Architecture
Zero Trust
A security architecture that eliminates implicit trust based on network location, requiring every access request to be authenticated, authorised, and continuously validated regardless of origin.
Zero Trust is defined formally in NIST SP 800-207. It rests on three principles:
- Verify explicitly — authenticate and authorise every request based on all available data points (identity, device, location, behaviour, data sensitivity)
- Use least-privilege access — limit user access to just enough rights, for just enough time
- Assume breach — minimise blast radius, segment access, encrypt end-to-end, use analytics to detect anomalous activity
Zero Trust is an architectural philosophy, not a product. It can be implemented with enterprise tooling or with appropriately configured SME-scale tools. The most important investment is typically a robust identity foundation — Entra ID, Okta, or equivalent — with MFA enforced universally and Conditional Access policies validating device compliance.