
Zero Trust: Never Trust, Always Verify

NeoBit team, Jun 17, 2026, 7 min read

Zero Trust is a security approach built on a simple principle: never trust, always verify. Instead of assuming that everything inside the company network is safe, Zero Trust treats every request, every user and every device as potentially compromised until proven otherwise. This means access to data and systems is not granted simply because someone is "inside" the network; instead, identity and context are verified at every step.

Our solution

Cyber protection for businesses - protection for cloud and IT environments. You don't have to handle it alone; we take care of it for your company. Request a free assessment.

For companies across the region, from Mostar and Sarajevo to Zagreb and Belgrade, this is not an academic topic. Remote work, cloud services, mobile devices and external contractors have shattered the picture of a "safe inside and a dangerous outside" that IT relied on for years. An attacker who needs only one stolen password to get into the network and then move around freely is a reality we see in practice, and Zero Trust is the answer to exactly that problem.

Why the classic perimeter is no longer enough

The traditional security model worked like a medieval town: high walls facing outward (firewall, VPN), while everyone inside trusts one another. The problem is that this logic now breaks down in several places at once.

  • The network boundary no longer exists - employees connect from home, from their phones, over public Wi-Fi networks. Data lives in Microsoft 365, Google Workspace and other cloud services, outside your "wall".
  • A single stolen password brings everything down - once an attacker gets in through phishing or credentials bought on the dark web, a classic network lets them move laterally and freely toward servers, databases and backups.
  • Insider threats and compromised devices - trusting everything "by default" means that an infected employee computer or a disgruntled staff member has the same access as a legitimate user.
  • Ransomware spreads across the network - most of the serious incidents we analyze do not stop at a single computer; because of a flat, unsegmented network, they spread across the entire infrastructure.

Zero Trust does not eliminate the firewall or the VPN; it changes the assumption: no connection, internal or external, is granted trust in advance.

Core principles of the Zero Trust approach

Behind the name there are several concrete principles that can be applied step by step, regardless of company size.

1. Explicit verification

Every access decision is made based on multiple factors: who the user is, which device they are connecting from, whether that device is up to date and protected, where they are connecting from, at what time and which resource they are accessing. "Having a password" is no longer enough.

2. Least privilege

A user is given access to exactly what they need to do their job, no more and no less. An accountant does not need access to server logs, and marketing does not need access to the financial database. This dramatically reduces the damage if a single account is compromised.

3. Assume breach

The system is built as if the attacker is already inside. This means segmentation, continuous monitoring and rapid detection of unusual behavior, instead of hoping that a breach will never happen.

Identity as the new perimeter

In the Zero Trust model, identity takes over the role once played by the network boundary. If the boundary can no longer be drawn around the building, it is drawn around each user and device instead. That is why identity management and strong authentication are at the heart of the whole story.

The single biggest step a company can take is multi-factor authentication (MFA). A password, no matter how long, can today be stolen, guessed or bought. A second factor, an app on a phone or a hardware key, stops the vast majority of account attacks. Alongside MFA come:

  • Single Sign-On (SSO) - one central identity for all services, easier to monitor and faster to revoke access when someone leaves the company.
  • Conditional access - rules such as "block sign-in from abroad" or "require MFA from an unknown device".
  • Privileged Access Management (PAM) - special control over administrator access, which is the most valuable target for attackers.
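The "explicit verification" factors and the conditional-access rules above can be made concrete as a single policy-decision function. The following is an added example, not NeoBit's code or any product's API: the roles, resources, home-region country codes and request fields are constructed for illustration, and the rules ("block sign-in from abroad", "require MFA from an unknown device", least-privilege entitlements) are the ones the article describes.

```python
# Added example (not NeoBit's code): a minimal policy-decision function that
# applies the "explicit verification" factors and the conditional-access rules
# from the article. Roles, resources, countries and the request fields are all
# constructed for illustration; they are not any product's API.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class AccessRequest:
    user: str
    role: str              # "accountant", "marketing" or "admin" (constructed roles)
    resource: str          # "mail", "crm", "finance-db" or "server-logs"
    device_managed: bool   # enrolled in the company's device management
    device_patched: bool   # OS and endpoint protection up to date
    country: str           # country of the source address (constructed ISO codes)
    mfa_satisfied: bool    # a second factor was presented in this session
    hour: int              # local hour of the request, 0-23


# Least privilege: each role gets exactly the resources its job needs.
ROLE_RESOURCES = {
    "accountant": {"mail", "finance-db"},
    "marketing": {"mail", "crm"},
    "admin": {"mail", "crm", "finance-db", "server-logs"},
}
SENSITIVE = {"finance-db", "server-logs"}
HOME_COUNTRIES = {"BA", "HR", "RS"}   # constructed: where staff normally sign in


def evaluate(req: AccessRequest) -> Tuple[str, List[str]]:
    """Return ("allow" | "deny" | "require_mfa", reasons).

    A password alone never decides: identity, device posture, location,
    time and resource sensitivity are checked on every request."""
    # 1. Entitlement: deny anything outside the role's allow-list.
    if req.resource not in ROLE_RESOURCES.get(req.role, set()):
        return "deny", [f"role '{req.role}' is not entitled to '{req.resource}'"]
    # 2. Device posture: sensitive data only from a managed, patched device.
    sensitive = req.resource in SENSITIVE
    if sensitive and not (req.device_managed and req.device_patched):
        return "deny", ["sensitive resource requires a managed and patched device"]
    # 3. Location: the "block sign-in from abroad" rule.
    if req.country not in HOME_COUNTRIES:
        return "deny", [f"sign-in from {req.country} is outside the allowed region"]
    # 4. MFA: always for admins and sensitive data, plus the "require MFA from
    #    an unknown device" rule for anything coming from an unmanaged device.
    needs_mfa = req.role == "admin" or sensitive or not req.device_managed
    if needs_mfa and not req.mfa_satisfied:
        return "require_mfa", ["second factor required before access is granted"]
    # 5. Time context: allowed, but privileged access out of hours is flagged
    #    so the SOC can review it.
    reasons = []
    if req.role == "admin" and not 7 <= req.hour <= 19:
        reasons.append("admin access outside business hours, flagged for SOC review")
    return "allow", reasons or ["all checks passed"]


def demo() -> List[str]:
    """Evaluate a few constructed requests and return one line per decision."""
    requests = [
        AccessRequest("ana", "accountant", "finance-db", True, True, "BA", True, 10),
        AccessRequest("ana", "accountant", "server-logs", True, True, "BA", True, 10),
        AccessRequest("marko", "marketing", "crm", False, True, "HR", False, 14),
        AccessRequest("root", "admin", "server-logs", True, True, "US", True, 9),
        AccessRequest("root", "admin", "server-logs", True, True, "RS", True, 23),
    ]
    lines = []
    for r in requests:
        decision, reasons = evaluate(r)
        lines.append(f"{r.user} -> {r.resource}: {decision} ({'; '.join(reasons)})")
    return lines


if __name__ == "__main__":
    print("\n".join(demo()))
```

The order of the checks is deliberate: entitlement and device posture are evaluated before the more expensive or user-visible steps, so a request that should never succeed is rejected without prompting for a second factor. The "require_mfa" outcome is a step-up, not a denial, which is what keeps the policy usable for staff on unmanaged devices while still refusing a bare password.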

Microsegmentation: stopping the spread of an attack

The second pillar of Zero Trust is microsegmentation. Instead of one large, flat network in which every device can talk to every other, the network is divided into small zones with clear communication rules. A server running the ERP system does not need to, and must not, be reachable by every computer in the office.

The effect is very tangible: when ransomware or an attacker compromises one computer, microsegmentation keeps them confined to that zone instead of opening a path to the entire infrastructure. That is the difference between an incident on a single computer and a company brought to a standstill for several days.
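The zone-and-rule logic behind microsegmentation can be checked with a small allow-list evaluator. This is an added example, not NeoBit's code or a firewall vendor's configuration format: the zones, subnets, ports and the sample connection attempts are constructed for illustration. It shows the default-deny stance between zones, the explicit flows that the ERP tier needs, and why workstation-to-workstation traffic is also worth isolating.

```python
# Added example (not NeoBit's code): a tiny microsegmentation policy check.
# Zones, subnets, ports and sample flows are constructed for illustration.
import ipaddress
from typing import List, Tuple

# The flat office network is split into small, named segments.
ZONES = {
    "users":  ipaddress.ip_network("10.10.0.0/22"),
    "guests": ipaddress.ip_network("10.20.0.0/24"),
    "app":    ipaddress.ip_network("10.30.1.0/24"),   # ERP application servers
    "db":     ipaddress.ip_network("10.30.2.0/24"),   # ERP database
    "backup": ipaddress.ip_network("10.30.3.0/24"),
}

# Allow-list of (source zone, destination zone, destination port).
# Anything not listed is denied: no trust between zones by default.
ALLOWED_FLOWS = {
    ("users", "app", 443),      # office PCs reach the ERP web front-end only
    ("app", "db", 5432),        # application tier talks to the database
    ("db", "backup", 10443),    # backup agent pulls from the database tier
    ("app", "backup", 10443),
}

# Zones where peers never need to talk to each other: a workstation has no
# business connecting to another workstation, so that traffic is dropped too.
PEER_ISOLATED = {"users", "guests"}


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or "unknown" if it matches none."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Decide one connection attempt against the segmentation policy."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == "unknown" or dst == "unknown":
        return False                       # unplaced hosts get nothing
    if src == dst:
        return src not in PEER_ISOLATED    # intra-zone only where it is needed
    return (src, dst, dst_port) in ALLOWED_FLOWS


def audit(flows: List[Tuple[str, str, int]]) -> List[str]:
    """Classify attempted connections; BLOCK lines are what a SIEM should surface."""
    out = []
    for s, d, p in flows:
        verdict = "ALLOW" if is_allowed(s, d, p) else "BLOCK"
        out.append(f"{verdict} {s} ({zone_of(s)}) -> {d} ({zone_of(d)}):{p}")
    return out


# Constructed sample: one office PC (10.10.1.50) is compromised and the malware
# on it tries to reach everything it can see, as in the ransomware case above.
SAMPLE_FLOWS = [
    ("10.10.1.50", "10.30.1.10", 443),    # normal ERP use: allowed
    ("10.10.1.50", "10.30.2.10", 5432),   # direct DB access from a PC: blocked
    ("10.10.1.50", "10.30.3.10", 10443),  # reaching for the backups: blocked
    ("10.10.1.50", "10.10.2.77", 445),    # SMB to another PC: blocked (peer isolation)
    ("10.20.0.15", "10.30.1.10", 443),    # guest Wi-Fi to ERP: blocked
    ("10.30.1.10", "10.30.2.10", 5432),   # app server to DB: allowed
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_FLOWS)))
```

Run as a script, the audit shows the compromised PC keeping exactly one path (the ERP front-end on 443) and losing every other one, which is the "confined to its zone" outcome described above. The blocked attempts are also the most useful detection signal: a workstation suddenly trying the database and backup ports is behaviour a SIEM rule can alert on, because in a segmented design that traffic has no legitimate reason to exist.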

The old approach versus the Zero Trust approach

Aspect                     | Classic perimeter                     | Zero Trust
---------------------------+---------------------------------------+------------------------------------------------
Trust                      | The internal network is "safe"        | No one is trusted in advance
Identity verification      | Once, at sign-in                      | Continuously, at every access
Access to resources        | Broad, based on network membership    | Least privilege
Attacker lateral movement  | Easy, the network is flat             | Limited by microsegmentation
Authentication             | Password                              | MFA, conditional access, context
Monitoring                 | Mostly at the boundary                | Continuous monitoring of all flows (SOC, SIEM)

How a company realistically starts its Zero Trust journey

Zero Trust is not a product you buy and switch on overnight; it is a journey you take in phases. The good news is that the first steps deliver the most benefit with the least effort. Here is the order we recommend to our clients.

1. Take inventory - list your users, devices, applications and data. You cannot protect what you don't know exists.
2. Roll out MFA everywhere - first on email, VPN and administrator accounts, then on everything else. This is the step with the best ratio of effort invested to value gained.
3. Apply the principle of least privilege - review who has access to what and remove anything that is not essential for the job.
4. Segment the network - separate critical systems (ERP, databases, backup) from user computers and guests.
5. Introduce monitoring and detection - EDR on devices and SIEM for centralized monitoring, ideally connected to a SOC team that responds 24/7.
6. Measure and improve - Zero Trust is a continuous process of adjustment, not a one-off project.

Most companies in the region already have some of these elements in place; they simply have not connected them into a coherent whole. That is exactly where opportunities and money are most often lost: the tools exist, but no one assembles them into a strategy.

Where NeoBit comes into the picture

At NeoBit we help companies translate Zero Trust from a concept into concrete, measurable steps. Through penetration testing we show where an attacker can realistically get through, through EDR and SIEM solutions we set up monitoring, and through our SOC team we make sure someone is actually watching and responding when something happens. We don't sell fear or a pile of tools that no one uses; instead, we offer an approach tailored to the size and real risks of your company.

If you are not sure where you stand, the best first step is a security posture assessment. Through it we determine how close you are to the Zero Trust model and which steps deliver the greatest benefit for you. Get in touch with the NeoBit team for a free consultation and assessment, and together we will put together a plan that makes sense both for your budget and for your risk.

Frequently asked questions

Is Zero Trust intended only for large corporations?

No. Zero Trust principles apply to companies of all sizes, and small and medium-sized businesses often benefit the most because they are a frequent target of automated attacks. Small businesses can start with low-cost steps such as MFA and an access review, without major investment in infrastructure.

Do we need to throw out our existing firewall and VPN if we adopt Zero Trust?

No. Zero Trust does not eliminate the firewall or the VPN; it changes the assumption that everything behind them is automatically safe. Existing equipment still has a role, but it is reinforced with identity verification, segmentation and monitoring so that internal traffic is no longer trusted in advance.

How long does it take to implement a Zero Trust approach?

Zero Trust is a journey, not a one-off project. The first and most valuable steps, such as rolling out MFA and reviewing privileges, can be done in a few weeks. Full microsegmentation and continuous monitoring are introduced gradually, according to the company's priorities and resources.

What is the first step a company should take?

An inventory of users, devices and data, plus rolling out multi-factor authentication on key systems. After that comes a security posture assessment, which NeoBit can carry out and use as the basis for proposing a realistic plan for moving to Zero Trust.

Related guides: Cyber security in BiH - the complete guide · Microsoft 365 security: how to protect M365