The SolarWinds attack. The Colonial Pipeline breach. The Okta compromise. Each of these incidents exploited the same fundamental assumption baked into traditional security architecture: that users and systems inside the network perimeter can be trusted.
That assumption is dead. Zero Trust is its replacement.
The Three Pillars of Zero Trust
Zero Trust is not a product you buy. It is an architectural philosophy built on three principles:
- Verify explicitly. Authenticate and authorise every request, every time, regardless of network location.
- Use least privilege. Grant the minimum access required to complete a task, and revoke it when the task is done.
- Assume breach. Design systems as if attackers are already inside. Limit blast radius, encrypt everything, log everything.
Identity Is the New Perimeter
In a Zero Trust model, identity replaces the network as the primary security boundary. This means investing heavily in your identity infrastructure: strong MFA (preferably hardware keys or passkeys), just-in-time access provisioning, and continuous risk-based authentication.
Every privileged action should require re-authentication. The window between credential compromise and privilege escalation is where breaches live.
Micro-Segmentation in Practice
Network micro-segmentation divides your infrastructure into small, isolated zones. Each communication path between zones requires explicit policy approval. The practical implementation differs by environment:
- Kubernetes: NetworkPolicy resources with default-deny rules, enforced by Calico or Cilium
- Cloud infrastructure: Security groups and VPC endpoints with explicit allow-lists
- Service mesh: mTLS everywhere with Istio or Linkerd, so no service trusts another without a valid certificate
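The list above names the enforcement mechanisms; the following added example (written for this edit, not code from the page or from any of the projects it names) shows what "explicit policy approval" looks like as a checkable artefact. It keeps a per-zone ingress allow-list, audits a constructed flow log against it with everything unlisted denied, and renders one zone's rules as a Kubernetes NetworkPolicy. The zone names, ports, log format and the assumption of one namespace per zone labelled `zone=<name>` are all constructed for illustration. One caveat worth remembering with the Kubernetes option: a namespace with no NetworkPolicy at all permits all traffic, so the empty-ingress policy this code emits for an unlisted zone is the default-deny baseline you need before any allow rules mean anything.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed allow-list (not from the page): for each destination zone, the
# (source zone, protocol, port) triples that are explicitly permitted.
# Any path not listed is denied, which is what a default-deny baseline gives.
INGRESS_ALLOW: Dict[str, Set[Tuple[str, str, int]]] = {
    "frontend": {("ingress-gw", "tcp", 443)},
    "api":      {("frontend", "tcp", 8443)},
    "db":       {("api", "tcp", 5432)},
}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line:
    '<timestamp> <src_zone> <dst_zone> <proto> <dport>'."""
    _ts, src, dst, proto, port = line.split()
    return Flow(src, dst, proto.lower(), int(port))


def is_allowed(flow: Flow) -> bool:
    """Default deny: only an explicit entry for the destination zone allows a path."""
    return (flow.src_zone, flow.proto, flow.dport) in INGRESS_ALLOW.get(flow.dst_zone, set())


def audit_flows(lines: List[str]) -> List[Flow]:
    """Return observed flows the policy would block. Each is either a legitimate
    path that still needs an explicit rule, or lateral movement to investigate."""
    return [f for f in map(parse_flow, lines) if not is_allowed(f)]


def to_network_policy(zone: str) -> dict:
    """Render one zone's allow-list as a Kubernetes NetworkPolicy (dict form; dump
    with json or yaml). Assumes one namespace per zone, labelled zone=<name>.
    A zone with no entries yields an empty ingress list, i.e. the default-deny policy."""
    rules = [
        {
            "from": [{"namespaceSelector": {"matchLabels": {"zone": src}}}],
            "ports": [{"protocol": proto.upper(), "port": port}],
        }
        for src, proto, port in sorted(INGRESS_ALLOW.get(zone, set()))
    ]
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "zt-ingress", "namespace": zone},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": rules},
    }


# Constructed sample flow log (not real traffic).
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z frontend api tcp 8443",
    "2024-05-01T10:00:01Z api db tcp 5432",
    "2024-05-01T10:00:02Z frontend db tcp 5432",   # frontend reaching the DB directly
    "2024-05-01T10:00:03Z api db tcp 22",          # SSH from the API tier to the DB tier
    "2024-05-01T10:00:04Z ingress-gw frontend tcp 443",
    "2024-05-01T10:00:05Z batch api tcp 8443",     # zone with no policy entry at all
]

if __name__ == "__main__":
    import json
    for f in audit_flows(SAMPLE_LOG):
        print("DENY", f)
    print(json.dumps(to_network_policy("db"), indent=2))
```

Running the audit over the sample log flags three flows: the frontend talking to the database directly, SSH between the API and database tiers, and a zone that has no rules at all. The same allow-list that drives the audit produces the manifests, so the policy you review and the policy you enforce cannot drift apart.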
Device Trust
User identity alone is insufficient. Every access decision should factor in device health: is the device enrolled in MDM? Is the OS patched? Does it have disk encryption enabled? Solutions like Kolide, Jamf, and Microsoft Intune can feed device posture signals into your identity provider.
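To make the three pillars, the identity section and the device-trust point concrete, here is an added example of a policy decision function (written for this edit; it is not code from the page or from Kolide, Jamf, Intune or any identity provider). It verifies explicitly by requiring a strong MFA method and a healthy device posture, applies least privilege through time-boxed just-in-time grants, demands a recent re-authentication for privileged actions, and logs every decision on the assumption that the log will one day be the only record of what happened. The MFA method names, the five-minute re-authentication window, the action names, and the users, grants and device records are all constructed assumptions.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional, Tuple

# Constructed policy constants (not from the page).
STRONG_MFA = {"passkey", "hardware_key"}        # verify explicitly: phishing-resistant MFA only
PRIVILEGED_ACTIONS = {"delete", "rotate_keys"}  # these require a fresh re-authentication
REAUTH_WINDOW = timedelta(minutes=5)            # how recent that re-authentication must be


@dataclass(frozen=True)
class DevicePosture:
    mdm_enrolled: bool
    os_patched: bool
    disk_encrypted: bool


@dataclass(frozen=True)
class Grant:
    """Just-in-time grant: scoped to one resource and action set, and time-boxed."""
    user: str
    resource: str
    actions: FrozenSet[str]
    expires_at: datetime


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    action: str
    mfa_method: Optional[str]   # how the current session was authenticated
    last_auth_at: datetime      # when the user last proved presence
    device: DevicePosture       # posture signal fed in from MDM
    now: datetime


DECISION_LOG: List[dict] = []   # assume breach: every decision, allow or deny, is recorded


def device_is_healthy(d: DevicePosture) -> bool:
    return d.mdm_enrolled and d.os_patched and d.disk_encrypted


def find_active_grant(req: AccessRequest, grants: List[Grant]) -> Optional[Grant]:
    """Least privilege: the grant must name this user, resource and action, and be unexpired."""
    for g in grants:
        if (g.user == req.user and g.resource == req.resource
                and req.action in g.actions and g.expires_at > req.now):
            return g
    return None


def decide(req: AccessRequest, grants: List[Grant]) -> Tuple[bool, str]:
    """Evaluate one request and return (allowed, reason).
    Checks run in order: strong MFA, device health, an unexpired grant covering
    the action, and a recent re-authentication for privileged actions."""
    if req.mfa_method not in STRONG_MFA:
        verdict = (False, "mfa_not_strong")
    elif not device_is_healthy(req.device):
        verdict = (False, "device_unhealthy")
    elif find_active_grant(req, grants) is None:
        verdict = (False, "no_active_grant")
    elif req.action in PRIVILEGED_ACTIONS and req.now - req.last_auth_at > REAUTH_WINDOW:
        verdict = (False, "reauth_required")
    else:
        verdict = (True, "allowed")
    DECISION_LOG.append({"at": req.now.isoformat(), "user": req.user,
                         "resource": req.resource, "action": req.action,
                         "allowed": verdict[0], "reason": verdict[1]})
    return verdict


# Constructed sample data (not real users, devices or grants).
NOW = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
HEALTHY = DevicePosture(mdm_enrolled=True, os_patched=True, disk_encrypted=True)
UNPATCHED = replace(HEALTHY, os_patched=False)
GRANTS = [
    Grant("alice", "prod-db", frozenset({"read", "delete"}), NOW + timedelta(hours=1)),
    Grant("bob", "prod-db", frozenset({"read"}), NOW - timedelta(minutes=1)),  # already expired
]
BASE = AccessRequest(user="alice", resource="prod-db", action="read", mfa_method="passkey",
                     last_auth_at=NOW - timedelta(minutes=1), device=HEALTHY, now=NOW)


def run_samples() -> List[str]:
    """Walk six requests through the policy; returns the reason string for each."""
    requests = [
        BASE,                                                   # everything in order
        replace(BASE, mfa_method="totp"),                       # weaker MFA method
        replace(BASE, device=UNPATCHED),                        # posture check fails
        replace(BASE, user="bob"),                              # bob's grant has expired
        replace(BASE, action="delete",
                last_auth_at=NOW - timedelta(minutes=30)),      # privileged, stale auth
        replace(BASE, action="delete"),                         # privileged, fresh auth
    ]
    return [decide(r, GRANTS)[1] for r in requests]


if __name__ == "__main__":
    run_samples()
    for entry in DECISION_LOG:
        print(entry)
```

The ordering of the checks is deliberate: identity and device are evaluated before any grant lookup, so a compromised credential on an unmanaged laptop never reaches the authorisation step, and the privileged `delete` is refused when the last proof of presence is thirty minutes old but permitted when it is one minute old. That last pair is the re-authentication window the identity section describes.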
The Zero Trust Maturity Model
CISA publishes a Zero Trust Maturity Model with five pillars: Identity, Devices, Networks, Applications, and Data. Use it as a roadmap. Most organisations are at the “Traditional” or “Initial” stage — and that is fine. Zero Trust is a journey measured in years, not a project with a completion date.