Foundations 101: What is it and Why it matters
Zero Trust (ZT) is a security model based on the principle: “Never trust, always verify.” There are other security models but ZT is considered the fittest in today cybersecurity landscape. ZT treats every access attempt as a potential threat until the system can prove that the particular request is legitimate. This will occur whether the access request uniformly comes from inside or outside a corporate perimeter.
This model is a necessity because the traditional “castle-and-moat” security model (e.g., relying on a strong firewall perimeter) has turned obsolete. Today workforces are remote and mobile. Users and customers data reside in multiple clouds, not just in a central data center anymore and the corporate network perimeter has effectively dissolved. ZT comes to support this modern reality.
How It Works
In a traditional model scenario (e.g., trusted network), when an employee wants to access the company’s applications from home, he will connect to the corporate VPN. Once on the VPN, his laptop is “trusted” and he can now access not only the applications but also many other internal network resources. This makes him a potential target for lateral movement if his device is compromised.
In a zero trust scenario, even when a user is connected to a corporate network via VPN, they are not granted implicit access to the corporate SaaS services. Instead, they have to authenticate once to obtain an access token (e.g., via SSO). Then the request is evaluated against a ZT context-aware policy engine. The verification process includes the access token validity, user permissions, device posture and contextual risk. This process applies equally to users on‑premise, remotely or on any network.
This mechanism captures the whole ZT essence which is built on three core principles:
- ZT never assumes trust based on network location but always explicitly verify the access request by authenticating and authorizing every access request based on dynamic data points like identity, device health and location.
- ZT enforces the principle of least privilege access ensuring that any granted permissions are strictly limited to the minimum required for a specific task.
- ZT operates under the permanent assumption of a breach. Thus the model performs continuous checks even after initial login to minimize the attack surface and contain the potential “blast radius” of any compromise.
In analogy, ZT does not check the employee at the door and give him a master key to access the whole building. Rather it gives the employee a highly guarded and temporary key that only works to open one specific room. Moreover a security guard watches the employee the entire time and is ready to escort him out if he tries to open the wrong drawer.
Other Security Models
ZT is the most suitable foundational security model for today’s IT environment. However it works best when combined with other models such as:
- Defence‑in‑Depth (DiD): A layered security strategy that places multiple protective barriers from the network perimeter to the host, application and data layers. If one layer is breached, the remaining layers will continue to protect the system. The usual controls mainly include firewalls, IDS/IPS, antivirus, network segmentation, encryption and backups. This approach fits well for traditional on‑premises environments (e.g., corporate datacenters, university campus/healthcare hospital networks, financial‑institution and government agencies) and heavily regulated industries (e.g., banking & financial services, energy & utilities or defence sectors) that require extensive audit trails.
- Least‑Privilege / Need‑to‑Know: This model is one component of ZT (it actually combines least‑privilege with continuous verification etc.). Every identity, process or service gets only the necessary rights it needs to access resources. Common implementations are Privileged‑Access Management (PAM) for admin accounts (e.g., just‑in‑time elevation with session recording) or Just‑In‑Time (JIT) access that grants temporary rights for a limited window.
- Risk‑Based / Governance‑Centric: This model security decisions are led by a systematic assessment of business‑impact risk rather than by a checklist of controls. It treats security as a continuous risk‑management process aligned with business goals. Actually security is a component of business and must allows a business to operate, to continue to exist, to growth and to be profitable. Critical asset are identified, threats are quantified, mitigations are prioritized and governance is embedded in the structure (e.g., risk owners, steering committees, policies, metrics etc.). By doing so, organizations can adapt to evolving threats while ensuring that security investments directly protect what matters most.
- Secure‑by‑Design / DevSecOps: This model embeds security into every stage of the software‑development lifecycle (SDLC) instead of adding it later. Its relevance mostly comes from the need to protect codebases, mitigate supply‑chain threats and satisfy increasingly strict compliance expectations. All this while maintaining the velocity that modern businesses demand.
- Cyber‑Kill‑Chain / MITRE ATT&CK: The Cyber‑Kill‑Chain model describes the linear progression of an attack from early reconnaissance to the final objective. It shows where defenders can intervene. The MITRE ATT&CK framework (Adversarial Tactics & Techniques) is a matrix‑style knowledge base that maps how attackers achieve each stage of the kill‑chain (tactics) with concrete techniques, sub‑techniques and mitigations. It is continuously updated with real‑world observations. The Cyber‑Kill‑Chain tells you when an attack occurs while MITRE ATT&CK tells you how it happens. Both provide an actionable framework for hunting, defending and responding to modern threats in complex and multi‑cloud environments. Together they give a common basis for threat‑intel sharing, detection engineering and incident response planning.
