Zero trust is a security model based on one principle: never trust, always verify. Under the traditional perimeter security model, users and devices inside the office network were trusted by default. Zero trust eliminates the concept of a trusted perimeter: every access request is verified based on identity, device health, and context, regardless of where the request originates.
The perimeter model assumed that threats came from outside and that anything inside the office network was safe. That assumption no longer holds:
Zero trust addresses all of these by requiring continuous verification for every access attempt, from every location.
1. Verify identity explicitly. Use strong MFA (preferably phishing-resistant) for every user, every sign-in, every time. Do not rely on network location as an indicator of trustworthiness.
2. Use least-privilege access. Grant the minimum access required to do the job. Do not give all staff access to every file share. Limit admin rights strictly. Review and revoke access regularly.
3. Assume breach. Design your network and systems as if an attacker already has access somewhere. Segment networks. Log everything. Monitor for lateral movement. Have an incident response plan ready.
For most Canadian SMBs, zero trust implementation starts with Microsoft 365 and Entra ID (Azure AD):
No. MFA is one component of zero trust, specifically the "verify identity" pillar. Zero trust also requires:
MFA without the other layers is better than nothing. Zero trust requires all the layers.
The practical starting sequence for a Northern BC SMB:
Step 1: MFA on every account. Microsoft 365, Google Workspace, VPN, and every business application. Start here. It is the single highest-impact control.
Step 2: Block legacy authentication. Disable basic auth protocols in Microsoft 365 (SMTP AUTH except where an application requires it, and POP3 and IMAP where not needed). These protocols bypass MFA and are a common attack vector.
Step 3: Device compliance policies. Require enrolled, compliant devices to access business applications. Users on personal unmanaged devices get prompted to enrol before accessing sensitive data.
Step 4: Conditional access rules. Block sign-ins from high-risk countries, from anonymising proxies, and from devices that fail compliance checks.
Step 5: Network segmentation. Implement VLANs to limit lateral movement.
Step 6: Privileged access controls. Separate admin accounts from daily-use accounts. Enable just-in-time admin access where possible.
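As an added example (not North Star IT's configuration and not part of the original page), the following Microsoft Graph PowerShell creates the Step 2 and Step 3 policies from the sequence above as Entra ID Conditional Access policies. The break-glass group ID is a placeholder, and both policies start in report-only mode so sign-in logs can be reviewed before anything is enforced.

```powershell
# Added example, not North Star IT's own configuration. Assumes the Microsoft.Graph PowerShell SDK
# is installed and the signed-in admin is granted the Policy.ReadWrite.ConditionalAccess scope.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object ID of the emergency-access ("break glass") group, excluded from every policy
# so a misconfigured rule cannot lock every administrator out of the tenant.
$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"

# Step 2: block legacy authentication. Basic-auth protocols (POP3, IMAP, SMTP AUTH, older ActiveSync)
# show up as the "exchangeActiveSync" and "other" client app types and can never satisfy an MFA prompt.
$blockLegacyAuth = @{
    displayName   = "CA001 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after reviewing report-only results
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Step 3: require an Intune-compliant device for browser and modern-client sign-ins to every cloud app.
# An unmanaged personal device fails the grant control, so the user is steered to enrol instead of getting data.
$requireCompliantDevice = @{
    displayName   = "CA002 - Require compliant device"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}

# Create both policies and echo their name and state for the change record.
foreach ($policy in @($blockLegacyAuth, $requireCompliantDevice)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object DisplayName, State
}
```

Review the "Report-only" tab of the Entra sign-in logs for a week or two, then flip `state` to `enabled` once the only blocked sign-ins are ones you expect.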
The most impactful zero trust controls are already included in Microsoft 365 Business Premium:
Business Premium costs approximately $13 CAD/user/month more than Business Standard. For a 25-user business, that is $325/month, which includes zero trust controls that would cost several times that if purchased separately.
The real cost of zero trust is configuration time and user training, not software.
What is zero trust architecture? Zero trust architecture (ZTA) is the broader design framework for implementing zero trust across identity, devices, networks, applications, and data. For SMBs, starting with identity and devices is the practical approach.
Does zero trust require replacing all your infrastructure? No. Most zero trust controls can be layered onto existing Microsoft 365 and network environments with configuration changes, not replacements.
Is zero trust required for cyber insurance? Not by name, but the controls cyber insurers require (MFA, EDR, conditional access) are zero trust controls. Implementing zero trust satisfies the technical requirements of most cyber insurance questionnaires.
Does zero trust work for remote workers? Yes. In fact, zero trust is specifically designed for environments where remote work is the norm. It provides equivalent security whether a user is in the office or working from a remote site in Northern BC.
Can North Star IT implement zero trust for our business? Yes. North Star designs and implements zero trust architectures for businesses across Northern BC, BC, Alberta, and Yukon, starting with the controls that deliver the most security value for your specific environment.
Ready to implement zero trust for your business? Call 672-983-1174 or book a free security assessment at northstarit.ca.
Quick answers.
What is zero trust?
Zero trust is a security model where no user or device is trusted by default, even inside your network. Every access request is verified using identity, device health, and policy before access is granted.
Is zero trust just MFA?
MFA is part of zero trust, but not the whole thing. Zero trust also includes device compliance checks, conditional access policies, network segmentation, and ongoing risk monitoring.
How do I start with zero trust?
Start with three things: MFA on every account, device compliance enforcement in Microsoft 365 or Google Workspace, and conditional access policies that block legacy authentication.
Is zero trust expensive?
The licenses to enable basic zero trust are usually already included in Microsoft 365 Business Premium. The cost is configuration time and user training, not the software.
Does my business need zero trust?
Yes. Any business with remote workers, cloud apps, or sensitive data benefits from zero trust. It is now the baseline, not a luxury.
Have a specific situation in mind?
Book a free 30-minute scoping call with a North Star IT engineer. We will walk through your environment, your questions, and what good looks like for your team.