
CYBER SECURITY

Zero Trust Security for UK Business Endpoints: A Practical Implementation Guide

9 May 2026 · 15 min read · By Softomate Solutions

What Does Zero Trust Actually Mean in Practice?

Zero trust is a security philosophy, not a product you can purchase. The phrase "never trust, always verify" captures it well: every request to access a system, application, or piece of data is treated as potentially hostile regardless of whether it originates inside or outside the corporate network perimeter. This is a fundamental departure from the traditional "castle and moat" security model, in which anything inside the network perimeter was implicitly trusted.

The traditional model made a reasonable assumption in 2005: corporate resources lived on corporate servers, employees worked in offices connected to corporate networks, and attackers sat outside the firewall trying to get in. That assumption collapsed over the following decade as cloud infrastructure, remote working, SaaS applications, and mobile devices destroyed the concept of a meaningful network perimeter. By the time the NCSC published its zero trust architecture guidance in 2021, the castle-and-moat model was already obsolete for most UK organisations.

Zero trust does not mean trusting nothing at all. It means that trust is granted dynamically, per session, based on verified signals rather than assumed from network location. A verified user on a compliant corporate device accessing a low-sensitivity application from a known location receives access quickly and with minimal friction. The same user accessing a high-sensitivity application from an unrecognised device in an unusual location triggers additional verification steps or is blocked entirely.

This dynamic trust model is what allows UK businesses to support remote work, personal devices, third-party contractors, and cloud applications securely - without relying on a VPN perimeter that sophisticated attackers routinely bypass. Our endpoint protection services help UK organisations design and implement zero trust architectures appropriate to their size and risk profile.

What Are the Three Pillars of Zero Trust Applied to Endpoints?

The NCSC's zero trust architecture guidance sets out eight design principles. Microsoft's zero trust framework distils the same thinking into three principles (verify explicitly, least privilege access, assume breach), and it is these three that most directly govern how zero trust works for endpoint security. Understanding them is the foundation for planning a practical implementation.

Verify Explicitly

Every access request must be authenticated and authorised using all available signals: the identity of the user (verified via multi-factor authentication), the health and compliance status of the device, the location of the request, the application being accessed, and the sensitivity of the data involved. No single signal is sufficient on its own. A valid username and password can be stolen; a stolen password is far less useful when access also requires a compliant, enrolled device; and it is harder still to abuse when the sign-in must also come from the user's usual location at a usual time of day.

In practice, this means UK businesses implementing zero trust need strong identity verification (typically Microsoft Entra ID with MFA), device compliance enforcement (Microsoft Intune or an equivalent MDM), and conditional access policies that evaluate the combination of signals before granting access. The NCSC recommends phishing-resistant MFA methods such as FIDO2 passkeys or certificate-based authentication for high-value access scenarios.

Least Privilege Access

Users and devices should have the minimum level of access required to do their jobs. Nothing more. This principle sounds obvious, yet most UK SMEs give employees broad administrative rights "because it is easier", share credentials for shared accounts, and leave legacy permissions in place for years after a role changes. Least privilege is genuinely hard to implement in an organisation that has grown organically, but it is the single most impactful control for limiting the blast radius of a compromised account.

In practice, least privilege access means: no standard user has local administrator rights on their endpoint, privileged access (admin accounts) is used only via Privileged Access Workstations (PAWs) or just-in-time elevation, role-based access control is applied to all applications and data stores, and access is reviewed quarterly. Microsoft Entra Privileged Identity Management (PIM) provides just-in-time privileged access for UK businesses running Microsoft 365; note that PIM requires Entra ID P2 (or Entra ID Governance), which is an add-on to the Entra ID P1 licence included in Business Premium.
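The following is an added example, not code from the original article or from Microsoft: it uses the Microsoft Graph PowerShell SDK to make a user eligible for a directory role through PIM, so the role must be activated for a bounded window rather than being held permanently. It assumes the SDK is installed, the tenant is licensed for PIM (Entra ID P2), and that the UPN and role name are placeholders you replace; it then lists any remaining permanent assignments of that role so they can be converted or removed.

```powershell
# Added example (not from the original article). Assumes Microsoft.Graph SDK
# and an Entra ID P2 / PIM-capable tenant. UPN and role name are placeholders.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Identity.Governance

param(
    [string]$UserPrincipalName = 'helpdesk.user@example.com',   # placeholder
    [string]$RoleName          = 'Helpdesk Administrator',      # a scoped role, not Global Administrator
    [int]$EligibilityDays      = 365                            # lifetime of the *eligibility*, not of an activation
)

Connect-MgGraph -Scopes 'RoleEligibilitySchedule.ReadWrite.Directory', 'RoleManagement.Read.Directory', 'User.Read.All' -NoWelcome

$user = Get-MgUser -UserId $UserPrincipalName -Property Id, DisplayName
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
if (-not $role) { throw "Role '$RoleName' not found in this tenant" }

# An eligibility request grants the right to *activate* the role. Activation
# itself is governed by the role's PIM settings (MFA, justification, maximum
# activation duration), which is where the just-in-time control lives.
$request = @{
    action           = 'adminAssign'
    justification    = 'Least-privilege JIT access for tier-1 helpdesk'
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = '/'     # whole tenant; scope to an administrative unit where possible
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{
            type     = 'afterDuration'
            duration = "P${EligibilityDays}D"   # ISO 8601 duration, e.g. P365D
        }
    }
}

$result = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $request
Write-Host "Eligibility request for $($user.DisplayName) -> $RoleName : $($result.Status)"

# Permanent (always-active) assignments of the same role are what least
# privilege is trying to remove; list them so each can be reviewed.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" -All |
    ForEach-Object { Write-Host "Permanent assignment of $RoleName to principal $($_.PrincipalId)" }
```

Run it once per role holder as part of the quarterly review; the eligibility expiry forces the assignment to be re-justified rather than lingering after a role change.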

Assume Breach

The third pillar is the most psychologically difficult for UK business leaders to accept: assume that attackers have already breached your perimeter. Design your security architecture on the assumption that at least one endpoint in your estate is currently compromised. This assumption drives two critical architectural decisions: network micro-segmentation (compromised devices cannot move laterally across the network) and comprehensive logging (when the breach is confirmed, you can investigate it fully).

The "assume breach" mindset is why Endpoint Detection and Response (EDR) is a foundational component of zero trust endpoint security rather than an optional add-on. EDR provides the continuous monitoring and automated response capability that the assume-breach pillar demands. Without it, you cannot detect lateral movement or unusual data access by a compromised account. Combining zero trust with strong EDR is discussed in our endpoint protection services.

How Can UK Businesses Implement Zero Trust Incrementally?

The most common mistake UK organisations make with zero trust is attempting a "big bang" transformation: designing a target architecture, procuring all the required tools, and trying to migrate everything simultaneously. This approach fails reliably because it is too complex, too disruptive, and too expensive to execute in a single project. The NCSC explicitly recommends an incremental approach, and Microsoft's zero trust deployment guidance follows the same order: identity first, then devices, then applications, then network. The four stages below follow that path.

Stage 1: Identity Verification First

The single highest-impact starting point for zero trust is strong identity verification. Before anything else, every user in the organisation should be enrolled in multi-factor authentication. For UK businesses running Microsoft 365 (which covers the majority of the UK SME market), enabling MFA on all accounts takes a day to configure and a week to roll out to users. The Microsoft Authenticator app provides free MFA for all Microsoft 365 subscribers.

Beyond basic MFA, the identity foundation for zero trust requires: Microsoft Entra ID (formerly Azure Active Directory) as the identity provider, conditional access policies that block sign-in from untrusted locations or unregistered devices, and passwordless authentication deployed for at least privileged accounts. UK businesses that have not yet enforced MFA on all accounts should treat this as the immediate priority before any other zero trust work begins. Microsoft's own sign-in telemetry indicates that MFA blocks over 99% of automated account-compromise attacks such as credential stuffing.
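As an added example (not code from the original article or from Microsoft), the script below creates the two Stage 1 conditional access policies the text describes, require MFA for all users and block legacy authentication, using the Microsoft Graph PowerShell SDK. It assumes the SDK is installed, that the tenant has Entra ID P1 (included in Business Premium), and that you supply the object ID of a break-glass account to exclude; that ID is a placeholder. Policies are created in report-only mode first so the sign-in logs show what would have been blocked before anything is enforced.

```powershell
# Added example (not from the original article). Assumes Microsoft.Graph SDK,
# Entra ID P1, and a break-glass account object ID (placeholder below).
#Requires -Modules Microsoft.Graph.Identity.SignIns

param(
    # Emergency-access account excluded from every policy so a misconfiguration
    # cannot lock every administrator out of the tenant.
    [string]$BreakGlassAccountId = '00000000-0000-0000-0000-000000000000',   # placeholder

    # Default is report-only; rerun with -Enforce after reviewing the impact.
    [switch]$Enforce
)

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

$state = if ($Enforce) { 'enabled' } else { 'enabledForReportingButNotEnforced' }

# Policy 1: MFA for every user, every cloud application, on modern clients.
$requireMfa = @{
    displayName   = 'ZT-01 Require MFA for all users'
    state         = $state
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassAccountId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Policy 2: block legacy authentication. Exchange ActiveSync and the "other"
# bucket (IMAP, POP3, SMTP AUTH, older Office clients) cannot complete an MFA
# challenge, so leaving them enabled leaves a password-only path into the tenant.
$blockLegacy = @{
    displayName   = 'ZT-02 Block legacy authentication'
    state         = $state
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassAccountId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($policy in @($requireMfa, $blockLegacy)) {
    # Idempotent: do not create a duplicate if the policy already exists.
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($policy.displayName)'"
    if ($existing) {
        Write-Host "Already exists: $($policy.displayName) (state: $($existing.State))"
        continue
    }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' in state '$($created.State)'"
}
```

Leave both policies in report-only for a week, review the "Report-only" results in the sign-in logs for accounts that would have been blocked (usually service accounts or legacy mailbox clients), resolve those, then rerun with -Enforce.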

Stage 2: Device Compliance

Once identity verification is in place, the next stage is device compliance enforcement. Microsoft Intune (included in Microsoft 365 Business Premium at approximately £18 per user per month) allows organisations to define compliance policies - minimum OS version, encryption enabled, antivirus active, PIN set - and block access from non-compliant devices via conditional access policies.

Corporate-owned Windows devices are enrolled in Intune in bulk via Windows Autopilot or a bulk enrolment package rather than one at a time. For personal BYOD devices, Intune's app protection policies can protect corporate data (email, SharePoint, Teams) within a managed container on the device without requiring full device management. This approach respects employee privacy while enforcing corporate security controls.

Device compliance enforcement alone - preventing unmanaged, unpatched, or non-compliant devices from accessing corporate resources - is one of the most significant security improvements a UK business can make. It closes off access from shadow IT devices, unpatched personal laptops, and unmanaged contractor endpoints.

Stage 3: Application Access Controls

The third stage moves beyond identity and device to application-level access control. Microsoft Entra Application Proxy publishes on-premises applications to the internet securely without a VPN, requiring verified identity and device compliance before granting access. Conditional access policies can enforce different requirements for different applications: accessing email from a compliant device requires MFA; accessing a financial reporting system from any device that is not Entra-joined and compliant is blocked entirely.

For UK businesses with significant SaaS application estates (Salesforce, Xero, HubSpot, and so on), Microsoft Entra ID supports single sign-on (SSO) and conditional access for thousands of third-party SaaS applications. Centralising authentication through Entra ID gives you visibility of all application access in one audit log, which supports the accountability principle (UK GDPR Article 5(2)) and breach investigation under Article 33.
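The following added example (not code from the original article or from Microsoft) combines Stage 2 and Stage 3: it creates a Windows compliance policy in Intune covering the signals the text lists (encryption, Secure Boot, firewall, antivirus, OS version floor), assigns it to all devices, and then creates a conditional access policy that lets only compliant devices with MFA reach a named high-sensitivity application. It assumes the Microsoft Graph PowerShell SDK, Intune and Entra ID P1 (both in Business Premium), and that you supply the application ID of the protected app and a break-glass account ID; both IDs are placeholders.

```powershell
# Added example (not from the original article). Assumes Microsoft.Graph SDK,
# Intune and Entra ID P1. Application and break-glass IDs are placeholders.
#Requires -Modules Microsoft.Graph.DeviceManagement, Microsoft.Graph.Identity.SignIns

param(
    [string]$SensitiveAppId        = '00000000-0000-0000-0000-000000000001',  # placeholder: appId of e.g. the finance system
    [string]$BreakGlassAccountId   = '00000000-0000-0000-0000-000000000000',  # placeholder
    [string]$MinimumWindowsVersion = '10.0.19045'                             # Windows 10 22H2 as the floor
)

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All', 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

# Stage 2: Intune compliance policy. A device failing any setting is marked
# non-compliant; the scheduled action blocks it with no grace period.
$compliance = @{
    '@odata.type'           = '#microsoft.graph.windows10CompliancePolicy'
    displayName             = 'ZT Windows baseline compliance'
    description             = 'Encryption, Secure Boot, firewall, antivirus and OS version floor'
    osMinimumVersion        = $MinimumWindowsVersion
    bitLockerEnabled        = $true
    secureBootEnabled       = $true
    codeIntegrityEnabled    = $true
    activeFirewallRequired  = $true
    antivirusRequired       = $true
    antiSpywareRequired     = $true
    defenderEnabled         = $true
    rtpEnabled              = $true      # Defender real-time protection
    passwordRequired        = $true
    passwordMinimumLength   = 6
    scheduledActionsForRule = @(
        @{
            ruleName                      = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 0 }
            )
        }
    )
}
$policy = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $compliance
Write-Host "Compliance policy created: $($policy.Id)"

# Assign the policy to every Intune-managed device.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.Id)/assign" `
    -Body $assignment

# Stage 3: the sensitive application is reachable only from a device Intune
# reports as compliant AND with MFA. Report-only first, as with every policy.
$ca = @{
    displayName   = 'ZT-03 Sensitive app requires compliant device and MFA'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassAccountId) }
        applications   = @{ includeApplications = @($SensitiveAppId) }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'AND'; builtInControls = @('mfa', 'compliantDevice') }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $ca
Write-Host "Conditional access policy created: $($created.DisplayName) ($($created.State))"
```

The `AND` operator matters: with `OR`, a non-compliant device could still get in by satisfying MFA alone, which is exactly the gap the device pillar is meant to close.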

Stage 4: Network Micro-Segmentation and Full Telemetry

The fourth and most complex stage is network micro-segmentation: dividing the internal network into isolated segments so that a compromised device in the accounts team cannot reach the engineering team's servers. This stage requires network infrastructure changes (or a Software-Defined Networking overlay) and is typically the most expensive and disruptive phase of a zero trust programme. It is also the stage where most UK SMEs stop, having achieved substantial security improvement from the first three stages at a fraction of the cost.

Microsoft Entra ID and Intune for UK SMEs: An Honest Assessment

Microsoft's zero trust stack - Entra ID for identity, Intune for device management, Defender for Endpoint for EDR, and Purview for data governance - is the practical zero trust platform for the majority of UK SMEs, because most UK businesses are already paying for Microsoft 365 and the relevant components are included or available at incremental cost.

Microsoft 365 Business Premium (approximately £18 per user per month) includes Entra ID P1, Intune, and Microsoft Defender for Business, which provides EDR capability for up to 300 users. For a 50-person UK business already on Microsoft 365 Business Standard (approximately £10 per user per month), upgrading to Business Premium costs an additional £8 per user per month (£4,800 per year for 50 users) and enables the complete zero trust foundation: MFA with conditional access, device compliance enforcement, and EDR.

The honest caveat is that Microsoft's zero trust platform requires configuration expertise to deploy correctly. The tools are powerful but the defaults are not zero trust: a fresh Microsoft 365 tenant has conditional access disabled, legacy authentication protocols enabled, MFA not enforced, and Intune not deployed. A UK business that has simply purchased Microsoft 365 without configuring it for zero trust has paid for the capability but not achieved the security outcome.

Our cyber security consultancy service includes a Microsoft 365 secure configuration assessment that identifies gaps between your current configuration and the NCSC's secure configuration recommendations for Microsoft 365, and produces a prioritised remediation plan.

How Does Zero Trust Align With UK GDPR Requirements?

Zero trust architecture aligns closely with several UK GDPR obligations, and implementing zero trust contributes meaningfully to demonstrating compliance with the accountability principle (Article 5(2)) and the requirement for appropriate technical measures (Article 32).

The least privilege access pillar maps directly to the UK GDPR data minimisation principle (Article 5(1)(c)): users access only the personal data required for their specific role, and no more. When a member of staff in the HR team can access only HR system data, and a sales representative can access only CRM data, the risk of unauthorised access to personal data is substantially reduced. This is both a security outcome and a compliance outcome.

The assume-breach pillar and its associated comprehensive logging requirement align with the UK GDPR Article 33 breach notification duty (72 hours from becoming aware) and the Article 33(5) requirement to document breaches and their effects. When every access event is logged - who accessed what application, from which device, at what time - you can reconstruct exactly what personal data may have been accessed in the event of a compromised account. That reconstruction capability is what makes it possible to produce an accurate ICO notification within the 72-hour window.

The explicit verification of device compliance also contributes to the UK GDPR requirement to implement appropriate technical measures. A conditional access policy that blocks access from unencrypted or unpatched devices reduces the risk of personal data being accessed from an insecure endpoint, which is a specific risk category the ICO's data security guidance addresses.

Common Zero Trust Implementation Mistakes UK Businesses Make

Having reviewed zero trust projects at UK businesses ranging from 30-person professional services firms to 2,000-person financial services organisations, the following mistakes appear reliably.

The Big Bang Rollout

Attempting to implement zero trust comprehensively in a single project is the most common failure mode. Zero trust touches identity, devices, applications, networks, and data governance simultaneously. A project that scopes all five workstreams runs for 18 months, costs substantially more than budgeted, and often fails to complete because the organisation changes faster than the project can track. Start with identity verification and MFA enforcement, deliver that in four weeks, then plan the next stage.

Ignoring Legacy Systems

Most UK businesses have at least one legacy application that cannot support modern authentication: an on-premises ERP system running on Windows Server 2012, a manufacturing control system that predates the internet, or a line-of-business application built by a contractor who is no longer available. Zero trust conditional access policies that block legacy authentication (basic authentication over protocols such as IMAP, POP3, SMTP AUTH and Exchange ActiveSync) will break these systems.

The answer is not to exclude legacy systems from zero trust indefinitely - that creates a permanent gap attackers will exploit. The answer is to put legacy systems behind an Application Proxy with modern authentication in front, isolate them on a dedicated network segment, and plan for replacement. A cyber security consultancy assessment should identify all legacy authentication dependencies before conditional access policies are enforced.
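As an added example (not code from the original article or from Microsoft), the read-only script below performs the two checks this article keeps returning to: whether the tenant has actually moved off its defaults (conditional access enabled, security defaults state, MFA enforced by one or the other), and which users, protocols and applications are still signing in with legacy authentication. The second part is the dependency list to work through before a block-legacy-authentication policy is enforced. It assumes the Microsoft Graph PowerShell SDK and Entra ID P1 (required for sign-in log access); the output path is a placeholder.

```powershell
# Added example (not from the original article). Read-only: assumes
# Microsoft.Graph SDK and Entra ID P1 for sign-in logs. Output path is a placeholder.
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports

param(
    [int]$LookbackDays  = 30,
    [string]$ReportPath = '.\legacy-auth-dependencies.csv'   # placeholder
)

Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All' -NoWelcome

# 1. Conditional access: is anything enforced, or only in report-only mode?
$caPolicies = Get-MgIdentityConditionalAccessPolicy -All
$enabled    = @($caPolicies | Where-Object State -eq 'enabled')
$reportOnly = @($caPolicies | Where-Object State -eq 'enabledForReportingButNotEnforced')
Write-Host ("Conditional access: {0} enabled, {1} report-only, {2} total" -f $enabled.Count, $reportOnly.Count, $caPolicies.Count)

# 2. Security defaults. They are a stop-gap that enforces MFA, but they are
#    mutually exclusive with conditional access, so record which model applies.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security defaults enabled: $($defaults.IsEnabled)"
if (-not $defaults.IsEnabled -and $enabled.Count -eq 0) {
    Write-Warning 'Neither security defaults nor an enabled conditional access policy: MFA is not enforced.'
}

# 3. Legacy authentication still in use. None of these client types can answer
#    an MFA challenge, so each row below will break when legacy auth is blocked.
$legacyClients = @(
    'Exchange ActiveSync', 'Other clients', 'IMAP4', 'POP3', 'SMTP',
    'Authenticated SMTP', 'MAPI Over HTTP', 'Exchange Web Services',
    'Offline Address Book', 'AutoDiscover', 'Reporting Web Services',
    'Exchange Online PowerShell'
)
$since = (Get-Date).AddDays(-$LookbackDays).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# One server-side filtered query per client type keeps each request small
# instead of pulling every sign-in in the tenant and filtering locally.
$signIns = foreach ($client in $legacyClients) {
    Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and clientAppUsed eq '$client'"
}

# One row per user + protocol + application: each is a dependency to resolve
# (modern-auth client, Application Proxy, network isolation, or retirement).
$dependencies = $signIns |
    Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
    ForEach-Object {
        [pscustomobject]@{
            User        = $_.Group[0].UserPrincipalName
            Protocol    = $_.Group[0].ClientAppUsed
            Application = $_.Group[0].AppDisplayName
            SignIns     = $_.Count
            LastSeen    = ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
            FromIPs     = ($_.Group.IpAddress | Sort-Object -Unique) -join ';'
        }
    } | Sort-Object SignIns -Descending

$dependencies | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$($dependencies.Count) legacy authentication dependencies written to $ReportPath"
$dependencies | Select-Object -First 10 | Format-Table -AutoSize
```

Rows with a single source IP and a steady sign-in count are usually a multifunction printer, a scanner or a scheduled job using SMTP AUTH or IMAP; rows spread across many IPs for one user are more often a stale mobile mail profile, or an attacker spraying passwords against the one protocol that never asks for a second factor.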

No User Training

Zero trust frequently increases friction for users: MFA prompts, device compliance checks, and access denials for non-compliant devices. Without clear communication and training, users experience these controls as random obstruction rather than deliberate security measures. The result is shadow IT: employees find ways to work around the controls, undermining the architecture. Invest in user communication and training before deploying conditional access policies that change the authentication experience.

Realistic Timeline and Cost for UK Businesses

A full zero trust implementation for a UK business with 50 to 500 employees typically spans 12 to 24 months and costs between £50,000 and £200,000 in professional services, depending on the complexity of the existing environment, the number of legacy systems, and the depth of network micro-segmentation required.

The breakdown for a 100-person UK professional services firm implementing Microsoft's zero trust stack typically looks as follows. Identity and MFA foundation (Stage 1): six to eight weeks, approximately £8,000 to £15,000 in professional services, plus any uplift in Microsoft 365 licensing. Device compliance and Intune deployment (Stage 2): eight to twelve weeks, approximately £12,000 to £20,000 in professional services. Application access controls and conditional access policies (Stage 3): eight to twelve weeks, approximately £10,000 to £18,000 in professional services. Network segmentation (Stage 4): this stage varies enormously by network complexity; budget £20,000 to £80,000 for a 100-person organisation with mixed on-premises and cloud infrastructure.

Ongoing management, quarterly access reviews, and conditional access policy maintenance add approximately £8,000 to £15,000 per year for a UK business at this scale. The total three-year cost of ownership for a zero trust programme at a 100-person UK firm is typically £70,000 to £150,000, depending on scope.

Against that cost, consider the average cost of a significant data breach for a UK organisation. The IBM Cost of a Data Breach Report 2023 put the average UK cost at £3.4 million. Even the upper end of the zero trust implementation budget above (£200,000) is roughly 6% of that figure.


Frequently Asked Questions

What is zero trust security and why does it matter for UK businesses?

Zero trust is a security philosophy built on the principle of never trusting any user, device, or connection by default, and always verifying access based on real-time signals including identity, device compliance, location, and application sensitivity. It matters for UK businesses because the traditional perimeter-based model is ineffective against modern attacks: cloud applications, remote working, and BYOD devices have dissolved the network perimeter that the castle-and-moat model relied upon. Zero trust provides security controls appropriate to how UK businesses actually work today.

How long does zero trust take to implement for a UK SME?

A meaningful zero trust foundation - MFA on all accounts, device compliance enforcement, and conditional access policies - can be deployed in eight to twelve weeks for a UK SME running Microsoft 365. Full zero trust, including application-level access controls and network micro-segmentation, typically takes 12 to 24 months for a 50 to 500-person organisation. The NCSC and Microsoft both recommend an incremental approach rather than attempting a comprehensive implementation in a single project.

Does implementing zero trust help with UK GDPR compliance?

Zero trust contributes directly to several UK GDPR obligations. The least privilege access pillar aligns with the data minimisation principle, ensuring users access only the personal data required for their role. The comprehensive logging required by the assume-breach pillar supports the 72-hour breach notification requirement under Article 33 by providing a complete audit trail of what data was accessed. Device compliance enforcement contributes to the appropriate technical measures requirement under Article 32.

Is Microsoft 365 Business Premium sufficient for zero trust?

Microsoft 365 Business Premium (approximately £18 per user per month in the UK) includes the core components for a zero trust foundation: Entra ID P1 for conditional access, Intune for device compliance, and Microsoft Defender for Business for endpoint detection and response. For most UK SMEs with up to 300 users, Business Premium provides the technology foundation required. Correct configuration is the differentiating factor - the defaults are not zero trust and require deliberate setup to deliver the security outcome.

What is the NCSC's position on zero trust for UK organisations?

The NCSC published its zero trust architecture guidance in 2021 and updated it in 2023. The guidance recommends zero trust principles for all UK organisations and provides eight specific design principles covering user identity, device health, network access, services and applications, and security telemetry. The NCSC does not mandate zero trust for Cyber Essentials compliance, but zero trust architecture significantly exceeds the Cyber Essentials technical controls and provides stronger assurance against the threat types the NCSC identifies as highest priority for UK businesses.
