Zero Trust replaces the implicit 'trust inside the perimeter' model with 'never trust, always verify.' Every access request is authenticated, authorised, and continuously validated. The perimeter is dead; identity is the new perimeter.
Zero Trust is the dominant modern security architecture model and increasingly tested on the CISSP. You need to understand its core principles, how it contrasts with perimeter-based security, and what technologies implement it.
1. Verify Explicitly: Always authenticate and authorise based on all available data points — identity, location, device health, data classification, anomalies. 2. Use Least Privileged Access: Limit user access with just-in-time (JIT) and just-enough-access (JEA). 3. Assume Breach: Minimise blast radius, segment access, encrypt end-to-end, use analytics to drive threat detection.
Traditional model: Castle-and-moat. Hard outside, trusted inside. Once inside the network, lateral movement is easy.
Zero Trust: No implicit trust based on network location. A request from inside the office is treated the same as one from a coffee shop.
ZTNA (Zero Trust Network Access): Replace VPN with per-application access.
Microsegmentation: Divide the network into small zones. East-west traffic between segments requires authentication — prevents lateral movement.
Continuous Monitoring: Session trust is not static. Device posture and behaviour anomalies can revoke access mid-session.
NIST's Zero Trust Architecture publication (SP 800-207) defines seven tenets of Zero Trust and three deployment models: enhanced identity governance, micro-segmentation, and network infrastructure/software-defined perimeter.
Perimeter security vs. Zero Trust
| Dimension | Perimeter Model | Zero Trust Model |
|---|---|---|
| Trust basis | Network location | Identity + context + device |
| Inside network | Trusted by default | Untrusted — verify every request |
| VPN | Full network access | ZTNA: per-app access only |
| Lateral movement | Easy once inside | Blocked by microsegmentation |
| Access model | Static, role-based | Dynamic, risk-adaptive, least-privilege |