A care organisation delivering residential, supported living, and domiciliary care services across multiple regions. Care workers accessed sensitive data from offices, care homes, clients' own homes, and while travelling between visits. The organisation relied on Microsoft 365 for email, care documentation, and operational systems, with staff connecting from a wide range of devices and locations throughout the day.
Service: Managed IT
Care sub-sector: Residential, supported living, domiciliary care
The organisation's security model was built on a simple assumption: if you were inside the network, you were trusted. Once a user logged in, they had broad access to systems and data with minimal further checks. This perimeter-based approach had been the standard for years, but it was fundamentally unsuitable for a modern care provider.
Care staff don't sit behind a corporate firewall. They work in clients' homes, in community settings, in care homes with shared devices, and on personal phones while on the move. The traditional network perimeter had dissolved long before anyone acknowledged it. A carer logging in from a personal tablet in a service user's home was granted the same level of trust as someone sitting at a managed desktop in the head office.
If a single set of credentials was compromised - through phishing, a reused password, or a lost device - the attacker would inherit that same implicit trust. There was no second check, no verification that the device was compliant, no assessment of whether the sign-in behaviour was unusual. For an organisation holding care plans, medical records, safeguarding notes, and personal information for vulnerable adults, this represented a significant and growing risk.
The organisation knew it needed to change its approach but was concerned about the impact on frontline staff. Care workers are not IT professionals. Any security model that created friction, locked people out during home visits, or added steps to already demanding workflows would be resisted and ultimately worked around.
We designed and implemented a zero trust security model across the organisation's Microsoft 365 environment. The core principle was straightforward: never trust, always verify. Every access request would be evaluated based on who is requesting access, from what device, from where, and whether the request is consistent with normal behaviour.
Conditional Access policies were configured as the primary enforcement mechanism. Every sign-in is now evaluated against a set of conditions before access is granted:
Least-privilege access was applied across all user roles. Instead of broad access granted at onboarding and never reviewed, each role was mapped to the specific systems, SharePoint sites, and applications it genuinely needed. A care worker accessing visit schedules and care notes does not need access to financial reporting or HR records. Access was scoped to the minimum required for each role and reviewed quarterly.
Device compliance baselines were established through Intune. Every device accessing organisational data must meet a defined standard: BitLocker encryption, current antivirus definitions, supported operating system version, and screen lock enabled. Non-compliant devices are blocked from accessing sensitive data until they meet the baseline.
Session controls were implemented for sensitive applications. Even after a user is authenticated on a compliant device, sessions expire and require re-authentication after defined periods. Inactive sessions are terminated automatically. If a device is lost or a user account is compromised, active sessions can be revoked instantly.
The rollout was carefully phased. We started with the IT and administration teams, refined the policies based on real-world feedback, and then extended to care home managers, coordinators, and finally frontline care workers. Each phase included clear communication explaining what would change, why it mattered, and what staff needed to do (in most cases, very little beyond approving an MFA prompt they were already familiar with).
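Added example, not the organisation's own configuration: one Conditional Access policy built with the Microsoft Graph PowerShell SDK that combines the controls described above (MFA plus an Intune-compliant device, sign-in frequency and no persistent browser sessions) and is created in report-only mode so its effect can be checked in the sign-in logs before enforcement, matching the phased rollout. The policy name, the 8-hour sign-in frequency and the break-glass account ID are assumptions.

```powershell
# Requires the Microsoft.Graph PowerShell SDK. Scopes: policy write for creation,
# AuditLog.Read.All for reviewing report-only results.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All"

# Hypothetical break-glass account object ID (placeholder); excluded so that a
# misconfigured policy cannot lock every administrator out.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "ZT - Require MFA and compliant device for all cloud apps"
    # Report-only: nothing is blocked yet, but each sign-in records what would have happened.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "AND"                          # both controls must be satisfied
        builtInControls = @("mfa", "compliantDevice")    # compliance is evaluated by Intune
    }
    sessionControls = @{
        # Re-authenticate every 8 hours (assumed value) and never persist browser sessions;
        # persistentBrowser only applies when the policy targets all cloud apps, as here.
        signInFrequency   = @{ value = 8; type = "hours"; isEnabled = $true }
        persistentBrowser = @{ mode = "never"; isEnabled = $true }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Review phase: list recent sign-ins this policy would have blocked, so the
# non-compliant devices and affected staff can be fixed before enforcement.
Get-MgAuditLogSignIn -Top 500 |
    Where-Object {
        $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.Id -eq $created.Id -and $_.Result -eq "reportOnlyFailure" }
    } |
    Select-Object CreatedDateTime, UserPrincipalName,
        @{ n = "Device"; e = { $_.DeviceDetail.DisplayName } },
        @{ n = "Compliant"; e = { $_.DeviceDetail.IsCompliant } }

# Once the report-only results are clean for a pilot group, switch the policy to enforced.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
    -BodyParameter @{ state = "enabled" }
```

Run the enforcement step only after the report-only review shows no unexpected failures for the pilot group.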
Every access request across the organisation is now verified before data is made available. There is no implicit trust based on network location, device ownership, or previous authentication. The security model reflects the reality of how care staff actually work: from multiple locations, on multiple devices, often outside any traditional network boundary.
Conditional Access policies evaluate every sign-in in real time. Staff who meet the verification requirements (correct identity, compliant device, normal behaviour) experience seamless access with minimal friction. Staff who don't - or attackers who have compromised a single factor - are blocked before they reach any data.
The least-privilege model means that even a fully compromised account has access only to what that specific role requires. A compromised care worker account cannot access financial systems. A compromised administrator account cannot access care records. The blast radius of any potential breach has been dramatically reduced.
Frontline staff adoption was smoother than expected. The MFA prompt was already familiar, device compliance checks happen in the background, and Conditional Access decisions are invisible when everything is in order. Care workers in clients' homes, on the road, or in care homes access their systems exactly as before - the verification happens silently behind every sign-in.
Zero trust architecture implemented · Conditional Access enforced on every sign-in · Device compliance required before data access · Least-privilege access model applied to all user roles · Continuous verification replacing implicit network trust
The people this organisation supports trust it with their most sensitive information. That trust is now backed by a security model that verifies every access, from every device, every time. Care workers notice no difference in their day. The data they handle has never been better protected.