Zero Trust is one of the most important shifts in cybersecurity thinking over the last decade. The traditional “castle and moat” security model assumed that everything inside the network perimeter was trusted. Zero Trust rejects that assumption entirely. Its core principle: “Never trust, always verify.”
The Problem with Traditional Perimeter Security
Old security model: Build a strong perimeter (firewall, VPN), and once someone is inside, they’re trusted to access most internal resources.
Why this fails:
- Attackers who breach the perimeter (via phishing, stolen VPN credentials) get wide access
- Insider threats — malicious or compromised employees — can access far more than they need
- Cloud and remote work blurred the perimeter — “inside the network” no longer means anything definitive
- Supply chain attacks enter through trusted vendor connections
Real example: In the SolarWinds breach (2020), attackers compromised a software update mechanism to gain access to thousands of organizations’ networks. Once inside, they moved laterally for months because internal trust was too permissive.
The Zero Trust Model
Zero Trust has three core principles:
1. Verify Explicitly
Always authenticate and authorize based on all available data points — identity, location, device health, service, workload, and behavior. Don’t grant access based solely on network location.
2. Use Least Privilege Access
Grant only the minimum permissions needed for each user, device, and application to do their job. Just-in-time (JIT) access means privileges expire automatically.
3. Assume Breach
Design systems assuming attackers are already inside. Segment networks, minimize blast radius, encrypt all traffic (even internal), and monitor everything.
Zero Trust in Practice
Identity as the New Perimeter
# In Zero Trust, identity verification happens on every request, not just login
# Conditional Access Example (Microsoft Entra ID / Azure AD):
# Rule: Allow access to Salesforce ONLY when:
# - User: verified with MFA
# - Device: compliant (MDM enrolled, patched, encrypted)
# - Location: known location OR satisfies risk conditions
# - Risk: sign-in risk = LOW
# Configuration in Entra ID:
# Entra > Protection > Conditional Access > New Policy
# Assignments: All users
# Target resources: Salesforce
# Conditions: Device platforms, Locations, Sign-in risk
# Access controls: Require MFA + compliant deviceNetwork Segmentation and Microsegmentation
# Traditional: one big flat network — everything talks to everything
# Zero Trust: microsegmented — each workload can only communicate with what it needs
# Example with Linux firewall rules (iptables):
# Web server can only talk to the database server, nothing else
# On the database server, only allow connections from web server:
iptables -A INPUT -s 10.0.1.10 -p tcp --dport 5432 -j ACCEPT # Web server IP
iptables -A INPUT -p tcp --dport 5432 -j DROP # Block all others
# In Kubernetes, Network Policies enforce Zero Trust:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: database-policy
spec:
podSelector:
matchLabels:
app: database
ingress:
- from:
- podSelector:
matchLabels:
app: web-frontend # Only web pods can reach database
ports:
- protocol: TCP
port: 5432Least Privilege with RBAC
# Role-Based Access Control: assign minimum necessary permissions
# AWS IAM Least Privilege Example:
# Instead of giving developers broad S3 access:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::my-app-bucket/dev-team/*"
// Only this specific prefix in this specific bucket
}]
}
# NOT this (too broad):
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}Device Trust
# Zero Trust requires device health checks before granting access
# Devices must be: enrolled in MDM, encrypted, patched, running AV
# Mobile Device Management options:
# Microsoft Intune (enterprise)
# Jamf (macOS/iOS)
# Open-source: Headscale + Tailscale for network access control
# Tailscale (Zero Trust network access):
# Install on all devices
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
# Devices in your Tailscale network can only communicate
# with explicitly configured routes and ACLsContinuous Monitoring
# Zero Trust isn't "verify once at login" — it's continuous verification
# Monitor and re-evaluate access continuously:
# UEBA (User Entity Behavior Analytics) flags anomalies:
# - User downloads 10x more data than usual
# - Login from new country after 2 years
# - Access to systems they've never used before
# - Activity at unusual hours
# Free SIEM with UEBA capabilities:
# Wazuh + Elasticsearch + Kibana
# Enable rules: wazuh.com/blog/how-to-detect-anomalous-user-behaviorZero Trust Maturity Model
CISA publishes a Zero Trust Maturity Model with five pillars. You don’t implement everything overnight — it’s a journey:
- Identity — MFA, conditional access, identity governance
- Devices — MDM enrollment, device compliance, endpoint detection
- Networks — Microsegmentation, encrypted internal traffic, DNS filtering
- Applications — SSO, API security, just-in-time access
- Data — Data classification, DLP, encryption at rest and in transit
Where to Start
If you’re starting from zero, prioritize in this order:
- Enable MFA on everything (biggest bang for buck)
- Implement Conditional Access policies
- Deploy endpoint management (MDM)
- Start network segmentation (separate IoT, guest, production)
- Review and reduce user permissions (least privilege audit)
Wrap Up
Zero Trust isn’t a product you buy — it’s a philosophy you implement across identity, devices, networks, applications, and data. Every incremental step makes you more resilient. Start with MFA and conditional access, and build from there. The goal isn’t perfection; it’s making lateral movement so difficult that attackers give up or get caught quickly.