Zero Trust is simultaneously one of the most valuable security frameworks and one of the most misrepresented. The architecture, built on three principles (verify explicitly, use least-privilege access, and assume breach), is profoundly practical even without enterprise-scale tooling budgets.
What Zero Trust Actually Requires
Zero Trust is a design philosophy, not a product. It means eliminating implicit trust based on network location: a device inside your firewall perimeter is not inherently more trustworthy than one outside it. Every access request must be authenticated, authorised, and continuously validated.
Identity: The New Perimeter
Microsoft Entra ID or Okta provides enterprise-grade identity capabilities at accessible price points. The essentials: MFA enforced universally with no exceptions, Conditional Access policies that evaluate device compliance before granting access, and privileged identity management with time-limited administrative elevation.
Device Trust Without an MDM Budget
Enterprise MDM solutions like Intune are within reach of most SMEs through Microsoft 365 Business Premium licensing. Device compliance policies feed directly into Conditional Access. For organisations that cannot afford MDM, browser isolation via Cloudflare Access provides a workable intermediate step.
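The identity and device sections above describe the same decision: every request is verified explicitly, with network location carrying no weight. The following is an added illustration, not code from the article or from Entra ID, Okta or Intune; the request fields, policy rules and sample cases are constructed for this example and do not mirror any vendor's policy schema.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed request model for illustration; the field names are this
# example's own, not Entra ID's or Okta's Conditional Access schema.
@dataclass
class AccessRequest:
    user: str
    resource: str
    mfa_satisfied: bool
    device_compliant: bool
    source_network: str                 # "corp-lan" or "internet"
    privileged: bool = False
    elevation_expires: Optional[datetime] = None  # PIM-style time-limited elevation

@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)

def perimeter_decision(req: AccessRequest) -> Decision:
    """Legacy model the article argues against: being on the LAN implies trust."""
    if req.source_network == "corp-lan":
        return Decision(True, ["trusted-network"])
    return Decision(False, ["untrusted-network"])

def zero_trust_decision(req: AccessRequest, now: datetime) -> Decision:
    """Verify explicitly on every request; source_network is deliberately ignored."""
    reasons = []
    if not req.mfa_satisfied:           # MFA universal, no exceptions
        reasons.append("mfa-required")
    if not req.device_compliant:        # device compliance feeds the decision
        reasons.append("device-not-compliant")
    if req.privileged:                  # admin access only during an active elevation
        if req.elevation_expires is None or req.elevation_expires <= now:
            reasons.append("elevation-missing-or-expired")
    return Decision(allow=not reasons, reasons=reasons)

NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed evaluation time

if __name__ == "__main__":
    # Constructed case: a non-compliant laptop on the office LAN with no MFA.
    inside = AccessRequest("alice", "finance-share", mfa_satisfied=False,
                           device_compliant=False, source_network="corp-lan")
    print("perimeter model:", perimeter_decision(inside))
    print("zero trust:    ", zero_trust_decision(inside, NOW))
    # Constructed case: an administrator whose elevation window ended an hour ago.
    admin = AccessRequest("bob", "entra-admin", True, True, "internet",
                          privileged=True, elevation_expires=NOW.replace(hour=8))
    print("zero trust:    ", zero_trust_decision(admin, NOW))
```

The first case is the point of the section: the perimeter model admits the compromised LAN device, while the explicit check refuses it for two independent reasons.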
Network Segmentation with Open-Source Tooling
VLANs with restrictive ACLs enforced through commodity managed switches provide meaningful lateral movement prevention for under £2,000 in hardware. Pair this with WireGuard for site-to-site and remote access VPN — its minimal codebase (~4,000 lines vs OpenVPN's ~600,000) dramatically reduces attack surface.
Continuous Validation: The SIEM Question
Microsoft Sentinel on pay-as-you-go pricing, or the free tier of Elastic SIEM with curated detection rules, provides sufficient capability for most SMEs. The key is not the tool — it is having defined detection use cases and an assigned owner for acting on alerts. A SIEM with no one watching it is security theatre.