Zero Trust
Security model that doesn't implicitly trust any user or system, verifying every request regardless of its origin inside or outside the network.
seed#zero-trust#security#identity#network#authentication#authorization
What it is
Zero Trust is a security model based on "never trust, always verify." Unlike the traditional perimeter model (trust everything inside the network), Zero Trust verifies every request regardless of its origin.
Principles
- Verify explicitly: authenticate and authorize every request
- Least privilege: give only necessary permissions
- Assume breach: design as if the attacker is already inside
Pillars
- Identity: strong authentication (MFA, passwordless)
- Devices: verify device state and compliance
- Network: microsegmentation; the internal network is not trusted
- Applications: identity-based access, not network-based
- Data: classification and protection of sensitive data
Implementation
- Identity-aware proxies (BeyondCorp, Cloudflare Access)
- Service mesh with mTLS
- Context-based access policies
- Exhaustive logging and monitoring
Perimeter model vs zero trust
| Aspect | Traditional perimeter | Zero Trust |
|---|---|---|
| Trust | Implicit inside the network | None — always verify |
| Access | VPN + firewall | Identity-aware proxy |
| Segmentation | VLANs, subnets | Per-service microsegmentation |
| Authentication | Once (entering the network) | Every request |
| Lateral movement | Easy once inside | Blocked by default |
| Remote work | Requires VPN | Native — location is irrelevant |
Adoption steps
- Identity inventory: map users, services, and devices
- MFA everywhere: multi-factor authentication as a requirement, not an option
- Microsegmentation: isolate services with service mesh and mTLS
- Contextual access policies: evaluate identity + device + location + time
- Continuous monitoring: detect anomalies in access patterns
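The contextual access policy from the steps above, as an added example that is not part of this note or of any named product: a per-request policy decision point that verifies identity (MFA), device posture, role, location and time, denies by default, and emits an audit record for every decision. The users, roles, resources and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    action: str
    mfa_verified: bool       # identity signal from the IdP
    device_compliant: bool   # posture signal: patched, disk encrypted, ...
    device_managed: bool     # enrolled in device management
    ip_country: str          # location signal
    time_utc: datetime       # time signal

USER_ROLES = {"alice": {"finance"}, "bob": {"engineering"}}  # constructed sample data
POLICIES = {  # hypothetical per-resource least-privilege policies
    "payroll-db": {"roles": {"finance"}, "actions": {"read"}, "managed_device": True,
                   "countries": {"US", "CA"}, "hours": (8, 18)},
    "wiki": {"roles": {"finance", "engineering"}, "actions": {"read", "write"},
             "managed_device": False, "countries": None, "hours": None},
}
BUSINESS_HOURS = datetime(2024, 5, 6, 10, 0, tzinfo=timezone.utc)  # constructed timestamps
AFTER_HOURS = datetime(2024, 5, 6, 22, 0, tzinfo=timezone.utc)

def evaluate(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Every check runs on every request; default is deny."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        return False, "deny: unknown resource (default deny)"
    if not req.mfa_verified:                        # verify explicitly
        return False, "deny: MFA not verified"
    if not req.device_compliant:                    # device pillar
        return False, "deny: device not compliant"
    if policy["managed_device"] and not req.device_managed:
        return False, "deny: managed device required"
    if not (USER_ROLES.get(req.user, set()) & policy["roles"]):  # least privilege
        return False, "deny: no role grants this resource"
    if req.action not in policy["actions"]:
        return False, f"deny: action '{req.action}' not permitted"
    if policy["countries"] and req.ip_country not in policy["countries"]:
        return False, "deny: location outside allowed regions"
    if policy["hours"] and not policy["hours"][0] <= req.time_utc.hour < policy["hours"][1]:
        return False, "deny: outside permitted hours"
    return True, "allow"

def log_decision(req: Request, decision: tuple[bool, str]) -> dict:
    # Audit record for every decision, allowed or denied (continuous monitoring step).
    return {"user": req.user, "resource": req.resource, "action": req.action, "country": req.ip_country,
            "time": req.time_utc.isoformat(), "allowed": decision[0], "reason": decision[1]}
```

Note that the decision is recomputed on every request rather than once at network entry, which is the "Authentication: every request" row of the comparison table in practice.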
Why it matters
The perimeter security model assumes everything inside the network is trustworthy. Zero trust eliminates that assumption: every request is authenticated and authorized regardless of its origin. It is the security model that reflects the reality of distributed systems and remote work.
References
- BeyondCorp — Google's implementation.
- NIST Zero Trust Architecture — SP 800-207.
- CISA Zero Trust Maturity Model — CISA, 2023. Maturity model for zero trust implementation.