Zero trust has become one of the most over-marketed phrases in IT security. Vendors apply it to firewalls, VPNs, and identity products regardless of whether those products actually deliver on the principle. Here's what zero trust actually means, and a practical implementation path for BC small businesses who want the security benefits without an enterprise-sized budget or consulting engagement.
The Core Principle: Never Trust, Always Verify
Traditional network security was built on a perimeter model: things inside the network were trusted; things outside were not. This model assumed that if you got past the firewall, you were legitimate.
Zero trust rejects that assumption. Every user, every device, and every application must prove its identity and compliance before accessing any resource, regardless of where the request originates. A user sitting in your Prince George office on your internal network is not automatically trusted. Neither is a user in Fort Nelson on a remote connection. Both are verified continuously.
This matters because the perimeter no longer exists. Your staff work from home, hotels, client sites, and evacuation centres. Your applications live in Microsoft 365, Azure, Salesforce, QuickBooks Online, and a dozen other SaaS platforms. There is no meaningful "inside" to trust anymore.
The Three Pillars for BC SMBs
Zero trust for a small business doesn't require a six-figure consulting engagement. It breaks into three practical areas:
Pillar 1: Identity
Strong identity is the foundation. This means:
- MFA on every account, without exception. See our MFA rollout guide for the step-by-step.
- Conditional Access policies: access decisions based on who is signing in, from what device, and from what location.
- SSO for SaaS tools: users authenticate once to Entra ID, and that identity token is validated by every connected SaaS application. No separate passwords that can be compromised.
- Privileged Identity Management: admin access is time-limited, requires explicit activation, and is logged.
In Microsoft 365 Business Premium, all of these are available without additional licensing.
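As an added example (not the page's or North Star's own script), the two identity controls that make up the Month 1 baseline, written as Conditional Access policies in Microsoft Graph PowerShell: require MFA for every user, and block legacy authentication clients that cannot present MFA. The break-glass group ID is a placeholder, the policy names are invented, and both policies are created in report-only state so the sign-in log impact can be reviewed before enforcement.

```powershell
# Added example: Conditional Access baseline for Pillar 1 via Microsoft Graph PowerShell.
# Requires the Microsoft.Graph.Identity.SignIns module and an account holding the
# Conditional Access Administrator (or Global Administrator) role.
Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser   # one-time
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Object ID of a security group holding the emergency-access ("break-glass") accounts.
# They are excluded so a mis-scoped policy cannot lock every admin out of the tenant.
$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace

# Policy 1: every user, every cloud app, interactive clients -> MFA required.
$requireMfa = @{
    displayName   = "CA001 - Require MFA for all users"
    # Report-only first; change to "enabled" after checking the sign-in log for what it would block.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($BreakGlassGroupId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# Policy 2: legacy protocols (Exchange ActiveSync, basic auth for POP/IMAP/SMTP) cannot
# do MFA, so a stolen password alone is enough against them. Block them outright.
$blockLegacy = @{
    displayName   = "CA002 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($BreakGlassGroupId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

foreach ($policy in @($requireMfa, $blockLegacy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "{0}  state={1}  id={2}" -f $created.DisplayName, $created.State, $created.Id
}

# Verification: list every policy with its state, so nothing is left in report-only by accident
# once the review period is over.
Get-MgIdentityConditionalAccessPolicy -All |
    Select-Object DisplayName, State, CreatedDateTime |
    Sort-Object DisplayName
```

Leave both policies in report-only for a week, then filter the Entra sign-in log by policy name and "report-only: failure" to see which users and protocols would have been blocked (typically a few shared mailboxes on ActiveSync or a scanner sending SMTP with basic auth) and fix those before switching the state to enabled.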
Pillar 2: Device Health
Zero trust models check device compliance before granting access. The device must prove it meets your security baseline:
- Disk encryption enabled
- Current OS version
- EDR running and reporting healthy
- Screen lock configured
Microsoft Intune enforces device compliance. Conditional Access ties device compliance to access decisions: a non-compliant device cannot access company data, even with valid credentials.
This is the control that stops attacker persistence via compromised endpoints. Even if an attacker has valid credentials, they cannot authenticate from a device that isn't enrolled and compliant.
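An added example (not North Star's script) of the device-health side of this pillar in Microsoft Graph PowerShell: an Intune compliance policy for Windows that encodes the four baseline checks above, assigned to all devices, and the Conditional Access policy that refuses any Windows device not reporting compliant. The break-glass group ID, the minimum OS build and the policy names are placeholders; the `scheduledActionsForRule` block and its `ruleName` value follow the shape the compliance-policy API requires, but the rule name itself is an assumption taken from Microsoft's documentation examples.

```powershell
# Added example: Pillar 2 in code. Requires the Microsoft.Graph.DeviceManagement and
# Microsoft.Graph.Identity.SignIns modules and an Intune Administrator / CA Administrator account.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess"

$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace

# 1. Compliance policy: the device must prove disk encryption, a current OS, a screen lock
#    and a running, healthy AV/EDR before Intune marks it compliant.
$compliance = @{
    "@odata.type"       = "#microsoft.graph.windows10CompliancePolicy"
    displayName         = "Windows baseline - zero trust"
    description         = "BitLocker, supported OS build, screen lock, Defender running"
    bitLockerEnabled    = $true            # disk encryption enabled
    secureBootEnabled   = $true
    osMinimumVersion    = "10.0.19045"     # placeholder: set to your oldest supported build
    passwordRequired    = $true            # screen lock configured ...
    passwordMinutesOfInactivityBeforeLock = 15   # ... and engages after 15 minutes idle
    defenderEnabled     = $true            # Defender present and reporting
    rtpEnabled          = $true            # real-time protection on
    antivirusRequired   = $true
    antiSpywareRequired = $true
    # What happens on failure. gracePeriodHours = 0 marks the device non-compliant at once;
    # raise it (e.g. 24) to give staff a window to remediate before access is cut.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"   # assumption: value used in Microsoft's API examples
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0 }
            )
        }
    )
}
$policy = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $compliance
"Compliance policy created: {0} ({1})" -f $policy.DisplayName, $policy.Id

# 2. Assign it to all devices. An unassigned policy evaluates nothing, and devices with no
#    compliance result are treated as non-compliant by the CA policy below.
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.allDevicesAssignmentTarget" } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.Id)/assign" `
    -Body $assignment

# 3. Conditional Access: valid credentials are not enough; the Windows device must be
#    enrolled and compliant. Scoped to the Windows platform to match the policy above; add
#    an iOS/Android compliance policy (or app protection) before widening the platform list.
$requireCompliant = @{
    displayName   = "CA003 - Require compliant Windows device"
    state         = "enabledForReportingButNotEnforced"   # report-only first, as with CA001/002
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        platforms      = @{ includePlatforms = @("windows") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireCompliant |
    Select-Object DisplayName, State
```

Order matters here: enroll devices and let the compliance policy report for at least a week before CA003 leaves report-only, otherwise every laptop still waiting on its first check-in is locked out at the same moment.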
Pillar 3: Least-Privilege Access
Users should have access to exactly what their role requires, and nothing more. This means:
- Group-based access control: access determined by group membership, not individual assignments
- Regular access reviews: quarterly confirmation that each user's access matches their current role
- No standing admin access: privileged roles activated on demand via PIM, not permanently assigned
- Service accounts with minimal permissions: automation accounts accessing only the specific resources they need
The practical test: if a user account is compromised, what can the attacker access? Least-privilege limits the blast radius.
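An added example (not North Star's script) of how to run that practical test from the command line: a read-only audit that lists every active member of each directory role, warns when more than the break-glass accounts hold Global Administrator permanently, and then prints the full group membership of one account to show its blast radius. The user principal name is a placeholder; the script assumes the Microsoft.Graph.Identity.DirectoryManagement and Microsoft.Graph.Users modules are installed.

```powershell
# Added example: standing-access and blast-radius audit for Pillar 3. Read-only scopes,
# so it is safe to run before any PIM or group changes are made.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# 1. Standing admin access. Get-MgDirectoryRoleMember returns ACTIVE assignments only:
#    PIM-eligible admins show up here only while an activation is live, so every row is
#    either a permanent assignment or an activation in progress. Both deserve a look.
$standing = foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $name = $m.AdditionalProperties['userPrincipalName']
        if (-not $name) { $name = $m.AdditionalProperties['displayName'] }   # groups, service principals
        [pscustomobject]@{
            Role      = $role.DisplayName
            Principal = $name
            Type      = $m.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', ''
        }
    }
}
$standing | Sort-Object Role, Principal | Format-Table -AutoSize

# Once PIM is in place, only the break-glass accounts should be permanent Global Admins.
$ga = @($standing | Where-Object Role -eq 'Global Administrator')
if ($ga.Count -gt 2) {
    Write-Warning "$($ga.Count) standing Global Administrators; expect only the break-glass accounts here once PIM is in use."
}

# 2. Blast radius of one account: every group (and so every group-based permission) and
#    every active role it holds. Run this for a suspected-compromised or departing user.
$upn  = "user@example.com"   # placeholder, replace
$user = Get-MgUser -UserId $upn
Get-MgUserMemberOf -UserId $user.Id -All |
    ForEach-Object {
        [pscustomobject]@{
            Type = $_.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', ''
            Name = $_.AdditionalProperties['displayName']
        }
    } |
    Sort-Object Type, Name | Format-Table -AutoSize
```

The second listing is also the raw material for the quarterly access review: export it per user, have each manager confirm the groups still match the role, and remove anything they cannot justify.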
What Zero Trust Does Not Require
To correct vendor marketing:
- Zero trust does not require ripping out your firewall. Firewalls still have a role in network segmentation. Zero trust is an access philosophy, not a firewall replacement.
- Zero trust does not require buying a new SASE platform. The core zero trust controls for most SMBs are in Microsoft 365 Business Premium, which you may already have.
- Zero trust is not an all-or-nothing project. Every control you add moves you in the right direction. Start with identity (the highest-return control), then device compliance, then access segmentation.
- Zero trust does not require a consultant to get started. The Conditional Access baseline and Intune enrollment described above can be implemented by a capable MSP in a standard onboarding engagement.
A Practical Implementation Path for BC SMBs
Month 1: MFA for all users via Conditional Access. Block legacy authentication. This is the single most impactful security improvement available.
Months 2-3: Intune enrollment for all devices. Device compliance policy. Tie compliance to Conditional Access.
Months 3-6: PIM for admin roles. Regular access reviews. SSO for the five most-used SaaS tools.
Ongoing: Quarterly access review. Annual policy review. Add SSO for additional tools as they're adopted.
This is achievable for a 20-person BC business with a managed IT provider in a 6-month window. It doesn't require specialist zero trust consultants or new security products beyond what M365 Business Premium provides.
Frequently Asked Questions
Is zero trust the same as ZTNA (Zero Trust Network Access)? ZTNA is a specific implementation of zero trust principles for network access, replacing VPN with per-application access policies. Zero trust is a broader philosophy that includes identity, device, and access. ZTNA is one component. Microsoft Entra Private Access provides ZTNA functionality for M365 customers.
Do we need zero trust if we're a 10-person business? The "zero trust" label aside, the underlying controls (MFA, device management, least-privilege access) are appropriate for a 10-person business. The label doesn't matter; the controls do. A 10-person business is not too small to be attacked, and is not too small to implement these controls.
To talk to a Prince George-based IT team about implementing zero trust controls for your business, call 672-983-1174 or book a free assessment at northstarit.ca.
Ready to start your zero trust journey?
North Star builds zero trust roadmaps for BC SMBs using tools you may already own. Book a free assessment to see where you stand today.
Frequently asked questions
Is zero trust for small business too expensive to implement?
Many small business owners worry about costs, but zero trust is often more about changing your security posture than buying expensive hardware. By leveraging tools you may already have, such as Microsoft 365 security features, Northstar IT helps you organise a staged rollout. This approach allows you to improve your defence against ransomware and data leaks without a massive upfront investment, making modern security accessible for Prince George and Calgary firms.
How does zero trust infrastructure differ from a standard VPN?
A traditional VPN often gives a user full access to the network once they are connected. In contrast, zero trust infrastructure operates on the principle that no user or device is trusted by default, even if they are inside the network. Every access request is verified based on identity, location, and device health. This prevents attackers from moving laterally through your systems if one password is compromised.
Can my existing legacy applications work with a zero trust model?
Yes, most legacy applications can be integrated into a zero trust framework using identity-aware proxies or secure access service edge (SASE) solutions. Northstar IT specialises in bridging the gap between older software and modern security requirements. We assess your current environment in BC or Alberta to ensure your critical business tools remain functional while significantly enhancing the overall security of your digital infrastructure.
What is the first step for an SMB to start a zero trust journey?
The first step is identity verification. We recommend implementing strong multi-factor authentication (MFA) across all platforms. Once identity is secured, we then focus on device management and data classification. Northstar IT provides a clear roadmap for businesses in the Yukon and Western Canada to gradually adopt these practices, ensuring your team remains productive while your most sensitive information stays protected from external threats.