Skip to content

Security term · last reviewed 2026-07-07

Zero trust

Also known as: Zero Trust Architecture, ZTA

Zero trust is a security model that trusts no user, device, or network location implicitly and verifies every request; it replaces the perimeter with per-request authentication and least privilege.

How it works

Zero trust is a security model that assumes no user, device, or network location is inherently trusted, so every request must be authenticated, authorized, and continuously validated before access is granted. It replaces the old "castle and moat" perimeter (trust anything inside the network) with per-request verification: check identity, device posture, and context on every access, and grant the least privilege needed. The US model of record is NIST SP 800-207, and the practical building blocks include strong identity with MFA, device health checks, micro-segmentation, and identity-aware access proxies such as ZTNA.

When it matters

Zero trust matters as organizations move to cloud, remote work, and SaaS, where there is no meaningful network perimeter left to defend. It is the right long-term posture for most companies. For a very small team, though, a full zero-trust rollout is a project without a near-term payoff; encrypted laptops and MFA capture much of the practical benefit first. See The Solo Founder's Identity and Security Stack.

Common misconceptions

  • "Zero trust is a product you buy." It is an architecture and a principle, delivered through many controls, not a single SKU.
  • "It means trusting no one, ever." It means never trusting implicitly; you still grant access, just verified per request.
  • "VPN equals zero trust." A flat VPN grants broad network trust, the opposite of the model; ZTNA is the zero-trust replacement.
← All terms