GLOSSARY · FUNDAMENTALS
Zero trust
A security model that treats every request as unauthenticated and unauthorized until proven otherwise, regardless of where it comes from.
Zero trust is a rejection of the old perimeter assumption: that everything inside the network is safe and everything outside is hostile. That model started breaking when organizations added VPNs, cloud workloads, and remote employees, and it shattered when attackers learned that compromising one insider account was enough to move freely across a trusted network.
The core operating principle is “never trust, always verify.” Every request (user login, service-to-service call, device checking in) must be authenticated and authorized at the point of access. Identity becomes the perimeter. Context matters: a login from a managed device on a known IP gets treated differently than the same credentials appearing from a new country on a personal phone.
In practice, zero trust is an architecture journey, not a product you buy. The typical path runs through identity consolidation (a single IdP for everything), device management (knowing what is on the network before granting access), microsegmentation (limiting what any one account or workload can reach), and continuous logging. Each step delivers value independently; you do not have to finish the whole arc before you benefit.