Zero Trust Architecture for UK SMEs: The Complete Guide
Zero trust is a security model that eliminates implicit trust — every user, device and connection is verified before access is granted, regardless of network location. This guide explains zero trust principles in practical terms for UK SMEs, the Microsoft and cloud-native tools that implement it and a realistic roadmap for adoption.
Nathan Hill-Haimes
Technical Director
The Problem with the Traditional Security Model
Traditional network security operated on a castle-and-moat model: everything inside the network perimeter was trusted, everything outside was untrusted. The firewall was the perimeter. If you were inside — on the corporate network, connected via VPN — you were treated as trusted and granted access to internal resources.
This model has collapsed for most businesses. Cloud services (Microsoft 365, SaaS applications, AWS, Azure) exist entirely outside the traditional perimeter. Remote and hybrid workers connect from home networks and coffee shops, on managed devices alongside personal devices. Supply chain connections extend trust to partners, suppliers and contractors. The 'inside' no longer exists in the same meaningful sense it did when everyone worked in an office and all data lived on premises.
When a user's credentials are compromised — through phishing, credential stuffing or a data breach — the perimeter-based model grants the attacker the same access the legitimate user had. They are 'inside'. Zero trust addresses this by eliminating the assumption that being inside grants trust.
The Zero Trust Principles
Zero trust is built on three core principles:
1. Verify Explicitly
Every authentication and authorisation request must be verified on its merits, every time. Identity is verified through strong authentication (MFA), device health is checked against a compliance baseline, and access is evaluated in context: is this user authenticating from an unusual location? At an unusual time? From a device that has not been seen before? Each signal contributes to a risk score that determines whether access is granted.
2. Use Least Privilege Access
Users should have access to exactly what they need for their role, nothing more. Just-in-time and just-enough-access (JIT/JEA) principles mean that elevated access is granted for specific tasks and time periods, then revoked — rather than persistent privileged access that creates risk if credentials are compromised.
3. Assume Breach
Design security controls on the assumption that attackers are already present in the environment, or will be. This means segmenting networks so that a compromised device cannot reach all other devices, monitoring all traffic for anomalous behaviour, and designing response playbooks for when a breach is confirmed rather than only when it is suspected.
Zero Trust in Practice: The Microsoft Approach
For UK SMEs using Microsoft 365, the path to zero trust runs largely through Microsoft's identity and device management stack:
Microsoft Entra ID (Conditional Access)
Conditional Access is the policy engine of zero trust for Microsoft 365 environments. It evaluates each sign-in against configured policies and decides whether to grant access, require additional verification or block. Policies can require:
- MFA for all users, or for specific risk levels
- Device compliance — the device must be enrolled in Intune and meet minimum security requirements (patched, encrypted, EDR active)
- Location — access from specific countries can be blocked or challenged
- Session conditions — unmanaged devices may be granted read-only browser access rather than full sync access
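As an added example (not AMVIA's code and not a Microsoft sample), the three policies below create the MFA, device-compliance and legacy-authentication controls listed above with the Microsoft Graph PowerShell SDK; the break-glass exclusion group name and the report-only starting state are assumptions, and policies are created in report-only mode so their effect can be reviewed in sign-in logs before enforcement.

```powershell
# Requires the Microsoft.Graph module and an admin with Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Group.Read.All"

# Assumed break-glass group, excluded from every policy so admins cannot lock themselves out
$breakGlass = (Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'").Id

$policies = @(
  @{  # 1. Verify explicitly: MFA for every user on every cloud app
    displayName   = "CA01 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after review
    conditions    = @{
      users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass) }
      applications   = @{ includeApplications = @("All") }
      clientAppTypes = @("browser","mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
  },
  @{  # 2. Device compliance: only Intune-compliant devices reach Microsoft 365 apps
    displayName   = "CA02 - Require compliant device for Office 365"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
      users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass) }
      applications   = @{ includeApplications = @("Office365") }
      clientAppTypes = @("browser","mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
  },
  @{  # 3. Block legacy authentication: these client types cannot perform MFA
    displayName   = "CA03 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
      users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass) }
      applications   = @{ includeApplications = @("All") }
      clientAppTypes = @("exchangeActiveSync","other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
  }
)

foreach ($p in $policies) {
  # Idempotent: do not create a duplicate if a policy with this name already exists
  $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($p.displayName)'"
  if ($existing) { Write-Host "Skipping existing policy: $($p.displayName)"; continue }
  New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State
}
```

Review the report-only results under Entra ID sign-in logs before changing `state` to `enabled`, and keep the break-glass account's credentials offline.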
Microsoft Intune (Device Compliance)
Intune defines and enforces device compliance policies. A device is compliant when it meets your defined criteria — minimum OS version, encryption enabled, antivirus active, screen lock configured. Conditional Access then uses compliance status as an input to access decisions: non-compliant devices are blocked from accessing Microsoft 365 applications.
Microsoft Defender for Endpoint
Defender for Endpoint provides the endpoint detection and response capability within a zero trust architecture. It feeds device risk signals into Conditional Access: if a device becomes compromised, its risk score rises, and Conditional Access can automatically reduce or block that device's access to sensitive applications until the threat is resolved.
Network Segmentation: The Infrastructure Layer
Zero trust is not only about identity. Network segmentation prevents lateral movement if a device is compromised. Rather than a flat network where all devices can communicate with all others, segmented networks place devices in VLANs appropriate to their function and trust level:
- Workstations on one VLAN, with no direct access to servers
- Servers on a separate VLAN, with access controlled by firewall rules
- Guest and visitor WiFi completely isolated from internal networks
- IoT devices (printers, security cameras, smart devices) on their own VLAN
This limits blast radius: if one device is compromised, the attacker cannot automatically reach everything else on the network.
A Practical Zero Trust Roadmap for UK SMEs
Zero trust is a journey, not a single project. A practical maturity-based approach:
Foundation (0–3 months)
- Enforce MFA for all Microsoft 365 accounts via Conditional Access
- Enrol all endpoints in Microsoft Intune and create basic compliance policies
- Block legacy authentication protocols in Exchange Online
- Implement DMARC/DKIM/SPF for all domains
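A check for the last foundation step, added here as an example rather than taken from the page's author: it reads each domain's SPF, DKIM and DMARC records with the Windows DnsClient cmdlets and flags weak configurations. The domain names are placeholders, and the DKIM selectors assume Microsoft 365 (selector1 and selector2).

```powershell
function Test-MailAuth {
  param([Parameter(Mandatory)][string]$Domain)
  $result = [ordered]@{ Domain = $Domain; SPF = 'missing'; DKIM = 'missing'; DMARC = 'missing' }

  # SPF: exactly one record, ending in a hard (-all) or at least soft (~all) fail
  $spf = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
           ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' })
  if ($spf.Count -gt 1)    { $result.SPF = 'error (multiple SPF records, receivers treat as permerror)' }
  elseif ($spf.Count -eq 1) {
    $result.SPF = if ($spf[0] -match '-all$')     { 'ok (hard fail)' }
                  elseif ($spf[0] -match '~all$') { 'weak (soft fail)' }
                  else                            { 'weak (no fail qualifier)' }
  }

  # DKIM: Microsoft 365 publishes CNAMEs for selector1 and selector2 under _domainkey
  $dkim = foreach ($s in 'selector1','selector2') {
    Resolve-DnsName -Name "$s._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
  }
  if ($dkim) { $result.DKIM = 'ok (' + (@($dkim | ForEach-Object Name) -join ', ') + ')' }

  # DMARC: p=quarantine or p=reject enforces; p=none only monitors
  $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
           ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=DMARC1*' }
  if ($dmarc -and ($dmarc -join '') -match 'p=(\w+)') {
    $result.DMARC = switch ($Matches[1]) {
      'reject'     { 'ok (reject)' }
      'quarantine' { 'ok (quarantine)' }
      default      { "weak (p=$($Matches[1]))" }
    }
  }
  [pscustomobject]$result
}

# Placeholder domains: replace with every domain the tenant sends mail from
'example.co.uk','example.com' | ForEach-Object { Test-MailAuth -Domain $_ } | Format-Table -AutoSize
```

Any domain reporting 'missing' or 'weak' should be fixed before moving on to the intermediate phase, since spoofed mail from your own domains undermines the MFA and device controls that follow.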
Intermediate (3–9 months)
- Deploy Conditional Access policies requiring device compliance
- Implement Privileged Identity Management (PIM) for admin accounts
- Segment the network — VLANs for workstations, servers, IoT, guests
- Deploy Microsoft Defender for Endpoint (or third-party EDR) with managed monitoring
Advanced (9–18 months)
- Deploy FIDO2 / phishing-resistant MFA for high-value accounts
- Implement Data Loss Prevention (DLP) policies for sensitive data categories
- Assess and address supply chain access — third parties accessing your systems should follow the same identity and device requirements as employees
- Continuous access evaluation — session tokens are revoked when risk signals change mid-session
AMVIA implements zero trust architectures for UK SMEs as part of its managed IT and cybersecurity service, providing both the technical implementation and the ongoing management required to maintain a zero trust posture as the environment changes.
How Mature Is Your Zero Trust Architecture?
AMVIA can assess your current zero trust maturity against Microsoft's framework and prioritise the implementations that reduce your actual security risk most effectively.
Frequently Asked Questions
Yes. Zero trust is a model, not a specific product set. For small businesses using Microsoft 365, the core zero trust controls — Conditional Access, MFA, device compliance via Intune — are available within Microsoft 365 Business Premium (from approximately £19.70 per user per month) and can be implemented without specialist security tools. Network segmentation requires a managed switch and appropriate router configuration, which is achievable for most businesses.
No. A firewall remains necessary to control inbound and outbound network traffic at the perimeter and between network segments. Zero trust expands beyond perimeter-only thinking — it adds identity verification and device compliance to access decisions and eliminates the assumption that passing the firewall equals trust. Firewall and zero trust are complementary, not alternatives.
Conditional Access is a specific Microsoft Entra ID feature that implements zero trust identity verification principles for Microsoft 365 and integrated applications. It is the primary tool for implementing zero trust in Microsoft environments, but zero trust is a broader model that also encompasses network segmentation, device management, application access controls and data protection. Conditional Access is a key component, not the complete picture.
A VPN creates an encrypted tunnel between a remote device and a corporate network, providing network-level access once authenticated. Zero trust network access (ZTNA) provides application-level access based on continuous verification — users access specific applications, not the whole network, and each access decision is evaluated against identity, device and context signals. ZTNA provides least-privilege access and better visibility than a traditional VPN, and is the preferred model for remote access in a zero trust architecture.
Zero trust limits damage from insider threats through least-privilege access (an employee can only access what they need for their role), just-in-time access (elevated permissions are time-limited rather than permanent), and continuous monitoring (anomalous access patterns trigger alerts regardless of the user's identity). These controls do not prevent insider threats but significantly limit what a malicious or compromised insider can access before detection.