Zero Trust for Small Business: Is It Worth the Hype?


Zero trust has become one of those terms that vendors love. Every product is “zero trust enabled.” Every strategy deck mentions it. Every conference has sessions about it.

But what does it actually mean? And is it relevant for a 30-person business in Adelaide?

Let me cut through the marketing.

What Zero Trust Actually Means

The core principle is simple: don’t automatically trust anything, even if it’s inside your network.

Traditional security worked like a castle. Strong walls (firewall) protected everything inside. Once you were inside the walls, you were trusted.

Zero trust assumes attackers are already inside. Every access request is verified, regardless of where it comes from.

The key principles:

  1. Verify explicitly: Always authenticate and authorise based on available data points - identity, location, device, service.

  2. Use least privilege access: Give the minimum access needed for the task, for the minimum time needed.

  3. Assume breach: Design assuming attackers are present. Minimise blast radius. Log everything.

That’s it. Everything else is implementation detail.

Why Traditional Security Fails

The castle-and-moat approach made sense when:

  • Everyone worked in the office
  • Applications ran in your data centre
  • The network perimeter was clear

None of that is true anymore.

The problems:

Remote work: Staff work from home, coffee shops, client sites. They’re outside the castle walls most of the time.

Cloud services: Your applications are in Microsoft 365, Google Workspace, Salesforce, Xero. There’s no moat around them.

BYOD and mobility: Personal devices access business data. You don’t control the endpoint.

Lateral movement: Once attackers get inside (often through phishing), they move laterally. The implicit trust granted to anything already inside the perimeter helps them spread.

Zero trust addresses these realities. It’s not about new technology - it’s about rethinking assumptions.

Zero Trust for SMBs: Practical Steps

You don’t need a million-dollar project. You can adopt zero trust principles incrementally.

1. Strong identity verification

Identity is the new perimeter. If you can verify who someone is, you can make access decisions.

Actions:

  • Enable MFA everywhere (you should already have this)
  • Consider passwordless authentication
  • Use conditional access (block access from risky locations/devices)
  • Implement risk-based authentication

Microsoft Entra ID and Google Workspace both support conditional access. You probably have it - you just haven’t configured it.

2. Device trust

Not all devices should be treated equally. A managed, patched company device is more trustworthy than an unknown personal phone.

Actions:

  • Enrol devices in management (Intune, Jamf, etc.)
  • Require device compliance before granting access
  • Block unmanaged devices from sensitive data
  • Maintain visibility into what devices access your systems

3. Least privilege access

Give people access to what they need, not everything.

Actions:

  • Review and reduce admin privileges
  • Implement role-based access control
  • Remove access when roles change
  • Use just-in-time access for privileged operations

I’ve seen businesses where every employee has access to every file. That’s not security - that’s convenience that becomes a liability.

4. Micro-segmentation

Don’t let one compromised system lead to everything being compromised.

Actions:

  • Segment networks (finance systems don’t need to talk to marketing systems)
  • Limit service accounts to minimum necessary access
  • Use application-level controls where possible

Full micro-segmentation is complex, but basic network segmentation is achievable.

5. Continuous verification

Don’t just verify once at login. Verify continuously.

Actions:

  • Session timeouts for sensitive applications
  • Re-authentication for high-risk actions
  • Monitoring for anomalous behaviour during sessions
  • Automatic response to detected risks

What This Looks Like in Practice

Scenario: Employee logs in from home

Traditional approach: VPN connects them to the network. Once connected, they access everything as if in the office.

Zero trust approach:

  • Identity verified through MFA
  • Device compliance checked (patched? managed? secure?)
  • Conditional access policies applied
  • Only allowed applications accessible
  • Sensitive data requires additional verification
  • Session monitored for anomalies

Scenario: Contractor needs file access

Traditional approach: Create a user account. Add to shared drives. Hope they don’t access things they shouldn’t.

Zero trust approach:

  • Guest access with limited scope
  • Time-limited permissions
  • Only specific folders accessible
  • Downloads blocked or watermarked
  • Access logged and reviewed
  • Automatic expiry after project ends
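To make the two scenarios concrete, here is an added Python model of how a conditional access decision orders its checks (identity, scope and expiry, device, context, then step-up for sensitive data). It is illustration written for this article, not code from the original post or any vendor's policy engine; the class names, fields and decision labels are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple
# Constructed model; names and fields are illustrative, not a vendor's policy schema.

@dataclass(frozen=True)
class Device:
    managed: bool    # enrolled in MDM (Intune, Jamf, ...)
    compliant: bool  # MDM reports it patched, encrypted, etc.

@dataclass(frozen=True)
class Principal:
    name: str
    mfa_satisfied: bool
    allowed_resources: FrozenSet[str]          # least privilege: explicit scope
    guest: bool = False
    access_expires: Optional[datetime] = None  # time-limited guest access

AUDIT_LOG: List[str] = []  # "assume breach": every decision is recorded

def evaluate(p: Principal, d: Device, resource: str, sensitive: bool,
             risky_location: bool, step_up_done: bool, now: datetime) -> Tuple[str, str]:
    """Return (decision, reason); the first matching rule wins, in the order listed."""
    expired = p.access_expires is None or now >= p.access_expires
    rules = [
        (not p.mfa_satisfied, "REQUIRE_MFA", "identity not verified with MFA"),
        (p.guest and expired, "BLOCK", "guest access missing or expired"),
        (resource not in p.allowed_resources, "BLOCK", "resource outside granted scope"),
        (sensitive and not (d.managed and d.compliant), "BLOCK", "sensitive data needs a compliant managed device"),
        (risky_location and not d.managed, "BLOCK", "risky location on an unmanaged device"),
        (sensitive and not step_up_done, "REQUIRE_STEP_UP", "sensitive data needs re-authentication"),
    ]
    decision = next(((v, r) for hit, v, r in rules if hit), ("ALLOW", "all checks passed"))
    AUDIT_LOG.append(f"{now.isoformat()} {p.name} {resource} {decision[0]}: {decision[1]}")
    return decision

def sample_decisions() -> Dict[str, str]:
    """Constructed requests: a staff member at home and a contractor past project end."""
    now = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    staff = Principal("alice", True, frozenset({"mail", "finance"}))
    contractor = Principal("bob-guest", True, frozenset({"project-x"}), guest=True,
                           access_expires=datetime(2024, 5, 31, tzinfo=timezone.utc))
    laptop, phone = Device(True, True), Device(False, False)
    return {
        "staff_mail": evaluate(staff, laptop, "mail", False, False, False, now)[0],
        "staff_finance_no_stepup": evaluate(staff, laptop, "finance", True, False, False, now)[0],
        "staff_finance_phone": evaluate(staff, phone, "finance", True, False, True, now)[0],
        "contractor_expired": evaluate(contractor, laptop, "project-x", False, False, False, now)[0],
    }
```

Run `sample_decisions()` to see the ordinary mail access allowed, the finance share demanding re-authentication on the laptop and refused outright on the unmanaged phone, and the contractor blocked once the project window has passed, with every outcome appended to the audit log.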

Microsoft’s Zero Trust Journey

If you’re on Microsoft 365, you have significant zero trust capability available:

Already included:

  • Microsoft Entra ID (identity management)
  • Conditional access policies
  • Microsoft Intune (device management)
  • Microsoft Defender for Business (endpoint protection)

Configuration required:

  • Enable and configure conditional access
  • Set up device compliance policies
  • Configure DLP policies
  • Review and tighten access permissions

Microsoft publishes a zero trust assessment tool. It’s worth running through even if you don’t implement everything.

The Google Equivalent

Google Workspace has similar capabilities:

  • Context-aware access (their conditional access)
  • BeyondCorp Enterprise (their zero trust product)
  • Device management through Workspace
  • Data loss prevention

The approach is similar: identity, device, and context-aware access controls.

Common Objections

“This sounds complicated.”

It can be. But you can start simple. Enable MFA and conditional access. That’s zero trust in action. Add device compliance. Add more controls over time.

You don’t need to do everything at once.

“This will frustrate users.”

Done poorly, yes. Done well, the friction is minimal. Conditional access can require MFA only when something looks risky. Managed devices can have smoother access. The goal is appropriate security, not maximum security.

“We’re too small for this.”

The principles apply at any size. A 20-person business with strong identity verification and device compliance is practising zero trust. You don’t need enterprise software to adopt the mindset.

“We don’t have the budget.”

Much of this is configuration of tools you already pay for. Microsoft 365 Business Premium includes conditional access, Intune, and Defender. If you’re paying for it, use it.

What Not to Do

Don’t buy “zero trust products” without strategy.

Vendors will happily sell you zero trust solutions. But zero trust is a strategy, not a product. Buying tools without a plan for using them is waste.

Don’t try to implement everything at once.

This is a journey, not a destination. Prioritise based on risk and build over time.

Don’t forget the basics.

Zero trust isn’t a substitute for patching, backups, and user training. It’s an addition to fundamentals, not a replacement.

Working with Specialists

Zero trust implementation benefits from expertise. AI consultants Melbourne and similar firms can help:

  • Assess your current state against zero trust principles
  • Design a practical roadmap
  • Configure the tools you already have
  • Implement additional controls where needed

For SMBs, the value is often in configuration and strategy rather than new tool purchases.

Priority Order for SMBs

If I were advising a 30-person business starting from scratch:

Phase 1 (Immediate):

  • MFA everywhere
  • Conditional access (block obviously risky sign-ins)
  • Basic device management

Phase 2 (Next quarter):

  • Device compliance policies
  • Access reviews for sensitive data
  • Network segmentation (if applicable)

Phase 3 (Ongoing):

  • Just-in-time access for admin accounts
  • Application-level access controls
  • Continuous monitoring and response

Phase 4 (Advanced):

  • Micro-segmentation
  • Data classification and protection
  • Full zero trust architecture

Most SMBs should be in phases 1-2. Phases 3-4 come as you grow and mature.

The ROI Question

Is zero trust worth the effort?

Consider what you’re protecting against:

  • Compromised credentials: MFA and conditional access block most credential-based attacks
  • Lateral movement: Segmentation and least privilege limit damage from breaches
  • Insider threats: Monitoring and access controls provide visibility
  • Supply chain attacks: Third-party access controls reduce exposure

The businesses that implement these controls have significantly lower breach rates.

Is that worth configuration effort and modest additional friction? For most businesses, yes.

Measuring Progress

How do you know if you’re making progress?

Metrics to track:

  • Percentage of access protected by MFA
  • Percentage of devices managed/compliant
  • Number of accounts with standing admin privileges
  • Mean time to revoke access when people leave
  • Percentage of applications with conditional access

Improvement in these metrics indicates zero trust progress, regardless of what you call it.

Final Thought

Zero trust isn’t magic. It’s not a product you buy. It’s a principle you apply.

“Never trust, always verify” is a mindset shift. Applied consistently, it dramatically improves security posture.

Start with identity. Add device trust. Build from there.

Working with specialists like AI consultants Brisbane can accelerate implementation, but the principles are straightforward enough that any business can start applying them today.

The question isn’t whether zero trust is worth the hype. The question is whether you’re still trusting things you shouldn’t.