What is Zero Trust?
Zero Trust is a security model based on the principle: "Never trust, always verify."
Unlike traditional perimeter-based security (castle-and-moat), Zero Trust assumes that threats can come from anywhere—inside or outside the network.
The Evolution of Security Models
Traditional (Castle & Moat)      Zero Trust
┌─────────────────────────┐      ┌─────────────────────────┐
│ ┌───────────────────┐   │      │  🔒  🔒  🔒  🔒  🔒          │
│ │  Trusted Network  │   │      │ Every access verified   │
│ │  (Free movement)  │   │      │ at every point          │
│ └───────────────────┘   │      │                         │
│           🏰            │      │ 🔒 Identity   🔒 Device   │
│     Firewall = Moat     │      │ 🔒 Network    🔒 Data     │
└─────────────────────────┘      └─────────────────────────┘
  Once inside, trusted             Nothing trusted by default
Why the shift?
- Remote work is now standard
- Cloud resources exist outside the network perimeter
- Insider threats are real
- VPNs alone aren't enough
Core Principles
1. Verify Explicitly
- Always authenticate and authorize based on all available data points
- Consider: user identity, location, device health, service/workload, data classification
2. Use Least Privilege Access
- Limit user access with just-in-time (JIT) and just-enough-access (JEA)
- Risk-based adaptive policies
- Data protection
- No standing access to sensitive systems
3. Assume Breach
- Minimize blast radius through segmentation
- Verify end-to-end encryption
- Use analytics for threat detection
- Plan for containment, not just prevention
Zero Trust Pillars
┌───────────────────────────────────────────────────────────┐
│                    ZERO TRUST PILLARS                     │
├─────────┬─────────┬─────────┬─────────┬─────────┬─────────┤
│Identity │ Devices │  Apps   │  Data   │  Infra  │ Network │
├─────────┼─────────┼─────────┼─────────┼─────────┼─────────┤
│  MFA    │  MDM    │  SSO    │Classify │  JIT    │ Segment │
│  Cond.  │ Health  │  CASB   │  DLP    │  IaC    │ Encrypt │
│  Access │  EDR    │ Shadow  │ Rights  │ Monitor │ Micro-  │
│  PIM    │Patching │  IT     │  Mgmt   │         │ segment │
└─────────┴─────────┴─────────┴─────────┴─────────┴─────────┘
Identity: Strong authentication (MFA), conditional access policies, identity governance, privileged identity management
Devices: Device compliance requirements, endpoint detection and response (EDR), mobile device management (MDM), device health attestation
Applications: Application-level permissions, shadow IT discovery, cloud access security broker (CASB), in-app permissions
Data: Data classification, encryption at rest and in transit, data loss prevention (DLP), rights management
Infrastructure: Just-in-time access, version control, telemetry for anomaly detection, infrastructure as code
Network: Network segmentation, threat protection, encryption, microsegmentation
Implementation in Cloud
Azure Zero Trust Stack:
| Component | Azure Service | Purpose |
|-----------|---------------|---------|
| Identity | Azure AD, Entra ID | SSO, MFA, Conditional Access |
| Device | Intune | MDM, compliance policies |
| Apps | Defender for Cloud Apps | CASB, shadow IT |
| Data | Purview | Classification, DLP |
| Infrastructure | PIM | Just-in-time admin access |
| Network | Azure Firewall, NSGs | Segmentation |
| Detection | Sentinel | SIEM, threat detection |
AWS Zero Trust Components:
- IAM policies with conditions
- AWS Organizations (SCPs)
- VPC security (security groups, NACLs)
- AWS GuardDuty (threat detection)
- AWS Verified Access (application access)
- AWS Private CA (certificates)
Conditional Access Deep Dive
Conditional Access is the "if-then" engine of Zero Trust:
IF: User attempts access
├── Who: User/Group membership
├── What: Application being accessed
├── Where: Location/IP range
├── How: Device platform, compliance state
└── Risk: Sign-in risk, user risk
THEN: Access decision
├── Allow (with or without controls)
├── Block
├── Require MFA
├── Require compliant device
├── Require approved app
└── Limit session duration
Example Policies:
- Require MFA for all users accessing cloud apps from outside corporate network
- Block access to financial apps from non-compliant devices
- Require password change for high-risk sign-ins
- Allow mobile access only through approved MDM apps
Traditional vs Zero Trust Comparison
| Aspect | Traditional | Zero Trust |
|--------|-------------|------------|
| Trust model | Trust internal network | Trust nothing |
| Perimeter | Network edge | Identity-based |
| Access | Broad network access | Least privilege |
| Verification | Once at entry | Continuous |
| VPN reliance | Heavy | Reduced/eliminated |
| Lateral movement | Easy once inside | Restricted |
| Breach impact | Wide blast radius | Contained segments |
Real-World Implementation Scenario
Scenario: Employee accessing company data
Traditional approach:
- Connect to corporate VPN
- Access any internal resource
- No further verification until session ends
Zero Trust approach:
- Authenticate with MFA (identity verified)
- Device compliance check (healthy, patched, encrypted)
- Conditional access evaluates:
  - Location: Known vs unknown
  - Risk score: Normal vs elevated
  - Device: Managed vs personal
- Access granted to specific approved resources only
- Continuous monitoring during session
- Session timeout requires re-authentication
- Anomaly detection triggers step-up authentication
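As an added illustration (not code from the original notes), the following Python model implements the Conditional Access IF/THEN engine and the four example policies from the section above, plus the mid-session re-evaluation this scenario describes: a raised risk score forces step-up authentication, and a newly matching block policy terminates the session. The policy names, group names, apps and the 203.0.113.0/24 corporate egress range are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class SignIn:                 # constructed IF-side signals: who / what / where / how / risk
    groups: set               # who: group memberships
    app: str                  # what: application being accessed
    ip: str                   # where: source address
    platform: str             # how: "Windows", "iOS", ...
    device_compliant: bool    # how: compliance state
    sign_in_risk: str         # risk: "low" | "medium" | "high"

@dataclass
class Policy:                 # scope + extra IF clause + THEN controls
    name: str
    apps: set                 # {"*"} = all cloud apps
    groups: set               # {"*"} = all users
    condition: object         # callable(SignIn) -> bool
    controls: set             # e.g. {"mfa"}, {"block"}, {"approved_app"}

CORP_EGRESS = "203.0.113."    # constructed corporate egress prefix (TEST-NET-3)

POLICIES = [                  # constructed policies mirroring the four example policies above
    Policy("MFA outside corp network", {"*"}, {"*"},
           lambda s: not s.ip.startswith(CORP_EGRESS), {"mfa"}),
    Policy("Block finance apps from non-compliant devices", {"finance"}, {"*"},
           lambda s: not s.device_compliant, {"block"}),
    Policy("Password change on high-risk sign-in", {"*"}, {"*"},
           lambda s: s.sign_in_risk == "high", {"mfa", "password_change"}),
    Policy("Mobile only via approved app", {"*"}, {"*"},
           lambda s: s.platform in {"iOS", "Android"}, {"approved_app"}),
]

def evaluate(s, policies=POLICIES):
    """All matching policies combine: one 'block' wins; otherwise every required control is enforced."""
    required, matched = set(), []
    for p in policies:
        in_scope = ("*" in p.apps or s.app in p.apps) and ("*" in p.groups or bool(s.groups & p.groups))
        if in_scope and p.condition(s):
            matched.append(p.name)
            required |= p.controls
    if "block" in required:
        return "block", matched          # names of the policies that fired
    return "allow", sorted(required)     # controls the user must satisfy

def reevaluate(session_controls, s):
    """Continuous verification: re-run policy on fresh signals; 'ok', 'step_up' or 'terminate'."""
    decision, controls = evaluate(s)
    if decision == "block":
        return "terminate"
    return "step_up" if set(controls) - set(session_controls) else "ok"
```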
Zero Trust Maturity Model
Stage 1: Traditional
- Perimeter-based security
- VPN for remote access
- Minimal MFA
Stage 2: Advanced
- MFA deployed broadly
- Conditional access policies
- Device management started
Stage 3: Optimal
- Full identity verification
- Device health required
- Microsegmentation
- Real-time risk assessment
- Automated response
Common Implementation Mistakes
- "We have MFA, we're Zero Trust" - MFA is just one piece
- Deploying too fast - Start with identity, then expand
- Ignoring user experience - Security shouldn't be painful
- Not monitoring - Zero Trust requires continuous verification
- Forgetting service accounts - Non-human identities matter too
Exam Tips
Common exam questions:
- Identify Zero Trust principles
- Choose the right conditional access policy
- Understand the shared responsibility in Zero Trust
- Know which service implements which pillar
Key concepts to remember:
- Zero Trust ≠ Zero Access
- Identity is the new perimeter
- Verify explicitly, always
- Assume breach, contain damage
Key Takeaway
Zero Trust is becoming the standard for modern security. Cloud certifications (especially security-focused ones like AZ-500 and Security+) heavily test these concepts. In practice, implementing Zero Trust is a journey, not a destination—start with identity and expand from there.
