Core Principles

No user, device, or network is trusted by default. Every access request is authenticated and authorized, regardless of source location.

Design systems assuming attackers are already inside. Minimize blast radius with segmentation and limit lateral movement.

Grant only the minimum necessary access. Use just-in-time (JIT) access elevation for privileged operations.

Authenticate and authorize using all available data points: identity, location, device health, service, workload, data classification.

Zero Trust Pillars

Pillar	Focus	Key Technologies
Identity	Strong authentication for all users and services	MFA, SSO, FIDO2, conditional access policies
Device	Verify device health and compliance before access	MDM, EDR, device certificates, posture checks
Network	Micro-segmentation, encrypt all traffic	ZTNA, SD-WAN, software-defined perimeter
Application	Per-application authorization, app-layer filtering	API gateway, WAF, app proxy, CASB
Data	Classify and protect data, encrypt at rest and transit	DLP, encryption, data classification labels
Visibility	Continuous monitoring and telemetry	SIEM, UEBA, XDR, log analytics

Level	Characteristics
Traditional	Perimeter-based, implicit trust inside network, VPN-centric
Initial	MFA enabled, basic device management, some segmentation
Advanced	Conditional access, device compliance, per-app auth, microsegmentation
Optimal	Continuous validation, JIT/JEA access, full automation, adaptive policies

Aspect	Perimeter Model	Zero Trust
Trust model	Trust inside, verify outside	Never trust, always verify
Network access	VPN to full network	Per-application, least privilege
Lateral movement	Easy once inside	Prevented by microsegmentation
Remote work	VPN required	ZTNA, works from anywhere
Cloud fit	Poor (no perimeter)	Excellent