In plain English
Zero Trust replaces the old assumption that everything inside your network is safe. Instead, every access request is treated as potentially hostile and must be verified: is this really the right user? Is their device healthy and compliant? Are they in an expected location? Only after all signals check out is access granted — and only to the specific resource needed, not the whole network.
Full definition
The Zero Trust model is built on three principles: verify explicitly (always authenticate and authorise based on all available data points — identity, location, device, service, workload, and data classification); use least-privilege access (limit user access with just-in-time and just-enough-access, risk-based adaptive policies, and data protection); assume breach (minimise blast radius, encrypt everything, use analytics to detect and respond to threats).
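The three principles above, as an added illustration that is not part of the original glossary entry: a small access-decision function that verifies every signal explicitly (MFA, device compliance, location), narrows the grant to the intersection of what was requested and what the principal is entitled to on that one resource (just-enough-access), and emits an audit record for every decision so a breach can be detected afterwards. The users, countries, resources and scopes are constructed placeholders, not values from any real tenant.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_passed: bool          # identity signal
    device_compliant: bool    # device-health signal
    country: str              # location signal
    resource: str             # the single resource being asked for
    scopes_requested: frozenset

# Constructed policy data (assumed, not from the page):
EXPECTED_COUNTRIES = {"AU", "NZ"}
# Least privilege: the most each principal may ever receive, per resource.
ENTITLEMENTS = {
    "alice": {"mail": {"read"}, "sharepoint": {"read", "write"}},
    "bob": {"mail": {"read"}},
}
AUDIT_LOG = []  # assume breach: every decision is recorded for later analytics

def evaluate(req: AccessRequest) -> dict:
    """Return {'decision', 'reasons', 'scopes'} for one request.

    Verify explicitly: all signals must pass, and every failed signal is
    reported rather than stopping at the first one, so analysts see the
    full picture of a suspicious request.
    """
    reasons = []
    if not req.mfa_passed:
        reasons.append("mfa_required")
    if not req.device_compliant:
        reasons.append("device_noncompliant")
    if req.country not in EXPECTED_COUNTRIES:
        reasons.append("unexpected_location")
    if reasons:
        return _record(req, "deny", reasons, frozenset())
    # Just-enough-access: grant only the overlap of requested and entitled
    # scopes, and only on the named resource, never a blanket grant.
    allowed = ENTITLEMENTS.get(req.user, {}).get(req.resource, set())
    granted = frozenset(req.scopes_requested & allowed)
    if not granted:
        return _record(req, "deny", ["no_entitlement"], frozenset())
    return _record(req, "allow", [], granted)

def _record(req, decision, reasons, scopes):
    result = {"decision": decision, "reasons": reasons, "scopes": scopes}
    AUDIT_LOG.append({"user": req.user, "resource": req.resource, **result})
    return result
```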
's security stack — , device compliance, , and — is designed around the Zero Trust model. A properly configured Microsoft 365 environment is effectively a Zero Trust implementation, which is why IronSights uses it as the framework for all M365 hardening engagements.
The Australian Government's framework and the 's cyber security guidance are broadly consistent with Zero Trust principles — particularly the controls around restricting administrative privileges, , and application control.
