"Zero trust" has become the security industry's favorite marketing term. Every vendor claims to sell it. Every CISO claims to implement it. And yet most organizations that say they have zero trust are still running flat networks with VPN access that grants the keys to the kingdom.
Let us cut through the noise and talk about what zero trust actually means, how it works in practice, and how to implement it without a seven-figure budget.
What Zero Trust Actually Means
The core idea is deceptively simple: never trust, always verify. Every request — whether it comes from inside or outside your network — must be authenticated, authorized, and encrypted before access is granted.
Traditional security follows a castle-and-moat model. You have a perimeter (the moat), and once you are inside, you are trusted. This model fails catastrophically when an attacker breaches the perimeter, because lateral movement is unrestricted.
Zero trust eliminates the concept of a trusted internal network. There is no "inside" and "outside." Every access request is treated as if it originates from an untrusted network.
The Core Principles
1. Verify explicitly. Every access decision is based on all available data points: identity, device health, location, resource sensitivity, anomaly detection. Not just "do they have a valid session cookie."
2. Least privilege access. Users and services get the minimum permissions they need, for the minimum duration they need them. No standing privileges. No "admin because it is easier."
3. Assume breach. Design your systems as if an attacker is already inside. Segment your network. Encrypt internal traffic. Log everything. Minimize the blast radius of any single compromise.
Identity-Based Access
Identity is the new perimeter. In a zero trust architecture, access decisions are based on identity — not network location.
This means:
Strong authentication. Passwords are not sufficient. Use phishing-resistant MFA (passkeys, hardware tokens). Conditional access policies should evaluate risk signals before granting access.
Identity-aware proxies. Instead of VPNs that grant network-level access, use identity-aware proxies that grant application-level access. Google's BeyondCorp model popularized this approach.
Traditional VPN flow:
User → VPN → Internal Network → Any Internal Service
Zero trust flow:
User → Identity Provider → Policy Engine → Specific ServiceService-to-service identity. Machines need identities too. Use mutual TLS (mTLS) or SPIFFE/SPIRE for workload identity. Every service authenticates to every other service it communicates with.
# Example: Istio service mesh mTLS policy
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
name: default
namespace: production
spec:
mtls:
mode: STRICTMicrosegmentation
Flat networks are the enemy of zero trust. If an attacker compromises one service, they should not be able to reach every other service on the network.
Microsegmentation divides your network into small, isolated zones. Traffic between zones must pass through policy enforcement points.
Network-level segmentation uses firewalls, security groups, or network policies:
# Kubernetes NetworkPolicy: payment service can only
# talk to the database and the notification service
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: payment-service-policy
namespace: production
spec:
podSelector:
matchLabels:
app: payment-service
policyTypes:
- Egress
egress:
- to:
- podSelector:
matchLabels:
app: postgres
ports:
- port: 5432
- to:
- podSelector:
matchLabels:
app: notification-service
ports:
- port: 8080Application-level segmentation uses service meshes (Istio, Linkerd) or API gateways to enforce policies based on service identity, not just IP addresses.
The key insight: default deny. Nothing can communicate with anything unless explicitly allowed. Start with zero access and open only what is needed.
Real-World Implementation
Here is what a pragmatic zero trust implementation looks like for a mid-size engineering team:
Phase 1: Identity Foundation (Month 1-2)
- Deploy a centralized identity provider (Okta, Entra ID, or Keycloak for self-hosted)
- Enforce MFA on all accounts, preferably phishing-resistant (passkeys or hardware tokens)
- Implement SSO for all internal applications
- Remove shared accounts and service account passwords, replace with short-lived tokens
Phase 2: Access Control (Month 3-4)
- Replace VPN with an identity-aware proxy (Cloudflare Access, Tailscale, or Pomerium)
- Implement role-based access control with least privilege
- Set up just-in-time access for elevated permissions (Temporal access that expires)
- Audit and remove standing admin privileges
Phase 3: Network Segmentation (Month 5-6)
- Segment production, staging, and development environments
- Implement network policies for service-to-service communication
- Enable mTLS for internal traffic
- Deploy a service mesh if running microservices
Phase 4: Monitoring and Response (Ongoing)
- Centralize logging (access logs, authentication events, network flows)
- Set up anomaly detection for unusual access patterns
- Implement automated response for high-confidence threats
- Regular access reviews and permission audits
Tools and Frameworks
You do not need to build zero trust from scratch. Here are practical tools for each layer:
Identity and access: Okta, Microsoft Entra ID, Keycloak (self-hosted), Auth0
Network access: Cloudflare Access (replaces VPN, free for up to 50 users), Tailscale (mesh VPN with identity-based ACLs), Zscaler Private Access, Pomerium (open source)
Service mesh: Istio, Linkerd, Cilium (eBPF-based, no sidecar)
Policy engine: Open Policy Agent (OPA) for unified policy across infrastructure
# OPA policy example: deny access outside business hours
# for non-admin users
package httpapi.authz
default allow = false
allow {
input.user.role == "admin"
}
allow {
input.user.role == "developer"
is_business_hours
input.method == "GET"
}
is_business_hours {
now := time.clock(time.now_ns())
now[0] >= 9
now[0] < 18
}Device trust: Kolide, CrowdStrike Falcon, Microsoft Intune
Secrets management: HashiCorp Vault, AWS Secrets Manager, Doppler
Common Mistakes
Thinking zero trust is a product you buy. It is an architecture and a set of principles. No single vendor provides "zero trust in a box" no matter what their marketing says.
Starting too big. Do not try to implement everything at once. Start with identity (Phase 1) and build outward. Each phase delivers value independently.
Ignoring developer experience. If your zero trust controls make developers miserable, they will find workarounds. Security that gets bypassed is worse than no security because it creates a false sense of safety. Make the secure path the easy path.
Forgetting service-to-service. Most teams focus on user-to-application access and ignore east-west traffic between services. An attacker who compromises one service should not be able to freely query your database.
Not logging enough. Zero trust requires visibility. If you cannot see what is happening, you cannot enforce policy. Log every access decision, every authentication event, and every network flow.
Getting Started This Week
If you do nothing else, do these three things:
-
Enable MFA everywhere. Right now. On every account, every service. This alone prevents the majority of account compromises.
-
Audit your access. List every person and service that has access to your production environment. Remove any access that is not actively needed. Set calendar reminders to review quarterly.
-
Inventory your network. Map which services talk to which other services. Identify the services that can reach everything. Those are your highest-risk targets — segment them first.
Zero trust is not a destination. It is a direction. Every step you take toward explicit verification, least privilege, and breach assumption makes your organization more resilient. Start where you are, with what you have, and keep moving forward.
For hands-on hardening steps that complement a zero trust strategy, read Linux Server Hardening: A Practical Guide for AlmaLinux and Ubuntu.