Zero Trust is simultaneously one of the most valuable security frameworks available to SMEs and one of the most misrepresented. Vendor marketing has convinced many organisations that Zero Trust requires million-pound transformation programmes. It doesn't. The core architecture — built on verify explicitly, use least-privilege access, and assume breach — is profoundly practical even without enterprise-scale tooling budgets.
What Zero Trust Actually Requires
Zero Trust is a design philosophy, not a product. As defined in NIST SP 800-207, it means eliminating implicit trust based on network location: a device inside your firewall perimeter is not inherently more trustworthy than one outside it. Every access request must be:
- Authenticated — the identity of the user and device is verified
- Authorised — the request is permitted by explicit policy
- Continuously validated — the session is monitored and can be terminated if signals change
This is achievable at SME scale. The mistake most organisations make is trying to implement everything at once. Zero Trust is a journey — each step independently improves your security posture.
Identity: The New Perimeter
The most important Zero Trust investment for any SME is a robust identity foundation.
Microsoft Entra ID (formerly Azure AD) or Okta provide enterprise-grade identity capabilities at accessible price points. Microsoft 365 Business Premium at ~£18/user/month (or ~$22/user/month in the USA) includes Entra ID P1, Intune, Defender for Business, and Azure AD Conditional Access — a comprehensive Zero Trust stack at SME pricing.
The essentials to configure:
- MFA enforced universally — no exceptions, no legacy protocols, no app passwords. Use Microsoft Authenticator with number matching to prevent MFA fatigue attacks.
- Conditional Access policies evaluating device compliance, location, and risk signals before granting access
- Privileged Identity Management (or equivalent) providing time-limited administrative elevation — nobody should have permanent admin rights
At this stage, you've already eliminated the majority of credential-based attack paths. Most breaches we investigate in SME environments could have been prevented by MFA alone.
Device Trust: What's Actually Achievable
Microsoft Intune for device management is included in M365 Business Premium. Configure:
- Compliance policies requiring OS updates, encryption, and endpoint protection to be current
- Conditional Access blocking non-compliant devices from accessing business applications
- Automatic enrolment for Windows, iOS, and Android devices
For organisations that genuinely cannot afford MDM, Cloudflare Access (free tier available) provides application-level access control via browser-based isolation without requiring device agents. It's a meaningful intermediate step — users authenticate through Cloudflare to reach internal applications, providing identity verification without full device management.
Network Segmentation on a Budget
Enterprise network segmentation solutions cost tens of thousands of pounds. The SME equivalent costs a fraction of that and provides substantial protection.
VLANs with Managed Switches
A managed switch estate — available from vendors like Netgear, Ubiquiti, or TP-Link Pro — enables VLAN segmentation for under £2,000 / $2,500 including hardware. The key segments to implement:
| VLAN | Purpose | Communication Rules | |------|---------|---------------------| | Corporate | Staff devices | Can reach internal servers; restricted internet | | IoT / CCTV | Building systems | No access to corporate VLAN | | Guest WiFi | Visitors | Internet only; no internal access | | Servers | Shared services | Accessible only from Corporate VLAN on specific ports | | Management | Network infrastructure | Accessible only from dedicated admin workstation |
Restrictive ACLs between these VLANs contain lateral movement to a single segment. An attacker who compromises a guest laptop cannot pivot to corporate systems.
WireGuard for Remote Access
WireGuard is the correct choice for remote access VPN at SME scale. Its minimal codebase (~4,000 lines versus OpenVPN's ~600,000) dramatically reduces attack surface. It's faster, simpler to configure, and its cryptography is modern and conservative.
A WireGuard server on a £5/month VPS or on your existing firewall hardware provides secure remote access. Combined with Conditional Access policies that verify device compliance before granting VPN access, this eliminates the "trusted remote device" problem.
Continuous Validation: The SIEM Question
Zero Trust requires visibility to validate that nothing suspicious is happening within authorised sessions. For SMEs, the options are:
Microsoft Sentinel on pay-as-you-go pricing — typically £30–80/month for an SME — with the Microsoft 365 connector pre-built provides immediate visibility into Entra ID sign-in events, Defender alerts, and Exchange activity.
Elastic SIEM with the free tier is viable for organisations willing to invest operational time. The key is shipping logs from your identity provider, firewall, and endpoint tools to a central store with defined detection rules.
Critical caveat: a SIEM with no one watching it is security theatre. Before deploying any SIEM, define:
- Which alert types trigger immediate response
- Who is responsible for reviewing alerts daily
- What the escalation path is when something suspicious is detected
For organisations without dedicated security staff, a monthly review cadence with a set of high-fidelity, low-noise rules is more valuable than real-time alerting that nobody acts on.
