Zero Trust
Zero Trust is a security model built on the principle 'never trust, always verify': no user, device, or network location is trusted by default, even inside a traditional network perimeter. Every access request is continuously…
Definition
Zero Trust is a security model built on the principle 'never trust, always verify': no user, device, or network location is trusted by default, even inside a traditional network perimeter. Every access request is continuously authenticated, authorized, and encrypted based on identity and context, rather than relying on a hardened perimeter with implicit trust inside it.
Overview
Zero Trust emerged as a response to the failure of the traditional 'castle-and-moat' security model, in which anything inside the corporate network perimeter (VPN-connected, on-prem) was implicitly trusted. That model breaks down with cloud services, remote work, and mobile devices, since a single compromised credential or device can grant broad lateral access once inside the perimeter. The term was popularized by Forrester analyst John Kindervag around 2010, and later formalized by frameworks like NIST SP 800-207. In practice, Zero Trust architecture is built on several pillars: strong identity verification for every request (often via multi-factor authentication and short-lived tokens), device posture checks (is the device patched, managed, compliant), least-privilege access (granting only the minimum permissions needed, scoped per-resource rather than network-wide), micro-segmentation (breaking networks into small zones so lateral movement is restricted), and continuous monitoring/analytics that can revoke access dynamically if behavior looks anomalous. Rather than a single product, Zero Trust is an architectural philosophy implemented through a combination of tools: identity providers (IdPs), device management (MDM/EDR), software-defined perimeters or Zero Trust Network Access (ZTNA) solutions replacing traditional VPNs, and policy engines that evaluate every request against context (user, device, location, time, resource sensitivity) before granting access. Major cloud providers and vendors (Google's BeyondCorp, Microsoft Entra, Cloudflare Access) have all built commercial Zero Trust offerings, and it has become a common compliance and procurement requirement, particularly in government (e.g. US federal mandates following Executive Order 14028) and regulated industries.
Key Concepts
- No implicit trust based on network location — every request is verified
- Strong identity verification, often via MFA and short-lived credentials
- Least-privilege, resource-scoped access rather than broad network access
- Micro-segmentation to limit lateral movement after a breach
- Continuous monitoring and adaptive, risk-based access decisions
- Device posture and compliance checks as part of access evaluation
- Often implemented via Zero Trust Network Access (ZTNA) replacing VPNs