Glossary/Detection Engineering/Zero Trust Security

What Is Zero Trust Security? The Model Explained

A user logs in from the corporate office, on a managed laptop, inside the firewall. Under the old model, that login earned broad access to file shares, internal apps, and adjacent systems. Under zero trust, none of that location context grants anything. The request is evaluated on its own: who is asking, what device they are on, what they want to reach, and whether the policy allows it right now. Then the same check runs again on the next request.

That shift, from trusting the network to verifying every request, is the whole idea. Zero trust security is a model that removes implicit trust based on network location and replaces it with continuous, per-request verification of identity, device, and context.

This article covers the model itself: where it came from, the principles that define it, and how it maps to the NIST standard that formalized it. The mechanics of policy engines, enforcement points, and segmentation gateways are a separate subject, covered in the companion piece on zero trust architecture.

What is zero trust security?

Zero trust security is a strategy built on one assumption: no user, device, or connection is trusted by default, regardless of whether it sits inside or outside the network perimeter. Every access request is authenticated, authorized, and validated against policy before it is granted, and access is scoped to the minimum the request needs.

The phrase that captures it is "never trust, always verify." A traditional perimeter model treats the internal network as a trusted zone. Once an attacker gets inside, through a phished credential or an exposed service, that trust works against the defender. The intruder moves freely because the network assumes anyone inside belongs there. Zero trust removes that assumption. Being on the network is not evidence of anything.

It is worth being precise about what zero trust is and is not. It is not a product you buy, and it is not a single technology. It is a model that several technologies serve: identity verification, device posture checks, segmentation, least privilege access, and continuous monitoring. A vendor selling a "zero trust solution" is selling one or more of those components, not the model itself.

Where zero trust came from

The term was coined in 2010 by John Kindervag, then a principal analyst at Forrester Research, in a report titled "No More Chewy Centers: Introducing the Zero Trust Model of Information Security." The title mocked the prevailing design. Networks were built like an M&M: a hard, crunchy outside (the perimeter firewall) and a soft, chewy center (the flat, trusted internal network). Break the shell once and everything inside was exposed.

Kindervag's argument was that trust itself is a vulnerability. Classifying one side of a firewall as trusted and the other as untrusted was, in his analysis, a primary source of breaches. The fix was to stop granting trust based on network position and instead verify every request against identity and policy.

The model gained institutional weight over the following decade. In August 2020, the National Institute of Standards and Technology published SP 800-207, "Zero Trust Architecture," a vendor-neutral standard that gave the model a formal definition. In 2021, US Executive Order 14028 directed federal agencies to adopt zero trust, which pushed it from analyst concept to procurement requirement. By its fifteenth year, zero trust had moved from a contrarian idea to a baseline expectation.

Core principles of zero trust

Zero Trust Security
Three principles. One rule: never trust, always verify.
NIST SP 800-207 states seven tenets. Practitioners work the same model as three principles.
01
Verify explicitly
Authenticate and authorize every request on its own, using identity, device health, location, and context. Continuous, not once at login.
02
Least privilege access
Grant the minimum access the request needs, for the shortest time. A compromised credential yields far less.
03
Assume breach
Operate as though an attacker is already inside. Segment access, encrypt traffic, monitor continuously. Shrink the blast radius.
The connecting logic Containment. Zero trust accepts that breaches happen and designs so the damage stays small, a sharp break from a model whose entire defense was keeping attackers out.

NIST SP 800-207 defines seven tenets, but vendors and practitioners usually compress them into three working principles. Both views describe the same model.

1. Verify explicitly, every time

Authenticate and authorize every request using all available signals: user identity, device health, location, the resource being requested, and behavioral context. Verification is not a one-time event at login. It is continuous, and a session that looked safe a minute ago can be re-evaluated and cut off when the signals change.

2. Use least privilege access

Grant the minimum access the request needs, for the shortest time it needs it. Just-in-time and just-enough-access models limit standing permissions. This principle is the direct counter to privilege escalation: if an account holds only the rights it currently requires, a compromised credential yields far less.

3. Assume breach

Operate as though an attacker is already inside. Segment access so a single compromise cannot reach everything, encrypt traffic end to end, and monitor continuously to detect and respond. The goal is to shrink the blast radius. Assume-breach thinking is what turns a perimeter breach into a contained incident instead of a domain-wide one.

The connecting logic is containment. Zero trust accepts that breaches happen and designs so the damage stays small. That is a sharp break from a model whose entire defense was keeping attackers out.

The seven NIST tenets

SP 800-207 states the model as seven tenets. They are the authoritative version and worth knowing verbatim if you work near compliance.

#Tenet (NIST SP 800-207)
1All data sources and computing services are considered resources.
2All communication is secured regardless of network location.
3Access to individual enterprise resources is granted on a per-session basis.
4Access is determined by dynamic policy, including client identity, application, and the requesting asset's observable state.
5The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
6All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
7The enterprise collects as much information as possible about asset and network state and uses it to improve security posture.

Read them together and a single behavior emerges: every resource is protected, every request is checked against current policy on its own merits, and the decision is informed by as much real-time data as the enterprise can gather.

How the model replaces the perimeter

The clearest way to understand zero trust is to compare it against the model it replaces. Perimeter security and zero trust answer the question "should this request be allowed" in opposite ways.

