6 min read·Lesson 1 of 8

What Zero Trust Is (and Is Not)

A working definition of Zero Trust, the failures of perimeter security it addresses, and the most common misconceptions.

Zero Trust is the dominant security architecture of the decade. The US federal government mandated it. Every major cloud provider sells products labelled with it. And like any architecture that becomes a buzzword, it is widely misunderstood. This lesson defines what Zero Trust actually is, what changed to make it necessary, and what it is not.

The Old World: Perimeter Security

For thirty years, enterprise security followed the "castle and moat" model. You drew a network boundary — usually a firewall between your office LAN and the internet — and assumed:

  • Anything inside the network is trustworthy.
  • Anything outside must be filtered, blocked, or routed through a VPN to get in.

This worked when applications, users, and data all lived in the same building. It started breaking when:

  • Cloud and SaaS moved applications outside the perimeter. Your CRM is now Salesforce; your code is in GitHub; your data warehouse is Snowflake.
  • Mobile and remote work moved users outside the perimeter. VPN concentrators became chokepoints and single points of failure.
  • Lateral movement in breaches showed the model's flaw. Once an attacker had a single foothold inside (a phished employee, a compromised vendor's credentials, a trojaned software update), the "trusted" interior network gave them weeks of largely unobstructed lateral access; see Target 2013, NotPetya 2017, SolarWinds 2020.
  • Supply-chain attacks proved you cannot trust software in your network just because it is in your network.

By 2020 the perimeter was a fiction. Most production traffic was outside it; most attacks succeeded by getting inside it and exploiting the implicit trust.

Zero Trust: The Working Definition

Never trust, always verify. Treat every network as hostile. Authenticate and authorise every request — based on the identity of the user, the posture of the device, the context of the request, and the sensitivity of the resource — regardless of where the request comes from.

The slogan is followed by three sentences, and each does a lot of work:

  1. "Treat every network as hostile" — the corporate LAN, the home office Wi-Fi, the airport hotspot, the AWS VPC. None gets implicit trust.
  2. "Authenticate and authorise every request" — not "log in once a day to the VPN." Every API call, every page load, every database query.
  3. "Based on identity, posture, context, sensitivity" — access decisions are dynamic. Access from a managed laptop running EDR is different from access from a personal phone running an outdated OS.

The Origin: BeyondCorp

Google was hit by Operation Aurora in late 2009 (disclosed in January 2010), an attack attributed to Chinese state actors that pivoted across its internal network. Google concluded that its VPN-and-firewall model was unfixable and started building an alternative: BeyondCorp.

The principles, published from 2014 onwards, were:

  • No network has special trust. Connecting from the office is not different from connecting from a coffee shop.
  • Access is granted to individual applications, not to the network. There is no VPN.
  • Every request is authenticated, authorised, and encrypted regardless of source.
  • Devices are inventoried, certificate-bound, and continuously evaluated for posture.

BeyondCorp is the reference implementation that most Zero Trust designs copy. The label itself is older: Forrester's John Kindervag coined "Zero Trust" in 2010, and the industry has since broadened it well beyond Google's specifics.

The Policy Catalyst: Executive Order 14028

In May 2021, after the SolarWinds breach, US President Biden signed Executive Order 14028, "Improving the Nation's Cybersecurity." It directed every federal agency to plan and begin a migration to a Zero Trust architecture, building on a standard NIST had already published and on guidance that CISA and OMB then issued:

  • NIST SP 800-207 (August 2020): the formal Zero Trust Architecture standard. It predates the EO, which cites it as the foundation. Next lesson.
  • CISA Zero Trust Maturity Model (v1 draft in 2021, v2 in April 2023): a 5-pillar maturity ladder. Also next lesson.
  • OMB M-22-09 (January 2022): the federal Zero Trust strategy, which sets concrete goals for agencies (phishing-resistant MFA among them) to be met by the end of fiscal year 2024.

Whether or not you are a US federal contractor, these documents are now the de facto reference. Enterprise procurement specifies "NIST 800-207 aligned." Auditors ask for it. Vendors map products to it.

What Zero Trust Is Not

It is easier to define by exclusion. Zero Trust is not:

Misconception: "A product I can buy"
Reality: It is an architecture composed of identity, network, device, data, and policy components. Vendors sell pieces.

Misconception: "Replace my VPN with a ZTNA gateway and I'm done"
Reality: ZTNA is one pillar. Without identity governance, device posture, and microsegmentation, you have moved the VPN, not solved the problem.

Misconception: "No trust anywhere ever"
Reality: It is "never trust implicitly." Explicit, verified, time-bound trust is granted constantly. The verification is the point.

Misconception: "Just MFA everything"
Reality: MFA is foundational but not sufficient. MFA fatigue, push bombing, and AitM phishing kits all bypass weak MFA; phishing-resistant MFA (FIDO2/WebAuthn, PIV) closes those bypasses but is still only one signal in the access decision.

Misconception: "A networking project"
Reality: It is primarily an identity project. Network and device controls reinforce identity decisions.

Misconception: "All or nothing"
Reality: Maturity models exist precisely because adoption is incremental, typically a 3-5 year programme.

What Changes for Architects and Engineers

If you have built systems with the perimeter model in mind, here is what shifts:

  • From network location to identity. "Allow from 10.0.0.0/8" becomes "Allow if the requester is in group X with a compliant device."
  • From perimeter firewall to per-workload policy. East-west traffic between services inside the VPC is filtered the same as ingress from the internet.
  • From periodic auth to continuous evaluation. Tokens are short-lived; signals (impossible travel, new device, malware on endpoint) can revoke access mid-session.
  • From VPN to application-level access. Users get a token for an app, not a route to a network.
  • From shared service accounts to workload identity. Every service has its own identity (SPIFFE, IAM roles, managed identities) and authenticates per call.
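The five shifts above, as an added example that is not part of this lesson or of any product: a toy policy decision point in Python that evaluates the same constructed requests under the old rule ("allow from 10.0.0.0/8") and under a Zero Trust rule built from identity, device posture, risk signals and token age. The resource and group names, the 15-minute token lifetime, the posture requirements and the risk-signal names are all illustrative assumptions.

```python
"""Toy policy decision point (PDP): a perimeter rule beside a Zero Trust rule.

Added example for this lesson, not code from any product or standard. Every
name, threshold and risk signal below is an illustrative assumption.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

CORP_LAN = ip_network("10.0.0.0/8")   # the network the old model implicitly trusted
TOKEN_MAX_AGE_S = 15 * 60             # assumed lifetime of a short-lived access token
REVOKING_SIGNALS = {"impossible_travel", "new_device", "malware_detected"}

# Assumed access matrix: resource -> (required group, sensitivity).
RESOURCES = {
    "wiki":    ("employees", "low"),
    "payroll": ("finance",   "high"),
}

@dataclass(frozen=True)
class Device:
    managed: bool       # enrolled in MDM and bound to a device certificate
    edr_running: bool
    os_patched: bool

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    source_ip: str
    device: Device
    resource: str
    token_age_s: int                                            # seconds since the token was issued
    risk_signals: frozenset = field(default_factory=frozenset)  # signals raised by the IdP or EDR

@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    step_up: bool = False   # caller should re-authenticate (fresh MFA) and retry

def perimeter_decide(req: Request) -> Decision:
    """Legacy rule, 'allow from 10.0.0.0/8': who is asking and on what device is never consulted."""
    if ip_address(req.source_ip) in CORP_LAN:
        return Decision(True, "source address inside corporate LAN")
    return Decision(False, "source address outside the perimeter; connect to the VPN")

def device_compliant(dev: Device, sensitivity: str) -> bool:
    """Assumed posture policy: high-sensitivity data needs a managed, EDR-protected,
    patched device; low-sensitivity data only needs a patched OS."""
    if sensitivity == "high":
        return dev.managed and dev.edr_running and dev.os_patched
    return dev.os_patched

def zero_trust_decide(req: Request) -> Decision:
    """Evaluate identity, device posture, context and resource sensitivity on every
    request. The source network is deliberately not an input."""
    if req.resource not in RESOURCES:
        return Decision(False, f"unknown resource {req.resource!r}")
    required_group, sensitivity = RESOURCES[req.resource]
    if required_group not in req.groups:
        return Decision(False, f"{req.user} is not in group {required_group!r}")
    if not device_compliant(req.device, sensitivity):
        return Decision(False, f"device posture insufficient for {sensitivity}-sensitivity resource")
    # Continuous evaluation: a risk signal revokes access mid-session even though the
    # token is otherwise valid, and a stale token must be re-issued after fresh auth.
    hits = req.risk_signals & REVOKING_SIGNALS
    if hits:
        return Decision(False, f"risk signal(s) {sorted(hits)}; session revoked", step_up=True)
    if req.token_age_s > TOKEN_MAX_AGE_S:
        return Decision(False, "access token older than policy allows", step_up=True)
    return Decision(True, f"{req.user} in {required_group!r}, compliant device, fresh token")

def scenarios() -> dict:
    """Constructed sample requests; returns name -> (perimeter decision, Zero Trust decision)."""
    laptop = Device(managed=True, edr_running=True, os_patched=True)
    phone = Device(managed=False, edr_running=False, os_patched=False)
    finance = frozenset({"employees", "finance"})
    cases = {
        # On the LAN from a personal, unpatched phone: perimeter says yes, Zero Trust says no.
        "lan_personal_phone_payroll": Request("alice", finance, "10.20.30.40", phone, "payroll", 60),
        # From a coffee shop on a compliant managed laptop: perimeter says no, Zero Trust says yes.
        "cafe_managed_laptop_payroll": Request("alice", finance, "203.0.113.9", laptop, "payroll", 60),
        # Same laptop and token, but the IdP raised an impossible-travel signal mid-session.
        "cafe_impossible_travel": Request("alice", finance, "203.0.113.9", laptop, "payroll", 60,
                                          frozenset({"impossible_travel"})),
        # On the LAN with a compliant laptop but no membership in the finance group.
        "lan_wrong_group_payroll": Request("bob", frozenset({"employees"}), "10.1.1.1", laptop, "payroll", 60),
        # Long-lived session on a compliant laptop: the token itself has aged out.
        "cafe_stale_token_wiki": Request("bob", frozenset({"employees"}), "203.0.113.9", laptop, "wiki", 8 * 3600),
    }
    return {name: (perimeter_decide(r), zero_trust_decide(r)) for name, r in cases.items()}

if __name__ == "__main__":
    for name, (perim, zt) in scenarios().items():
        print(f"{name:30} perimeter={'ALLOW' if perim.allow else 'DENY':5} "
              f"zero-trust={'ALLOW' if zt.allow else 'DENY':5} ({zt.reason})")
```

Note that the source network never enters zero_trust_decide: the LAN request from a personal phone is denied while the coffee-shop request from a compliant laptop is allowed, and an impossible-travel signal or an aged-out token revokes an otherwise valid session with a step-up hint rather than a flat deny. That revoke-and-re-verify path is what "continuous evaluation" means in practice; in a real deployment the signals would come from the IdP and EDR, and the decision would be enforced at the application or service mesh, not at a network chokepoint.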

The Honest Trade-offs

  • Complexity. Replacing one firewall with hundreds of policy decisions is more moving parts. Tooling is essential.
  • Cost. Identity providers, EDR, ZTNA, SIEM, microsegmentation — the price tag is real.
  • User experience. Done badly: constant MFA prompts and frustrated users. Done well: smoother than VPN, because access is application-direct.
  • Cultural change. "Trust the network" is baked into thirty years of habit. Re-training takes time.

The benefits compound: smaller blast radius from breaches, no VPN bottleneck for remote workers, easier mergers (no network merge required for access), and an auditable record of every access decision.

In the next lesson we will look at the formal model — NIST 800-207 and CISA's maturity ladder — that turns "never trust, always verify" into something concrete you can architect against.

Key Takeaways

  • Zero Trust assumes the network is hostile — verify every request, do not trust by location.
  • It replaces the "castle and moat" perimeter model with identity-centric, context-aware access.
  • It is an architecture and a strategy, not a single product you can buy.
  • The catalysts: cloud, SaaS, remote work, lateral movement after a single compromise, and supply-chain attacks.
  • US Executive Order 14028 (2021) made it federal policy; CISA published a maturity model.
