Your corporate VPN gives you a fat pipe straight into the internal network, and once you’re in, you’re in. That’s not security. That’s a drawbridge with no guards on the other side. Zero trust flips that model on its head — nothing is trusted by default, not your device, not your identity, not your location. Every single access request gets verified. Every time.
The TL;DR
Zero trust is a security architecture that eliminates implicit trust. There is no “inside the network” anymore — every request is treated as if it originates from an untrusted network. You authenticate, you prove device posture, you get the minimum access needed, and you do it again next time. The model was formalized by NIST SP 800-207, and it’s not a product you buy — it’s a philosophy you implement across identity, devices, networks, applications, and data.
The Reality
Castle-and-moat security had a good run. Build a perimeter, put a firewall on it, VPN everyone in, and call it a day. The problem? Once attackers get past the moat — and they will — they move laterally through your network like they own the place. Because functionally, they do.
The major breaches of the last decade tell the same story. The attackers didn’t kick down the front door. They compromised a single credential, landed inside the perimeter, and then pivoted. SolarWinds. Colonial Pipeline. The OPM breach. The pattern is identical: get in once, move everywhere.
Traditional VPNs are the worst offenders. They grant broad network access the moment authentication succeeds. You log in from a compromised laptop at a coffee shop, and suddenly that laptop has the same network access as a hardened workstation in the server room. That’s implicit trust, and it’s the exact thing zero trust was designed to kill.
The CISA Zero Trust Maturity Model exists because the federal government looked at its own infrastructure and realized the perimeter model was hemorrhaging. Executive Order 14028 made zero trust a mandate, not a suggestion.
How It Works
The Seven Tenets of NIST SP 800-207
NIST SP 800-207 defines seven tenets that form the foundation. Here’s what they actually mean:
- All data sources and computing services are considered resources. Your SaaS app, your on-prem database, your IoT thermostat — all of it. No exceptions.
- All communication is secured regardless of network location. Being “on the corporate network” doesn’t buy you trust. Traffic inside the perimeter gets the same scrutiny as traffic from outside.
- Access to individual resources is granted on a per-session basis. You don’t get a golden ticket. Each request is evaluated independently.
- Access is determined by dynamic policy. Identity, device state, behavioral patterns, time of day, geolocation — all of it feeds the access decision.
- The enterprise monitors and measures the security posture of all owned and associated assets. You can’t trust what you can’t see. Continuous monitoring is non-negotiable.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed. No static rules gathering dust. The policy engine evaluates in real time.
- The enterprise collects as much information as possible about the current state of assets and uses it to improve security posture. Telemetry feeds back into the system. It learns.
The Architecture: PDP and PEP
At the core of zero trust sit two components:
- Policy Decision Point (PDP): The brain. It evaluates access requests against policy using identity, device posture, threat intelligence, and behavioral analytics. It decides yes or no.
- Policy Enforcement Point (PEP): The gate. It sits between the subject (you, your device) and the resource. It enforces whatever the PDP decides.
Every access request flows through this loop. No PDP approval, no access. Period.
Micro-segmentation
Instead of one big flat network where everything can talk to everything, micro-segmentation carves the network into granular zones. Your HR application can’t talk to your engineering database. Your print server can’t reach your payment system. If an attacker compromises one segment, they’re stuck there. The blast radius shrinks dramatically.
Continuous Verification
This is where zero trust separates from “just add MFA.” Authentication happens at login, sure. But zero trust also re-evaluates throughout the session. Device posture changed? Session revoked. Behavioral anomaly detected? Step-up authentication required. Geographic impossibility? Access denied. It’s not a one-time check — it’s a continuous conversation between your device and the policy engine.
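Here is what that PDP/PEP loop and the continuous re-evaluation look like as code. This is an added example, not code from NIST SP 800-207 or any product: the request fields, the 1000 km/h impossible-travel threshold, and the device posture and behavioral-anomaly flags are assumed inputs from a device agent and analytics pipeline, and the policy follows the page's rules (posture change revokes, anomaly forces step-up, geographic impossibility denies, hardware keys rather than SMS for sensitive resources).

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 1000.0   # assumed impossible-travel threshold
MIN_KM = 100.0     # ignore small moves so back-to-back re-checks don't trip it

@dataclass
class Request:
    user: str
    mfa: str               # "fido2", "totp", "sms" or "none"
    managed: bool          # device enrolled in management
    compliant: bool        # current posture attestation (assumed device agent)
    sensitivity: str       # resource class: "low" or "high"
    lat: float
    lon: float
    ts: float              # seconds since epoch
    anomaly: bool = False  # behavioral-analytics flag (assumed upstream input)

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def decide(req, prev=None):
    """PDP: evaluate one request against dynamic policy.
    prev is the session's last seen request; deny outranks step_up."""
    if req.mfa == "none" or (not req.managed and req.sensitivity == "high"):
        return "deny"                       # unmanaged devices get low-sensitivity access at most
    if req.managed and not req.compliant:
        return "deny"                       # posture changed -> session revoked
    if prev is not None and req.ts > prev.ts:
        km = km_between(prev.lat, prev.lon, req.lat, req.lon)
        if km > MIN_KM and km / ((req.ts - prev.ts) / 3600) > MAX_KMH:
            return "deny"                   # geographic impossibility
    if req.sensitivity == "high" and req.mfa != "fido2":
        return "step_up"                    # hardware key, not SMS/TOTP, for sensitive resources
    if req.anomaly:
        return "step_up"                    # behavioral anomaly -> re-prove identity
    return "allow"

class Pep:
    """PEP: every request, including mid-session re-checks, is sent to the PDP."""
    def __init__(self):
        self.last = {}       # session id -> last request seen, approved or not
        self.active = set()  # sessions currently holding access
    def request(self, sid, req):
        verdict = decide(req, self.last.get(sid))
        self.last[sid] = req
        if verdict == "allow": self.active.add(sid)
        else: self.active.discard(sid)
        return verdict
```

Note that the PEP keeps the last request even when it was denied, so a later check still sees the prior location; a real deployment would source that history from the monitoring pipeline rather than from the gate itself.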
How It Gets Exploited
Zero trust isn’t invincible — it shifts where the attacks happen.
Identity becomes the crown jewel. When everything hinges on identity verification, attackers go straight for your identity provider. Compromise the IdP, and you’ve compromised the keys to the kingdom. The MITRE ATT&CK technique T1556 (Modify Authentication Process) maps directly to this — attackers target the authentication infrastructure itself.
Policy misconfiguration. Zero trust is only as good as the policies you write. Overly permissive policies, stale device trust rules, or exceptions that never got cleaned up — these are the cracks. Organizations buy the zero trust tooling and then write policies that recreate implicit trust with extra steps.
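The "implicit trust with extra steps" problem is auditable. Below is an added example, not part of the original page and not any vendor's policy schema: a constructed policy set in an assumed dict format, with a rule that rebuilds the moat as a CIDR allow-list, an expired vendor exception, an exception with no expiry, and the corrected form (identity plus device posture, scoped to one resource), plus a linter that flags the first three.

```python
from datetime import date

# Constructed policy set; the format is assumed for this example, not a vendor schema.
POLICIES = [
    {"name": "legacy-lan", "effect": "allow", "subjects": "*", "resources": "*",
     "conditions": {"src_cidr": "10.0.0.0/8"}},          # the moat, rebuilt as a rule
    {"name": "vendor-temp-access", "effect": "allow", "subjects": "vendor-svc",
     "resources": "erp", "sensitivity": "high", "exception": True,
     "expires": "2023-06-30", "conditions": {"mfa": "totp"}},
    {"name": "breakglass", "effect": "allow", "subjects": "group:oncall",
     "resources": "*", "sensitivity": "high", "exception": True,
     "conditions": {"mfa": "fido2", "device_compliant": True}},
    {"name": "eng-db", "effect": "allow", "subjects": "group:eng",
     "resources": "db-prod", "sensitivity": "high",
     "conditions": {"mfa": "fido2", "device_compliant": True}},      # the corrected form
]

IDENTITY_OR_DEVICE = ("mfa", "device_compliant", "group")

def audit(policies, today):
    """Return (policy name, finding) pairs for rules that recreate implicit trust."""
    findings = []
    for p in policies:
        cond = p.get("conditions", {})
        if p["effect"] != "allow":
            continue
        if "src_cidr" in cond and not any(k in cond for k in IDENTITY_OR_DEVICE):
            findings.append((p["name"], "access keyed on network location only"))
        if p["subjects"] == "*" and p["resources"] == "*":
            findings.append((p["name"], "wildcard subject and resource"))
        if p.get("exception"):
            exp = p.get("expires")
            if exp is None:
                findings.append((p["name"], "exception with no expiry"))
            elif date.fromisoformat(exp) < today:
                findings.append((p["name"], "expired exception still active"))
        if p.get("sensitivity") == "high" and not cond.get("device_compliant"):
            findings.append((p["name"], "high-sensitivity access without device posture"))
    return findings
```

Run `audit(POLICIES, date.today())` as part of policy review or CI so a rule like `legacy-lan` never ships silently.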
Token theft and session hijacking. If the PDP issues a token and an attacker steals it, they inherit that trust. Techniques like adversary-in-the-middle (T1557) and token replay become the priority attack paths.
The BeyondCorp lesson. Google pioneered zero trust with BeyondCorp starting around 2009, after Operation Aurora — a state-sponsored attack that penetrated their perimeter. Google’s response was radical: eliminate the privileged internal network entirely. Every Google employee accesses internal applications through the same infrastructure, whether they’re in the office or on a park bench. It works. But Google spent years and significant engineering resources to get there. The origin story matters because it shows that zero trust was born from a real breach, not a marketing deck.
What You Can Do
For Organizations: The Implementation Roadmap
Zero trust is a journey. You’re not flipping a switch — you’re rebuilding how access works.
- Inventory everything. You can’t protect what you don’t know about. Map your assets, your data flows, your identities. The NIST Cybersecurity Framework Identify function is your starting point.
- Centralize identity. One identity provider. Strong MFA — hardware keys, not SMS. Conditional access policies. This is the foundation everything else sits on.
- Implement device trust. Managed devices with verified posture get access. Unmanaged devices get limited access or none. Device compliance becomes a gate, not a suggestion.
- Deploy micro-segmentation. Start with your most sensitive resources. Segment them away from general network traffic. Expand outward.
- Replace VPN with ZTNA. Zero Trust Network Access grants per-application access, not network access. You authenticate to the application, not the network. The application is invisible to anyone who hasn’t been authorized to see it.
- Monitor continuously. SIEM, UEBA, EDR — feed telemetry into your policy engine. Anomalies trigger re-evaluation, not just alerts.
- Iterate. Use the CISA Zero Trust Maturity Model to benchmark where you are across the five pillars: Identity, Devices, Networks, Applications & Workloads, and Data.
For Individuals
You can apply zero trust thinking to your own life. Don’t trust a device just because it’s yours — keep it patched and hardened. Don’t trust a network just because it’s familiar — use encrypted connections everywhere. Don’t trust an app just because you installed it — audit permissions regularly. The principle scales down.
Sources & Further Reading
- NIST SP 800-207: Zero Trust Architecture — The foundational document
- CISA Zero Trust Maturity Model — Federal implementation guidance and maturity benchmarks
- Google BeyondCorp Papers — The original zero trust implementation at scale
- MITRE ATT&CK — Attack technique mapping for understanding what zero trust defends against
- ISC2 Zero Trust Resources — Professional development and architectural guidance
- NIST Cybersecurity Framework — The broader framework zero trust operates within