01
Why Zero Trust Replaced Perimeter Security
The traditional security model assumed that threats came from outside and trusted everything inside the network perimeter. If you were connected to the office Wi-Fi or VPN, you were trusted. If you were outside, you weren't.
That model collapsed. Cloud services, remote work, and mobile devices mean there is no longer a meaningful perimeter. Your email lives in Microsoft's cloud. Your files are in SharePoint. Your users log in from home, from coffee shops, from multiple continents. The 'inside' no longer exists as a security boundary.
Zero Trust replaces 'trust but verify' with 'never trust, always verify.' Every access request, regardless of where it comes from, is authenticated, authorised, and continuously validated.
02
The Five Pillars of Zero Trust
| Pillar | What it means | Key controls |
|---|---|---|
| Identity | Verify who is accessing, every time | MFA, Conditional Access, Identity Protection |
| Devices | Verify the device is compliant before granting access | Intune compliance policies, device health checks |
| Applications | Control access to specific apps based on risk | App-specific Conditional Access policies |
| Data | Protect data regardless of where it lives | DLP policies, sensitivity labels, encryption |
| Network | Segment networks, limit lateral movement | Microsegmentation, Zero Trust Network Access (ZTNA) |
03
Identity: The Foundation of Zero Trust
Identity is the most critical pillar for SMBs. Most attacks target credentials: phishing, password spray, credential stuffing. If identity is compromised, everything else is accessible.
Identity hardening checklist
✓ MFA enforced via Conditional Access for all users and all apps
✓ Entra ID Identity Protection: risk-based Conditional Access (block or step-up on risky sign-ins)
✓ Admin accounts separate from daily-use accounts
✓ Privileged Identity Management (PIM): Just-in-Time admin access, no standing admin roles
✓ Password protection: block common passwords, hybrid Azure AD password protection for on-premises Active Directory
✓ Passwordless authentication: Microsoft Authenticator passkey, FIDO2 security keys for privileged accounts
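The first, second and last items of the checklist can be deployed as Conditional Access policies. The script below is an added example written for this page (it is not De4sec's or Microsoft's deployment code) and uses the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, the signed-in account can manage Conditional Access, and a group named 'Break Glass Accounts' (a hypothetical name) holds your emergency-access accounts. Every policy is created in report-only mode so the sign-in log shows its effect before anything is enforced.

```powershell
# Added example, not De4sec's or Microsoft's own deployment script. Creates three
# Conditional Access policies with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed, an account that can manage
# Conditional Access, and a group 'Break Glass Accounts' (hypothetical name).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Emergency-access accounts are excluded from every policy so that a mis-scoped
# rule can never lock every administrator out of the tenant.
$breakGlass = Get-MgGroup -Filter "displayName eq 'Break Glass Accounts'"
if (-not $breakGlass) { throw "Create the break-glass group before deploying policies." }

# Shared scope: all users except break-glass, all cloud apps, all client types.
$allUsersExceptBreakGlass = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
$allApps = @{ includeApplications = @("All") }

# Report-only: the policy is evaluated and logged but not enforced. Change the
# state to "enabled" once the sign-in log review shows no unexpected blocks.
$reportOnly = "enabledForReportingButNotEnforced"

# 1. MFA for all users and all apps.
$mfaPolicy = @{
    displayName   = "CA001 - Require MFA for all users"
    state         = $reportOnly
    conditions    = @{ users = $allUsersExceptBreakGlass; applications = $allApps; clientAppTypes = @("all") }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# 2. Risk-based: block sign-ins that Identity Protection rates as high risk
#    (needs Entra ID P2). A separate policy can step medium risk up to MFA.
$riskPolicy = @{
    displayName   = "CA002 - Block high-risk sign-ins"
    state         = $reportOnly
    conditions    = @{ users = $allUsersExceptBreakGlass; applications = $allApps; clientAppTypes = @("all"); signInRiskLevels = @("high") }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 3. Phishing-resistant MFA (FIDO2 key or passkey) for Global Administrators.
#    62e90394-... is the Global Administrator role template id; the strength id
#    is the built-in "Phishing-resistant MFA" policy. Confirm both in your
#    tenant (Get-MgDirectoryRoleTemplate, Get-MgPolicyAuthenticationStrengthPolicy).
$adminPolicy = @{
    displayName   = "CA003 - Phishing-resistant MFA for admins"
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeRoles = @("62e90394-69f5-4237-9190-012177145e10"); excludeGroups = @($breakGlass.Id) }
        applications   = $allApps
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" } }
}

foreach ($p in $mfaPolicy, $riskPolicy, $adminPolicy) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host ("Created {0} ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

Review the "Report-only" results in the Entra sign-in logs for a week or two, then flip `state` to `enabled` one policy at a time. Admin separation and PIM are configured in the Entra portal rather than created here, but the third policy is what makes a separated admin account actually harder to phish.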
In a Zero Trust model, devices must prove they are compliant before being granted access to corporate resources. A device that is not enrolled in MDM, does not have an up-to-date OS, or has antivirus disabled should be blocked, regardless of who is logging in.
Device compliance requirements (Intune)
✓ Device enrolled in Microsoft Intune
✓ Operating system at or above minimum version
✓ BitLocker/FileVault encryption enabled
✓ Microsoft Defender enabled and reporting healthy
✓ Screen lock configured with PIN or biometric
✓ Compliant device required by Conditional Access before accessing Microsoft 365 and sensitive apps
A user whose laptop is non-compliant should be blocked from accessing corporate resources until compliance is restored. This is uncomfortable, but it prevents a compromised personal device from being a gateway to everything.
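The requirements list above maps onto two objects: an Intune compliance policy that defines "healthy", and a Conditional Access policy that refuses access to anything else. The script below is an added example for this page (not De4sec's or Microsoft's code) using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, the account can manage Intune and Conditional Access, a 'Break Glass Accounts' group exists (hypothetical name), and covers Windows only; the minimum OS build is an assumed value to replace with your own patch baseline.

```powershell
# Added example, not De4sec's or Microsoft's own script. Creates a Windows
# compliance policy in Intune and a Conditional Access policy that requires a
# compliant device, using the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph installed, an account that can manage Intune and
# Conditional Access, a 'Break Glass Accounts' group (hypothetical name), and an
# assumed minimum OS build. macOS needs a separate macOSCompliancePolicy.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

# 1. Compliance rules from the checklist: minimum OS, BitLocker, Defender on
#    with real-time protection, screen lock with a PIN. The scheduled action
#    marks the device non-compliant immediately (grace period 0 hours).
$compliance = @{
    "@odata.type"            = "#microsoft.graph.windows10CompliancePolicy"
    displayName              = "Windows - Zero Trust baseline"
    description              = "Encryption, Defender, screen lock and minimum OS"
    osMinimumVersion         = "10.0.19045"      # assumed value: set your patch baseline
    bitLockerEnabled         = $true
    storageRequireEncryption = $true
    defenderEnabled          = $true
    rtpEnabled               = $true             # Defender real-time protection
    activeFirewallRequired   = $true
    passwordRequired         = $true
    passwordRequiredType     = "numeric"         # PIN at minimum; Hello biometrics also satisfy it
    passwordMinimumLength    = 6
    passwordMinutesOfInactivityBeforeLock = 15
    scheduledActionsForRule  = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0; notificationTemplateId = ""; notificationMessageCCList = @() }
            )
        }
    )
}
$policy = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $compliance
Write-Host "Created compliance policy $($policy.Id)"

# Assign the policy to every device in the tenant.
Invoke-MgAssignDeviceManagementDeviceCompliancePolicy -DeviceCompliancePolicyId $policy.Id -BodyParameter @{
    assignments = @(@{ target = @{ "@odata.type" = "#microsoft.graph.allDevicesAssignmentTarget" } })
}

# 2. Conditional Access: without a compliant device there is no access to any
#    cloud app, whoever is signing in. Report-only first, "enabled" after review.
$breakGlass = Get-MgGroup -Filter "displayName eq 'Break Glass Accounts'"
if (-not $breakGlass) { throw "Create the break-glass group before deploying policies." }
$caPolicy = @{
    displayName   = "CA010 - Require compliant device"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy
```

Enrolment itself is what makes a device eligible for evaluation: an unenrolled personal laptop has no compliance record, so the Conditional Access policy treats it as non-compliant and blocks it, which is exactly the behaviour the paragraph above describes.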
05
Zero Trust for Cloud Applications
Most SMBs access dozens of SaaS applications: Microsoft 365, Salesforce, Xero, HR systems. Zero Trust applies to all of them, not just the primary tenant.
Conditional Access for apps
✓ Per-app Conditional Access policies: higher sensitivity apps require higher assurance (phishing-resistant MFA, compliant device)
✓ Microsoft Defender for Cloud Apps: visibility into which SaaS apps are in use (including shadow IT)
✓ App-level access reviews: quarterly review of who has access to what
✓ Service account governance: non-human accounts have scoped permissions and no interactive login
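The last two items, access reviews and service account governance, both start with the same question: who and what holds access to an application, and how much? The script below is an added example for this page (not De4sec's or Microsoft's code) using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, the account has directory read access, and an enterprise application named 'Salesforce' exists in the tenant (an assumed name); the list of "high-privilege" Graph permissions is this example's own choice.

```powershell
# Added example, not De4sec's or Microsoft's own script. Produces the three
# lists a quarterly app access review needs, via the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph installed, read access to the directory, and an
# enterprise app called 'Salesforce' (assumed name).
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

# 1. Who is assigned to a given enterprise app (users and groups).
$appName = "Salesforce"
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
if (-not $sp) { throw "No enterprise application named '$appName'." }
Write-Host "`n== Principals assigned to $appName =="
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Select-Object PrincipalDisplayName, PrincipalType, CreatedDateTime |
    Sort-Object PrincipalType, PrincipalDisplayName |
    Format-Table -AutoSize

# 2. App registrations with client secrets that live too long or expire soon.
#    Long-lived secrets are the non-human equivalent of a never-rotated password.
$now = Get-Date
$secrets = foreach ($app in Get-MgApplication -All -Property Id, DisplayName, AppId, PasswordCredentials) {
    foreach ($cred in $app.PasswordCredentials) {
        [pscustomobject]@{
            App          = $app.DisplayName
            DaysLeft     = [int]($cred.EndDateTime - $now).TotalDays
            LifetimeDays = [int]($cred.EndDateTime - $cred.StartDateTime).TotalDays
        }
    }
}
Write-Host "`n== Secrets with lifetime > 1 year or expiring within 30 days =="
$secrets | Where-Object { $_.LifetimeDays -gt 365 -or $_.DaysLeft -lt 30 } |
    Sort-Object DaysLeft | Format-Table -AutoSize

# 3. Service principals holding high-privilege Microsoft Graph application
#    permissions. These run without a user, so they should be scoped narrowly.
$highPrivilege = @("Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
                   "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All", "Mail.ReadWrite")
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"  # Microsoft Graph
$roleNames = @{}
foreach ($r in $graphSp.AppRoles) { $roleNames[$r.Id] = $r.Value }
Write-Host "`n== Service principals with high-privilege Graph app roles =="
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    ForEach-Object { [pscustomobject]@{ Principal = $_.PrincipalDisplayName; Permission = $roleNames[$_.AppRoleId] } } |
    Where-Object { $_.Permission -in $highPrivilege } |
    Sort-Object Principal | Format-Table -AutoSize
```

Run it once per quarter and keep the output with the review record; the first list is what the app owner signs off, the other two are the inputs for tightening service account permissions and rotating credentials. Per-app Conditional Access for the sensitive apps is then a standard policy whose `includeApplications` names the app's id and whose grant control is an authentication strength plus `compliantDevice`.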
Shadow IT
Most organisations have far more SaaS apps in use than they are aware of. Microsoft Defender for Cloud Apps can discover and assess these. Unmanaged apps with corporate credentials represent significant risk.
06
Data Protection in a Zero Trust Model
Zero Trust data protection focuses on protecting the data itself, not just the perimeter around it. Data should be encrypted, classified, and subject to policies that follow it wherever it goes.
Microsoft Purview implementation
✓ Sensitivity labels: classify documents as Public, Internal, Confidential, Highly Confidential
✓ Label-based protection: Confidential documents are encrypted and access-controlled regardless of location
✓ DLP policies: prevent sensitive data from being shared externally via email or Teams
✓ Retention policies: define how long data is kept, automate deletion per compliance requirements
A Confidential document that is encrypted at the sensitivity label level remains protected even if it's downloaded to a personal device, shared via personal email, or accessed from an unmanaged device.
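The four Purview items above can all be scripted from Security & Compliance PowerShell. The script below is an added example for this page (not De4sec's or Microsoft's code). It assumes the ExchangeOnlineManagement module is installed, the account holds a Compliance Administrator role, `contoso.com` stands in for your own tenant domain, and the seven-year retention period and the credit card sensitive information type are assumed choices; the DLP policy starts in test mode so users see notifications before anything is blocked.

```powershell
# Added example, not De4sec's or Microsoft's own script. Configures labels,
# label-based encryption, a DLP policy and a retention policy in Microsoft
# Purview via Security & Compliance PowerShell.
# Assumptions: ExchangeOnlineManagement module installed, a Compliance
# Administrator account, 'contoso.com' as a stand-in for your tenant domain,
# and assumed values for the retention period and the sensitive info type.
Connect-IPPSSession

# 1. Sensitivity labels. Only Confidential and Highly Confidential carry
#    encryption; the rights definition limits the file to the organisation's
#    own users, so a copy on a personal device or in personal email stays locked.
$orgRights = "contoso.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL"
New-Label -Name "Public"   -DisplayName "Public"   -Tooltip "Safe to share outside the organisation"
New-Label -Name "Internal" -DisplayName "Internal" -Tooltip "Business data for staff only"
New-Label -Name "Confidential" -DisplayName "Confidential" -Tooltip "Encrypted; organisation users only" `
    -EncryptionEnabled $true -EncryptionProtectionType "Template" -EncryptionRightsDefinitions $orgRights `
    -EncryptionOfflineAccessDays 7
# Highly Confidential: viewing only, no print/extract/forward, short offline window.
New-Label -Name "Highly Confidential" -DisplayName "Highly Confidential" -Tooltip "Encrypted; view only" `
    -EncryptionEnabled $true -EncryptionProtectionType "Template" `
    -EncryptionRightsDefinitions "contoso.com:VIEW,VIEWRIGHTSDATA" -EncryptionOfflineAccessDays 1

# Publish the labels to every user in Outlook, Office and SharePoint.
New-LabelPolicy -Name "Default label policy" `
    -Labels "Public", "Internal", "Confidential", "Highly Confidential" -ExchangeLocation All

# 2. DLP: stop sensitive content leaving the organisation by email, Teams,
#    SharePoint or OneDrive. Test mode notifies users without blocking; change
#    -Mode to Enable after reviewing the DLP activity reports.
$dlpName = "Block sensitive data leaving the organisation"
New-DlpCompliancePolicy -Name $dlpName -Mode TestWithNotifications `
    -ExchangeLocation All -TeamsLocation All -SharePointLocation All -OneDriveLocation All
New-DlpComplianceRule -Name "Block external sharing of payment card data" -Policy $dlpName `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" } `
    -AccessScope NotInOrganization -BlockAccess $true `
    -NotifyUser Owner, LastModifier -GenerateIncidentReport SiteAdmin -ReportSeverityLevel High

# 3. Retention: keep for seven years (assumed period) from last modification,
#    then delete automatically, across mailboxes, SharePoint and OneDrive.
$retName = "Retain 7 years then delete"
New-RetentionCompliancePolicy -Name $retName -Enabled $true `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name "$retName rule" -Policy $retName `
    -RetentionDuration 2555 -RetentionComplianceAction KeepAndDelete -ExpirationDateOption ModificationAgeInDays
```

The encrypted label is what delivers the paragraph above: the protection is bound to the document, not to the folder or tenant it sits in, so opening the file from an unmanaged device still requires an authenticated user from the organisation and still honours the rights in the label.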
07
De4sec Zero Trust Implementation
De4sec implements Zero Trust architecture using the Microsoft security stack, the most cost-effective path for businesses already using Microsoft 365.
Phase 1: Identity
MFA enforcement, Conditional Access policy deployment, admin separation, Identity Protection configuration. Timeline: 1–2 weeks.
Phase 2: Devices
Intune deployment, device compliance policies, endpoint protection baseline, patch policy. Timeline: 2–3 weeks.
Phase 3: Applications
App-specific Conditional Access, Defender for Cloud Apps integration, shadow IT assessment. Timeline: 1–2 weeks.
Phase 4: Data
Sensitivity labels, DLP policies, retention configuration. Timeline: 2–4 weeks.
Each phase can be implemented incrementally. Most businesses see the largest security improvement from Phases 1 and 2.
// NEXT STEP
Ready to implement this in your environment?
De4sec provides hands-on implementation, not just advice. Book a free discovery call: we assess your environment at no cost, no obligation.

© 2026 DE4SEC TECHNOLOGY. ALL RIGHTS RESERVED.