Zero Trust
No-trust architecture
Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.
TL;DR
Zero Trust (NIST SP 800-207) is a security model in which no user, device or service is trusted simply because it sits 'inside' the network. Every access request is authenticated and authorized before it is granted.
What is Zero Trust?
Zero Trust principles:
- Never trust, always verify
- Least privilege
- Microsegmentation
- Continuous verification
- Identity-first security
Microsoft Entra ID combined with Conditional Access is one common Zero Trust implementation.
Practical example
SME with 100 employees: Zero Trust via Microsoft 365 E5. Conditional Access: compliant devices only, MFA, geographic block. Cost: included in M365 E5.
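The Conditional Access setup described above, written out as two policy objects in the schema of the Microsoft Graph conditionalAccessPolicy resource. This is an added example, not configuration from the original page or from Microsoft: the display names are invented, both policies are started in report-only mode, and the two bracketed values are placeholders for a break-glass group's object ID and the ID of a country named location that has to be created separately.

```json
[
  {
    "displayName": "ZT-01 Require MFA and compliant device (all users, all apps)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
      "users": {
        "includeUsers": ["All"],
        "excludeGroups": ["<BREAK-GLASS-GROUP-OBJECT-ID>"]
      },
      "applications": { "includeApplications": ["All"] },
      "clientAppTypes": ["all"]
    },
    "grantControls": {
      "operator": "AND",
      "builtInControls": ["mfa", "compliantDevice"]
    }
  },
  {
    "displayName": "ZT-02 Block sign-ins from outside the allowed countries",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
      "users": {
        "includeUsers": ["All"],
        "excludeGroups": ["<BREAK-GLASS-GROUP-OBJECT-ID>"]
      },
      "applications": { "includeApplications": ["All"] },
      "locations": {
        "includeLocations": ["All"],
        "excludeLocations": ["<ALLOWED-COUNTRIES-NAMED-LOCATION-ID>"]
      }
    },
    "grantControls": {
      "operator": "OR",
      "builtInControls": ["block"]
    }
  }
]
```

ZT-01 uses the AND operator so that a sign-in must present both MFA and a compliant device; ZT-02 blocks every location except the allowed-countries named location, which is the allow-list form of a geographic block. The break-glass group is excluded from both policies so an administrator can still sign in if a policy misfires. Leaving state as enabledForReportingButNotEnforced lets you check the sign-in logs for what would have been blocked before switching the state to enabled.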
Frequently asked questions
Migration effort?
6-18 months for an SME. Start with Conditional Access, MFA and device compliance.
Is it mandatory?
NIS2 does not require it explicitly, but it is strongly recommended as a way of meeting Section 30(2) No. 8.