⚡ One-Line Definition
Zero Trust is a security model built on the principle of "never trust, always verify" — no user, device, or network segment is trusted by default, even if it's already inside the corporate network. Every access request must be authenticated, authorised, and continuously validated regardless of where it originates. Zero Trust replaces the old castle-and-moat model where everything inside the perimeter was trusted.

The Problem Zero Trust Solves

Traditional network security relied on a hard perimeter — like a castle with a moat. Get inside the walls (VPN, office network) and you were trusted. This model breaks down in the modern world of remote work, cloud services, BYOD, and sophisticated attackers who can breach the perimeter or already be inside as malicious insiders.

❌ Traditional Perimeter Security
Trust everyone inside the network
VPN = full network access once connected
One hard external boundary (firewall)
Internal traffic largely uninspected
Breach perimeter = access everything
Identity verified once at login
Flat network — lateral movement easy

✅ Zero Trust Model
No implicit trust — verify everything always
Access granted per-resource, not per-network
Perimeter is everywhere and nowhere
All traffic inspected and logged
Breach = attacker still can't move laterally
Continuous authentication and re-validation
Microsegmentation limits blast radius

Core Principles of Zero Trust

🔍 Verify Explicitly
Always authenticate and authorise based on all available data points — identity, location, device health, service/workload, data classification, and anomalies. Never assume trust based on network location alone.

🔒 Use Least Privilege Access
Limit user access to only what they need for their current task using just-in-time (JIT) and just-enough-access (JEA). Minimise lateral movement potential if credentials are compromised.

💥 Assume Breach
Design as if attackers are already inside the network. Minimise blast radius through segmentation, encrypt all traffic, use analytics to detect anomalies, and verify end-to-end encryption.

📊 Continuous Validation
Authentication isn't a one-time event. Re-verify continuously — if behaviour changes (unusual location, time, data volume), re-authenticate or terminate the session. Access decisions are context-aware.

🎯 The Phrase That Appears on the Exam

"Never trust, always verify" is the tagline of Zero Trust and appears directly in Security+ SY0-701 objectives. If a scenario describes a security model where internal users are not automatically trusted and every request is verified, the answer is Zero Trust. If it mentions implicit trust — that's the traditional model Zero Trust replaces.

The Five Pillars of Zero Trust

1. Identity
Identity is the new perimeter in Zero Trust. Every user, service account, and workload must have a verified identity before being granted access. This means strong MFA, privileged access management (PAM), and continuous identity validation — not just a username and password at login.
Technologies: MFA, Single Sign-On (SSO), Identity Provider (IdP), Privileged Access Workstations (PAW), Privileged Identity Management (PIM), conditional access policies based on user risk score.

2. Devices
Only healthy, compliant devices are granted access. Device health is checked before access is granted and monitored continuously — an unpatched device or one with detected malware should have access revoked automatically.
Technologies: MDM (Mobile Device Management), EDR (Endpoint Detection and Response), device compliance policies, certificate-based device authentication, BYOD policies that require enrolment before access.

3. Network / Microsegmentation
Microsegmentation divides the network into small, isolated zones so that even if an attacker breaches one segment, they cannot move laterally to others. Instead of flat east-west traffic across the internal network, every connection between segments requires authentication and authorisation.
Technologies: Software-defined networking (SDN), VLANs, firewall rules between segments, east-west traffic inspection, Software-Defined Perimeter (SDP). Exam term: microsegmentation is explicitly listed in SY0-701 as a Zero Trust technique.

4. Applications & Workloads
Access to applications is granted per-application, not per-network. Users authenticate to individual apps rather than connecting to a network that contains apps. Apps themselves are verified — in a cloud environment, workloads and APIs must also authenticate to each other.
Technologies: Application-level proxies, CASB (Cloud Access Security Broker), API gateways with authentication, Zero Trust Network Access (ZTNA) replacing VPN — users get access to specific apps, not the entire network.

5. Data
Protect data wherever it lives — on-premises, cloud, endpoints. Data classification determines access controls: sensitive data requires stronger authentication, is encrypted at rest and in transit, and access is logged. DLP policies prevent exfiltration.
Technologies: Data Loss Prevention (DLP), information rights management (IRM), encryption at rest and in transit, data classification labels, access controls based on data sensitivity level.

Zero Trust Key Terms for the Exam

Term | Definition | Why It Matters
Microsegmentation | Dividing the network into small isolated zones with access controls between each segment | Prevents lateral movement — explicitly named in SY0-701
Implicit trust | Trusting a user or device based solely on network location (being inside the perimeter) | This is what Zero Trust eliminates — the old model
ZTNA | Zero Trust Network Access — grants access to specific applications, not the whole network (replaces VPN) | Modern alternative to traditional VPN
Least privilege | Users get the minimum access needed for their role — no more | Core Zero Trust principle, also tested standalone
Just-in-time (JIT) | Privileged access granted only when needed and automatically revoked after — not persistent | Reduces window of exposure for privileged accounts
Continuous validation | Re-verifying identity and device health throughout a session, not just at login | Detects session hijacking and behavioural anomalies
Policy decision point (PDP) | The component that evaluates access requests against policy and makes allow/deny decisions | Part of NIST Zero Trust architecture framework
Policy enforcement point (PEP) | The component that enforces the PDP's decisions — sits between the user and the resource | Pair with PDP — together they form the Zero Trust control plane
Assume breach | Designing security as if attackers are already inside — focus on limiting damage, not just prevention | Third core principle of Zero Trust
East-west traffic | Traffic moving between systems inside the network (server-to-server) — traditionally uninspected | Zero Trust inspects this too — microsegmentation controls it

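To make the core principles, the Identity and Devices pillars, and the PDP/PEP terms above concrete, here is an added example (not code from the page or from any vendor product) of a small policy decision point with an enforcement point in front of a per-application resource. The users, devices, application names, policy values and the just-in-time grant are constructed for illustration. The decision consults identity and role, device posture, MFA strength and, for the privileged application, an unexpired JIT grant; it never consults network location, so a request from the corporate LAN on a non-compliant personal device is denied while the same user from home on a managed laptop is allowed.

```python
"""Policy decision point (PDP) and policy enforcement point (PEP) for
per-application Zero Trust access. Added example, not taken from the page or
from any vendor's product: users, devices, application names, policy values
and the JIT grant below are all constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Identity:
    user: str
    roles: set
    mfa: Optional[str]      # None, "otp", or "fido2" (phishing-resistant)


@dataclass
class Device:
    device_id: str
    managed: bool           # enrolled in MDM
    patched: bool           # at the required OS patch level
    edr_healthy: bool       # EDR agent running with no active detection


@dataclass
class JitGrant:
    user: str
    role: str
    expires_at: datetime


@dataclass
class Request:
    identity: Identity
    device: Device
    app: str
    network: str            # "corp_lan", "home", ...: logged, never used for trust
    now: datetime


# Constructed per-application policy: admitted roles, required MFA strength,
# and whether an active just-in-time grant is needed (privileged apps only).
APP_POLICY = {
    "wiki":          {"roles": {"staff", "admin"}, "mfa": "otp",   "jit": False},
    "payroll":       {"roles": {"finance"},        "mfa": "fido2", "jit": False},
    "prod-db-admin": {"roles": {"admin"},          "mfa": "fido2", "jit": True},
}
MFA_RANK = {None: 0, "otp": 1, "fido2": 2}


def decide(req: Request, grants) -> tuple:
    """PDP: evaluate one request against policy. Returns (decision, reason)
    with decision in {"allow", "deny", "step_up"}. Checks are ordered so a
    non-compliant device is refused before MFA strength is even considered."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return "deny", "unknown application (default deny)"
    # Verify explicitly: the identity must hold a role the application admits
    if not (req.identity.roles & policy["roles"]):
        return "deny", "role not permitted for this application"
    # Device posture is part of the decision, not just who the user is
    d = req.device
    if not (d.managed and d.patched and d.edr_healthy):
        return "deny", "device posture non-compliant"
    # Weaker-than-required MFA produces a step-up challenge, never a silent allow
    if MFA_RANK[req.identity.mfa] < MFA_RANK[policy["mfa"]]:
        return "step_up", "requires %s authentication" % policy["mfa"]
    # Least privilege / JIT: privileged apps need an unexpired, role-matching grant
    if policy["jit"]:
        active = [g for g in grants
                  if g.user == req.identity.user
                  and g.role in policy["roles"]
                  and g.expires_at > req.now]
        if not active:
            return "deny", "no active just-in-time grant"
    return "allow", "identity, device posture and MFA strength verified"


def enforce(req: Request, grants, audit: list) -> bool:
    """PEP: sits between the user and the application, applies the PDP's
    decision and records every request, allowed or not, for later analysis."""
    decision, reason = decide(req, grants)
    audit.append({"user": req.identity.user, "app": req.app,
                  "device": req.device.device_id, "network": req.network,
                  "decision": decision, "reason": reason})
    return decision == "allow"


# Constructed sample principals, devices and a 30-minute JIT grant for carol
NOW = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
GOOD_LAPTOP = Device("lap-0042", managed=True, patched=True, edr_healthy=True)
PERSONAL_PC = Device("byod-7", managed=False, patched=True, edr_healthy=False)
ALICE = Identity("alice", {"staff"}, "otp")
BOB = Identity("bob", {"finance"}, "otp")
CAROL = Identity("carol", {"admin"}, "fido2")
GRANTS = [JitGrant("carol", "admin", NOW + timedelta(minutes=30))]


def scenarios() -> dict:
    """Run the constructed requests through the PEP and return each decision."""
    audit = []
    cases = {
        "staff_wiki_from_home":     Request(ALICE, GOOD_LAPTOP, "wiki", "home", NOW),
        "staff_wiki_lan_byod":      Request(ALICE, PERSONAL_PC, "wiki", "corp_lan", NOW),
        "finance_payroll_otp_only": Request(BOB, GOOD_LAPTOP, "payroll", "corp_lan", NOW),
        "admin_db_with_grant":      Request(CAROL, GOOD_LAPTOP, "prod-db-admin", "home", NOW),
        "admin_db_grant_expired":   Request(CAROL, GOOD_LAPTOP, "prod-db-admin", "home",
                                            NOW + timedelta(hours=1)),
        "unknown_app":              Request(ALICE, GOOD_LAPTOP, "legacy-share", "corp_lan", NOW),
    }
    results = {name: decide(req, GRANTS)[0] for name, req in cases.items()}
    for req in cases.values():
        enforce(req, GRANTS, audit)
    results["audit_entries"] = len(audit)
    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(name, "->", outcome)
```

The ordering inside decide() is a design choice: role and device posture are hard requirements, so they fail closed with a deny, while insufficient MFA strength is recoverable and returns a step-up challenge instead. The audit list written by the PEP is what feeds the continuous-validation and SIEM correlation described later on the page.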
Zero Trust vs Defence in Depth

These are related but different concepts. Defence in depth layers multiple security controls (firewall + IDS + antivirus + MFA) — but can still have implicit trust inside those layers. Zero Trust is an architectural philosophy that eliminates implicit trust entirely.

In practice, Zero Trust uses defence-in-depth techniques (MFA, encryption, segmentation, logging) but applies them with the principle that no entity is ever trusted by default — the "never trust" mindset is the distinguishing factor. On the exam, if the scenario involves eliminating implicit trust or not trusting the internal network, the answer is Zero Trust.

Exam Scenarios

💬 "A company implements a policy requiring all users — including those on the internal corporate network — to authenticate with MFA before accessing any resource. Internal traffic is inspected and no device is trusted by default. Which security model does this describe?" → Zero Trust — specifically the "never trust, always verify" principle. The key indicator is that internal network location provides no implicit trust.
💬 "An attacker compromises a workstation on the corporate network but cannot access any other systems because each server-to-server connection requires separate authentication. Which Zero Trust technique prevented lateral movement?" → Microsegmentation — dividing the network into isolated segments so that a breach in one area cannot spread to others without re-authentication. This is explicitly named in SY0-701.
💬 "An organisation wants to replace their VPN with a solution that grants remote users access to specific applications rather than the entire corporate network. Which technology implements this?" → ZTNA (Zero Trust Network Access) — provides application-level access rather than network-level access, a core Zero Trust replacement for traditional VPN.
💬 "A security architect proposes granting privileged access to administrators only when needed for a specific task, with access automatically revoked after the task is complete. What is this technique called?" → Just-in-time (JIT) access — a Zero Trust technique that eliminates persistent privileged accounts, reducing the window of exposure if credentials are stolen.
💬 "Which Zero Trust principle assumes that attackers may already be inside the network and designs security controls to minimise the impact of a breach?" → "Assume breach" — the third core Zero Trust principle. It shifts focus from purely preventing breaches to limiting blast radius, detecting attackers quickly, and containing damage through segmentation and logging.
💬 "A company's security model trusts all traffic originating from within their office network without additional verification. A security consultant flags this as a risk. What model should replace it?" → Zero Trust — the current model relies on implicit trust based on network location (being on the office network). Zero Trust eliminates this by requiring explicit verification for every access request regardless of origin.


Why Perimeter Security Failed — The Case for Zero Trust

Traditional network security was built on a castle-and-moat model: everything inside the corporate network perimeter was trusted, everything outside was untrusted. Firewalls and VPNs enforced this boundary. This model broke down for three interconnected reasons. First, the perimeter dissolved — remote work, cloud services, and mobile devices mean corporate data and users now exist everywhere, not inside a defined network edge. Second, breaches proved the assumption wrong — once an attacker got inside the perimeter (through phishing, a compromised endpoint, or a vulnerable VPN), they could move laterally with minimal resistance because internal traffic was implicitly trusted. Third, insider threats proved that not all threats come from outside — a malicious or compromised insider with trusted network access could do enormous damage.

Zero Trust addresses all three by replacing the perimeter assumption with a simple rule: trust nothing, verify everything, regardless of network location. A user on the corporate network is not more trusted than a user on their home connection. A service account is not trusted just because it's on an internal server. Every access request is authenticated and authorised based on identity, device health, and context — every time.

The Five Pillars of Zero Trust

Identity verification is the foundation. Every user, device, and service must prove its identity before accessing any resource. This means strong authentication (MFA at minimum, ideally phishing-resistant MFA using FIDO2 hardware keys or passkeys), continuous identity validation (not just at login but throughout the session), and integration with an identity provider (Okta, Azure AD, Ping Identity). Passwords alone are not sufficient in a Zero Trust architecture.

Device health extends verification beyond identity to the device itself. A user may be legitimate, but if they're logging in from an unmanaged personal device with an outdated OS and no endpoint protection, the risk profile of that session is very different from a company-managed, patched, EDR-protected laptop. Zero Trust considers device posture — patch level, security software status, certificate presence — as part of the access decision. This is enforced through device compliance policies in MDM solutions (Microsoft Intune, Jamf).

Least privilege access ensures users and services only have the permissions they actually need for their role, granted for the minimum time necessary. This extends to just-in-time (JIT) access — privileged access is not permanently assigned but granted on request, used for the task, then revoked. Permanent administrator accounts are replaced with accounts that can escalate temporarily when needed and be audited completely.

Microsegmentation replaces flat internal networks where everything can talk to everything with small, isolated segments where traffic between segments requires explicit authorisation. A database server should only accept connections from the specific application servers that legitimately query it — not from every device on the corporate network. If an attacker compromises a workstation in a microsegmented network, they're contained in that segment and cannot reach the database without triggering another authentication and authorisation check.
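The segment-level allowlist described here and in the Network / Microsegmentation pillar earlier can be checked against flow records. The following is an added example, not code from the page or from any segmentation product; the segment names, subnets, allowed flows and flow-log lines are constructed. It applies a default-deny east-west policy to each record and reports the flows a segmentation control would have blocked, which is also the detection view a SOC wants over east-west telemetry.

```python
"""Default-deny microsegmentation policy applied to east-west flow records.
Added example, not from the page or any product; segments, subnets, the
allowlist and the flow lines are constructed for illustration."""
import ipaddress

# Constructed segments: name -> CIDR
SEGMENTS = {
    "workstations": "10.10.0.0/16",
    "app-servers":  "10.20.0.0/24",
    "db-servers":   "10.30.0.0/24",
    "identity":     "10.40.0.0/24",
}

# Explicit allowlist of (source segment, destination segment, destination port).
# Any flow not listed here, including intra-segment traffic, is denied.
ALLOWED = {
    ("workstations", "app-servers", 443),
    ("workstations", "identity", 443),
    ("app-servers", "db-servers", 5432),
    ("app-servers", "identity", 443),
}

_NETS = {name: ipaddress.ip_network(cidr) for name, cidr in SEGMENTS.items()}


def segment_of(ip: str) -> str:
    """Map an address to its segment; anything outside the map is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in _NETS.items():
        if addr in net:
            return name
    return "unknown"


def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """The policy decision an inter-segment firewall would make for this flow."""
    return (segment_of(src_ip), segment_of(dst_ip), dst_port) in ALLOWED


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record:
    '<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>'"""
    ts, src, _, dst, proto = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "src": src_ip, "dst": dst_ip, "port": int(dst_port), "proto": proto}


def find_violations(lines) -> list:
    """Return (timestamp, src segment, dst segment, port) for every flow the
    policy does not allow; these are the lateral-movement paths to investigate."""
    violations = []
    for line in lines:
        f = parse_flow(line)
        if not is_allowed(f["src"], f["dst"], f["port"]):
            violations.append((f["ts"], segment_of(f["src"]), segment_of(f["dst"]), f["port"]))
    return violations


# Constructed flow log: two legitimate flows followed by three that the
# allowlist does not cover (workstation straight to the database, workstation
# to workstation, and a database server reaching the identity tier).
SAMPLE_FLOWS = [
    "2024-05-01T09:00:01Z 10.10.4.21:51002 -> 10.20.0.5:443 tcp",
    "2024-05-01T09:00:02Z 10.20.0.5:40311 -> 10.30.0.7:5432 tcp",
    "2024-05-01T09:00:07Z 10.10.4.21:51010 -> 10.30.0.7:5432 tcp",
    "2024-05-01T09:00:09Z 10.10.4.21:51011 -> 10.10.4.40:445 tcp",
    "2024-05-01T09:00:12Z 10.30.0.7:33000 -> 10.40.0.3:443 tcp",
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print("policy violation:", v)
```

Because the allowlist is keyed on segment rather than on individual addresses, a new application server in 10.20.0.0/24 inherits the database rule automatically, while a workstation never gains a path to the database tier no matter which host it is; that is the containment the page describes.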

Continuous monitoring treats security as a real-time process rather than a gate at login. User behaviour analytics (UEBA), SIEM correlation, and EDR telemetry feed into continuous risk scoring. If a user who normally logs in from New York suddenly authenticates from Eastern Europe and starts downloading large volumes of data, that behavioural anomaly triggers additional verification or access suspension — even though their initial authentication was legitimate.
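As an added example of the continuous validation described here (and under the Continuous Validation principle and key term earlier), the code below re-scores a session on every event rather than only at login. It is not code from the page or from any UEBA product; the events, thresholds and plausible-speed limit are constructed, and the coordinates are approximate values for New York and Bucharest, the latter used as a stand-in for the Eastern Europe location in the text. A jump between the two within half an hour is flagged as impossible travel and triggers a step-up, and download volume in a rolling one-hour window escalates from step-up to session termination.

```python
"""Continuous session validation: impossible-travel and data-volume checks
re-evaluated on every event. Added example, not from the page or any product;
events, thresholds and the speed limit are constructed for illustration."""
from collections import deque
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900        # faster than this between two events is "impossible travel"
DOWNLOAD_STEP_UP_MB = 500      # rolling-window volume above this forces re-authentication
DOWNLOAD_TERMINATE_MB = 2000   # rolling-window volume above this ends the session
SEVERITY = {"continue": 0, "step_up": 1, "terminate": 2}


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in km between two WGS84 points."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * r * asin(sqrt(a))


def evaluate_session(events, window=timedelta(hours=1)) -> list:
    """events: time-ordered dicts with ts (datetime), lat, lon, mb (downloaded).
    Returns one (ts, verdict, reason) per event; verdict is 'continue',
    'step_up' or 'terminate', and the most severe triggered reason wins."""
    verdicts = []
    prev = None
    recent = deque()                      # (ts, mb) inside the rolling window
    for e in events:
        reasons = []
        # 1. Impossible travel between consecutive events in the same session
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                reasons.append(("step_up", "impossible travel: %.0f km in %.2f h" % (km, hours)))
        # 2. Download volume over the rolling window, not just this event
        recent.append((e["ts"], e["mb"]))
        while recent and e["ts"] - recent[0][0] > window:
            recent.popleft()
        total = sum(mb for _, mb in recent)
        if total > DOWNLOAD_TERMINATE_MB:
            reasons.append(("terminate", "%.0f MB downloaded in window" % total))
        elif total > DOWNLOAD_STEP_UP_MB:
            reasons.append(("step_up", "%.0f MB downloaded in window" % total))
        verdict = max((v for v, _ in reasons), key=SEVERITY.get, default="continue")
        detail = "; ".join(msg for _, msg in reasons) or "within baseline"
        verdicts.append((e["ts"], verdict, detail))
        prev = e
    return verdicts


def _ev(hour, minute, lat, lon, mb):
    return {"ts": datetime(2024, 5, 1, hour, minute), "lat": lat, "lon": lon, "mb": mb}


# Constructed session: normal activity from New York (approx. 40.71, -74.01),
# then the same session appears in Bucharest (approx. 44.43, 26.10) half an
# hour later and starts pulling large volumes of data.
NYC = (40.7128, -74.0060)
BUCHAREST = (44.4268, 26.1025)
SAMPLE_EVENTS = [
    _ev(9, 0, *NYC, 5),
    _ev(9, 30, *NYC, 10),
    _ev(10, 0, *BUCHAREST, 50),
    _ev(10, 10, *BUCHAREST, 1800),
    _ev(10, 20, *BUCHAREST, 400),
]

if __name__ == "__main__":
    for ts, verdict, reason in evaluate_session(SAMPLE_EVENTS):
        print(ts.time(), verdict, reason)
```

The point of the rolling window is that no single event has to look alarming: the fourth event alone stays below the termination threshold, but combined with the preceding half hour it crosses the step-up line, and the fifth pushes the window over the termination line even though it is smaller than the fourth.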

Zero Trust in Practice — Real Implementations

Pure Zero Trust is an architectural goal rather than a single product you install. Real implementations use combinations of: Identity Provider (IdP) for centralised authentication (Azure AD, Okta), MFA on all authentication flows, Conditional Access policies that evaluate device compliance and risk signals before granting access, ZTNA (Zero Trust Network Access) replacing VPN with identity-aware proxies that grant access per-application rather than per-network, microsegmentation tools (Illumio, Guardicore) to enforce east-west traffic controls, and SASE (Secure Access Service Edge) that delivers network security as a cloud service for distributed workforces.

On the exam: Zero Trust is tested primarily as a concept and architecture, not as a specific configuration task. Know the core principle (never trust, always verify), the three main controls (strong identity verification, least privilege, microsegmentation), and the contrast with the traditional perimeter model. SY0-701 specifically added Zero Trust as a significant topic area — any scenario describing a security architecture for a remote-first or cloud-heavy organisation is likely testing Zero Trust concepts.

Zero Trust vs Traditional VPN

Traditional VPNs grant network-level access — once connected, a user typically has access to the entire internal network segment. Zero Trust Network Access (ZTNA) grants application-level access — a user is granted access only to the specific applications their role requires, with all other resources invisible and unreachable from their session. This is a fundamental difference: a VPN breach gives an attacker broad internal access, while a ZTNA breach (if the attacker can even complete authentication) gives them access only to specific applications.

This is why Security+ SY0-701 frames ZTNA as a VPN replacement rather than a complement. From an exam perspective: traditional VPN = perimeter model (trusted once inside), ZTNA = Zero Trust (verified per application, per session).
