
Zero trust is not a product you buy: it is a security model that assumes every device, user and connection is already compromised and verifies each one continuously before granting access. For UK business endpoints (laptops, phones, BYOD devices), the practical core is three pillars: verify explicitly with MFA and conditional access, enforce least privilege so users only reach what they need, and assume breach by monitoring every device. A small UK business can begin for roughly £6 to £15 per user per month using Microsoft Entra ID and Intune, scaling to £45 or more per user per month for a fully managed estate with EDR. A serious phased rollout across 50 to 250 endpoints, including migration, policy design and integration, typically costs from £50,000 upwards. Zero trust maps directly onto NCSC's eight design principles, Cyber Essentials, and UK GDPR Article 32. This guide gives you the device-trust checklist, tool matrix, costs, and a 90-day rollout plan.
Last updated: June 2026
Traditional perimeter security fails because there is no longer a perimeter to defend. The old model assumed a trusted internal network sat behind a firewall, and anything inside that wall was safe. That assumption collapsed the moment your staff started working from home, connecting from coffee shops, accessing Microsoft 365 from personal phones, and pulling company data onto laptops that never touch your office. The firewall still exists, but most of your real work now happens outside it.
The Government's annual Cyber Security Breaches Survey consistently finds that around 39% of UK businesses identified a cyber attack in the previous 12 months, and the vast majority of those attacks arrive through endpoints: a phished credential, a malicious attachment opened on a laptop, an unpatched browser. The average cost of a breach for a UK small or medium business sits around £15,300 once you account for lost productivity, recovery and customer churn, and a serious ransomware event with downtime and regulatory exposure can push well into six figures. Yet endpoint protection software is used by only about 61% of businesses, and full zero trust adoption among small firms remains stubbornly low at roughly 12%.
The classic counter-argument is the VPN. The thinking goes: if remote staff tunnel into the corporate network, they are effectively inside the perimeter again. The problem is that a VPN grants broad lateral access. Once an attacker steals a single VPN credential, or compromises a single laptop with a live VPN session, they are not contained to one application. They can move sideways across the whole network, escalating privileges and finding the file server. This is precisely how most ransomware operators work once they get a foothold.
Our honest view: if your remote-access strategy is still "VPN plus antivirus", you do not have a security model; you have a single point of failure with extra steps. Zero trust replaces the binary "inside or outside" question with a continuous one: "should this specific user, on this specific device, in this specific posture, reach this specific resource right now?" That question gets asked at every request, not once at login.
| Perimeter model assumption | Why it breaks in 2026 |
|---|---|
| The network edge is the boundary | Staff, SaaS apps and data live outside the office network |
| Internal traffic is trusted | One compromised laptop gives attackers lateral movement |
| A VPN session means a safe user | Stolen VPN credentials grant broad access, not scoped access |
| Antivirus on the device is enough | Modern attacks are fileless, identity-based or living-off-the-land |
| Authentication happens once at login | Session hijacking and token theft bypass the login event entirely |
Zero trust rests on three principles that you apply to every endpoint: verify explicitly, enforce least privilege, and assume breach. These are not Softomate's invention; they are the distilled core of the NIST SP 800-207 reference standard and the NCSC's design guidance, and they translate cleanly into practical endpoint controls. Get these three right and you have the substance of zero trust, regardless of which vendor logos you eventually buy.
Verify explicitly means every access decision is made using all available signals, not just a password. The signals include who the user is (confirmed with multi-factor authentication), what device they are on, whether that device is healthy and managed, where the request comes from, and how risky the behaviour looks. A correct password from an unmanaged device in an unusual country is not "verified"; it is "suspicious", and the system should challenge or block it.
Enforce least privilege means a user or device gets exactly the access required for the task and no more, for no longer than necessary. In endpoint terms this is removing local administrator rights from everyday accounts, scoping application access per role, and using just-in-time elevation for the rare moments admin rights are genuinely needed. The vast majority of malware that lands on a laptop is far less damaging if the logged-in user cannot install software or change system settings.
Assume breach means you design as if an attacker is already on one of your devices, because statistically one day they will be. This drives investment in monitoring, endpoint detection and response (EDR), centralised logging, and segmentation that limits how far an intruder can spread. Assume-breach is the principle that separates real zero trust from marketing zero trust: anyone can sell you MFA, but assuming breach forces you to ask what happens after the MFA is bypassed.
The honest rule we give clients: do not let a vendor convince you that buying one product equals "doing zero trust". If a pitch covers verify explicitly but never mentions assume breach, it is selling identity management, not zero trust. All three pillars must be present, or the model has a hole in it.
Identity is the new perimeter because in a world without a network edge, the user account is the thing being attacked and the thing being defended. When your data lives in Microsoft 365, Google Workspace, Xero, Salesforce and a dozen other SaaS tools, the question of "are you in my network" becomes meaningless. The only meaningful question is "are you who you claim to be, and should this identity reach this resource". Secure the identity layer and you have secured the front door that 80% of attacks come through.
The single highest-return control is multi-factor authentication, and specifically phishing-resistant MFA. Standard SMS codes are better than nothing but are vulnerable to SIM-swapping and real-time phishing. Authenticator apps with number-matching are stronger. The gold standard is FIDO2 hardware keys or passkeys, which are cryptographically bound to the legitimate site's origin, so a lookalike phishing page cannot capture a credential that works anywhere else. For high-value accounts, finance staff and administrators, we push clients firmly towards passkeys.
The second control is conditional access. This is where identity meets the endpoint. Conditional access lets you write rules such as: allow access to email from any device, but only allow access to the finance system from a managed, encrypted, compliant device, and always require MFA when the sign-in risk is elevated. Microsoft Entra ID makes this achievable for a UK SME without enterprise budgets, and it is the policy engine that turns abstract zero trust principles into enforced reality.
| MFA method | Phishing resistance | Recommended use |
|---|---|---|
| SMS one-time code | Low | Last resort only; better than no MFA |
| Authenticator app (push) | Medium | Risk of fatigue attacks; avoid plain push |
| Authenticator with number matching | Medium-high | Good default for general staff |
| FIDO2 key or passkey | High | Admins, finance, directors, all high-value accounts |
Our stance here is blunt: if you have not yet enforced MFA across every account, stop reading and do that first. It is the cheapest, fastest reduction in risk available to any UK business, and the ICO has made clear in its guidance that weak access controls are a recurring factor in the breaches it investigates. Conditional access and device trust are the next layer, but MFA everywhere is the non-negotiable foundation. If you want help wiring identity into your wider systems, our business process automation team in London often builds identity and access workflows as part of larger transformation projects.
You evaluate endpoint trust by checking the device's health and posture at the moment of every access request, not by assuming a device is safe because it once enrolled. A trusted device in a zero trust model is one that is known, managed, patched, encrypted and actively protected. The mechanism that enforces this is a combination of mobile device management (MDM) such as Microsoft Intune and conditional access policies that read the device's compliance state as a live signal.
The practical heart of this section is the device-trust checklist. Before any endpoint is allowed to reach sensitive resources, it should pass every one of the following checks. We hand clients a version of this checklist and configure Intune to enforce it automatically, so that a device falling out of compliance loses access until it is remediated.
| Device-trust check | What it confirms | Enforced by |
|---|---|---|
| Enrolled in MDM | Device is known and centrally manageable | Intune / Jamf enrolment |
| Disk encryption on | Data unreadable if device is lost or stolen | BitLocker / FileVault policy |
| OS and apps patched | Known vulnerabilities are closed | Update compliance policy |
| EDR agent running | Active threat detection on the device | Defender / CrowdStrike / SentinelOne |
| No jailbreak or root | Device security model is intact | MDM compliance check |
| Screen lock and strong PIN | Physical access is protected | Compliance policy |
| Firewall enabled | Unwanted inbound connections blocked | Security baseline policy |
The crucial design decision is what happens when a device fails a check. In a mature zero trust setup, failure is not a quiet log entry that nobody reads. It triggers an enforcement action: block access, allow only limited access, or grant access while prompting the user to remediate. A laptop that is 60 days behind on patches should not be reaching your finance system, full stop. The policy makes that decision automatically and consistently, which is something humans never manage to do reliably.
For mobile, the same logic applies but with a BYOD nuance. On a personal phone you typically do not manage the whole device; instead you use app protection policies (MAM) that secure only the corporate data inside corporate apps, requiring a PIN to open Outlook and preventing copy-paste of company data into personal apps. This respects the employee's privacy on their own device while still protecting your data, a balance we cover in more detail in the legacy and BYOD section below.
For most UK SMEs the pragmatic answer is the Microsoft stack: Entra ID for identity, Intune for device management, and Defender for Endpoint for EDR, because if you already pay for Microsoft 365 you are part-way there and avoid stitching together multiple vendors. That said, no single vendor is automatically correct, and there are strong specialist tools worth knowing about, particularly for EDR and for replacing the VPN with proper zero trust network access (ZTNA).
The tool matrix below groups the realistic options by function. We have deliberately included indicative UK pricing, because almost every competing article on this topic omits cost entirely, which is precisely the information a business owner actually needs to plan a budget. Prices are 2026 list-style figures per user per month and will vary with volume, region and reseller agreements.
| Function | Microsoft option | Strong alternatives | Indicative cost |
|---|---|---|---|
| Identity and conditional access | Entra ID P1 / P2 | Okta, JumpCloud | £5 to £8 per user/month |
| Device management (MDM) | Intune | Jamf (Apple), Kandji | £6 to £10 per user/month |
| EDR / XDR | Defender for Endpoint P2 | CrowdStrike Falcon, SentinelOne | £4 to £12 per user/month |
| ZTNA (VPN replacement) | Entra Private Access | Cloudflare Access, Tailscale, Zscaler | £3 to £9 per user/month |
| Centralised logging / SIEM | Microsoft Sentinel | Elastic, Splunk, Sumo Logic | Usage-based, from ~£100/month |
EDR deserves a specific note because it is the endpoint enforcement layer that the assume-breach principle depends on. Traditional antivirus matches known signatures; EDR watches behaviour, detects fileless and living-off-the-land attacks, and lets you isolate a compromised device from the network with one click. Microsoft Defender for Endpoint is genuinely strong and well integrated. CrowdStrike and SentinelOne are the specialist leaders, often preferred where a managed detection and response service is wrapped around them, and adoption of AI-assisted EDR is rising fast, sitting around 13% in fintech where threat sophistication is highest.
On ZTNA, our stance is firm: plan to retire your VPN. Tools like Cloudflare Access and Tailscale let a user reach a specific internal application without ever being placed on the broad corporate network, which eliminates the lateral movement problem that VPNs create. You do not have to do it on day one, but a zero trust roadmap that leaves a wide-open VPN in place forever is incomplete. The packaged "managed security" bundles many UK MSPs sell, starting around £45 per user per month, typically combine several of these layers with monitoring, which is a sensible option for firms without internal security staff. If your endpoint estate connects to bespoke internal systems, our software development team in London can help expose those applications safely behind ZTNA rather than a flat VPN.
A realistic zero trust rollout is phased over roughly 90 days, starting with identity, then device trust, then monitoring, then segmentation and VPN replacement, because trying to do everything at once breaks workflows and triggers staff revolt. The sequence matters: each phase makes the next one safer and easier, and you get meaningful risk reduction from week one rather than waiting months for a big-bang cutover. Below is the timeline we use as a baseline and adapt per client.
| Phase | Days | Focus | Key outcomes |
|---|---|---|---|
| 1. Identity foundation | 0 to 20 | MFA everywhere, baseline conditional access | Phishing-resistant MFA enforced, admin accounts hardened |
| 2. Device trust | 20 to 45 | MDM enrolment, compliance baseline, EDR deployment | All endpoints managed, encrypted, patched and monitored |
| 3. Least privilege | 45 to 60 | Remove local admin, scope access by role | No standing admin rights, access reviews running |
| 4. Monitoring | 60 to 75 | Centralised logging, SIEM, alerting | Visibility across endpoints, alerts triaged |
| 5. Segmentation and ZTNA | 75 to 90 | Replace VPN access app-by-app, segment | Lateral movement reduced, VPN dependency shrinking |
The most important practical advice for phase one is to roll MFA and conditional access out in "report-only" mode first. This lets you see exactly which sign-ins your new policies would block before they actually block anyone, so you catch the service account that logs in from an unexpected location or the director who travels constantly. Skipping report-only mode is the single most common way zero trust projects generate angry helpdesk tickets and lose executive support in week one.
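As an added illustration, not Softomate's code or Microsoft's policy engine, the Python sketch below models the seven-point device-trust checklist as a live compliance signal, evaluates conditional access policies against sample sign-ins, and shows what report-only mode surfaces before anything is enforced. The policy names, the 30-day patch window, the reference date and the sign-ins are all constructed for the example.

```python
# Added example, not Softomate's or Microsoft's code: a small model of how the seven-point
# device-trust checklist feeds a conditional access decision, and of running a new policy in
# report-only mode before enforcing it. Names, thresholds, dates and sign-ins are constructed.
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

TODAY = date(2026, 6, 1)  # constructed reference date for patch-age checks

@dataclass
class Device:
    name: str
    enrolled: bool      # enrolled in MDM (Intune / Jamf)
    encrypted: bool     # BitLocker / FileVault on
    last_patched: date  # OS and app updates applied
    edr_running: bool   # EDR agent alive on the device
    rooted: bool        # jailbreak or root detected
    screen_lock: bool   # screen lock and strong PIN set
    firewall: bool      # host firewall enabled

def compliance_failures(d: Device, today: date = TODAY, max_patch_age: int = 30) -> list[str]:
    """The checklist as a live signal: every failed check, or [] when compliant."""
    checks = [
        (d.enrolled, "not enrolled in MDM"),
        (d.encrypted, "disk encryption off"),
        ((today - d.last_patched).days <= max_patch_age, "patches out of date"),
        (d.edr_running, "EDR agent not running"),
        (not d.rooted, "device jailbroken or rooted"),
        (d.screen_lock, "no screen lock or PIN"),
        (d.firewall, "firewall disabled"),
    ]
    return [why for ok, why in checks if not ok]

@dataclass
class SignIn:
    user: str
    device: Device
    app: str
    mfa_satisfied: bool
    country: str

@dataclass
class Policy:
    name: str
    apps: frozenset[str]  # {"*"} means every application
    require_mfa: bool = False
    require_compliant_device: bool = False
    allowed_countries: frozenset[str] | None = None  # None means anywhere
    report_only: bool = False  # record the verdict, enforce nothing

def evaluate(p: Policy, s: SignIn, today: date = TODAY) -> tuple[str, list[str]]:
    """One policy against one sign-in: ('allow' | 'block' | 'would_block', reasons)."""
    if "*" not in p.apps and s.app not in p.apps:
        return "allow", []  # policy is out of scope for this app
    reasons = []
    if p.require_mfa and not s.mfa_satisfied:
        reasons.append("MFA not satisfied")
    if p.require_compliant_device:
        reasons += compliance_failures(s.device, today)
    if p.allowed_countries is not None and s.country not in p.allowed_countries:
        reasons.append(f"sign-in from {s.country}")
    verdict = "allow" if not reasons else ("would_block" if p.report_only else "block")
    return verdict, reasons

def decide(policies: list[Policy], s: SignIn, today: date = TODAY) -> tuple[str, list[tuple]]:
    """Combine policies: any enforced block wins; report-only hits are only recorded."""
    hits = [h for h in ((p.name, *evaluate(p, s, today)) for p in policies) if h[1] != "allow"]
    return ("block" if any(h[1] == "block" for h in hits) else "allow"), hits

def report_only_preview(policies: list[Policy], signins: list[SignIn], today: date = TODAY) -> list[tuple]:
    # What phase one surfaces: (user, policy, reasons) a report-only policy would have blocked.
    return [(s.user, name, reasons) for s in signins
            for name, verdict, reasons in decide(policies, s, today)[1] if verdict == "would_block"]

def managed_laptop(name: str, last_patched: date = date(2026, 5, 20)) -> Device:
    return Device(name, True, True, last_patched, True, False, True, True)

# Constructed rollout state: MFA is already enforced; the finance rule starts in report-only.
POLICIES = [
    Policy("Require MFA everywhere", frozenset({"*"}), require_mfa=True),
    Policy("Finance only from compliant UK devices", frozenset({"finance"}),
           require_compliant_device=True, allowed_countries=frozenset({"GB"}), report_only=True),
]
SIGNINS = [
    SignIn("alice", managed_laptop("LT-001"), "finance", True, "GB"),
    SignIn("svc-payroll", managed_laptop("SRV-PAY"), "finance", True, "DE"),
    SignIn("director", managed_laptop("LT-DIR", date(2026, 3, 20)), "finance", True, "FR"),
    SignIn("bob", Device("BYOD-1", False, True, TODAY, False, False, True, False), "email", False, "GB"),
]
```

Calling report_only_preview(POLICIES, SIGNINS) lists the service account signing in from abroad and the director's under-patched laptop without blocking either, while the enforced MFA rule still blocks the unmanaged sign-in without MFA.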
Phase three, removing local administrator rights, is where you will meet the most cultural resistance, because people are used to installing whatever they like. Our honest guidance: do it anyway, but pair it with a smooth just-in-time elevation process and a well-stocked company app catalogue, so that removing admin rights does not mean removing the ability to get work done. The reduction in malware impact is dramatic and worth the short-term friction.
Throughout, communicate relentlessly. Zero trust changes how people log in and what their devices must do, and if staff do not understand why, they will look for workarounds that undermine the whole effort. A fifteen-minute all-hands explaining "we are doing this so a stolen password cannot sink the company" buys more compliance than any technical control. Be sceptical of any consultant who treats zero trust as purely a technical project; the human rollout is half the work.
You handle legacy systems and BYOD by isolating what you cannot modernise and by securing corporate data rather than seizing personal devices. Few UK businesses have a clean, uniform estate; most have a mix of modern Windows 11 laptops, ageing line-of-business servers, the odd Windows machine that cannot be patched because a critical application depends on it, and staff using their own phones for email. Zero trust does not require you to rip all of that out. It requires you to wrap it in compensating controls.
For legacy systems that cannot enforce modern authentication or run an EDR agent, the strategy is containment. Place them in their own tightly segmented network zone, restrict which identities and devices can reach them, sit them behind a ZTNA gateway or jump host, and monitor that zone intensely. NCSC's own "Zero Trust: building a mixed estate" guidance is explicit that mixed and legacy estates are normal and that the goal is incremental improvement, not perfection on day one. The honest rule: a legacy system you cannot harden is a system you must isolate and watch closely, never one you simply ignore.
For BYOD, the guiding principle is to protect the data, not police the device. Most employees will, rightly, resist their employer taking management control of a phone they paid for. The answer is mobile application management (MAM) rather than full device management. App protection policies in Intune secure the corporate apps and the data inside them: requiring a PIN to open Outlook, encrypting company data within the app, blocking copy-paste into personal apps, and allowing a selective wipe of only company data if the employee leaves or loses the phone, while leaving their photos and personal apps untouched.
The trap to avoid is treating BYOD as either fully trusted or fully banned. Banning personal devices outright pushes staff towards shadow workarounds (forwarding email to a personal account, for example), which is worse than a managed BYOD policy. A measured MAM approach gives you genuine control over the data that matters while keeping staff cooperative, which is exactly the balance a workable zero trust model needs. Where BYOD intersects with customer-facing apps, our mobile app development service in London builds in these protection patterns from the start.
Zero trust maps cleanly onto NCSC's eight zero trust design principles, satisfies most of the Cyber Essentials technical controls, and provides strong evidence for the "appropriate technical and organisational measures" that UK GDPR Article 32 demands. This is one of zero trust's underrated benefits: the same work that reduces your breach risk also strengthens your compliance position, so you are not paying twice. UK regulators and bodies are aligned on the direction of travel, and zero trust sits squarely within it.
The NCSC publishes eight zero trust design principles, and each one has a direct endpoint implication. The table below maps them so you can see that "doing zero trust" and "following NCSC guidance" are largely the same activity, expressed in different language.
| NCSC principle (paraphrased) | Endpoint implementation |
|---|---|
| Know your architecture, including users and devices | Full device inventory and identity directory |
| Create a single strong user identity | Entra ID with enforced MFA |
| Create strong device identity | MDM enrolment and device certificates |
| Authenticate and authorise everywhere | Conditional access on every request |
| Use policy to authorise requests | Risk and compliance-based access policies |
| Focus monitoring on devices and services | EDR plus centralised logging and SIEM |
| Do not trust any network, including your own | ZTNA replacing flat VPN access |
| Choose services designed for zero trust | Cloud-native, modern-auth tooling |
On Cyber Essentials, the five technical control areas (firewalls, secure configuration, user access control, malware protection, and security update management) are all directly advanced by a zero trust endpoint programme. Enforcing device compliance covers secure configuration and update management; least privilege covers user access control; EDR covers malware protection. Many businesses find that pursuing zero trust pulls them through Cyber Essentials and even Cyber Essentials Plus almost as a by-product, which matters because the certification is increasingly required to win public sector and enterprise contracts.
On UK GDPR, Article 32 requires controllers and processors to implement appropriate technical and organisational measures to keep personal data secure. The ICO's guidance repeatedly highlights access control, encryption and the ability to detect and respond to incidents. Zero trust delivers exactly those: scoped access, enforced encryption, and continuous monitoring. If you ever face an ICO inquiry after an incident, being able to demonstrate a documented zero trust architecture is powerful evidence that you took security seriously, which can materially affect the regulator's view. Our stance: treat compliance as the floor, not the ceiling. Cyber Essentials is a useful badge, but a determined attacker does not care about your certificate, so build for genuine resilience and let the compliance follow.
Softomate implements zero trust endpoint security as a structured, five-stage engagement that takes a typical UK SME from assessment to a monitored, segmented estate over roughly 90 days, on a fixed-quote basis so you know the cost before we start. We are a London-based software and automation agency in Stanmore (HA7), and we deliver this as a hands-on programme, not a slide deck. The goal is a working, documented zero trust architecture that your team can run, with knowledge transfer built in.
| Stage | What happens | Typical timeline |
|---|---|---|
| 1. Discovery and assessment | Inventory devices, identities and apps; map current risk; agree scope | Week 1 to 2 |
| 2. Design and fixed quote | Architecture design, tool selection, policy plan, fixed price agreed | Week 2 to 3 |
| 3. Identity and device build | MFA, conditional access, MDM, EDR rolled out in report-only then enforced | Week 3 to 7 |
| 4. Least privilege and monitoring | Remove standing admin, deploy logging and SIEM, tune alerts | Week 7 to 11 |
| 5. ZTNA, handover and review | Replace VPN app-by-app, document, train your team, 30-day review | Week 11 to 13 |
We work to a fixed quote rather than open-ended day rates, because security projects that bill by the hour have every incentive to run long. After the discovery stage we give you a single agreed price for the defined scope, and we hold to it. For a focused identity-and-device-trust foundation on a smaller estate, engagements start from around £18,000. A full phased programme across a 50 to 250 endpoint estate, including ZTNA, SIEM integration and bespoke application work, typically starts from £50,000 upwards, with ongoing managed monitoring available separately from around £45 per user per month.
Because we are a software house as well as a security practice, we are unusually good at the awkward part: the legacy and bespoke systems that off-the-shelf MSPs struggle to fit into a zero trust model. If a critical line-of-business application needs to sit behind a ZTNA gateway, or needs an API built so it can honour conditional access, we can do that work in-house rather than telling you it is impossible. That blend of process automation and security engineering is what differentiates a Softomate engagement from a pure reseller. To scope your estate, start with a conversation through our contact page.
No. Zero trust is a model, not a product, and the core controls scale down well. A UK SME can enforce MFA, conditional access, device compliance and EDR using Microsoft Entra ID, Intune and Defender for roughly £6 to £15 per user per month, often using licences you already pay for. The principles apply to a ten-person firm as readily as a multinational.
Licensing typically runs £6 to £15 per user per month for the Microsoft stack, or around £45 per user per month for a fully managed bundle with monitoring. A guided implementation project for a small estate starts from around £18,000, while a full phased programme across 50 to 250 endpoints usually starts from £50,000 upwards depending on legacy complexity.
Not exactly. Firewalls still have a role, and antivirus evolves into EDR. Zero trust changes the assumption behind them: you no longer trust traffic just because it is inside the firewall, and EDR replaces signature-only antivirus with behaviour-based detection. Think of it as repurposing existing tools within a smarter model rather than throwing them away.
Yes. VPN replacement with zero trust network access is usually the final phase, around days 75 to 90. You can deliver strong risk reduction with identity, device trust and monitoring while the VPN remains, then migrate applications behind ZTNA one at a time. A roadmap that never retires the flat VPN, however, is incomplete.
A focused rollout for a typical UK SME takes around 90 days, phased through identity, device trust, least privilege, monitoring and segmentation. You gain meaningful protection from week one because MFA and conditional access come first. Larger or more complex estates with significant legacy systems can extend to four or six months.
A VPN places a user onto the broad corporate network, so a stolen credential grants wide lateral access. Zero trust network access connects a verified user to one specific application without ever joining the network, and re-checks identity and device health continuously. The result is far less lateral movement if an account is compromised.
Yes. UK GDPR Article 32 requires appropriate technical and organisational measures, and the ICO highlights access control, encryption and incident detection. Zero trust delivers scoped access, enforced encryption and continuous monitoring, giving you strong evidence of compliance. After any incident, a documented zero trust architecture demonstrates you took security seriously.
Yes, and zero trust handles BYOD well through mobile application management. Rather than taking control of an employee's personal phone, you secure only the corporate apps and data with a PIN, encryption, restricted copy-paste and selective wipe. This protects company data while respecting personal privacy, which keeps staff cooperative.
Both are strong. Defender for Endpoint is excellent value and tightly integrated if you already run Microsoft 365, making it the pragmatic default for most UK SMEs. CrowdStrike and SentinelOne are specialist leaders often chosen where a managed detection and response service is wrapped around them, or where the threat profile is unusually high.
Enforce multi-factor authentication on every account today, prioritising admins, finance and directors with phishing-resistant methods such as passkeys. It is the cheapest, fastest risk reduction available, and the ICO repeatedly cites weak access control in the breaches it investigates. Conditional access and device trust come next, but MFA everywhere is the foundation.
Zero trust is not a purchase, it is a posture: verify explicitly, enforce least privilege, and assume breach, applied to every endpoint that touches your data. For a UK SME the path is clear and incremental. Start with MFA everywhere and conditional access, then enrol devices in Intune with a seven-point compliance baseline and EDR, strip out standing admin rights, add centralised logging, and finally replace your flat VPN with zero trust network access, all achievable in around 90 days. Budget roughly £6 to £15 per user per month for licensing, or £45 upwards for a managed bundle, with a full guided programme across 50 to 250 endpoints starting from £50,000. The same work satisfies NCSC's eight principles, pulls you through Cyber Essentials, and evidences UK GDPR Article 32. The honest takeaway: perfection is not the goal, momentum is. Begin with identity this month, and let each phase make the next one easier and safer.
Ready to map zero trust onto your own endpoint estate without enterprise budgets? Talk to our team through the Softomate London automation and security agency for a fixed-quote assessment.
Written by Deen Dayal Yadav, Founder of Softomate Solutions, a London-based software development and AI automation agency in Stanmore (HA7). With over 12 years building software, security and automation systems for UK businesses, Deen specialises in turning enterprise-grade architectures like zero trust into pragmatic, affordable programmes for SMEs. Softomate Solutions is registered at Companies House and works with firms across London and the UK. Learn more about our team and approach.