
What is Zero Trust?

Zero Trust is a security model that treats every user, device, and service as untrusted by default — regardless of whether they sit inside or outside the corporate network. Every access request is independently authenticated, authorised, and policy-evaluated based on identity, device posture, location, and context. The phrase 'never trust, always verify' captures the model. It replaces the legacy castle-and-moat perimeter with continuous verification at every resource.

Traditional perimeter security assumed: inside the firewall is trusted, outside is not. Once an attacker breached the perimeter (or an employee simply connected over the VPN), they had broad lateral access. Cloud workloads, SaaS apps, remote work, and supply-chain attacks have made this assumption fatal. Zero Trust replaces it.

Implementation is layered. Identity becomes the new perimeter — strong authentication (MFA, phishing-resistant) plus device posture (managed? encrypted? patched?) plus risk signals (impossible travel, anomalous behaviour). Access is granted just-in-time, just-enough, to specific resources for specific durations — not 'VPN onto the network and reach everything.' Microsegmentation prevents lateral movement; identity-aware proxies replace VPNs; service-to-service authentication uses mTLS or signed JWTs rather than IP allowlists.
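The per-request decision described above, as an added example that is not part of the Infilux glossary page: a minimal policy decision point that takes identity (MFA method, group membership), device posture (managed, encrypted, patch age) and a risk signal (impossible travel) as inputs, and either denies with a list of reasons or issues a grant scoped to one resource with a short expiry. Network location is deliberately not an input. The resource names, policy table, thresholds and sample requests are all constructed for illustration.

```python
"""Added example: a Zero Trust policy decision point (PDP) in plain Python.
Every request is evaluated from scratch; a grant names one resource and expires.
All resources, groups and thresholds below are constructed, not from any product."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

@dataclass
class Identity:
    user: str
    mfa_method: Optional[str]          # e.g. "fido2", "totp", or None if MFA not completed
    groups: Set[str] = field(default_factory=set)

@dataclass
class Device:
    managed: bool
    disk_encrypted: bool
    patch_age_days: int

@dataclass
class Context:
    country: str
    last_login_country: Optional[str]
    minutes_since_last_login: Optional[int]

@dataclass
class Grant:
    resource: str
    expires_at: datetime

PHISHING_RESISTANT = {"fido2", "webauthn"}
MAX_PATCH_AGE_DAYS = 30

# Constructed resource policy: required group, grant lifetime, and whether
# phishing-resistant MFA is mandatory. High-value data gets the shortest grant.
POLICY = {
    "payroll-db": {"group": "finance", "ttl_minutes": 15, "phishing_resistant_mfa": True},
    "wiki":       {"group": "staff",   "ttl_minutes": 480, "phishing_resistant_mfa": False},
}

def impossible_travel(ctx: Context) -> bool:
    """Crude risk signal: a different country than the previous login, under an hour apart."""
    if ctx.last_login_country is None or ctx.minutes_since_last_login is None:
        return False
    return ctx.country != ctx.last_login_country and ctx.minutes_since_last_login < 60

def evaluate(identity: Identity, device: Device, ctx: Context, resource: str,
             now: Optional[datetime] = None) -> Tuple[Optional[Grant], List[str]]:
    """Return (grant, reasons). grant is None if any check fails; reasons lists
    every failed check so the denial is auditable. Every check runs on every
    request: there is no cached 'already inside the network' state."""
    now = now or datetime.now(timezone.utc)
    reasons: List[str] = []
    rule = POLICY.get(resource)
    if rule is None:
        return None, [f"unknown resource {resource}"]
    if identity.mfa_method is None:
        reasons.append("MFA not completed")
    elif rule["phishing_resistant_mfa"] and identity.mfa_method not in PHISHING_RESISTANT:
        reasons.append(f"{resource} requires phishing-resistant MFA")
    if rule["group"] not in identity.groups:
        reasons.append(f"not a member of {rule['group']}")
    if not device.managed:
        reasons.append("unmanaged device")
    if not device.disk_encrypted:
        reasons.append("disk not encrypted")
    if device.patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append(f"device unpatched for {device.patch_age_days} days")
    if impossible_travel(ctx):
        reasons.append("impossible travel")
    if reasons:
        return None, reasons
    # Just-in-time, just-enough: one resource, bounded lifetime.
    return Grant(resource, now + timedelta(minutes=rule["ttl_minutes"])), []

if __name__ == "__main__":
    # Constructed sample requests.
    alice = Identity("alice", "fido2", {"finance", "staff"})
    bob = Identity("bob", "totp", {"finance", "staff"})
    laptop = Device(managed=True, disk_encrypted=True, patch_age_days=3)
    here = Context("GB", "GB", 30)
    for who, res in ((alice, "payroll-db"), (bob, "payroll-db"), (bob, "wiki")):
        grant, why = evaluate(who, laptop, here, res)
        print(who.user, res, "GRANT until", grant.expires_at if grant else "DENY", why)
```

The reasons list is what a detection team wants: a denial for "impossible travel" on a valid credential is a stronger alert than a failed password, because the identity check passed and the context check did not.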

Zero Trust is not a product. It's an architecture pattern with multiple implementation paths — Google's BeyondCorp, Microsoft's Zero Trust framework, NIST SP 800-207. Most enterprises adopt incrementally: identity-aware proxies for SaaS first, then conditional access for managed devices, then microsegmentation for the highest-value workloads, then service mesh for east-west traffic.

Key points

  • Principle: 'never trust, always verify' — no implicit trust from network location.
  • Components: strong identity (MFA), device posture, just-in-time access, microsegmentation, continuous evaluation.
  • Replaces VPN-based perimeter with identity-aware proxies.
  • Reference architecture: NIST SP 800-207.
  • Adopted incrementally — most teams take 18–36 months for a comprehensive rollout.

Frequently asked

Is Zero Trust the same as ZTNA?
ZTNA (Zero Trust Network Access) is a specific category of products that implement Zero Trust principles for remote access — replacing the VPN. Zero Trust is the broader architecture; ZTNA is one component. Other Zero Trust components include identity providers (Okta, Entra ID), CASB / SSE for SaaS, microsegmentation tools, and service-mesh-based service-to-service authentication.
Can we adopt Zero Trust without ripping out the VPN?
Yes, and most enterprises do. The typical migration: deploy ZTNA alongside the VPN for new applications; gradually move existing applications behind the ZTNA proxy; retire the VPN for general access after 12–24 months; keep a small legacy VPN for niche cases (network appliance management, specific legacy apps).
What about service-to-service traffic in microservices?
Same Zero Trust principles apply. Service-to-service authentication should use mutual TLS (mTLS) or signed-JWT bearer tokens, not IP allowlists. Service mesh tools (Istio, Linkerd, Consul) make this practical at scale by automating certificate issuance and rotation.
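The signed-JWT bearer-token path from the answer above, as an added example that is not part of the glossary page or of any service mesh: one service mints a token naming itself as issuer and the callee as audience, and the callee accepts it only if the signature, issuer, audience and expiry all check out. The caller's IP address is never consulted. To stay standard-library only the example signs with HS256 and a constructed shared secret; a mesh such as the ones named above would instead issue per-service asymmetric keys or mTLS certificates, but the claim checks on the receiving side are the same. Service names and the secret are constructed.

```python
"""Added example: minimal signed-JWT service-to-service authentication.
HS256 with a constructed shared secret is used only to keep this stdlib-only;
the verification logic (alg pin, signature, iss, aud, exp) is what matters."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

SECRET = b"constructed-shared-secret-not-for-real-use"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())

def mint_token(secret: bytes, issuer: str, audience: str, ttl_seconds: int,
               now: Optional[int] = None) -> str:
    """Caller side: identity is the issuer claim, and aud pins the intended callee."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": issuer, "aud": audience, "iat": now, "exp": now + ttl_seconds}
    signing_input = f"{_segment(header)}.{_segment(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_token(token: str, secret: bytes, expected_issuer: str, expected_audience: str,
                 now: Optional[int] = None) -> Tuple[Optional[dict], Optional[str]]:
    """Callee side: returns (claims, None) on success or (None, reason) on failure.
    Nothing about the network path (source IP, VPN, subnet) is an input."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    h, c, s = parts
    try:
        header = json.loads(_b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None, "malformed header"
    # Pin the algorithm: never trust the token's own alg for anything but equality.
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected_sig = hmac.new(secret, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        return None, "bad signature"
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != expected_issuer:
        return None, "wrong issuer"
    if claims.get("aud") != expected_audience:
        return None, "wrong audience"   # a token for another service is not reusable here
    if now >= claims.get("exp", 0):
        return None, "expired"
    return claims, None

def tamper_audience(token: str, new_audience: str) -> str:
    """Constructed test helper: rewrite aud without re-signing, as a forger without the key would."""
    h, c, s = token.split(".")
    claims = json.loads(_b64url_decode(c))
    claims["aud"] = new_audience
    return f"{h}.{_segment(claims)}.{s}"

if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = mint_token(SECRET, "orders-svc", "payments-svc", ttl_seconds=300, now=t0)
    print(verify_token(tok, SECRET, "orders-svc", "payments-svc", now=t0 + 10))
    print(verify_token(tok, SECRET, "orders-svc", "ledger-svc", now=t0 + 10))
    print(verify_token(tok, SECRET, "orders-svc", "payments-svc", now=t0 + 300))
    print(verify_token(tamper_audience(tok, "ledger-svc"), SECRET, "orders-svc", "ledger-svc", now=t0 + 10))
```

Short lifetimes are what make token theft low-value: a 300-second token replayed after rotation is rejected by the same `exp` check, which is why the answer above stresses automated issuance and rotation rather than long-lived static credentials.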