BastionSec
Managed · Cross-cutting architecture

Zero Trust: no more implicit trust in the network. We verify identity, device and context at every access.

We apply the NIST SP 800-207 model to your reality: strong identity, device posture, network microsegmentation and least privilege. An architecture that ties all the other services together, not a product to buy.

  • Reference framework: NIST SP 800-207. No perimeter, trust never implicit.
  • Identity + device + network: the three pillars verified on every request.
  • Least privilege and continuous verification: access is a decision, not a permanent state.

What Zero Trust really is

Zero Trust is an architectural model, not a product: the principle is 'never trust, always verify'. You drop the idea that whoever is 'inside the network' is trustworthy: every request to access a resource is authenticated, authorised and encrypted based on identity, device posture and context, regardless of where it originates.

The reference is NIST SP 800-207: a Policy Decision Point evaluates every request and a Policy Enforcement Point enforces it. In practice that means MFA everywhere, per-application access instead of network access, verified devices and privileges cut to the minimum needed.

When you need it

Zero Trust isn't 'for big companies': it's the correct way to grant access when the perimeter no longer exists.

Remote or hybrid teams

People connect from home, on the road, from untrusted networks. A VPN that 'opens the whole network' is the problem, not the solution.

Scattered SaaS and cloud

Data and apps live across dozens of cloud services. Identity becomes the real perimeter to control.

Heading toward certification

MFA, least privilege and segmentation are direct evidence for the access controls of ISO 27001's Annex A.

The three pillars we put in place

Zero Trust rests on identity, device and network, governed by explicit policies and a verification that doesn't stop at login.

Identity

Centralised IAM, SSO (SAML/OIDC), phishing-resistant MFA where possible, account lifecycle and privilege management.

Device

Posture verified before access: managed (MDM), encrypted, up-to-date device with active EDR. No access from unknown endpoints.

Network

Microsegmentation, per-application access via ZTNA instead of a flat VPN, explicit rules and logging of every access.

What we implement

  • Identity as the perimeter: SSO and MFA on all critical apps, fewer local accounts and admin privileges.
  • Least privilege and just-in-time access: minimal privileges, periodic review, elevated access only when needed and for as long as needed.
  • Device posture: MDM/EDR integration to allow access only from compliant endpoints.
  • ZTNA instead of VPN: granular application access without exposing the entire internal network.
  • Microsegmentation: separation of segments (users, servers, IoT, video) with explicit policies between zones.
  • Continuous verification and logging: context re-evaluation, centralised logs and visibility into who accesses what.
  • Policy as code where possible: versioned, repeatable rules, not fragile manual configurations.
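The Policy Decision Point described above (identity, device posture and context evaluated on every request, deny by default, every decision logged, privileges granted just-in-time) as an added toy example in Python. This is illustrative code written for this page, not BastionSec's tooling; the policy table, group names, MFA labels and device fields are constructed assumptions.

```python
# Added example: a minimal Policy Decision Point in the NIST SP 800-207 sense.
# Each call is a fresh evaluation (no session cache), so context is re-checked
# on every request; the Policy Enforcement Point would call decide() per request.
from dataclasses import dataclass

@dataclass
class Identity:
    user: str
    groups: frozenset
    mfa: str = ""            # "" = not verified, "otp", or "fido2" (phishing-resistant); constructed labels
    elevated_until: int = 0  # epoch seconds until a just-in-time admin grant expires, 0 = none

@dataclass
class Device:                # posture attributes reported by MDM/EDR (assumed shape)
    managed: bool
    encrypted: bool
    patched: bool
    edr_active: bool

@dataclass
class Policy:                # "policy as code": rules are data, versionable and testable
    allowed_groups: frozenset
    phishing_resistant_mfa: bool = False  # require FIDO2-class MFA for this resource
    requires_elevation: bool = False      # an active JIT grant is needed (least privilege)

def device_compliant(d: Device) -> bool:
    return d.managed and d.encrypted and d.patched and d.edr_active

def decide(identity, device, resource, now, policies, audit_log):
    """Return (allowed, reasons). Access is granted only if no check fails."""
    reasons = []
    policy = policies.get(resource)
    if policy is None:
        reasons.append("no explicit policy for resource")   # deny by default
    else:
        if not identity.groups & policy.allowed_groups:
            reasons.append("identity not in allowed groups")
        if not identity.mfa:
            reasons.append("MFA not verified")
        elif policy.phishing_resistant_mfa and identity.mfa != "fido2":
            reasons.append("phishing-resistant MFA required")
        if policy.requires_elevation and identity.elevated_until <= now:
            reasons.append("no active just-in-time elevation")
    if not device_compliant(device):
        reasons.append("device posture non-compliant")
    allowed = not reasons
    audit_log.append({"user": identity.user, "resource": resource,   # centralised log of who accessed what
                      "allowed": allowed, "reasons": list(reasons), "at": now})
    return allowed, reasons

POLICIES = {  # constructed sample policies
    "payroll-app": Policy(frozenset({"finance"}), phishing_resistant_mfa=True),
    "prod-admin": Policy(frozenset({"sre"}), phishing_resistant_mfa=True, requires_elevation=True),
}
```

Note that a compliant device with a valid login is still denied for a resource that has no policy and for an expired elevation, which is the behaviour the "access is a decision, not a permanent state" principle asks for.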

How we get there

Zero Trust is a path of increasing maturity, not a switch. We start with high-impact, low-friction wins, then raise the bar.

  1. Assessment & mapping. Identities, devices, applications and flows: what accesses what, today.
  2. Identity first. SSO, MFA and privilege hygiene: the foundation for everything else.
  3. Device posture. MDM/EDR integration to tie access to the endpoint's state.
  4. Segmentation & ZTNA. Microsegmentation and per-application access instead of a flat VPN.
  5. Policy & continuous verification. Explicit rules, logging and context re-evaluation.
  6. Continuous maturation. Iterative refinement on retainer as the environment grows.

Zero Trust is cross-cutting: it touches workspace and identity, devices, network and WiFi, infrastructure and even video surveillance. It rarely starts from scratch: it orchestrates the services you already use and ties them into a coherent model.

Stack & references

Reference framework: NIST SP 800-207 (Zero Trust Architecture). On the concrete building blocks we work at the category level, integrating what you have: identity providers with SSO/MFA (SAML/OIDC), MDM/EDR solutions for posture, ZTNA solutions for application access, NGFW firewalls and segmentation for the network.

It all ties back to the access and network controls of ISO/IEC 27001:2022 Annex A and to CIS Controls principles, so the architecture also produces evidence useful at certification time.

Model and pricing

A design and initial implementation project ('from' price, pinned down after the assessment) plus ongoing management on a retainer, typically per-user or per-device.

For complex or multi-site environments the model is on request. See the pricing page for the ranges.

Frequently asked

Is Zero Trust a product you buy for me?

No. It's an architecture and a set of principles (NIST SP 800-207). We deliver it by integrating and configuring the right tools, many of which you probably already have, not by reselling you a box.

Do I have to throw out my VPN?

Not necessarily right away. But the flat VPN that opens the whole network is the opposite of Zero Trust: the goal is to migrate toward per-application access (ZTNA), gradually, starting from the most sensitive resources.

Is it only for large companies?

No. For an SMB with no clear perimeter and a distributed team, Zero Trust is often simpler and cheaper to adopt than maintaining a castle-and-moat that no longer exists. You start from identity.

How long does it take?

It's a path of increasing maturity, not a project with an end date. The first wins (SSO, MFA, privilege hygiene) come quickly; segmentation and ZTNA follow. We size it after the assessment.

Does it make me 100% safe?

No, and be wary of anyone who promises that. Zero Trust drastically reduces the attack surface and blast radius, but absolute security doesn't exist. That's why we pair it with monitoring and response.

How does it tie into certification?

MFA, least privilege, segmentation and logging are direct evidence for the access and network controls of ISO 27001's Annex A. Implementing Zero Trust brings you closer to certification, not further.

Related services

Workspace & identity

Identity is Zero Trust's first pillar: SSO, MFA and account lifecycle management.

Device management

Device posture decides access: MDM, CIS hardening, encryption and managed EDR.

Detection & response

Continuous verification produces logs and signals: we monitor them, with incident response on retainer.

Where are you on Zero Trust?

Tell us your need: we map identity, devices and access and tell you where to start, no fluff.