TL;DR:
- Zero trust means “never trust, always verify” — no user or device is trusted by default, even inside your network
- Identity has become the new security perimeter — controlling who accesses what matters more than where they are
- Practical implementation for small businesses starts with SSO, MFA, and least-privilege access — not expensive enterprise tools
Zero trust security has become one of the most-used terms in cybersecurity. It sounds like jargon, but the idea is genuinely important — and increasingly relevant to small UK businesses. The traditional approach to security was built around a perimeter: if you were inside the office network, you were trusted. That model broke down when cloud apps moved your data outside the network, remote work moved your people outside the network, and attackers found ways to get inside the perimeter and then move freely.
Zero trust replaces the perimeter model with a simple principle: never trust, always verify. Every request for access is checked against identity, device health, and context — regardless of where the request comes from.
Why the old model no longer works
The classic office network was like a castle with a moat. Strong perimeter, trusted interior. The problem: most small business data now lives in cloud services that sit entirely outside that perimeter — Google Workspace, Microsoft 365, Xero, your CRM. Your “perimeter” no longer contains what you’re trying to protect.
Remote work made it worse. Employees access business applications from home networks, coffee shops, and hotel Wi-Fi. The VPN that was supposed to recreate the office network perimeter became a bottleneck, a management headache, and a single point of compromise. An attacker who obtains VPN credentials gets broad network access.
And attackers who breach the perimeter move laterally — from one compromised device, they probe and access other systems on the same network. Traditional perimeter security doesn’t stop this at all.
Zero trust addresses all three problems: it doesn’t assume any network is safe, it verifies every access request individually, and it limits what a compromised account can reach.
The core principles in plain English
Verify every user — authenticate identity every time access is requested, using strong MFA. Not just at login, but contextually: unfamiliar location? Unusual access time? Require re-authentication.
Verify every device — check that the device requesting access meets security requirements before granting it. Is it managed? Is the OS up to date? Does it have endpoint protection?
Least privilege access — give people access only to what they need for their specific job, not everything on the network. An accounts team member needs Xero, not access to your source code or your HR system. An attacker who compromises that account is then contained.
Assume breach — design your systems on the assumption that an attacker may already be inside. Segment access, log everything, and set alerts for unusual behaviour.
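The four principles read as a checklist, but in practice they are evaluated together on every request. The following is an added illustration, not code from the article or from any identity provider, of a small access-decision function that does exactly that: each request carries an identity, a device and a context, and the function checks entitlement, device compliance, MFA and context in turn before allowing, asking for re-authentication, or denying. The role-to-app mapping, the 30-day patch threshold, the working-hours window and the sample users and devices are all constructed for this example; a conditional-access policy in the identity provider expresses the same kind of rule without code.

```python
"""Toy zero-trust access decision: an added illustration, not the article's or any
vendor's code. Every signal below (roles, thresholds, users, devices) is constructed."""
from dataclasses import dataclass

# Least privilege: the applications each role is entitled to (assumed mapping).
ROLE_APPS = {
    "accounts": {"xero", "email"},
    "engineering": {"source-control", "email"},
    "hr": {"hr-system", "email"},
}
# Applications treated as sensitive: unusual context triggers re-authentication.
SENSITIVE_APPS = {"xero", "hr-system", "source-control"}
MAX_PATCH_AGE_DAYS = 30          # assumed device-compliance threshold
WORKING_HOURS = range(6, 22)     # assumed normal sign-in window, UTC hours


@dataclass(frozen=True)
class Identity:
    user: str
    role: str
    mfa_verified: bool               # MFA completed in this session
    usual_countries: frozenset[str]  # where this user normally signs in from


@dataclass(frozen=True)
class Device:
    managed: bool             # enrolled in device management
    os_patch_age_days: int    # days since the last OS update
    endpoint_protection: bool


@dataclass(frozen=True)
class Context:
    app: str
    country: str
    hour_utc: int   # 0-23


def device_compliant(d: Device) -> bool:
    """Verify every device: managed, patched recently, running endpoint protection."""
    return d.managed and d.os_patch_age_days <= MAX_PATCH_AGE_DAYS and d.endpoint_protection


def decide(identity: Identity, device: Device, context: Context) -> tuple[str, str]:
    """Evaluate one access request. Returns (decision, reason) with decision
    one of 'allow', 'step-up' (re-authenticate) or 'deny'. Where the request
    comes from never grants trust by itself."""
    # 1. Least privilege: an unentitled role is denied before anything else is considered.
    if context.app not in ROLE_APPS.get(identity.role, set()):
        return "deny", f"role {identity.role!r} is not entitled to {context.app!r}"
    # 2. Verify every device.
    if not device_compliant(device):
        return "deny", "device does not meet compliance requirements"
    # 3. Verify every user: MFA is required on every request, not only at first login.
    if not identity.mfa_verified:
        return "step-up", "MFA not completed in this session"
    # 4. Context: unfamiliar location or unusual hour on a sensitive app needs re-authentication.
    unfamiliar = context.country not in identity.usual_countries
    odd_hour = context.hour_utc not in WORKING_HOURS
    if context.app in SENSITIVE_APPS and (unfamiliar or odd_hour):
        return "step-up", "unfamiliar location or unusual time for a sensitive application"
    return "allow", "identity, device and context verified"


if __name__ == "__main__":
    # Constructed sample requests from one accounts-team user on a managed laptop.
    alice = Identity("alice@example.co.uk", "accounts", True, frozenset({"GB"}))
    laptop = Device(managed=True, os_patch_age_days=5, endpoint_protection=True)
    for ctx in (Context("xero", "GB", 10), Context("xero", "US", 3),
                Context("source-control", "GB", 10)):
        print(ctx.app, ctx.country, ctx.hour_utc, "->", decide(alice, laptop, ctx))
```

The order of the checks is deliberate: entitlement is tested first so that an account with no business reason to reach an application is refused without revealing anything about the device or context rules, and device compliance is tested before the identity signals so that an unmanaged or unpatched machine gets nothing even when the user completes MFA. The "assume breach" principle is what makes the least-privilege check worth doing at all: a compromised accounts login in this model reaches Xero and email, and nothing else.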
Identity as the new perimeter
In a zero-trust model, identity becomes your primary security boundary. If you can verify who’s trying to access something, and confirm they should have access to it, the location — office, home, coffee shop — matters much less.
This is where Single Sign-On (SSO) becomes central. SSO routes all application access through a single identity provider — Google Workspace or Microsoft 365 for most UK small businesses. Every app a user accesses goes through the same authentication check. MFA is enforced at the identity layer, which means it applies to every connected app simultaneously.
The practical result: you have a single place to manage access, a single place to revoke access when someone leaves, and a single place to detect unusual sign-in behaviour.
Practical zero-trust steps for small businesses
You don’t need to buy an enterprise zero-trust platform. The steps below implement the core principles using tools that are either free or low-cost.
Step 1: SSO through your existing platform. If you use Google Workspace or Microsoft 365, you already have an identity provider. The next step is to connect your other tools — your CRM, project management software, accounting software — to sign in through your Google or Microsoft identity. Most SaaS tools support “Sign in with Google” or SSO integration.
Step 2: Enforce MFA everywhere. In your Google or Microsoft admin console, require MFA for all users. This is the single most impactful zero-trust action you can take. It verifies the person presenting the credentials, not just that the credentials are correct.
Step 3: Audit access permissions (least privilege). List every application your business uses and review who has what level of access. Remove admin permissions from accounts that don’t need them. Remove access for departed employees. This takes an afternoon once and a quick review quarterly.
Step 4: Conditional access policies. Google Workspace and Microsoft 365 Business Premium both include conditional access — policies that can block or challenge access based on context: unrecognised device, unusual location, or a device that doesn’t meet security requirements. Enable these for your highest-risk applications (email, accounting, HR).
Step 5: Zero-trust network access for remote employees. Cloudflare Access (free for up to 50 users) sits in front of internal applications and requires authentication before any access is granted — no traditional VPN needed. Tailscale (free up to 20 devices) uses a similar model for network-level access, creating encrypted peer-to-peer connections only for authorised users.
Affordable tools that enable zero trust
| Tool | What It Does | Cost |
|---|---|---|
| Google Workspace or Microsoft 365 | Identity provider, SSO, conditional access | £4.50–18/user/month |
| Cloudflare Access | Zero-trust application access | Free up to 50 users |
| Tailscale | Zero-trust network access | Free up to 20 devices |
| Microsoft Intune | Device compliance checking | Included in M365 Business Premium |
For most UK small businesses, the combination of Google Workspace or Microsoft 365 (with SSO and conditional access enabled), MFA on all accounts, and Cloudflare Access for sensitive internal tools represents a genuinely zero-trust posture at minimal cost.
How to get started this week
- Audit who has access to what: list your apps and who has admin versus standard access.
- Enable MFA enforcement across Google Workspace or Microsoft 365.
- Remove stale access from departed employees, contractors who finished projects, and unused admin accounts.
- Sign up for Cloudflare Zero Trust at dash.cloudflare.com — the free plan covers the basics.
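Steps 2 and 3 above and this week's checklist come down to one review: who has access to what, who holds admin, who has not enrolled in MFA, and who should no longer be there. As an added example, not code from the article and not any vendor's export format, the script below runs that review over a constructed CSV of application assignments. The column names, the 90-day staleness threshold, the leaver list and the approved-admin set are all assumptions; a real export would come from the identity provider's admin console or from each SaaS tool, and the lists would be maintained by whoever owns joiners and leavers.

```python
"""Least-privilege access audit over a constructed export: an added illustration,
not the article's code. Column names and thresholds are assumptions."""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed sample export: one row per (user, app) assignment.
SAMPLE_EXPORT = """user,app,role,last_sign_in_days,mfa_enrolled
alice@example.co.uk,xero,admin,3,yes
bob@example.co.uk,xero,user,120,yes
carol@example.co.uk,crm,admin,7,no
dave@example.co.uk,crm,user,2,yes
erin@example.co.uk,source-control,admin,400,yes
"""

# Constructed reference lists: people who have left, and the admin roles that
# have been explicitly approved as (app, user) pairs.
LEAVERS = {"erin@example.co.uk"}
APPROVED_ADMINS = {("xero", "alice@example.co.uk")}
STALE_DAYS = 90  # assumed threshold for "nobody has used this access"


@dataclass(frozen=True)
class Finding:
    user: str
    app: str
    issue: str


def parse_export(text: str) -> list[dict]:
    """Read the CSV export into normalised rows (lower-cased identifiers, typed fields)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "user": r["user"].strip().lower(),
            "app": r["app"].strip().lower(),
            "role": r["role"].strip().lower(),
            "last_sign_in_days": int(r["last_sign_in_days"]),
            "mfa_enrolled": r["mfa_enrolled"].strip().lower() == "yes",
        })
    return rows


def audit(rows: list[dict], leavers: set, approved_admins: set,
          stale_days: int = STALE_DAYS) -> list[Finding]:
    """Apply the least-privilege checks to every assignment and return the findings."""
    findings = []
    for r in rows:
        user, app = r["user"], r["app"]
        # Departed users: removing the account resolves every other check for it.
        if user in leavers:
            findings.append(Finding(user, app, "leaver still has access"))
            continue
        # Admin rights that nobody signed off.
        if r["role"] == "admin" and (app, user) not in approved_admins:
            findings.append(Finding(user, app, "admin role not on approved list"))
        # MFA must be enrolled everywhere.
        if not r["mfa_enrolled"]:
            findings.append(Finding(user, app, "MFA not enrolled"))
        # Access nobody uses is access an attacker could use unnoticed.
        if r["last_sign_in_days"] > stale_days:
            findings.append(Finding(user, app, f"no sign-in for {r['last_sign_in_days']} days"))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings by issue so the quarterly review has a headline figure."""
    return dict(Counter(f.issue for f in findings))


if __name__ == "__main__":
    results = audit(parse_export(SAMPLE_EXPORT), LEAVERS, APPROVED_ADMINS)
    for f in results:
        print(f"{f.user:28} {f.app:16} {f.issue}")
    print(summarise(results))
```

Run once, the output is the list to action: remove the leaver, strip or approve the unsanctioned admin role, chase the MFA enrolment, and review the stale assignment with its owner. Keeping the leaver and approved-admin lists in version control alongside the script turns the quarterly review into a re-run rather than a fresh investigation.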
Bottom line
Zero trust isn’t a product you buy — it’s an approach built from practices you already know: strong MFA, SSO, least-privilege permissions, and device hygiene. The shift is in the mindset: stop assuming your network is safe, and start verifying every access request individually. For most UK small businesses, the tools to do this are already in Google Workspace or Microsoft 365 — they just need to be turned on.