Zero trust is no longer an enterprise-only concept. Here's what it means in practice for Melbourne SMBs, and how to implement it without a large IT security budget.
“Zero trust” has become one of the most overused terms in cybersecurity marketing, which has made many business owners rightfully sceptical of it. Strip away the vendor hype, though, and the underlying principle is both simple and genuinely important: don’t automatically trust anything or anyone just because they’re inside your network. Verify everything, every time.
This matters more now than it ever has. The traditional security perimeter - the idea that everything inside your office network is safe and everything outside is dangerous - collapsed when businesses moved to cloud applications and hybrid work. Your staff are accessing Microsoft 365, your CRM, and your accounting software from home networks, coffee shops, and mobile devices. There is no perimeter. Zero trust is the security model that acknowledges this reality and works with it.
Here’s what zero trust actually means in practice for a Melbourne SMB, without the enterprise jargon.
The Core Principles
Zero trust rests on three foundational ideas:
Verify explicitly. Every access request - whether from an employee, a device, or an application - should be authenticated and authorised based on all available signals: identity, device health, location, and behaviour. Not just a username and password.
Use least privilege. Users and systems should have access only to what they need for their specific role - nothing more. A finance officer doesn’t need access to engineering files. An accounting system doesn’t need to connect to your HR database. Minimising access scope minimises the blast radius if an account or system is compromised.
Assume breach. Design your environment as if attackers may already be inside. This means segmenting your systems so that a compromise in one area can’t spread freely to others, and maintaining logging and monitoring so you can detect unusual behaviour quickly.
None of these principles require a $100,000 security investment. They require deliberate architecture and configuration of tools many businesses already have.
Starting Point: Identity Is the New Perimeter
If you’ve moved to Microsoft 365 or Google Workspace, you already have the foundation of a zero trust identity platform. The question is whether you’re using it properly.
Multi-factor authentication (MFA) on every account. This is non-negotiable and should have been done yesterday. MFA blocks the vast majority of password-based attacks - Microsoft’s own data suggests it prevents more than 99% of account compromise attacks. Enable it for every user, on every application. No exceptions for “it’s inconvenient for the CEO.”
Microsoft Authenticator, Google Authenticator, or hardware keys (YubiKey) are all appropriate options. SMS-based MFA is better than nothing but is the weakest option and should be avoided for high-privilege accounts.
Conditional Access policies. Microsoft Entra ID (formerly Azure AD) and Google Workspace both support conditional access - policies that define the conditions under which access is allowed. Example policies:
- Block sign-ins from countries your business has no legitimate reason to access from
- Require MFA when signing in from outside Australia
- Block access from devices that aren’t enrolled in your management platform
- Require compliant device status before accessing email
These policies are available in Microsoft 365 Business Premium (and equivalent Google Workspace tiers). Setting them up takes a few hours and dramatically raises your security baseline.
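As an added example (not code from the article or from CX IT Services), here is how two of the policies listed above could be created with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the signed-in administrator can consent to the Policy.ReadWrite.ConditionalAccess scope, and that the placeholder break-glass account id is replaced with your own. Both policies are created in report-only mode so their effect can be checked in the sign-in logs before anyone is actually blocked.

```powershell
# Added example: Conditional Access policies via Microsoft Graph PowerShell (not the article's code).
# Assumes: Install-Module Microsoft.Graph has been run, and the admin can consent to the scopes below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object id of an emergency-access (break-glass) account. It is excluded from
# every policy so that a mis-configured rule cannot lock every administrator out of the tenant.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

# A named location for Australia (ISO 3166-1 alpha-2 code "AU") that the policies below reference.
$australia = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Australia"
    countriesAndRegions               = @("AU")
    includeUnknownCountriesAndRegions = $false   # sign-ins with no resolvable country count as outside AU
}

# Policy 1: require MFA when signing in from anywhere other than Australia.
# "enabledForReportingButNotEnforced" is report-only mode: the decision is logged, not applied.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Require MFA outside Australia"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($australia.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: require a compliant (Intune-managed) device before Office 365 services,
# including Exchange Online mailboxes, can be accessed.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Require compliant device for Office 365"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @("Office365") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}

# List what now exists; switch a policy's state to "enabled" only after reviewing
# the report-only results in the Entra sign-in logs.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

The break-glass exclusion and the report-only state are the two safety rails worth keeping whatever else you change: a location-based policy evaluated against a wrong named location will otherwise lock out the very administrators who need to fix it.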
Privileged Identity Management. Your domain admin accounts, global admin accounts, and other highly privileged identities should be subject to even stricter controls. These accounts should:
- Not be used for day-to-day tasks (a separate, standard account for normal work)
- Have just-in-time access elevation rather than persistent admin rights
- Be monitored for any activity
Device Trust: Know What’s Connecting
In a zero trust model, a known, managed device is treated differently from an unknown device. If an employee’s laptop is enrolled in Microsoft Intune or a similar management platform, you know it’s patched, encrypted, and has endpoint protection running. An unknown device - a personal phone, a contractor’s laptop - should face higher scrutiny before it can access business resources.
Microsoft Intune (included in Microsoft 365 Business Premium) allows you to:
- Enrol all company devices
- Enforce encryption (BitLocker)
- Enforce a screen lock and PIN
- Push required applications
- Wipe a device remotely if it’s lost or stolen
- Block access to corporate email if a device becomes non-compliant
Implementing Intune across your fleet is one of the most effective zero trust steps you can take. It brings every managed device into a known, verifiable state.
For BYOD (personal devices used for work), Microsoft’s Mobile Application Management (MAM) allows corporate data within Office apps to be isolated and protected without requiring full device enrolment - a sensible balance between security and employee privacy.
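To show what "enforce encryption and basic compliance policies" looks like as configuration, the following is an added example (not the article's or CX IT Services' code) that creates a Windows device compliance policy in Intune through the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the administrator can consent to the DeviceManagementConfiguration.ReadWrite.All scope, and that the minimum OS build is adjusted to the oldest build your fleet still supports; assigning the policy to a device group is a separate step done afterwards in the Intune admin centre.

```powershell
# Added example: an Intune compliance policy for Windows devices, created with the
# Microsoft Graph PowerShell SDK (not the article's code).
# Assumes: Microsoft.Graph module installed; admin can consent to the scope below.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$policy = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter @{
    "@odata.type"                         = "#microsoft.graph.windows10CompliancePolicy"
    displayName                           = "Windows baseline - encrypted, locked, protected"
    description                           = "Devices that fail any rule below are marked non-compliant"
    bitLockerEnabled                      = $true   # BitLocker must report the OS drive as encrypted
    secureBootEnabled                     = $true
    passwordRequired                      = $true   # screen lock with a PIN or password
    passwordRequiredToUnlockFromIdle      = $true
    passwordMinutesOfInactivityBeforeLock = 15
    passwordMinimumLength                 = 6
    passwordBlockSimple                   = $true
    activeFirewallRequired                = $true
    antivirusRequired                     = $true
    defenderEnabled                       = $true
    rtpEnabled                            = $true   # Defender real-time protection switched on
    osMinimumVersion                      = "10.0.19045"  # assumption: oldest build you still support
    # What happens when a device fails a rule: mark it non-compliant straight away
    # (gracePeriodHours = 0). A Conditional Access policy that requires a compliant
    # device then blocks it from corporate email until it is fixed.
    scheduledActionsForRule               = @(
        @{
            ruleName                      = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 0
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

"Created compliance policy '$($policy.DisplayName)' with id $($policy.Id)"
```

A zero grace period is deliberate for the settings above, because an unencrypted or unprotected laptop is exactly the device you do not want reading mailboxes; for settings that take time to remediate (a pending OS update, for instance) a short grace period avoids locking staff out while the fix installs.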
Microsegmentation: Containing the Blast Radius
Traditional flat networks allow compromised devices to communicate freely with everything else on the same subnet. Microsegmentation limits this by dividing your network into isolated segments with controlled traffic flows between them.
For a Melbourne SMB, practical microsegmentation looks like:
Network segmentation via VLANs. Separate your servers, workstations, printers/IoT devices, and guest wireless into different network segments. Firewall rules between segments control what can talk to what. A compromised printer on the IoT VLAN can’t scan or attack your accounting server on the servers VLAN.
Cloud-based application segmentation. If your business uses cloud applications rather than on-premises servers, segmentation happens through access control policies rather than network topology. Conditional access policies, application-level permissions, and the principle of least privilege achieve similar outcomes.
DNS filtering. Tools like Cisco Umbrella or Cloudflare Gateway intercept DNS queries and block connections to known malicious domains. This provides a layer of protection even if a device is compromised - it can’t easily communicate with attacker-controlled infrastructure.
The Essential Eight Connection
The Australian Signals Directorate’s Essential Eight mitigation strategies align closely with zero trust principles. Businesses implementing zero trust are, in most cases, also progressing their Essential Eight maturity:
- Multi-factor authentication is Essential Eight control #6
- Restricting administrative privileges maps directly to least-privilege principles
- Patching operating systems and applications supports the “assume breach” posture by reducing exploitable vulnerabilities
- Application control prevents unauthorised software from running, limiting attack surface
If your business needs to demonstrate Essential Eight compliance - either to a client, an insurer, or a regulator - framing your zero trust implementation in Essential Eight terms is a practical approach.
A Prioritised Implementation Roadmap
You don’t implement zero trust in a week. Here’s a sensible sequence for a Melbourne SMB:
Month 1: Identity foundation
- Enable MFA for all users (Microsoft Authenticator)
- Review and remove unnecessary admin accounts
- Set up basic Conditional Access policies (block high-risk sign-ins, enforce MFA)
Month 2–3: Device management
- Enrol all company devices in Intune
- Enforce encryption and basic compliance policies
- Block access from non-compliant devices to email and core applications
Month 3–4: Network segmentation
- Audit current network topology
- Implement VLAN segmentation (guest, workstations, servers, IoT)
- Configure firewall rules between segments
Month 4–6: Monitoring and response
- Enable Microsoft Defender XDR (included in Business Premium)
- Configure alerts for suspicious activity
- Document your incident response procedure
Ongoing: Least privilege review
- Quarterly review of who has access to what
- Remove access that’s no longer needed
- Review and refine Conditional Access policies as your environment changes
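The privileged-account controls described earlier and the quarterly "who has access to what" review above both come down to the same two questions: who holds the most powerful role, and which enabled accounts nobody is using any more. As an added example (not the article's or CX IT Services' code), this script answers both with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the administrator can consent to the scopes listed, and that the tenant holds a Microsoft Entra ID P1 licence (included in Business Premium), which the signInActivity property requires; the 90-day threshold is an assumption to adjust to your own policy.

```powershell
# Added example: quarterly privileged-access and stale-account review with Microsoft Graph
# PowerShell (not the article's code). Assumes Microsoft.Graph is installed and the admin can
# consent to the scopes below; signInActivity needs an Entra ID P1 licence.
Connect-MgGraph -Scopes "Directory.Read.All", "AuditLog.Read.All", "RoleManagement.Read.Directory"

$staleAfterDays = 90                              # assumption: review threshold
$cutoff         = (Get-Date).AddDays(-$staleAfterDays)

# 1. Who holds Global Administrator? Each member should be a dedicated admin account,
#    not somebody's day-to-day identity, and the list should be short.
$gaRole    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All
Write-Host "Global Administrators: $($gaMembers.Count)"
foreach ($member in $gaMembers) {
    # Members can also be service principals; Get-MgUser fails quietly for those.
    $u = Get-MgUser -UserId $member.Id -Property Id, UserPrincipalName, AccountEnabled, SignInActivity `
                    -ErrorAction SilentlyContinue
    if ($u) {
        "{0,-45} enabled={1,-5} lastSignIn={2}" -f $u.UserPrincipalName, $u.AccountEnabled,
            $u.SignInActivity.LastSignInDateTime
    }
}

# 2. Enabled accounts with no interactive sign-in inside the threshold: typically leavers
#    and contractors whose access was never removed. Each one is a candidate for disabling.
$users = Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, SignInActivity
$stale = $users | Where-Object {
    $last = $_.SignInActivity.LastSignInDateTime
    $_.AccountEnabled -and ((-not $last) -or ($last -lt $cutoff))
}
Write-Host "`nEnabled accounts with no sign-in in the last $staleAfterDays days: $($stale.Count)"
$stale | Select-Object UserPrincipalName,
    @{ Name = "LastSignIn"; Expression = { $_.SignInActivity.LastSignInDateTime } } |
    Sort-Object LastSignIn | Format-Table -AutoSize
```

Run it at the start of each quarterly review, keep the output with the review record, and treat every account it lists as "justify or remove" rather than "probably fine": an enabled account that nobody signs into is an account whose compromise nobody will notice.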
Zero trust is a journey, not a destination. The goal is to continuously reduce your attack surface and improve your ability to detect and respond to threats - not to reach a single endpoint and declare victory.
CX IT Services helps Melbourne businesses implement zero trust security frameworks, including Microsoft 365 security configuration, Intune deployment, network segmentation, and Essential Eight assessments.