Compliance Glossary

What is Zero Trust?

Definition

Zero Trust is a security model based on the principle that no user, device, or network should be inherently trusted, regardless of location. Every access request must be continuously verified based on identity, device posture, and context before granting access.

In Depth

Zero Trust represents a fundamental shift from the traditional castle-and-moat security model, which assumed that everything inside the corporate network could be trusted. In a Zero Trust architecture, identity becomes the new perimeter, and every access request is evaluated based on multiple signals: user identity and authentication strength, device health and compliance status, network location and context, resource sensitivity, and behavioral anomalies.

Key technical components include strong identity verification (MFA, passwordless authentication), micro-segmentation (limiting lateral movement between network zones), least-privilege access, continuous monitoring and validation (re-evaluating trust throughout a session), and comprehensive logging for security analytics.

While no compliance framework explicitly mandates Zero Trust by name, the model aligns closely with requirements across SOC 2, ISO 27001, HIPAA, and GDPR. NIST Special Publication 800-207 provides the definitive architecture guide. Organizations typically adopt Zero Trust incrementally, starting with identity and access management before extending to network segmentation and workload protection.
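As an added illustration (example code written for this glossary entry, not taken from the page or from any product it mentions), the following minimal policy decision point evaluates an access request against the signals listed above and re-evaluates an open session whenever a signal changes. The field names, the anomaly threshold, and the network labels are assumptions chosen for the example.

```python
from dataclasses import dataclass, replace

ANOMALY_DENY = 0.8  # assumed threshold: anomaly score at which access is refused


@dataclass(frozen=True)
class AccessRequest:
    """One access request carrying the signals the text enumerates."""
    user: str               # verified identity ("" = unauthenticated)
    mfa: bool               # authentication strength: MFA completed?
    device_compliant: bool  # device health / compliance status (e.g. from MDM)
    network: str            # context: "corporate", "remote" or "unknown" (assumed labels)
    resource: str
    sensitivity: str        # resource sensitivity: "low" or "high"
    anomaly_score: float    # behavioral anomaly, 0.0 (normal) .. 1.0 (highly anomalous)


def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Policy decision for a single request. Being on the corporate network
    never grants trust by itself; network context can only raise the bar."""
    if not req.user:
        return False, "unauthenticated"
    if req.anomaly_score >= ANOMALY_DENY:
        return False, "behavioral anomaly"
    if not req.mfa:
        return False, "MFA required"
    if req.sensitivity == "high":
        if not req.device_compliant:
            return False, "non-compliant device"
        if req.network == "unknown":
            return False, "unknown network context"
    return True, "allowed"


class Session:
    """Continuous validation: trust is re-evaluated with fresh signals during
    the session, not only at login. A terminated session stays terminated."""

    def __init__(self, req: AccessRequest) -> None:
        self.req = req
        self.active, self.reason = evaluate(req)

    def refresh(self, **signals) -> bool:
        """Apply updated signals (e.g. device fell out of compliance) and re-decide."""
        if not self.active:
            return False
        self.req = replace(self.req, **signals)
        self.active, self.reason = evaluate(self.req)
        return self.active
```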