A Practical Roadmap
Month 1 (Cost: ~£0 / $0 beyond existing Microsoft licensing)
- Enforce MFA on all accounts, no exceptions
- Configure at least one Conditional Access policy blocking legacy authentication protocols
- Disable unused accounts, review admin role assignments
Month 2 (Cost: ~£1,500–2,000 / $1,900–2,500)
- Deploy VLAN segmentation on managed switch hardware
- Configure guest WiFi isolation
- Deploy WireGuard for remote access
Month 3 (Cost: ~£50 / $65 per month ongoing)
- Enrol all company devices in Intune
- Configure device compliance policies
- Enable Microsoft Sentinel with M365 connector
After three months and roughly £3,000 / $3,800 in one-time investment plus modest ongoing costs, you have a Zero Trust architecture that would withstand the majority of attacks we conduct against SME environments. Not because each control is unbeatable — but because the combination makes reliable exploitation difficult enough to deter opportunistic attackers and buy time against targeted ones.
How to Implement Zero Trust for an SME in 90 Days
Month 1: Identity foundation (cost ~£0 with existing M365)
Enforce MFA on all accounts without exceptions. Configure Conditional Access blocking legacy authentication. Disable unused accounts. Review and minimise admin role assignments. Enable Privileged Identity Management for time-limited admin elevation.
Month 2: Network segmentation (cost ~£1,500–2,000)
Deploy VLAN segmentation on managed switch hardware (Netgear, Ubiquiti, TP-Link Pro). Configure guest WiFi isolation. Deploy WireGuard for remote access VPN. Document allowed inter-VLAN traffic explicitly.
Month 3: Device trust and visibility (cost ~£50/month ongoing)
Enrol all company devices in Intune. Configure device compliance policies requiring OS updates, encryption, and endpoint protection. Enable Conditional Access blocking non-compliant devices. Deploy Microsoft Sentinel or Elastic SIEM with high-fidelity detection rules.
References
Frequently Asked Questions
What does Zero Trust actually mean in practice for an SME?
Zero Trust means eliminating implicit trust based on network location. A device inside your firewall is not inherently more trustworthy than one outside it. Every access request must be authenticated, authorised, and continuously validated — regardless of where the request originates.
Can an SME implement Zero Trust without Microsoft or Okta?
Partially. Identity providers like Entra ID are available at accessible price points through Microsoft 365 Business Premium. For organisations that cannot afford MDM, Cloudflare Access provides browser-based isolation as a workable intermediate step. Full Zero Trust without any commercial identity tooling is difficult to achieve robustly.
What is the cheapest way to add network segmentation?
VLANs with restrictive ACLs enforced through commodity managed switches provide meaningful lateral movement prevention for under £2,000 / $2,500 in hardware. Pair with WireGuard for site-to-site and remote access VPN — its minimal codebase (approximately 4,000 lines) dramatically reduces attack surface compared to OpenVPN.
How long does it take an SME to reach a Zero Trust baseline?
With focused effort, 90 days is achievable for the foundational layer: universal MFA, Conditional Access, device compliance enforcement, network segmentation, and centralised logging. Mature Zero Trust — including microsegmentation at the application layer, continuous risk-based authentication, and full Zero Trust Network Access (ZTNA) replacement of VPN — typically takes 12–18 months.
Does Zero Trust replace traditional firewalls?
No. Firewalls remain a useful perimeter and segmentation control within a Zero Trust architecture. What changes is that you no longer trust traffic simply because it originated inside the firewall. Network controls become one layer among several — alongside identity, device, and continuous validation.
What is the difference between Zero Trust and ZTNA?
Zero Trust is the architectural philosophy. Zero Trust Network Access (ZTNA) is a specific product category — typically replacing traditional VPNs with identity-based, application-specific access. Solutions like Cloudflare Access, Tailscale, Zscaler ZPA, and Microsoft Entra Private Access are ZTNA products implementing Zero Trust principles for remote access.
Is Zero Trust appropriate for organisations with regulatory requirements?
Yes — and increasingly required. The NIST SP 800-207 Zero Trust Architecture publication is a US federal standard. The UK NCSC publishes Zero Trust design principles. NIS2 Article 21 controls map closely to Zero Trust patterns. For PCI-DSS, HIPAA, ISO 27001, and SOC 2, Zero Trust patterns make demonstrating compliance substantially easier than perimeter-based architectures.