verified at sign-in but not continuously, devices are minimally managed, and data has little classification.

A realistic target for a small to mid-size organisation over 12-18 months:

  • MFA enforced for all users via Conditional Access
  • Legacy authentication blocked
  • All endpoints enrolled in Intune with compliance policies
  • Compliant device required for corporate resource access
  • High-risk sign-ins blocked via Identity Protection
  • PIM in place for privileged roles
  • Basic sensitivity labelling applied to critical data

That is not a complete Zero Trust implementation, but it covers the highest-impact controls and puts you firmly in the Advanced tier for identity and device maturity - which is where most of the protection comes from.

Start with identity, not network
Identity is where most breaches start and where the biggest gains are. Get MFA, Conditional Access, and device compliance working properly before worrying about network micro-segmentation or data classification. A well-configured identity layer stops the vast majority of attacks before they get anywhere near your network or data.