Glossary · Security testing

What is Zero Trust?

Also known as: Zero Trust Architecture, ZTA, Never trust, always verify

Zero Trust is a security model built on the principle never trust, always verify. It grants no implicit trust based on network location, treating every user, device, and connection as untrusted until proven otherwise through continuous verification of identity, enforcement of least privilege, and segmentation.

Key takeaways

  • Zero trust removes implicit trust based on network location.
  • Every access request is continuously verified, not assumed safe once inside.
  • Core pillars include strong identity, least privilege, and segmentation.
  • It directly limits an attacker's ability to move laterally after a breach.

What is the core idea behind zero trust?

Traditional security treated the corporate network like a castle: a hardened perimeter outside, and broad trust for anything inside. Zero trust rejects that assumption. It starts from the premise that the network may already be compromised, so no user, device, or request is trusted simply because it originates from inside the firewall.

Instead, trust must be earned continuously. Each access request is evaluated against identity, device health, and policy at the moment it is made, and access is granted only for what is needed, only for as long as it is needed. The mantra never trust, always verify captures this shift from location-based trust to verification-based trust.

What are the building blocks of a zero-trust architecture?

Zero trust is an architecture and strategy rather than a single product. Guidance such as the CISA Zero Trust Maturity Model describes it across several pillars, all reinforcing the same principle of continuous, contextual verification.

  • Strong identity and authentication, often with multi-factor and continuous evaluation.
  • Least privilege access, so each identity can reach only what it requires.
  • Micro-segmentation, so a breach in one area does not grant reach into others.
  • Device and workload verification, checking health and posture before granting access.
  • Continuous monitoring and policy enforcement across every request.

How does zero trust reduce breach impact?

The biggest payoff of zero trust is containment. Because trust is never implied by network position, an attacker who compromises one system cannot simply roam the internal network. Each subsequent hop demands fresh verification, which sharply limits lateral movement and the blast radius of any single compromise.

Adopting zero trust is a journey, not a switch, and its controls need testing to be trusted. Breach and attack simulation can validate whether your segmentation and identity controls actually stop an attacker mid-pivot, rather than assuming they do.

Frequently asked questions

Is zero trust a product you can buy?
No. Zero trust is a security strategy and architecture, not a single product. It is achieved by combining identity, access, segmentation, and monitoring capabilities under a consistent never-trust, always-verify policy.
How is zero trust different from a traditional firewall perimeter?
A perimeter model trusts everything inside the network boundary. Zero trust removes that implicit internal trust, verifying every user, device, and request individually regardless of where it originates.
Does zero trust require multi-factor authentication?
Strong identity verification, commonly including multi-factor authentication, is a central pillar of zero trust. Continuous, contextual authentication ensures access decisions reflect current risk rather than a one-time login.

Authoritative sources

← Back to the glossary