Hard2bit

Zero Trust

What is zero trust

Zero Trust is a security model that starts from an uncomfortable idea: no user, device or service deserves implicit trust simply because it sits inside the network. Every request is evaluated against verified identity, device posture, context (time, location, resource sensitivity) and the risk calculated at that moment; the decision is not inherited from an earlier request or from network position. It is the response to the classic perimeter model, where a credential that crossed the VPN had open access to everything behind it. The operating principles are easy to state and hard to run: "never trust, always verify", least-privilege access and continuous verification.

Why it matters

The perimeter as we understood it a decade ago no longer exists: the workforce operates from homes, airports and coworking spaces; data lives in SaaS and cloud infrastructure; third parties reach internal systems from devices we do not control. Attackers know this, and their recurring tactic is to enter through the open door (a leaked VPN credential, a stolen OAuth token, a misconfigured exposed service) and, once inside, move laterally with ease. Zero Trust breaks that pattern because every new access is evaluated against the current policy instead of being inherited from network position: access to the payroll server is not granted because you are on the network, it is granted because you are Ana, on an up-to-date corporate laptop, within business hours and with phishing-resistant MFA. European frameworks (NIS2, DORA) and references such as NIST SP 800-207 and CISA's Zero Trust Maturity Model push in this direction, and for the CISO the real win is not buying a product; it is shortening the time an attacker operates unseen.

Key points

The usual five pillars, the ones CISA's Zero Trust Maturity Model uses: identity, devices, networks, applications and workloads, and data. In each one you enforce verification before access, telemetry during use, and the ability to revoke access live when context changes.

Identity as the new perimeter: phishing-resistant MFA (FIDO2, passkeys) for every meaningful access, conditional access policies and continuous permission reviews. If identity is weak, the rest of the model wobbles.

Microsegmentation and per-application access: instead of exposing a whole network through VPN, each application is published behind its own proxy or broker (ZTNA) that validates identity, device and session. Network segmentation stops being a Visio diagram and becomes an enforceable policy.

Verified device posture: an endpoint that is unpatched, has EDR disabled or is missing from the inventory should not reach sensitive data, even if the user is legitimate. MDM, EDR signals and access control based on device health are mandatory.

Telemetry and detection are still essential: Zero Trust shrinks the attack surface, it does not erase it. The SIEM, the XDR layer and the SOC remain where detection and response happen when something slips through.

A phased journey, not a big bang: start with identity (strong MFA, SSO, conditional access), then devices and critical applications, then microsegmentation and data. Trying to do it all at once usually ends in internal resistance and rollback.

Example: Zero Trust transformation at a mid-sized insurer

An insurance company with staff split between offices, remote work and contractors runs the classic model: VPN into the corporate network and, from there, broad visibility into servers, file shares and internal applications. After an incident where a contractor credential falls to phishing and the attacker browses business files before anyone notices, leadership asks for a realistic Zero Trust plan.

The first wave tackles identity: corporate SSO, phishing-resistant MFA for everyone, conditional access policies that require a corporate device, a patched system and an expected geography. The second wave replaces the VPN with per-application access (ZTNA): the contractor no longer sees the network, only the application they have been authorized to use, within the agreed window, from a controlled browser. The third wave introduces microsegmentation between environments (finance, customers, development, administration) and wires the signals from EDR, IdP and ZTNA broker into the SIEM. The outcome is not that credentials never fall (they will) but that an attempt to move laterally generates friction and visible events instead of silence, and the team detects the pattern in hours instead of weeks.
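The conditional-access logic from the first wave, written out as an added example that is not code from the original page or from any product. It is a minimal policy decision point of the kind an IdP or ZTNA broker runs per request: identity and role, MFA strength, device posture, geography and time window are all checked, nothing is inherited from network position, and every failed check is returned so the SIEM can see why. The signal names, the two application policies and the four sample requests (Ana's payroll access, a contractor outside the agreed window, phished credentials replayed from an unmanaged machine) are constructed for illustration.

```python
"""Added example: a minimal Zero Trust policy decision point.
Hypothetical engine, not a vendor API. Policies, signals and requests are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# MFA methods treated as phishing-resistant (assumption: FIDO2 and passkeys only).
PHISHING_RESISTANT = frozenset({"fido2", "passkey"})


@dataclass(frozen=True)
class Device:
    managed: bool       # enrolled in MDM and present in the inventory
    patched: bool       # OS and agents at the required patch level
    edr_healthy: bool   # EDR agent running and reporting


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_method: Optional[str]   # None means no MFA in this session
    device: Device
    country: str                # country of the source IP as seen by the IdP
    hour: int                   # local hour of the request, 0-23
    app: str


@dataclass(frozen=True)
class AppPolicy:
    sensitivity: str                           # "high" or "standard"
    allowed_roles: frozenset[str]
    business_hours: Optional[tuple[int, int]]  # (start, end) or None for any time
    allowed_countries: frozenset[str]


@dataclass(frozen=True)
class Decision:
    allow: bool
    reasons: tuple[str, ...]   # every failed check, so the SIEM sees why


def evaluate(req: Request, policy: AppPolicy) -> Decision:
    """Deny by default: every applicable check must pass for this one request."""
    failed = []
    # 1. Identity and least privilege: the role must be authorized for this app.
    if req.role not in policy.allowed_roles:
        failed.append("role_not_authorized")
    # 2. MFA strength: any MFA for standard apps, phishing-resistant for high-sensitivity apps.
    if req.mfa_method is None:
        failed.append("mfa_missing")
    elif policy.sensitivity == "high" and req.mfa_method not in PHISHING_RESISTANT:
        failed.append("mfa_not_phishing_resistant")
    # 3. Device posture: unmanaged devices never reach corporate apps; high-sensitivity
    #    apps additionally require a patched system with healthy EDR.
    if not req.device.managed:
        failed.append("device_unmanaged")
    elif policy.sensitivity == "high":
        if not req.device.patched:
            failed.append("device_unpatched")
        if not req.device.edr_healthy:
            failed.append("edr_unhealthy")
    # 4. Context: expected geography and, where the policy defines one, a time window.
    if req.country not in policy.allowed_countries:
        failed.append("geo_not_allowed")
    if policy.business_hours is not None:
        start, end = policy.business_hours
        if not start <= req.hour < end:
            failed.append("outside_business_hours")
    return Decision(allow=not failed, reasons=tuple(failed))


# Constructed policies for two applications from the insurer example.
PAYROLL = AppPolicy("high", frozenset({"finance", "hr"}), (8, 19), frozenset({"ES", "PT"}))
CLAIMS_PORTAL = AppPolicy("high", frozenset({"claims", "contractor"}), (8, 20), frozenset({"ES"}))
HEALTHY = Device(managed=True, patched=True, edr_healthy=True)


def demo() -> dict[str, Decision]:
    """Four constructed requests; returns the decision for each scenario."""
    return {
        # Ana, up-to-date corporate laptop, business hours, passkey: allowed.
        "ana_payroll": evaluate(
            Request("ana", "finance", "passkey", HEALTHY, "ES", 10, "payroll"), PAYROLL),
        # Same user and credentials, but the laptop missed its patches: denied.
        "ana_unpatched": evaluate(
            Request("ana", "finance", "passkey", Device(True, False, True), "ES", 10, "payroll"), PAYROLL),
        # Contractor with everything in order but outside the agreed window: denied.
        "contractor_night": evaluate(
            Request("contractor7", "contractor", "fido2", HEALTHY, "ES", 22, "claims-portal"), CLAIMS_PORTAL),
        # Phished credentials plus a phished OTP, replayed from the attacker's own machine abroad.
        "phished_ana": evaluate(
            Request("ana", "finance", "totp", Device(False, False, False), "RU", 10, "payroll"), PAYROLL),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18} allow={decision.allow} reasons={decision.reasons}")
```

The point of returning every failed check rather than the first one is operational: a single "outside_business_hours" denial is a contractor working late, while "mfa_not_phishing_resistant" together with "device_unmanaged" and "geo_not_allowed" on a valid account is the phished-credential pattern the SOC wants to alert on.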

Common mistakes

  • Treating Zero Trust as a product you install. It is not a vendor or an appliance; it is a set of principles realised through identity, devices, network, applications and data, and it almost always crosses several teams and several budget lines.
  • Rolling it out without executive backing. If the board signs off 'MFA mandatory' but the same executives ask for exceptions for convenience, the model breaks where models always break: at the top. Exceptions must be priced, logged and time-bound.
  • Confusing Zero Trust with 'deny everything'. The goal is access with verification, not gratuitous friction. If the average employee loses half an hour a day authenticating, someone will look for shortcuts and will find them.
  • Abandoning detection in the belief that Zero Trust makes SOC and SIEM unnecessary. Zero Trust reduces the useful surface for attackers, but adversaries will search for the weak link —an ungoverned SaaS integration, an unrotated API token— and they will find it.
  • Trying to do it all at once. Zero Trust projects delivered in a single phase tend to get rolled back; those executed in waves (identity → devices and critical applications → microsegmentation → data) move slowly but stick.


Frequently asked questions

Is Zero Trust compatible with remote work and external contractors?

It is built exactly for that scenario. In the classic model the remote worker or the contractor obtained an open path into the network through VPN; under Zero Trust they obtain per-application access, conditional on verified identity, healthy device and audited session. In fact, it is for contractors and third parties where the benefit is most visible: they stop 'seeing the whole network' and only see what has been explicitly authorized.

How expensive is it to implement Zero Trust?

It depends on the starting point. Many organizations already own part of the puzzle (modern IdP, MFA, EDR, SIEM) and what they lack is orchestration and policy; others start from a flat VPN and need real investment in per-application access, microsegmentation and identity governance. The honest calculation compares that cost against the expected cost of a serious incident: incident response time, operational impact, regulatory fines and cyber-insurance premiums. The decision is made on risk, not on catalogues.

How do you measure whether a Zero Trust rollout is actually working?

With concrete indicators: mean time to detect lateral movement (should drop from weeks to hours), number of accesses blocked by conditional-access policy (a sustained zero usually means lax policy, not calm), percentage of critical applications behind ZTNA instead of VPN, and reduction of effective privileges after periodic certification. The SIEM is the natural source for these metrics.
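The indicators above, computed from constructed telemetry as an added example that is not part of the original page. The event schema (JSON lines from the IdP and the ZTNA broker), the application inventory and the detection thresholds are hypothetical; a SIEM query would do the same over the real logs. It also shows the lateral-movement pattern from the insurer example: a single identity denied on several applications it was never authorized for within a few minutes, and the delay between the first denial and the alert.

```python
"""Added example: Zero Trust rollout indicators from constructed IdP and ZTNA broker logs.
Schema, inventory and thresholds are hypothetical, not any vendor's format."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: IdP conditional-access decisions and ZTNA broker access results.
SAMPLE_LOG = """\
{"ts":"2024-05-06T09:02:11Z","source":"idp","user":"ana","app":"payroll","result":"allow"}
{"ts":"2024-05-06T09:05:40Z","source":"idp","user":"contractor7","app":"claims-portal","result":"allow"}
{"ts":"2024-05-06T22:14:02Z","source":"idp","user":"contractor7","app":"claims-portal","result":"deny","reason":"outside_business_hours"}
{"ts":"2024-05-06T22:14:30Z","source":"ztna","user":"contractor7","app":"finance-db","result":"deny","reason":"role_not_authorized"}
{"ts":"2024-05-06T22:15:05Z","source":"ztna","user":"contractor7","app":"hr-files","result":"deny","reason":"role_not_authorized"}
{"ts":"2024-05-06T22:15:41Z","source":"ztna","user":"contractor7","app":"dev-git","result":"deny","reason":"role_not_authorized"}
{"ts":"2024-05-07T08:30:00Z","source":"idp","user":"bob","app":"dev-git","result":"deny","reason":"device_unpatched"}
"""

# Constructed application inventory: criticality and how each app is published.
APP_INVENTORY = {
    "payroll": ("critical", "ztna"),
    "claims-portal": ("critical", "ztna"),
    "finance-db": ("critical", "ztna"),
    "hr-files": ("critical", "vpn"),
    "dev-git": ("standard", "ztna"),
    "legacy-erp": ("critical", "vpn"),
}


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def blocked_by_policy(events):
    """Accesses denied by conditional-access or broker policy, counted per reason.
    A sustained zero here usually means the policy is lax, not that nothing is happening."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "deny":
            counts[e["reason"]] += 1
    return dict(counts)


def critical_apps_behind_ztna(inventory):
    """Percentage of critical applications published through ZTNA rather than VPN."""
    critical = [route for level, route in inventory.values() if level == "critical"]
    behind = sum(1 for route in critical if route == "ztna")
    return round(100 * behind / len(critical), 1)


def detect_lateral_probing(events, distinct_apps=3, window=timedelta(minutes=10)):
    """Flag a user denied as unauthorized on >= distinct_apps different apps within window.
    Returns {user: (first_denial_ts, alert_ts)}; the gap is the detection delay."""
    denials = defaultdict(list)
    for e in events:
        if e["result"] == "deny" and e["reason"] == "role_not_authorized":
            denials[e["user"]].append((e["ts"], e["app"]))
    alerts = {}
    for user, items in denials.items():       # items are already in time order
        for i, (t0, _) in enumerate(items):
            in_window = [(t, a) for t, a in items[i:] if t - t0 <= window]
            if len({a for _, a in in_window}) >= distinct_apps:
                alerts[user] = (t0, max(t for t, _ in in_window))
                break
    return alerts


def mean_detection_delay_seconds(alerts):
    """Mean seconds from the first anomalous denial to the alert firing."""
    if not alerts:
        return 0.0
    return sum((t1 - t0).total_seconds() for t0, t1 in alerts.values()) / len(alerts)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("blocked by policy:", blocked_by_policy(evs))
    print("critical apps behind ZTNA: %.1f%%" % critical_apps_behind_ztna(APP_INVENTORY))
    found = detect_lateral_probing(evs)
    print("lateral probing alerts:", {u: t1.isoformat() for u, (_, t1) in found.items()})
    print("mean detection delay: %.0fs" % mean_detection_delay_seconds(found))
```

In the constructed data the contractor's account is legitimately refused once for working late, then probes three applications it was never authorized for in just over a minute; the broker denies each one, and the correlation fires on the third. That is the shift the page describes: the same stolen credential that once browsed a flat network in silence now produces a dated, attributable sequence of denials. Note that the delay measured here is only the broker layer's contribution to time-to-detect; the SOC's triage time comes on top.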

Does Zero Trust prevent every attack?

No. An attacker who compromises legitimate credentials on a legitimate device during business hours can get past the first barrier. What a correctly implemented Zero Trust design provides is that this access is scoped to a specific application, that any movement outside that scope is re-evaluated against policy rather than inherited, and that every step leaves telemetry. Defense in depth, meaning detection, response, backups and a continuity plan, remains essential.