What is the Zero Trust Security Model? A Complete Guide for 2026

What Is the Zero Trust Security Model?
The Zero Trust security model is a modern cybersecurity approach that assumes no user, device, or system should be trusted automatically, even if it is already inside the network.

Imagine a mid-sized financial company in Sydney has invested heavily in its security. Firewalls, antivirus software, a VPN for remote workers, and a dedicated IT team monitoring the network. By every traditional measure, they are protected. Then, one Tuesday morning, an attacker who obtained a single employee’s stolen credentials logs in through the VPN. The network sees a familiar username. It lets the attacker in.

For the next eleven days, that attacker moves through internal systems, reads sensitive client data, and prepares to exfiltrate it. No alarm goes off. No system questions whether that user should be accessing payroll files, legal documents, and the executive email server all in the same session.

This is not a hypothetical. Variations of this scenario have played out at hundreds of organisations across the United States, the United Kingdom, Australia, Brazil, and beyond. The method changes. The outcome rarely does. And the reason, almost always, is the same: too much trust was placed in the wrong things.

That is precisely the problem that Zero Trust was designed to solve.

The Old Way of Thinking About Security

For decades, cybersecurity was built on a simple idea. Draw a boundary around your organisation. Put walls up. Make sure nobody dangerous gets through those walls. And once someone is inside, trust them.

Security professionals called this the perimeter model, and they loved explaining it with a candy analogy. The network was like an M&M: a hard sugar-coated crunchy shell on the outside keeping threats away, and a soft milk chocolate chewy centre inside where everything was safe and trusted. Employees, systems, and applications inside the perimeter could communicate freely. The firewall was the wall. Get past it, and you were home.

📌 Where the Analogy Came From
The “M&M” analogy was coined by Bill Cheswick, a prominent computer security pioneer, in his 1994 book Firewalls and Internet Security. It became a classic industry teaching tool used to describe the Perimeter Security Model.

For a period, this model worked well enough. Offices were physical places. Servers lived in basements. Employees came to work, sat at desks, and went home. The perimeter was real.

Then everything changed. Cloud computing moved data off the physical server and onto infrastructure owned by Amazon, Microsoft, or Google, i.e., infrastructure that sits nowhere near your firewall. Remote work became standard, meaning employees access sensitive company data from home networks in Karachi, Calgary, or Cape Town. Smartphones and personal laptops became work devices. Third-party vendors and contractors were given access to internal systems. The perimeter, in any meaningful sense, ceased to exist.

Attackers understood this long before most security teams did. They stopped trying to blow through the front wall. They found side doors, weak credentials, trusted insiders, and phishing emails. Once inside the supposedly safe chewy centre, they had extraordinary freedom to move around and cause damage. The perimeter model had a fatal flaw baked into its very design: it confused location with trustworthiness.

Who Invented Zero Trust, and Why

The story begins in 2008, when a security analyst named John Kindervag joined Forrester Research, one of the world’s most respected technology research firms. Kindervag was a blunt, practical thinker who had spent years working in network security and grown increasingly frustrated with the industry’s assumptions.

He noticed something that seems obvious in hindsight but had rarely been articulated clearly. The old perimeter model did not actually verify anything about the users or devices inside the network. It just trusted them. And the basis for that trust was simply their physical or network location — a fact that told you almost nothing about whether they were actually safe to trust.

He also noticed that the phrase the industry used to describe its security posture — “trust but verify” — was, in his view, dishonest. The phrase comes from a Russian proverb that US President Ronald Reagan famously borrowed during nuclear disarmament negotiations with the Soviet Union in the 1980s. The implication was that you verify first, and then decide whether to extend trust. But in practice, Kindervag observed that most organisations trusted a great deal and verified almost nothing.

📌 The Landmark Paper
On September 14, 2010, Forrester Research published Kindervag’s landmark paper: “No More Chewy Centers: Introducing the Zero Trust Model of Information Security.” The paper argued that the entire concept of a trusted internal network needed to be abandoned. In its place, Kindervag proposed a model built on a single, uncompromising principle: never trust, always verify.

The title came from the M&M analogy that had become standard in security culture. Kindervag’s argument was that security professionals needed to eliminate the soft chewy centre entirely — not just harden the outside shell. Security had to be present everywhere in the network, not just at the perimeter.

The Case That Started it All: Philip Cummings

The paper opened with a real case that illustrated the problem perfectly. In 2004, a man named Philip Cummings orchestrated what the FBI described as the largest identity theft case it had ever investigated. Cummings worked as a helpdesk employee at a company called TeleData Communications. He had legitimate, trusted access to credit report information for thousands of customers. He sold that access to fraudsters for sixty dollars a time, leaking 30,000 customer records. He even left a hidden mechanism in place so the data leaks continued for two years after he left the company. He was an insider. He was trusted. And that trust cost his victims everything.

💡 Kindervag’s Conclusion
Trust is a vulnerability. Remove it from the equation.

So What Exactly is Zero Trust?

At its most fundamental level, Zero Trust is a security philosophy built on one sentence: never trust, always verify.

It sounds simple. The implications are profound. Zero Trust means that no user, no device, no application, and no network connection is ever automatically trusted — regardless of who they are, where they are, or whether they have been granted access before. Every single request to access a resource must be verified, every time, before access is granted.

Think of it this way. In the traditional model, once you show your ID at the front door of a building, you can walk into any room you like. In a Zero Trust model, every room has its own lock. Every door requires a new verification. Even if you have been in the building for years, you still have to prove who you are and why you need access each time you want to enter a new space.

Zero Trust is not a product you can buy off a shelf. It is not a piece of software or a specific technology. It is an architecture, i.e., a way of designing and operating your entire security posture, built around the assumption that threats exist both inside and outside your network at all times.

The core principle is paired with a second, equally important assumption: assume breach. Zero Trust organisations operate as though attackers have already gotten in. This sounds alarming, but it is actually a far more honest and effective way to design security. If you assume a breach has occurred or will occur, you build systems that limit what an attacker can do even when they are inside.

💡 Key Insight
The attacker who gets through your front door finds not a chewy centre, but dozens of locked rooms they cannot access.

The Three Pillars of Zero Trust

Zero Trust rests on three foundational principles. Understanding these is essential before understanding how it is implemented.

Pillar 1: Verify Every User and Device, Every Single Time

In a Zero Trust environment, authentication is not a one-time event. It is continuous. Every time a user or device attempts to access a resource, such as an application, a database, a file, or a system, their identity and the health of their device must be verified again. This typically involves multi-factor authentication, which requires users to confirm their identity through more than one method simultaneously, such as a password and a biometric scan or a one-time code sent to a trusted device.

The system also checks contextual factors: is this person logging in from a device they normally use? Is the login happening at a normal time of day? Is the device fully patched and compliant with security policies? A sales manager who logs in from their usual laptop at 9am gets a different level of scrutiny than an account that suddenly logs in from a new country at 3am.

Pillar 2: Give People Only the Access They Actually Need

This principle is called least privilege access, and it is one of the most practically impactful ideas in modern security. Every user, application, and system should have access to the absolute minimum set of resources required to do their specific job — nothing more. An accountant does not need access to the engineering department’s source code repository. A customer service representative does not need to see the CEO’s email. By limiting the scope of what every identity can access, you dramatically limit what an attacker can reach even if they successfully compromise that identity. Least privilege also means that access should be time-limited where possible.

Pillar 3: Always Assume You Have Already Been Breached

This pillar changes how organisations think about security fundamentally. Instead of building systems designed to prevent every possible breach — an impossible goal — Zero Trust organisations build systems designed to contain and minimise the damage when a breach occurs. This means creating micro-segmentation: dividing the network into small, isolated zones so that even if an attacker gains access to one zone, they cannot automatically reach any other. It means monitoring all traffic continuously, including traffic inside the network, so that unusual patterns are detected quickly, and designing incident response processes that can isolate a compromised account or device almost immediately.

NIST Stepped in and Made it Official

Kindervag’s ideas had significant influence throughout the 2010s, but Zero Trust remained something of an industry philosophy rather than an official standard. That changed decisively in 2020, when the United States National Institute of Standards and Technology published NIST Special Publication 800-207: Zero Trust Architecture.

NIST, for readers who may not be familiar with it, is a US government agency within the Department of Commerce. It does not invent security concepts. What it does, with enormous global authority, is formalise them into rigorous, vendor-neutral frameworks that governments, regulators, and enterprises around the world use as the basis for their own security policies. A NIST publication carries weight in boardrooms and government agencies from Washington to Wellington to Winnipeg.

NIST SP 800-207 took Kindervag’s philosophy and translated it into a concrete architecture with specific logical components, defined roles, and an implementation roadmap that organisations of any size could follow. It established seven core tenets of Zero Trust, defining how data sources must be treated as resources, how all communication must be secured regardless of network location, how access must be granted per-session and on a per-resource basis, and how the enterprise must continuously collect information to improve its security posture.

📌 Executive Order 14028
In May 2021, the US government made Zero Trust mandatory. President Biden’s Executive Order 14028, “Improving the Nation’s Cybersecurity,” required all US federal civilian agencies to develop and implement Zero Trust Architecture plans aligned with NIST SP 800-207, with a deadline of the end of Fiscal Year 2024. The trigger was the SolarWinds supply chain compromise, which had allowed state-sponsored attackers to access dozens of US government agencies undetected for months — precisely because those agencies had trusted their internal networks.

The ripple effect of that executive order extended well beyond the United States. The UK, Australia, Canada, the European Union, and a number of other governments and regulatory bodies have all developed their own Zero Trust frameworks in the years since, largely aligning with the NIST model.

To answer the question directly: Zero Trust is not a certifiable standard in the way that ISO 27001 is. You cannot obtain a “Zero Trust certificate.” But NIST SP 800-207 is the authoritative, internationally referenced framework for what Zero Trust Architecture means and how it should be implemented. For practical purposes, it functions as the global standard.

How Google Proved Zero Trust Works at Scale

Theory is valuable. Proof at scale is convincing. The most compelling real-world proof that Zero Trust works came from Google, and it was born out of a crisis.

In 2009, Google was hit by a sophisticated state-sponsored cyberattack that became known as Operation Aurora. The attack targeted the Gmail accounts of human rights activists and stole intellectual property from Google and over thirty other major organisations including Adobe, Akamai, and several US defence contractors. Google disclosed the breach in January 2010 and promptly made a decision that most organisations would never contemplate: they scrapped their entire internal security architecture and started over.

The result was a project called BeyondCorp. Rather than trying to patch the perimeter model that had failed them, Google eliminated the concept of the corporate network perimeter entirely. They moved all internal applications onto the public internet, where they are accessible to anyone but protected by rigorous identity and device verification that happens before any access is granted. An employee working from a Google office in California has exactly the same level of network trust as an employee working from a coffee shop in Tokyo. Location is irrelevant. Identity, device health, and access policy are everything.

Google began publishing the BeyondCorp research starting in 2014, sharing the architecture and methodology with the wider security community. It was one thing for Kindervag to argue that Zero Trust was theoretically sound. It was another thing entirely for Google, operating at the scale of tens of thousands of employees across dozens of countries, to demonstrate that it was not only workable but arguably more secure and more convenient than the model it replaced.

💡 The Proof of Concept
Users at Google no longer need a VPN to access internal tools. They simply authenticate as themselves, on a verified device, and access what they are permitted to access, from anywhere. BeyondCorp became the proof-of-concept that the entire security industry had been waiting for.

How Zero Trust Actually Works Inside an Organisation

Understanding Zero Trust in principle is one thing. Understanding what it actually looks like inside a working organisation is another. Let us walk through a typical day.

An employee at a healthcare company in Toronto starts their morning and opens their laptop. The Zero Trust system immediately begins a series of checks before anything else happens. It confirms the user’s identity through multi-factor authentication. It checks the device: is it enrolled in the company’s device management system? Is the operating system fully up to date? Is the hard drive encrypted? Is antivirus running and current? If the device passes these checks, it receives a certificate confirming its compliance status.

The employee now wants to access the patient records system. A request is sent to what NIST calls the Policy Engine — the brain of the Zero Trust architecture. The Policy Engine evaluates the request against a set of rules. Who is this person? What is their role? What device are they on? What time is it? What is the sensitivity of the data they are requesting? Has this person’s behaviour been normal lately? If everything checks out, the Policy Engine issues a decision: grant access, and only to the specific patient records this employee’s role requires.

Meanwhile, the network is segmented into isolated zones. The patient records system sits in one zone. The billing system sits in another. The HR system is in yet another. A connection between zones requires its own separate authorisation. If the employee’s account were compromised, an attacker could not pivot from the patient records zone to the billing system without triggering a new authentication and policy check — one they would almost certainly fail.

Every action the employee takes is logged. The security system watches for anomalies continuously. If at any point the employee’s behaviour deviates from their normal pattern — accessing records at 3am, downloading an unusually large number of files, attempting to access a system they have never touched before — the system can automatically revoke their session and require fresh verification, or escalate an alert to the security team.

💡 In Short
This is Zero Trust in practice: continuous, contextual, and designed to limit damage even when something goes wrong.
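
The walkthrough above, as an added example (not code from this article, NIST, or any vendor): a minimal policy decision function that checks MFA freshness, device posture, least-privilege grants per zone, and deviation from a behavioural baseline on every request. The role names, risk weights, thresholds and sample requests are assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Optional

# All names, weights and thresholds here are constructed for illustration.
# Least privilege: role -> {resource: zone}. Anything not listed is denied.
ROLE_GRANTS = {
    "nurse": {"patient-records": "clinical"},
    "billing-clerk": {"invoices": "billing"},
}
MFA_MAX_AGE = timedelta(hours=8)       # assumed re-authentication window
POSTURE_MAX_AGE = timedelta(hours=24)  # assumed device re-check window
STEP_UP_AT, DENY_AT = 40, 70           # assumed risk-score thresholds

@dataclass(frozen=True)
class Device:
    enrolled: bool
    os_patched: bool
    disk_encrypted: bool
    av_current: bool
    checked_at: datetime

    def compliant(self, now: datetime) -> bool:
        checks = (self.enrolled, self.os_patched, self.disk_encrypted, self.av_current)
        return all(checks) and now - self.checked_at <= POSTURE_MAX_AGE

@dataclass(frozen=True)
class Baseline:
    """What is normal for this identity, learned from past activity."""
    countries: frozenset
    active_hours: range
    resources: frozenset
    records_per_hour: int

@dataclass(frozen=True)
class Request:
    role: str
    resource: str
    zone: str
    at: datetime
    country: str
    mfa_at: Optional[datetime]
    device: Device
    records_last_hour: int = 0

def risk_score(req: Request, base: Baseline):
    """Score deviations from the baseline; return (score, reasons)."""
    checks = [
        (req.country not in base.countries, 40, "unfamiliar country"),
        (req.at.hour not in base.active_hours, 20, "outside normal hours"),
        (req.resource not in base.resources, 20, "resource never used before"),
        (req.records_last_hour > 10 * base.records_per_hour, 40, "bulk access"),
    ]
    hits = [(pts, why) for failed, pts, why in checks if failed]
    return sum(p for p, _ in hits), [w for _, w in hits]

def decide(req: Request, base: Baseline):
    """Evaluate one request; return (decision, reasons)."""
    # 1. Identity: a password alone is never enough, and MFA expires.
    if req.mfa_at is None or req.at - req.mfa_at > MFA_MAX_AGE:
        return "step_up", ["MFA missing or stale"]
    # 2. Device health is re-checked at the point of access.
    if not req.device.compliant(req.at):
        return "deny", ["device not compliant"]
    # 3. Least privilege, per resource and per zone; the default is deny.
    if ROLE_GRANTS.get(req.role, {}).get(req.resource) != req.zone:
        return "deny", ["no grant for this resource in this zone"]
    # 4. Context: deviations from the baseline raise the bar or block.
    score, reasons = risk_score(req, base)
    if score >= DENY_AT:
        return "deny", reasons
    if score >= STEP_UP_AT:
        return "step_up", reasons
    return "allow", reasons

def scenarios():
    """Constructed requests mirroring the walkthrough; name -> (decision, reasons)."""
    nine = datetime(2026, 3, 3, 9, 0)
    three_am = datetime(2026, 3, 4, 3, 0)
    laptop = Device(True, True, True, True, checked_at=nine - timedelta(hours=1))
    base = Baseline(frozenset({"CA"}), range(7, 19),
                    frozenset({"patient-records"}), records_per_hour=20)
    normal = Request("nurse", "patient-records", "clinical", nine, "CA",
                     mfa_at=nine - timedelta(minutes=5), device=laptop)
    night = replace(normal, at=three_am, mfa_at=three_am - timedelta(hours=1),
                    records_last_hour=500)
    cases = {
        "normal morning": normal,
        "password only": replace(normal, mfa_at=None),
        "unpatched laptop": replace(normal, device=replace(laptop, os_patched=False)),
        "pivot to billing": replace(normal, resource="invoices", zone="billing"),
        "3am bulk download": night,
        "3am bulk, new country": replace(night, country="BR"),
    }
    return {name: decide(req, base) for name, req in cases.items()}

if __name__ == "__main__":
    for name, (decision, reasons) in scenarios().items():
        print(f"{name:22} {decision:8} {', '.join(reasons)}")
```

A "step_up" result means the session must re-verify before continuing, which is the point at which a stolen password without the second factor stops being useful.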

Zero Trust vs VPN: What is the Difference?

The VPN, or Virtual Private Network, was the defining remote access technology of the 2000s and 2010s. It creates an encrypted tunnel between a remote worker’s device and the corporate network. Once connected, the remote worker effectively appears to be inside the office, on the trusted internal network, with access to internal resources.

The VPN solved a real problem elegantly for its era. But it was designed for a world where the perimeter was real, the internal network was safe, and remote workers were the exception rather than the rule. In 2026, none of those things are true.

The fundamental problem with VPNs as a primary security control is what happens after connection. A VPN authenticates the user once, at the moment of connection, and then places them inside the trusted internal network. From that point forward, the attacker who has stolen that user’s VPN credentials has exactly the same access to the internal network as the legitimate employee. The VPN cannot tell the difference. And because corporate VPNs typically grant broad network access rather than application-specific access, that attacker can move laterally through the network with frightening ease.

Zero Trust Network Access (ZTNA), the technology that implements Zero Trust for remote connectivity, works very differently. Rather than creating a tunnel into the network, ZTNA grants access only to the specific application or resource being requested. The user never touches the broader network. They are authenticated continuously, not just at login. If their credentials are stolen, the attacker gets access to one application, not an entire network. The blast radius of any single compromise is dramatically smaller.

| Feature | VPN | Zero Trust (ZTNA) |
| --- | --- | --- |
| Authentication | Once, at connection | Continuous, every request |
| Access scope | Broad network access | Application-specific only |
| Impact of stolen credentials | Attacker gains full network access | Attacker gains access to one application |
| Lateral movement risk | High | Minimal |

VPNs are not entirely obsolete — they still have specific use cases and can be part of a layered security approach — but they are no longer sufficient as the primary mechanism for securing remote access in a modern organisation.

Real Examples of Zero Trust in Action

Beyond Google’s BeyondCorp, Zero Trust principles have shaped some of the most significant security responses of the past decade.

The US federal government’s response to the SolarWinds attack is perhaps the clearest example of Zero Trust becoming policy at the highest level.

SolarWinds was a supply chain attack in which attackers compromised a software update from a widely used IT management tool. Because thousands of organisations, including multiple US government agencies, automatically trusted updates from this vendor, the attackers were able to install malicious code that gave them persistent access to internal systems for months. The resulting Executive Order 14028 directly cited the need for Zero Trust Architecture as the response.

Microsoft, which was itself compromised in the SolarWinds attack, has since moved its entire enterprise toward Zero Trust principles and publicly documented the journey. Microsoft’s implementation covers 220,000 employees across 600 offices in 191 countries, making it one of the largest Zero Trust deployments in existence.

At a smaller scale, organisations across healthcare, finance, and critical infrastructure have found that Zero Trust dramatically reduces the impact of credential theft, ransomware, and insider threats. When every zone of the network requires its own verification, ransomware that encrypts one department’s files cannot automatically spread to other departments.

How to Start Implementing Zero Trust in 2026

Zero Trust implementation is a journey, not a single project. Most organisations approach it through a phased maturity model, and NIST SP 800-207 provides a helpful framework for thinking about this progression.

Step 1: Define Your Protect Surface

The first and most important step is understanding what you are protecting. Before you can apply Zero Trust principles, you need to identify your most sensitive data, your most critical applications, and your most privileged users. Kindervag himself has long argued that organisations should start by defining their “protect surface” — not the entire network, but the specific high-value assets that most need protection.

Step 2: Secure Identity First

Identity is the foundation of everything that follows. Implementing strong multi-factor authentication across all users and systems is the highest-impact single step any organisation can take toward Zero Trust.

💡 Key Statistic
Microsoft’s security research consistently shows that MFA blocks over 99% of automated credential attacks.

Step 3: Manage and Verify Devices

Every device accessing your resources should be enrolled in a Mobile Device Management system, verified for compliance at the point of access, and monitored continuously. Devices that fall out of compliance should automatically have their access restricted until compliance is restored.

Step 4: Segment the Network and Replace VPN Access

From there, organisations move toward network micro-segmentation, replacing broad VPN access with application-specific Zero Trust Network Access, and building out the monitoring and analytics capability needed to detect anomalous behaviour in real time. This is a multi-year journey for most organisations. The important thing is to begin.

Does Your Business Actually Need Zero Trust?

A common misconception, particularly among small and medium business owners, is that Zero Trust is an enterprise-grade framework reserved for governments and corporations with thousands of employees and vast security budgets. This is simply not true, and the persistence of this belief is leaving smaller organisations unnecessarily exposed.

The scale of Zero Trust implementation can and should match the scale of the organisation. A small accounting firm in Melbourne is not going to build a Security Operations Centre or deploy a dedicated Zero Trust Network Access platform on day one. But that same firm can implement multi-factor authentication for every user today, adopt least privilege principles in how they assign access rights, ensure every device is managed and compliant before it accesses client data, and use a modern identity provider that applies contextual access policies automatically.

Cloud-native tools have made this dramatically more accessible. Microsoft Entra ID, Google Workspace, Okta, and similar identity and access management platforms offer Zero Trust-aligned features including conditional access policies, device compliance checking, and continuous authentication that organisations of any size can adopt without building custom infrastructure.

💡 The Real Question
The question for any business, regardless of size, is not whether Zero Trust is relevant to them. It is which Zero Trust principles they can implement today, with the resources they have.

Where Zero Trust is Heading in 2026 and Beyond

Zero Trust is not a finished idea. It is actively evolving, and the direction of that evolution is being shaped by three major forces.

Force 1: Artificial Intelligence

AI is transforming what continuous monitoring actually means in a Zero Trust environment. Traditional monitoring looks for known patterns of malicious behaviour. AI-driven security systems can build a behavioural baseline for every user and device across millions of data points and detect deviations that no human analyst would ever notice. AI makes the “assume breach” pillar of Zero Trust genuinely actionable at scale.

Force 2: Post-Quantum Cryptography

Quantum computing poses a long-term but serious threat to the encryption that underlies all of our current security infrastructure. NIST has already released its first post-quantum cryptographic standards, and forward-looking organisations are beginning to incorporate them into their Zero Trust implementations. The reasoning follows the “harvest now, decrypt later” threat model: rather than waiting for a quantum breach to occur, you architect your security today to withstand the threats of tomorrow.

Force 3: Market Growth

The global Zero Trust security market was valued at approximately 37 billion US dollars in 2025 and is projected to reach nearly 183 billion dollars by 2035, growing at a compound annual rate of over 17 percent. This level of investment is driving rapid innovation in Zero Trust tools, making sophisticated capabilities available to a much broader range of organisations than could access them even three years ago.

Common Misconceptions About Zero Trust

Several persistent myths about Zero Trust are worth addressing directly, because they often become excuses for inaction.

Misconception 1: Zero Trust Means Trusting Nobody, Including Employees

This misreads the principle entirely. Zero Trust does not mean treating your employees as suspects. It means that the organisation’s security architecture does not rely on implicit trust that can never be revoked or questioned. Employees are still granted the access they need to do their jobs. The difference is that access is explicitly verified and contextually appropriate, rather than assumed by default.

Misconception 2: Zero Trust Requires Replacing All Infrastructure at Once

Most successful Zero Trust implementations are incremental, layered on top of existing systems and expanded over time. NIST SP 800-207 explicitly acknowledges that most enterprises will exist in a hybrid state during a transition that could take years.

Misconception 3: Zero Trust Architecture Is Purely a Technology Solution

Zero Trust also requires changes in how organisations think about access, how they train their people, and how they design their business processes. Technology enables Zero Trust. Culture and policy sustain it.

Conclusion: What Is the Zero Trust Security Model?

Return for a moment to the company in Sydney we described at the beginning. The one with the firewall, the antivirus, the VPN, and the attacker who moved freely for eleven days. Under a Zero Trust architecture, that scenario looks very different. The stolen credentials alone are not enough to grant access — multi-factor authentication would have stopped the attacker at the door.

If somehow they passed that check, every subsequent attempt to access a new system or zone would require fresh verification against a policy engine that would find the access request unusual. The lateral movement that made the breach so damaging would be blocked not by a bigger wall on the outside, but by dozens of verification points on the inside.

Zero Trust does not promise that breaches will never happen. It promises that when they do, the damage will be contained, detected faster, and resolved more quickly. That is not a marketing claim. It is an architectural reality backed by NIST standards, proven at Google’s scale, mandated by the United States government, and adopted by security-conscious organisations on every continent.

🔑 Key Points
  • Zero Trust is built on one principle: never trust, always verify. No user, device, or connection is automatically trusted.
  • It rests on three pillars: continuous verification, least privilege access, and assuming breach has already occurred.
  • NIST SP 800-207 (2020) formalised Zero Trust into the global reference architecture, mandated for US federal agencies by Executive Order 14028 in 2021.
  • Google’s BeyondCorp proved Zero Trust works at enterprise scale, eliminating the need for VPNs entirely.
  • ZTNA replaces broad VPN network access with application-specific, continuously verified access, shrinking the blast radius of any breach.
  • Zero Trust scales to organisations of any size: MFA, least privilege, and device compliance are accessible starting points for any business.

The question for your organisation is not whether zero trust architecture is relevant. It is where you start.

If this post has introduced you to ideas you want to explore further, we recommend reading our post on post-quantum cryptography to understand how Zero Trust and quantum-resistant encryption are converging into the security architecture of the next decade. And if you want to understand the broader threat landscape that makes Zero Trust so urgent, our analysis of the World Economic Forum’s Global Risk Report 2026 is a good place to continue.


FAQs

Is Zero Trust a product you can buy?
No. Zero Trust is not a single product. It is a cybersecurity framework and security philosophy. Many vendors offer tools that support Zero Trust, such as identity platforms, endpoint security tools, and network access solutions, but buying one tool does not mean an organization has fully implemented Zero Trust.

What is the difference between Zero Trust and a VPN?
A VPN usually authenticates a user once and then gives access to a wider trusted network. Zero Trust verifies identity, device health, and access needs continuously. It gives users access only to the specific application or resource they need, which helps reduce the damage caused by stolen credentials.

Is Zero Trust only for large enterprises?
No. Zero Trust is useful for organizations of all sizes. Small businesses can also apply Zero Trust principles such as multi-factor authentication, least privilege access, device compliance, and continuous monitoring. Many cloud-based tools now make Zero Trust easier to adopt without large infrastructure costs.

What does NIST SP 800-207 mean for my business?
NIST SP 800-207 is an important standard for Zero Trust Architecture. It provides a vendor-neutral blueprint for implementing Zero Trust correctly. It is especially important for organizations working with US government agencies, but it is also useful for any business that wants a trusted Zero Trust implementation guide.

How long does it take to implement Zero Trust?
Zero Trust is not usually implemented in one step. Basic controls such as multi-factor authentication and least privilege access can be introduced within weeks. More advanced Zero Trust maturity, including micro-segmentation, continuous monitoring, and stronger encryption, may take months or years depending on the organization.

Is Zero Trust the same as Zero Knowledge?
No. Zero Trust and Zero Knowledge are different concepts. Zero Trust is a cybersecurity architecture that removes automatic trust from users, devices, and networks. Zero Knowledge is a cryptographic concept where one party can prove something without revealing the actual secret or information.