
Three common myths about zero trust explained.

Author: Johanna Jupke

Zero trust is one of the most important modern security strategies, yet it is often misunderstood. That’s hardly surprising, as the approach is multi-layered, spanning identities, devices, networks, data and applications—and it challenges long-established ways of thinking. All the more reason to take a closer look at some of the most common myths and set the record straight.

According to the Microsoft Defence Report 2025, Germany ranks fourth worldwide among the countries most affected by cyberattacks. In most cases attackers target identities, and increasingly they use valid credentials to gain access to networks. As a result, traditional security models such as perimeter-based authentication or VPN-only approaches are reaching their limits. This is why zero trust has become increasingly important, and why it has now emerged as the new standard for effective IT security. However, a number of myths and misconceptions continue to surround zero trust. To understand and apply this concept correctly, these need to be addressed and dispelled.

Understanding and implementing zero trust.

Your Microsoft 365 licence already includes a range of zero trust capabilities. Which ones are they and how can you use them effectively? Find out in our webinar with Microsoft.


Myth 1 – Zero trust is something you can simply buy. 

Zero trust is not a single product that can be installed or switched on at the click of a button. It is a strategic approach that defines how modern security should work regardless of any specific technology. The zero trust model assumes that nothing and no one is inherently trustworthy—not even within your own organisation. Every access request is evaluated in real time to determine whether it can be trusted at that moment, no matter whether the request originates from an internal network or a public one. Access is granted only once all required security conditions have been met—including authentication, authorisation and encryption.  

How Zero Trust works.

  • Every access request is verified: identity and context are continuously assessed.

  • Least privilege access: users are granted only the permissions they actually need.

  • Segmentation: networks are divided into smaller, isolated segments to reduce the attack surface.

  • Monitoring and logging: activities are continuously analysed to detect anomalies at an early stage.

Many organisations already have the necessary tools in place, for example as part of their Microsoft 365 licence. But without a clear concept for how these building blocks are meant to work together, much of that potential remains untapped. Zero trust, therefore, doesn’t come from buying a tool; it emerges from the coordinated interplay of processes, technology and organisational structures.
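To make the principles above concrete, here is a small per-request policy function written for this article as an added illustration; it is not the article's own material and not Microsoft's Conditional Access engine, and all names (roles, resources, MFA method labels) are constructed. It verifies every request on identity strength, device health and least-privilege role permissions, records each decision for monitoring, and deliberately ignores network location, so a valid credential on the corporate LAN earns no extra trust.

```python
from dataclasses import dataclass, field

# Constructed example of a zero trust style per-request policy check.
# Not a real product API; roles, resources and method names are made up.

@dataclass
class AccessRequest:
    user: str
    roles: frozenset
    mfa_method: str          # "none", "sms", "fido2", "certificate"
    device_compliant: bool   # result of a device health check
    network: str             # "corporate" or "public"; never a trust signal here
    resource: str
    action: str              # "read" or "write"

# Least privilege: each role grants only the (resource, action) pairs it needs.
ROLE_PERMISSIONS = {
    "finance": {("ledger", "read"), ("ledger", "write")},
    "helpdesk": {("tickets", "read"), ("tickets", "write"), ("ledger", "read")},
}

PHISHING_RESISTANT = {"fido2", "certificate"}
AUDIT_LOG = []  # monitoring: every decision is recorded, allowed or denied

@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)

def evaluate(req: AccessRequest) -> Decision:
    """Evaluate one request on its own merits; internal network is no shortcut."""
    reasons = []
    # 1. Verify identity strength: MFA is always required, and writes need a
    #    phishing-resistant method.
    if req.mfa_method == "none":
        reasons.append("mfa_required")
    elif req.action == "write" and req.mfa_method not in PHISHING_RESISTANT:
        reasons.append("phishing_resistant_mfa_required_for_write")
    # 2. Device health: valid credentials on a non-compliant device are denied.
    if not req.device_compliant:
        reasons.append("device_not_compliant")
    # 3. Least privilege: the role must explicitly grant this resource/action.
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in req.roles))
    if (req.resource, req.action) not in granted:
        reasons.append("not_in_role_permissions")
    # 4. Monitoring: log the outcome (network is recorded, never consulted).
    AUDIT_LOG.append((req.user, req.resource, req.action, req.network, tuple(reasons)))
    return Decision(allowed=not reasons, reasons=reasons)
```

A denied request returns every failed condition rather than the first one, which is what an analyst reviewing the audit log needs to see.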


Myth 2 – Zero trust requires premium licences. 

It’s true that higher-tier licences such as Microsoft 365 E5 include additional security and compliance features that can make zero trust easier to implement or more comprehensive. But the core of the model cannot be reduced to a specific licence level. 

In fact, Microsoft 365 E3, Business Premium, as well as the newly structured Purview and Defender suites already include essential zero trust capabilities, such as:

  • Multi-factor authentication, including phishing-resistant methods

  • Conditional access

  • Device management and device health checks

  • Basic data loss prevention (DLP)

  • Endpoint protection features

  • Foundational monitoring capabilities

In many enterprises, these features are already in place, but they’re often not enabled or embedded within a clear strategy. The real question, therefore, isn’t “Do we have the right licence?” but “Are we using what we already have effectively and in a coordinated way?” Only once existing capabilities have been fully leveraged does it make sense to look at extended licence options. Because zero trust isn’t a licensing issue—it’s a matter of how you use what’s already there. 


Myth 3 – Zero trust is too complex for SMEs. 

At first glance, zero trust can seem like a large-scale transformation project. In practice, however, it’s more of a process that unfolds in clearly defined steps. SMEs, in particular, often benefit greatly from zero trust—responsibilities are clearer, decision-making paths are shorter, and modernisation initiatives can be implemented more quickly. 

Many foundational measures can be introduced with relatively little effort, and they deliver an immediate improvement in security. The key thing to remember is that zero trust does not mean changing everything at once. It’s about setting the right priorities and gradually guiding the organisation towards a new security mindset.

Zero trust is a process.


A helpful point of reference is the CISA Zero Trust Maturity Model, which outlines how organisations can mature across key domains—identity, devices, networks, data and applications. It defines four stages of development, ranging from traditional through advanced to optimised. What matters is not reaching the highest level immediately, but taking the first step and regularly reviewing where additional measures make sense. Each stage increases security and much of it can already be achieved using existing Microsoft 365 capabilities. So start building your zero trust approach step by step. We’re happy to support you along the way. 

Zero trust with Microsoft 365 – On-demand webinar.

In our on-demand webinar with Microsoft, we explore how zero trust can be implemented in practice using Microsoft 365 capabilities. We discuss the role of the new licensing models and address the questions organisations typically have around these topics. Take advantage of this concise introduction to both the strategic and technical perspectives of zero trust.