
Zero Trust

Also known as: Zero Trust Architecture, ZTA, Never Trust Always Verify

Zero Trust is a security model where no user, device, or service is implicitly trusted - every access request is verified continuously regardless of network location. It replaces the traditional 'trusted internal network' model with identity-based access controls.

Zero Trust

Zero Trust is a security model where no user, device, or service is implicitly trusted, even when inside the corporate network perimeter. Every access request is authenticated, authorized, and continuously verified before granting access to resources. The model replaces the traditional "trusted internal network, untrusted external network" mental model with identity-based access controls applied uniformly everywhere.

Why Zero Trust replaces perimeter security

The traditional security model assumed a hard outer perimeter (firewall, VPN, network segmentation) and a soft trusted interior. Once you were "on the network", you had broad access to internal systems. This model broke for three reasons:

  1. Cloud workloads removed the perimeter. Production runs in AWS, Azure, GCP, and SaaS apps - none of which sit inside the corporate firewall.
  2. Remote work made every employee external. Hybrid and remote work means users connect from cafes, homes, and airports - the "internal network" is no longer a meaningful boundary.
  3. Lateral movement is the dominant attack pattern. Once an attacker gets one foothold (phished credentials, compromised laptop), perimeter security does nothing to stop them moving laterally inside the network. Most major breaches in the last decade involved this pattern.

The Zero Trust principles (NIST 800-207)

NIST publication 800-207 defines Zero Trust around seven tenets:

  1. All data sources and computing services are resources - workstations, servers, IoT devices, and SaaS apps are all "resources" in the model.
  2. All communication is secured regardless of network location - encryption (TLS, mTLS) is the default, not the exception.
  3. Access is granted on a per-session basis - tokens have short lifetimes; access doesn't persist indefinitely.
  4. Access is determined by dynamic policy - decisions consider user identity, device posture, time, location, and behavioral signals.
  5. Continuous monitoring of asset integrity - device posture (patched, encrypted, EDR-installed) is checked at every access.
  6. All authentication and authorization are dynamic and strictly enforced before access is granted.
  7. Continuous improvement based on observed network and user behavior.

Zero Trust building blocks

Real-world Zero Trust implementations combine:

  • Identity provider (IdP): Microsoft Entra ID, Okta, Auth0, AWS IAM Identity Center. Single source of truth for identity.
  • Multi-factor authentication (MFA): required for every privileged action.
  • Conditional access: policy engine that combines identity, device, location, and risk signals to allow, block, or require step-up authentication.
  • Endpoint detection and response (EDR): ensures device posture is acceptable before granting access.
  • Microsegmentation: network controls that limit lateral movement even within the cloud or data center.
  • Privileged access management (PAM): time-bound, just-in-time elevation for administrative actions.
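To make the tenets above and the conditional-access building block concrete, here is an added example of a small policy decision point: a function that takes one access request, checks device posture (tenet 5), entitlement and a risk signal (tenet 4), enforces MFA before access (tenet 6), and hands back a short-lived session grant (tenet 3). It is illustrative code written for this entry, not code from NIST SP 800-207 or from any IdP or conditional-access product; the resource names, group names, thresholds and policy table are all constructed assumptions.

```python
"""Toy Zero Trust policy decision point (added, illustrative example).

Not code from NIST SP 800-207 or any vendor product; every signal name,
threshold and policy entry below is a constructed assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # access withheld until MFA is completed
    DENY = "deny"


@dataclass(frozen=True)
class DevicePosture:
    disk_encrypted: bool
    edr_running: bool
    patch_age_days: int


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    mfa_verified: bool
    device: DevicePosture
    resource: str
    risk_score: int      # 0..100, assumed to come from a risk engine (constructed)
    now: datetime


@dataclass(frozen=True)
class SessionGrant:
    user: str
    resource: str
    expires_at: datetime   # tenet 3: per-session, short-lived


# Constructed policy table (assumption): per-resource entitlement, MFA
# requirement, session lifetime and maximum tolerated risk score.
POLICY = {
    "payroll-db": {"groups": {"finance"}, "mfa": True, "ttl_minutes": 15, "max_risk": 30},
    "wiki": {"groups": set(), "mfa": False, "ttl_minutes": 480, "max_risk": 70},
}
MAX_PATCH_AGE_DAYS = 30   # assumed posture threshold


def posture_ok(device: DevicePosture) -> bool:
    """Tenet 5: asset integrity is checked on every request, not once at enrolment."""
    return (device.disk_encrypted and device.edr_running
            and device.patch_age_days <= MAX_PATCH_AGE_DAYS)


def evaluate(req: AccessRequest):
    """Tenets 4 and 6: dynamic policy, enforced before access. Returns (decision, reason, grant)."""
    policy = POLICY.get(req.resource)
    if policy is None:
        return Decision.DENY, "unknown resource: default deny", None
    if not posture_ok(req.device):
        return Decision.DENY, "device posture check failed", None
    if policy["groups"] and not (policy["groups"] & req.groups):
        return Decision.DENY, "identity not entitled to resource", None
    if req.risk_score > policy["max_risk"]:
        return Decision.DENY, "risk score exceeds resource threshold", None
    if policy["mfa"] and not req.mfa_verified:
        return Decision.STEP_UP, "MFA required before access", None
    grant = SessionGrant(req.user, req.resource,
                         req.now + timedelta(minutes=policy["ttl_minutes"]))
    return Decision.ALLOW, "all checks passed", grant


NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed clock
GOOD = DevicePosture(disk_encrypted=True, edr_running=True, patch_age_days=3)
STALE = DevicePosture(disk_encrypted=True, edr_running=True, patch_age_days=90)


def sample_requests():
    """Constructed scenarios; none of these identities or resources are real."""
    fin, con = frozenset({"finance"}), frozenset({"contractor"})
    return {
        "finance_mfa": AccessRequest("alice", fin, True, GOOD, "payroll-db", 10, NOW),
        "finance_no_mfa": AccessRequest("alice", fin, False, GOOD, "payroll-db", 10, NOW),
        "contractor": AccessRequest("bob", con, True, GOOD, "payroll-db", 10, NOW),
        "stale_device": AccessRequest("alice", fin, True, STALE, "payroll-db", 10, NOW),
        "wiki_low_risk": AccessRequest("bob", con, False, GOOD, "wiki", 20, NOW),
        "wiki_high_risk": AccessRequest("bob", con, False, GOOD, "wiki", 90, NOW),
    }


def run_samples():
    """Map each scenario name to its decision string."""
    return {name: evaluate(req)[0].value for name, req in sample_requests().items()}


if __name__ == "__main__":
    for name, req in sample_requests().items():
        decision, reason, grant = evaluate(req)
        ttl = f" (expires {grant.expires_at.isoformat()})" if grant else ""
        print(f"{name:15} {decision.value:8} {reason}{ttl}")
```

The order of checks is the design point: posture and entitlement are evaluated on every request, a failed posture check denies even a fully entitled, MFA-verified user, and the grant carries an expiry so nothing persists beyond the session. A real deployment would source the posture and risk signals from EDR and the IdP rather than from constructed values, but the decision flow is the same.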

Zero Trust exam topics

  • CompTIA Security+: Zero Trust principles, microsegmentation, identity-based perimeter, the difference from defense in depth.
  • AZ-500 (Microsoft Azure Security Engineer): Conditional Access policies, Privileged Identity Management, Defender for Cloud, secure score, Zero Trust deployment with Microsoft Entra ID.
  • CISSP: broader architectural placement, integration with risk management, the relationship between Zero Trust, defense in depth, and least privilege.
  • CCNP Security: Cisco SecureX, Duo, Umbrella, ISE - the Cisco Zero Trust portfolio.

Common Zero Trust misconceptions

  • "Zero Trust is a product." No. Zero Trust is an architecture. Vendors sell components that implement it.
  • "Zero Trust replaces firewalls." No. Firewalls remain useful for network segmentation; Zero Trust adds identity-based control on top.
  • "Zero Trust means VPN-less." Sometimes. ZTNA (Zero Trust Network Access) products replace VPN for application access, but VPN can also be operated within a Zero Trust model.
  • "You implement Zero Trust once." Zero Trust is a journey, not a destination. Most enterprises spend 3-5 years migrating.