DimensionPerimeter modelZero trust model
Trust basisNetwork location (inside = trusted)Identity, device, and policy, per request
VerificationOnce, at the perimeterContinuous, every request
Default postureAllow internal trafficDeny until verified
Access scopeBroad once insideLeast privilege, scoped
Breach assumptionKeep attackers outAssume attackers are in
Internal movementLargely unrestrictedRestricted by segmentation

The practical payoff shows up in lateral movement. In a flat perimeter network, an attacker who lands on one host can pivot toward higher-value systems with little resistance, because internal traffic is trusted. Zero trust breaks that by requiring authentication and authorization for each internal hop, so a single foothold does not open the rest of the environment.

This is also why a VPN is not zero trust. A VPN extends the trusted perimeter to a remote user and then grants broad network access once connected. It answers "is this connection from an approved tunnel," not "should this identity reach this specific resource right now." Zero trust network access (ZTNA) brokers per-application access instead, which is why many organizations adopting zero trust phase VPNs out.

What it takes to operate zero trust

The model rests on a few capabilities working together. None of them is zero trust alone; together they enforce it.

  • Strong identity. Multi-factor authentication and a central identity provider, so the system actually knows who is asking. Identity becomes the new control plane.
  • Device posture. Signals about the requesting device: is it managed, patched, free of known compromise. A valid credential on a compromised laptop should not pass.
  • Segmentation. Dividing the environment so access to one resource does not imply access to others. This is the structural enforcement of "limit the blast radius."
  • Policy-driven access decisions. A control point that evaluates each request against rules using identity, device, and context signals, then allows or denies.
  • Continuous monitoring. Telemetry on every session so policy can re-evaluate and revoke access when behavior or risk changes.

How these components are arranged, the policy engine, policy administrator, and enforcement points, is the domain of zero trust architecture and is covered in the companion article. This piece stays on the model and its principles.

Why organizations adopt it

The model earns its place by addressing how breaches actually unfold today. Three drivers stand out.

Identity-based attacks dominate. Stolen and phished credentials are a leading entry point, and a perimeter model has no answer once a valid credential walks through the front door. Verifying identity and device on every request, not just at login, blunts that path.

Work moved off the perimeter. Remote work, cloud workloads, and SaaS mean the resources and the users are often both outside the corporate network. There is no single perimeter left to defend. Zero trust shifts the control point to identity and policy, which travel with the user and the resource.

Breach containment beats breach prevention as a strategy. No defense keeps every attacker out. A model that assumes breach and limits the blast radius produces smaller, more recoverable incidents than one whose only plan was a wall.

Frequently asked questions

What is zero trust security in simple terms?

Zero trust security is a model that trusts no user or device by default and verifies every access request, regardless of whether it comes from inside or outside the network. The guiding phrase is "never trust, always verify." Being on the network grants no access on its own.

Is zero trust a product I can buy?

No. Zero trust is a strategy, not a product. Vendors sell components that support it, such as identity providers, multi-factor authentication, segmentation, and policy enforcement tools, but no single product delivers zero trust by itself. The model is how those pieces are combined and governed.

What is the difference between zero trust security and zero trust architecture?

Zero trust security is the model and strategy: the principles and the "never trust, always verify" approach. Zero trust architecture is the technical design that implements it, including the policy engine, policy administrator, and enforcement points defined in NIST SP 800-207. One is the why and the principles, the other is the how and the components.

What are the core principles of zero trust?

The three working principles are verify explicitly on every request, enforce least privilege access, and assume breach. NIST SP 800-207 states the same model as seven tenets, the heart of which is that every resource is protected and every request is checked against dynamic policy before access is granted.

Does zero trust replace VPNs and firewalls?

It changes their role. A VPN grants broad network access after one check, which is the opposite of zero trust. Zero trust network access brokers per-application access instead, and many organizations phase VPNs out as they adopt it. Firewalls and other perimeter tools still have uses, but they stop being the primary basis for trust.

Frequently asked questions

What is zero trust security in simple terms?

Zero trust security is a model that trusts no user or device by default and verifies every access request, regardless of whether it comes from inside or outside the network. The guiding phrase is "never trust, always verify." Being on the network grants no access on its own.

Is zero trust a product I can buy?

No. Zero trust is a strategy, not a product. Vendors sell components that support it, such as identity providers, multi-factor authentication, segmentation, and policy enforcement tools, but no single product delivers zero trust by itself. The model is how those pieces are combined and governed.

What is the difference between zero trust security and zero trust architecture?

Zero trust security is the model and strategy: the principles and the "never trust, always verify" approach. Zero trust architecture is the technical design that implements it, including the policy engine, policy administrator, and enforcement points defined in NIST SP 800-207. One is the why and the principles, the other is the how and the components.

What are the core principles of zero trust?

The three working principles are verify explicitly on every request, enforce least privilege access, and assume breach. NIST SP 800-207 states the same model as seven tenets, the heart of which is that every resource is protected and every request is checked against dynamic policy before access is granted.

Does zero trust replace VPNs and firewalls?

It changes their role. A VPN grants broad network access after one check, which is the opposite of zero trust. Zero trust network access brokers per-application access instead, and many organizations phase VPNs out as they adopt it. Firewalls and other perimeter tools still have uses, but they stop being the primary basis for trust.

Practice track
SOC Analyst Tier 1
Build your foundational skills to monitor, detect, and escalate security alerts. This track includes essential tools, basic log analysis, and introductory incident response labs.
Browse SOC Analyst Tier 1 Labs โ†’