{"id":6251,"date":"2025-08-15T14:53:46","date_gmt":"2025-08-15T13:53:46","guid":{"rendered":"https:\/\/amtivo.com\/uk\/standards\/\/\/what-is-zero-trust-and-how-should-business-owners-implement-it\/"},"modified":"2025-12-15T16:16:00","modified_gmt":"2025-12-15T16:16:00","slug":"what-is-zero-trust-and-how-should-business-owners-implement-it","status":"publish","type":"standard-post-filter","link":"https:\/\/amtivo.com\/uk\/standards\/cyber-essentials\/insights\/what-is-zero-trust-and-how-should-business-owners-implement-it\/","title":{"rendered":"What Is Zero Trust and How Should Business Owners Implement It?"},"content":{"rendered":"

Zero Trust is an increasingly popular concept within cyber security and it\u2019s one that business owners should be paying careful attention to. In this article, we explore what Zero Trust is and the factors that should be considered before implementing it.<\/em><\/p>\r\n

A defining characteristic of cyber security in the last quarter of a century has been its domination by discrete technologies such as anti-virus software, firewalling, intrusion detection, pen testing, sandboxing, threat intelligence, biometrics, and AI automation.<\/p>\r\n

The problem is that clever technology alone hasn\u2019t been enough to stop cyber attacks from getting steadily worse. Organisations implemented each generation in a best-fit manner, often quite chaotically, before a new one arrived to replace or supplement it. What was missing was a simple big idea to bind these components into a larger whole with greater rigour and conceptual depth.<\/p>\r\n

After searching for this game-changing idea for a long time it seems that the industry has finally found a good-looking candidate called zero trust (ZT). If you doubt the prominence of zero trust, run a Google search on the term and it\u2019ll return an extraordinary 645 million results, most from the last three years.<\/p>\r\n

It\u2019s become so important that none other than US President Joe Biden mentioned it in his now famous May 2021 White House<\/a> executive order to improve national cyber security within 60 days:<\/p>\r\n

\u201cThe Federal Government must adopt security best practices; advance toward Zero Trust Architecture\u2026\u201d<\/p>\r\n

It went on to mention other improvements needed such as centralising analytics and using cloud security services, but it was hard to miss that zero trust has been placed at the top of the list.<\/p>\r\n

\u00a0<\/h2>\r\n

First Principles of Zero Trust<\/h2>\r\n

But what is Zero Trust and why has it grabbed so much attention so quickly?<\/p>\r\n

Who coined the term is unclear, but it was popularised by then Forrester analyst, John Kindervag, during a presentation in 2009. Building on the earlier work of the British Jericho Forum on de-perimeterisation<\/a>, he observed that an important root of many security problems was the way organisations designed cyber security around increasingly obsolete notions of trust.<\/p>\r\n

If you were inside the network perimeter your identity was trusted, which meant that you could log on using nothing more robust than a username and password. Bad people like hackers, by contrast, were always outside the perimeter looking in and would be detected as they passed through security checkpoints such as firewalls.<\/p>\r\n

Except, of course, the perimeter was now everywhere, inside and outside the network, on many different devices in many places, including ones that were machines talking to one another and not even people. Simply trusting a digital identity was madness \u2013 identities could be stolen or hijacked by malware too easily.<\/p>\r\n

Kindervag\u2019s idea of Zero Trust was based on two simple observations: expecting the perimeter security model to keep people out was doomed because, like a building with draughty doors, modern networks had too many access points and weaknesses for that to work.<\/p>\r\n

Second, the logical solution to this was that no device, user, or connection should automatically be trusted without careful verification. Every entity connecting to a network, or within a network, was a potential threat no matter which identity is used, where it was connecting from, and what it was connecting to. Modern malware meant that even legitimate users posed a risk.<\/p>\r\n

\u00a0<\/h2>\r\n

What ZERO Trust Means for SMEs<\/h2>\r\n

If there\u2019s a hitch with Zero Trust it\u2019s that while it tells organisations what to do, it doesn\u2019t tell them how to do it.\u00a0 Making it work on the ground can be daunting because it leaves open the whole question of implementation.<\/p>\r\n

For example, should organisations ditch unreliable security protections such as passwords and impose tougher authentication?\u00a0 That sounds straightforward until the organisation discovers it still depends on a hard-to-replace legacy application that can\u2019t verify using anything else.<\/p>\r\n

Another issue is that once you abolish trust, that means nothing should trust anything. Networks no longer trust remote users while users should no longer trust networks in return. The need to authenticate things increases dramatically. In a sense, everything \u2013 users, devices, applications, and data – becomes its own perimeter, monitoring everything else with suspicion.<\/p>\r\n

But it gets worse. Should devices even trust themselves? After all, sophisticated malware can lurk hidden inside a single application or piece of low-level firmware anti-virus can\u2019t monitor. This suggests that PCs should have their own internal gateways that constantly check and verify each other.<\/p>\r\n

Networks this paranoid can\u2019t function easily, even if organisations knew how to build them. It\u2019s a world where far from disappearing, perimeters and firewalling are everywhere – inside networks, inside devices, and inside applications. It\u2019s an interesting vision but it\u2019s a potentially very complicated one.<\/p>\r\n

In fact, we\u2019re starting to see the first implementations of these principles in developments such as HP\u2019s Wolf Security<\/a>, a suite of verifications built into PCs from the firmware level up. Building on the Trusted Platform Modules (TPMs) already used in PCs to guard cryptographic keys, soon every business PC could have this sort of technology built in.<\/p>\r\n

\u00a0<\/h2>\r\n

Future Challenges Presented by Zero Trust Approaches<\/h2>\r\n

One phenomenon that has sharpened interest in zero trust ideas is the movement for more people to work from home, something which decreases how much security teams can see in ways that raise the chances of a compromise.<\/p>\r\n

An unintended short-term consequence could be that organisations take a shortcut to Zero Trust by locking down their remote users with strict policies, limited privileges, and contract penalties for anyone who tries to bypass this. This could easily start to exact a toll as users struggle with regular verification checks, killing productivity.<\/p>\r\n

Despite these uncertainties, there\u2019s little doubt Zero Trust is already a big influence and is here to stay. Most likely, the next generation of malware will respond to Zero Trust with new strategies to tunnel between trust zones. Zero Trust will make life harder for attackers, but it absolutely won\u2019t stop them from trying.<\/p>\r\n

\u00a0<\/h2>\r\n

NCSC Zero Trust<\/h2>\r\n

The National Cyber Security Centre<\/a> offers eight principles around which organisations should implement Zero Trust network architecture:<\/p>\r\n