What Is Zero Trust Security?
Zero trust is a security model based on the principle that no user, device, or network connection should be trusted by default — even inside your organisation. Access is granted only after continuous verification of identity, device health, and context.
Direct Answer
Zero trust is a security framework that replaces the traditional 'trusted inside the network' assumption with continuous verification. Rather than assuming that traffic inside your network perimeter is safe, zero trust requires every access request — from any user, device, or location — to be authenticated, authorised, and validated against policy before being granted. For UK SMEs using Microsoft 365 and cloud services, a practical zero trust posture typically involves Conditional Access policies, MFA, device compliance enforcement via Intune, and least-privilege access controls. It is an ongoing programme, not a single product.
The Core Principles of Zero Trust
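Zero trust is built on three foundational principles (verify explicitly, least privilege access, and assume breach), each implemented through specific controls such as device health verification, network micro-segmentation, and continuous monitoring.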
Verify Explicitly
Every access request is authenticated and authorised using all available data points: user identity, device health, location, and application sensitivity.
Least Privilege Access
Users and systems receive only the permissions required for their current task. Privileged access is time-limited and requires additional verification.
Assume Breach
The architecture assumes an attacker is already present and is designed to minimise lateral movement, reduce blast radius, and support rapid detection and response.
Device Health Verification
Devices must meet defined compliance standards — encryption enabled, OS up to date, antivirus active — before they are permitted to access corporate resources.
Network Micro-Segmentation
Rather than one flat network, resources are segmented so that a compromised device or account cannot easily reach other systems.
Continuous Monitoring
Access and activity are monitored throughout a session, not just at login. Anomalous behaviour can trigger step-up authentication or session termination.
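The principles and controls above can be read as a single access decision that is evaluated for every request and re-evaluated during a session. The following is an added example, not code from the original page or from any Microsoft product; the names (`Device`, `Request`, `evaluate`), the 60-minute MFA age limit, and the sample grants and countries are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    encrypted: bool
    os_up_to_date: bool
    antivirus_active: bool

    def compliant(self) -> bool:
        # Device health gate: encryption, patched OS and active antivirus must all hold.
        return self.encrypted and self.os_up_to_date and self.antivirus_active

@dataclass(frozen=True)
class Request:
    user: str
    mfa_passed: bool
    device: Device
    country: str
    app: str
    permission: str

# Constructed sample policy data (assumptions, not taken from a real tenant).
ALLOWED_COUNTRIES = {"GB"}
SENSITIVE_APPS = {"finance"}
GRANTS = {("alice", "finance"): {"read"}, ("bob", "wiki"): {"read", "write"}}
MAX_MFA_AGE_MINUTES = 60  # hypothetical re-verification window for sensitive apps

def evaluate(req: Request, mfa_age_minutes: int = 0) -> str:
    """Return 'deny', 'step_up' or 'allow'. Network location alone never grants access."""
    # Least privilege: without an explicit grant for this user, app and permission, deny.
    if req.permission not in GRANTS.get((req.user, req.app), set()):
        return "deny"
    # Device health: a non-compliant device is blocked regardless of who is using it.
    if not req.device.compliant():
        return "deny"
    # Verify explicitly: identity must be proven with MFA.
    if not req.mfa_passed:
        return "step_up"
    # Context: an unexpected location triggers step-up authentication.
    if req.country not in ALLOWED_COUNTRIES:
        return "step_up"
    # Continuous monitoring: call again mid-session; stale MFA on a sensitive app re-verifies.
    if req.app in SENSITIVE_APPS and mfa_age_minutes > MAX_MFA_AGE_MINUTES:
        return "step_up"
    return "allow"
```

Checking the explicit grant first means a request with no entitlement is refused before any other signal is considered, which is the deny-by-default behaviour the model depends on.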
Traditional Perimeter Security vs Zero Trust
How the two models differ in their assumptions about trust and how access is granted.
| Feature | Perimeter Security: Trust the network | Zero Trust: Verify everything (Recommended) |
|---|---|---|
| Trust based on network location | | |
| Continuous identity verification | | |
| Device compliance enforced | | |
| Conditional Access policies | | |
| Lateral movement constrained | | |
| Effective for remote workers | Limited | |
| Works with cloud services (M365, etc.) | Partially | |
Microsoft Entra ID (formerly Azure AD) with Conditional Access is the primary vehicle for implementing zero trust in a Microsoft 365 environment.
Frequently Asked Questions
Only 14% of UK businesses formally review cyber risks from their immediate suppliers. 35.5% of all global data breaches in 2024 originated from third-party compromises. Supply chain attacks add an average of £241,620 to the total cost of a breach and take 267 days to detect and contain.
The first hour after detection is considered the golden hour that determines outcome severity. Organisations that detect breaches internally save an average of $900,000 in costs. Only 22% of UK businesses have a formal cybersecurity incident management plan in place.
MFA requires two or more verification methods to access an account. Microsoft reports that over 99.9% of compromised accounts did not have MFA enabled. Only 40% of UK businesses have two-factor authentication enabled (DSIT 2025). MFA can prevent more than 99.9% of account compromise attempts.
Phishing is the most common attack type, identified by 85% of businesses that experienced a breach (DSIT 2025). Phishing accounts for 93% of cyber crimes against businesses. AI-powered phishing has driven a 204% increase in phishing emails delivering malware in 2025.
The top threats are phishing (85% of breaches), ransomware (doubled year-on-year), business email compromise (increased 33% in 2025), and supply chain attacks (35.5% of all breaches now originate from third parties). AI-powered attacks are accelerating all of these threat categories.
Build a Zero Trust Security Posture for Your Business
AMVIA helps UK SMEs implement zero trust principles using Microsoft 365 Business Premium, Intune, and Conditional Access. Start with a security assessment.