"We want to move to zero-trust" is a sentence we hear today from clients who didn't know what it was a year ago. Drivers are typically NIS2, compliance required by a larger client, or a competitor hit by ransomware. All fine — except that most of the time zero-trust gets equated with "buying product X". It is not.
What zero-trust actually is
Zero-trust is not a product, it is a model. NIST's canonical definition (SP 800-207) boils down to three principles:
- Explicit verification: every request is authenticated and authorised before being served, regardless of source network.
- Least privilege: every user, service, device has only the permissions needed for the current task.
- Assume breach: the architecture is designed knowing something will be compromised, and damage must be contained.
In plain words: the internal network is no longer "trusted by default", the corporate VPN is no longer the solution, and identity becomes the main perimeter.
The six bricks of zero-trust for SMEs
1. Centralised identity provider
Microsoft Entra ID (formerly Azure AD), Google Workspace, Okta or self-hosted Keycloak. It is the point through which every authentication flows. No more "one password per app".
2. MFA everywhere, hardware where possible
Authenticator apps as a minimum. For critical accounts (network admin, finance), FIDO2 hardware keys. €30 a key, and they are the difference between "phished and in" and "phished and out".
3. Single Sign-On + Conditional Access
SSO across all cloud apps. Conditional Access (or equivalents) lets you say: "from an unmanaged device, read-only", "from a foreign country, require additional MFA", "from an unknown network, block finance".
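The three example policies above are easiest to reason about as a small policy decision point: every policy is evaluated against the sign-in context and the most restrictive outcome wins. The following is an added illustration, not code from the article or from any vendor's Conditional Access engine; the tenant settings (home country, known office ranges, which apps count as "finance", which factors count as phishing-resistant) are constructed assumptions. It also adds a baseline "MFA required" policy from brick 2, so the engine shows how the bricks combine rather than the three rules in isolation.

```python
import ipaddress
from dataclasses import dataclass
from enum import IntEnum

# Constructed tenant settings: assumptions for this example, not values from the article.
HOME_COUNTRY = "IT"
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
FINANCE_APPS = {"erp", "banking-portal"}
PHISHING_RESISTANT = {"fido2"}
SECOND_FACTORS = {"fido2", "authenticator-app"}


class Decision(IntEnum):
    """Ordered so that max() picks the most restrictive outcome."""
    ALLOW = 0
    RESTRICT = 1   # session granted, but read-only
    STEP_UP = 2    # additional phishing-resistant MFA needed before access
    BLOCK = 3


@dataclass
class Request:
    user: str
    app: str
    device_managed: bool
    country: str
    source_ip: str
    factors: frozenset = frozenset()   # factors already presented, e.g. {"password", "fido2"}


def from_known_network(req):
    addr = ipaddress.ip_address(req.source_ip)
    return any(addr in net for net in KNOWN_NETWORKS)


# (policy name, condition on the request, outcome when the condition matches)
POLICIES = [
    ("baseline-mfa-required",
     lambda r: not (set(r.factors) & SECOND_FACTORS), Decision.BLOCK),
    ("unmanaged-device-readonly",
     lambda r: not r.device_managed, Decision.RESTRICT),
    ("foreign-country-stepup",
     lambda r: r.country != HOME_COUNTRY, Decision.STEP_UP),
    ("unknown-network-block-finance",
     lambda r: r.app in FINANCE_APPS and not from_known_network(r), Decision.BLOCK),
]


def evaluate(req):
    """Return (decision, names of matched policies).

    Every policy is evaluated; there is no first-match short-circuit, so a
    permissive rule can never shadow a restrictive one. A STEP_UP outcome is
    treated as already satisfied when the session holds a phishing-resistant
    factor, which is how a hardware key turns "extra prompt" into "allow".
    """
    matched = []
    outcomes = []
    for name, cond, outcome in POLICIES:
        if cond(req):
            matched.append(name)
            if outcome == Decision.STEP_UP and set(req.factors) & PHISHING_RESISTANT:
                continue   # grant control already met by the presented factors
            outcomes.append(outcome)
    return max(outcomes, default=Decision.ALLOW), matched


if __name__ == "__main__":
    # Constructed sign-in contexts: office laptop, home PC opening the ERP, traveller with a key.
    samples = [
        Request("anna", "erp", True, "IT", "203.0.113.5", frozenset({"password", "authenticator-app"})),
        Request("bob", "erp", False, "IT", "192.0.2.10", frozenset({"password", "authenticator-app"})),
        Request("carla", "mail", True, "DE", "192.0.2.10", frozenset({"password", "fido2"})),
    ]
    for s in samples:
        decision, why = evaluate(s)
        print(f"{s.user:6} {s.app:15} -> {decision.name:8} {why}")
```

The ordering of `Decision` is the whole design: a deny from any policy cannot be undone by an allow elsewhere, which is the "explicit verification" principle expressed as code. Note that the example models an unmet MFA grant control as a block; a real IdP would prompt the user instead, but the policy outcome is the same.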
4. EDR on clients
Traditional antivirus is not enough. Endpoint Detection & Response (CrowdStrike, SentinelOne, Microsoft Defender for Business) detects anomalous behaviour, not just signatures.
5. Network microsegmentation
VLANs by function (offices, IoT, servers, guests, cameras). Firewalls between VLANs, not just towards the internet. On UniFi a few rules suffice; Fortinet, Sophos and pfSense each have their own way of doing it. Same principle.
6. Centralised logging and monitoring
SIEM or managed service (for SMEs usually the latter). Without centralised logs you cannot detect an attack — and you cannot understand what happened afterwards either.
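What "detecting an attack" from centralised logs looks like in practice is correlation across events that no single system sees on its own. The block below is an added example, not the article's or any SIEM's code: it parses a constructed JSON-lines sample of IdP sign-in events (the field names are an assumption; real exports differ per product) and runs two common detections over it, a password spray (one source address failing against several accounts) and a successful sign-in that follows a burst of failures for the same account.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of IdP sign-in events in a generic JSON-lines shape
# (an assumption for the example; real IdP exports use different field names).
SAMPLE_LOG = """\
{"ts": "2024-03-01T08:00:01Z", "user": "anna",  "ip": "203.0.113.5",   "result": "success", "mfa": true}
{"ts": "2024-03-01T08:00:10Z", "user": "anna",  "ip": "198.51.100.77", "result": "failure", "mfa": false}
{"ts": "2024-03-01T08:00:15Z", "user": "bob",   "ip": "198.51.100.77", "result": "failure", "mfa": false}
{"ts": "2024-03-01T08:00:20Z", "user": "carla", "ip": "198.51.100.77", "result": "failure", "mfa": false}
{"ts": "2024-03-01T08:00:25Z", "user": "dario", "ip": "198.51.100.77", "result": "failure", "mfa": false}
{"ts": "2024-03-01T08:01:00Z", "user": "bob",   "ip": "192.0.2.9",     "result": "failure", "mfa": false}
{"ts": "2024-03-01T08:01:30Z", "user": "bob",   "ip": "192.0.2.9",     "result": "failure", "mfa": false}
{"ts": "2024-03-01T08:02:00Z", "user": "bob",   "ip": "192.0.2.9",     "result": "failure", "mfa": false}
{"ts": "2024-03-01T08:02:30Z", "user": "bob",   "ip": "192.0.2.9",     "result": "success", "mfa": false}
{"ts": "2024-03-01T09:30:00Z", "user": "erika", "ip": "203.0.113.5",   "result": "failure", "mfa": false}
{"ts": "2024-03-01T09:31:00Z", "user": "erika", "ip": "203.0.113.5",   "result": "success", "mfa": true}
"""

WINDOW = timedelta(minutes=10)   # correlation window; tuning values are assumptions
SPRAY_MIN_USERS = 3              # distinct accounts failing from one IP inside the window
BRUTE_MIN_FAILURES = 3           # failures for one account before a success is suspicious


def parse(log_text):
    """Turn JSON lines into event dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events):
    """Run both detections in one pass; returns a list of finding dicts."""
    findings = []
    fails_by_ip = defaultdict(deque)    # ip -> deque of (ts, user) failures in window
    fails_by_user = defaultdict(deque)  # user -> deque of failure ts in window
    already_reported = set()            # avoid one spray finding per additional failure
    for e in events:
        cutoff = e["ts"] - WINDOW
        if e["result"] == "failure":
            fails_by_ip[e["ip"]].append((e["ts"], e["user"]))
            fails_by_user[e["user"]].append(e["ts"])
            q = fails_by_ip[e["ip"]]
            while q and q[0][0] < cutoff:
                q.popleft()
            targets = {u for _, u in q}
            if len(targets) >= SPRAY_MIN_USERS and e["ip"] not in already_reported:
                already_reported.add(e["ip"])
                findings.append({"rule": "password-spray", "ip": e["ip"],
                                 "users": sorted(targets), "at": e["ts"].isoformat()})
        else:
            q = fails_by_user[e["user"]]
            while q and q[0] < cutoff:
                q.popleft()
            if len(q) >= BRUTE_MIN_FAILURES:
                findings.append({"rule": "success-after-failures", "user": e["user"],
                                 "ip": e["ip"], "failures": len(q), "mfa": e["mfa"],
                                 "at": e["ts"].isoformat()})
            q.clear()   # a success resets the account's failure streak
    return findings


def run(log_text=SAMPLE_LOG):
    return detect(parse(log_text))


if __name__ == "__main__":
    for f in run():
        print(f)
```

Two points the sample is built to show. The spray is only visible because failures for four different accounts land in one place: each account on its own saw a single failed login, which no per-application log would flag. And the second finding carries `mfa: false` on the success, which is exactly the kind of detail the incident runbook in month 10-12 needs to reconstruct what happened afterwards.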
The 12-month plan we propose
Months 1-3: centralised IdP, mandatory MFA, decommission local passwords wherever possible.
Months 4-6: SSO on main apps, first Conditional Access policy, EDR on clients.
Months 7-9: network microsegmentation, file server permissions audit, decommission broad VPN access.
Months 10-12: centralised logging, incident response runbook, first tabletop exercise.
Real costs
For an SME of 30-50 employees, year-one licences plus setup: €15,000-25,000. Subsequent years for licences and maintenance: €8,000-15,000. Not cheap, but less than a single average ransomware incident.
The mistake to avoid
Buying a "zero-trust product". It does not exist. There are products that help implement the model. The difference is knowing what you are building before signing a contract. Often the right "yes" to a vendor comes in month six, not month one.