ZT tops this list of security models because the traditional corporate network perimeter is largely gone, continuous verification and convergence in an unified control plane are required, regulatory guidelines are mandatory in many industry (NIST 800‑207, EU Cybersecurity Act) and due to the need of scalable automation in cloud deployments (e.g., policy‑as‑code, API‑driven provisioning, AI‑driven risk scores etc.).
Yet ZT by itself is not sufficient so it’s combined with other security models. Below are several illustrative examples:
- Legacy infrastructure that run in a company‑owned datacentre and were built before today’s cloud‑native and micro‑segmentation technologies cannot be easily micro‑segmented. Thus these legacy on‑prem assets still benefit from DiD firewalls and intrusion detection.
- In specific sectors like healthcare, highly regulated data (e.g., medical records) often requires risk‑based governance and formal audit trails beyond what ZT delivers alone.
- In SDLC, application development pipelines need Secure‑by‑Design practices. Indeed, ZT does protect access but cannot guarantee that code is free of vulnerabilities.
- Incident response benefits from the MITRE ATT&CK framework to map adversary behaviour and orchestrate detections. Then ATT&CK tells the ZT system which controls to trigger and ZT produces the telemetry that ATT&CK then classifies.
Key Zero Trust trends
Among the new trends come ZTNA (Zero Trust Network Access). ZTNA is an implementation of ZT that provides authorized users a secure identity-based access to applications and/or services. With ZTNA, the user never connects to the corporate network. The ZTNA provider (e.g., Zscaler, CrowdStrike or Cloudflare) acts as a broker and creates a secure and encrypted tunnel directly from the user’s device to the specific application. This completely bypasses the need for a VPN.
ZTNA provides a direct access to an application and eliminates the performance bottlenecks, complex management and large attack surface associated with VPNs .In fact, ZTNA replaces the traditional VPN with an identity and application centric model. Secure remote access with VPN is thus becoming a legacy solution. While VPN still serves niche purposes like accessing legacy internal applications, ZTNA is clearly becoming the standard for modern secure access architectures.
The practical implementation of ZTNA is evolving through frameworks like Google’s BeyondCorp for application access and Secure Access Service Edge (SASE). SASE is a cloud architecture that combines network and security-as-a-service functions built on ZT principles. Google’s BeyondCorp objective is to enable all Google employees to work effectively from untrusted networks without the need of a VPN.
Beyondcorp Reference Architecture. Source: https://www.beyondcorp.com/
BeyondCorp consists of multiple building blocks: Identity provider (IdP), device posture service, context engine (risk evaluator), policy decision point (PDP), policy enforcement point (PEP) and auditing/logging. All of these components are cloud‑native and highly distributed so the verification happens close to the user (at the edge) and the decision travels back in milliseconds.
Here is an example of ZT access flow based on the BeyondCorp (Conditional‑Access) model:
- Alice works from a coffee shop on her personal laptop.
- She signs in with her Google Workspace credentials and a FIDO2 security key.
- The device‑posture service reports: OS = macOS 13, no corporate EDR installed, no disk encryption.
- The risk engine flags the missing corporate controls and raise Alice’s risk score to 78 %.
- The policy (PDP) says risk > 70 % (require step‑up MFA challenge).
- Consequently, Alice is prompted to enter a one‑time passcode generated by her mobile authenticator app which she then submits.
- The PDP now evaluates the request to access Google Drive. The policy for that resource says risk ≤ 80 % (allow read/write).
- The PEP forwards her request and Alice can edit her documents.
If Alice had tried to access a higher‑privilege resource like the Google Cloud Console, the same policy might have said risk ≤ 50 % (allow). The request would be denied despite Alice’s successful MFA and would force her to connect from a compliant device.
Among other ZT trends in the implementation of modern security models is the convergence with SIEM/SOAR. ZT systems are integrating with Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) platforms to use real-time analytics and threat detection to inform access decisions. Also, since manual policy enforcement doesn’t scale, trends heavily favour automated policy enforcement based on real-time risk assessment and AI-driven analytics.
TLDR
Zero Trust is no longer just a theory; it’s the foundational framework for modern cybersecurity, driving trends toward identity-based, automated and cloud-native security solutions. It is also clear that there is not a single “magic bullet” security architecture that works perfectly for every organization, industry or technology stack.
Depending on each use cases, layering ZT with other proven models like DiD, least‑privilege, risk‑based governance and secure by design creates a resilient and adaptable security posture that can meet both operational speed and compliance demands.
Companies are moving away from a patchwork of tools and toward integrated ZT platforms from vendors (like Zscaler, Palo Alto, Cisco etc.) that offer a unified policy across all resources. The focus has shifted from network perimeters to user and device identity as the new security perimeter. Multi-factor authentication (MFA) is now also a bare minimum requirement since it is the most effective and practical control to verify a user’s identity.