Zero-trust security architecture moved from NIST theory (SP 800-207, published in August 2020) to practical implementation guidance in 2021. The SolarWinds supply-chain attack and the US executive order on improving the nation's cybersecurity (EO 14028, May 2021), which directs federal agencies towards zero-trust architecture, accelerated adoption.

The zero-trust principle

Zero trust replaces the network perimeter model ('trust everything inside the firewall') with a policy model ('never trust, always verify'). Every access request is authenticated, authorised, and encrypted regardless of network location. An attacker who breaches the perimeter gains nothing from network position alone: each resource, each API, and each database connection requires a verified identity and explicit authorisation.

Identity as the new perimeter

In zero trust, identity is the control plane. Every user, service, and device has an identity. Access is governed by policies that evaluate identity, device health, resource, and context (time, location, risk score), and a request that no policy explicitly grants is denied. Microsoft Entra ID (formerly Azure AD), Okta, and Google BeyondCorp implement this identity-centric access model. The implementation starts with strong authentication (MFA everywhere, with phishing-resistant methods such as FIDO2 hardware keys for privileged access, since SMS codes and push approvals can be phished or fatigued) and identity-based policies on every resource.
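To make the 'never trust, always verify' evaluation concrete, here is a small policy decision point added as an example for this article. It is not code from Entra ID, Okta or BeyondCorp; the request and rule shapes, field names and sample identities are invented for illustration. It keeps two properties real engines share: a request with no applicable rule is denied (default deny), and when several rules apply, every one of them must be satisfied (the most restrictive control wins, as Entra Conditional Access does when multiple policies match).

```python
"""Minimal zero-trust policy decision point (PDP).

Added illustration, not a vendor product. Rule and request fields are
assumptions made for this example; a real engine expresses the same
controls (identity, authentication strength, device health, risk,
location) in its own configuration language.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    subject: str            # authenticated identity (user or workload)
    groups: frozenset       # group claims issued by the identity provider
    auth_strength: str      # "password", "otp" or "fido2" (phishing-resistant)
    device_managed: bool    # enrolled in device management
    device_compliant: bool  # passes the current health/compliance checks
    resource: str
    action: str
    risk_score: int         # 0..100 from a risk engine, higher is riskier
    country: str


@dataclass(frozen=True)
class Rule:
    resource: str
    action: str
    groups: frozenset                    # any of these groups makes the rule apply
    min_auth: str = "otp"
    require_compliant_device: bool = True
    max_risk: int = 50
    allowed_countries: frozenset = frozenset()   # empty means any country


# Ordering of authentication strengths; a rule's min_auth is a floor.
AUTH_RANK = {"password": 0, "otp": 1, "fido2": 2}


def evaluate(req, rules):
    """Return (decision, reason) for a request.

    Default deny: with no applicable rule the request is refused. When
    several rules apply, all of their controls must hold (most restrictive
    wins), so adding a rule can only tighten access, never loosen it.
    """
    applicable = [
        r for r in rules
        if r.resource == req.resource and r.action == req.action
        and req.groups & r.groups
    ]
    if not applicable:
        return "deny", "no applicable rule (default deny)"

    for rule in applicable:
        if AUTH_RANK[req.auth_strength] < AUTH_RANK[rule.min_auth]:
            return "deny", f"authentication too weak: need {rule.min_auth}"
        if rule.require_compliant_device and not (req.device_managed and req.device_compliant):
            return "deny", "device is not managed and compliant"
        if req.risk_score > rule.max_risk:
            return "deny", f"risk score {req.risk_score} exceeds {rule.max_risk}"
        if rule.allowed_countries and req.country not in rule.allowed_countries:
            return "deny", f"location {req.country} not permitted"
    return "allow", f"{len(applicable)} rule(s) satisfied for {req.resource}:{req.action}"


# Constructed sample policy: SREs may read the production database only with
# a phishing-resistant factor, a healthy managed device and low session risk.
RULES = [
    Rule("prod-db", "read", frozenset({"sre"}), min_auth="fido2", max_risk=30),
    Rule("wiki", "read", frozenset({"staff"}), require_compliant_device=False),
]


def sample_request(**overrides):
    """Constructed baseline request; overrides model the variations below."""
    base = dict(subject="alice", groups=frozenset({"sre", "staff"}),
                auth_strength="fido2", device_managed=True, device_compliant=True,
                resource="prod-db", action="read", risk_score=10, country="GB")
    base.update(overrides)
    return Request(**base)


if __name__ == "__main__":
    for variant in ({}, {"auth_strength": "otp"}, {"risk_score": 60},
                    {"groups": frozenset({"staff"})}):
        print(variant, evaluate(sample_request(**variant), RULES))
```

Note that the reason string is returned to the caller, not to the requester: in a real deployment the detailed denial reason belongs in the audit log, while the user sees a generic message, so an attacker probing with a stolen password cannot learn which control stopped them.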

Microsegmentation in networks

Zero trust at the network layer uses microsegmentation: each workload is isolated by default, and explicit policies define permitted communication paths. In Kubernetes, NetworkPolicy objects define which pods can communicate; a pod selected by no policy accepts all traffic, so segmentation starts with a default-deny policy in each namespace and then adds explicit allow rules. At the cloud level, Azure Virtual Network service endpoints, Private Endpoints, and NSG rules (or their equivalents on other providers) restrict lateral movement. The SolarWinds attack succeeded partly because the compromised build system had broad network access to production systems; microsegmentation would have limited the blast radius.
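The Kubernetes NetworkPolicy rules that matter most in practice are easy to get wrong: a pod with no policy selecting it is wide open, and once any policy selects it, only traffic matching some policy's ingress rules gets through (policies are additive allow-lists, never deny-lists). The following example, added for this article and not taken from Kubernetes or any CNI plugin, reproduces those documented ingress semantics in plain Python so the default-deny pattern can be checked offline. The policies are written as dictionaries in the shape of the YAML manifests; pod names, namespaces and labels are constructed, and ipBlock peers and egress are not modelled.

```python
"""Model of Kubernetes NetworkPolicy ingress semantics (added example).

This is not the kube-apiserver or a CNI plugin; it implements the rules
from the NetworkPolicy documentation so a policy set can be reasoned about
without a cluster. Policies below mirror YAML manifest structure.
"""


def selector_matches(selector, labels):
    """matchLabels semantics: an empty selector ({}) matches every pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _port_matches(ports, port, protocol):
    # A rule with no 'ports' entry matches all ports; protocol defaults to TCP.
    if not ports:
        return True
    return any(p.get("port") == port and p.get("protocol", "TCP") == protocol
               for p in ports)


def _peer_matches(peer, src, policy_ns):
    pod_sel = peer.get("podSelector")
    ns_sel = peer.get("namespaceSelector")
    if pod_sel is None and ns_sel is None:
        return False  # ipBlock-only peers are not modelled here (assumption)
    if ns_sel is None:
        # podSelector alone only matches pods in the policy's own namespace.
        if src["namespace"] != policy_ns:
            return False
    elif not selector_matches(ns_sel, src["ns_labels"]):
        return False
    return pod_sel is None or selector_matches(pod_sel, src["labels"])


def ingress_allowed(policies, src, dst, port, protocol="TCP"):
    """Return True if traffic from src to dst on port is admitted.

    * dst selected by no policy in its namespace: everything is allowed.
    * dst selected by at least one policy: allowed only if some policy's
      ingress rule matches both the port and a 'from' peer (additive).
    * a selecting policy with ingress: [] contributes nothing (default deny).
    """
    selected = False
    for pol in policies:
        if pol["namespace"] != dst["namespace"]:
            continue
        spec = pol["spec"]
        # Simplification: policyTypes defaults to ["Ingress"] when omitted.
        if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
            continue
        if not selector_matches(spec["podSelector"], dst["labels"]):
            continue
        selected = True
        for rule in spec.get("ingress", []):
            if not _port_matches(rule.get("ports"), port, protocol):
                continue
            peers = rule.get("from")
            if peers is None:      # rule with no 'from' admits every source
                return True
            if any(_peer_matches(peer, src, pol["namespace"]) for peer in peers):
                return True
    return not selected


# Constructed policy set for namespace "prod": deny everything, then allow
# only the API tier to reach the database on its port.
POLICIES = [
    {"namespace": "prod", "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
                                   "ingress": []}},
    {"namespace": "prod", "spec": {
        "podSelector": {"matchLabels": {"app": "db"}},
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "api"}}}],
                     "ports": [{"port": 5432}]}]}},
]

# Constructed pods; ns_labels are the labels on the pod's namespace object.
API = {"namespace": "prod", "labels": {"app": "api"}, "ns_labels": {"env": "prod"}}
DB = {"namespace": "prod", "labels": {"app": "db"}, "ns_labels": {"env": "prod"}}
BUILD = {"namespace": "ci", "labels": {"app": "builder"}, "ns_labels": {"team": "ci"}}
LEGACY = {"namespace": "staging", "labels": {"app": "legacy"}, "ns_labels": {}}

if __name__ == "__main__":
    print("api -> db:5432  ", ingress_allowed(POLICIES, API, DB, 5432))
    print("build -> db:5432", ingress_allowed(POLICIES, BUILD, DB, 5432))
    print("api -> db:22    ", ingress_allowed(POLICIES, API, DB, 22))
    print("build -> legacy ", ingress_allowed(POLICIES, BUILD, LEGACY, 22))
```

The last case is the one to watch: the staging namespace has no policy at all, so the build system can reach LEGACY on any port. Microsegmentation is only as complete as the set of namespaces carrying a default-deny policy.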

Practical starting points

Zero trust is a direction, not a product. Practical starting points: enable MFA for all user accounts (the single highest-impact security improvement), implement conditional access policies for application access, replace VPN access with identity-aware proxies (BeyondCorp Enterprise, Zscaler, Cloudflare Access), enforce mTLS for service-to-service communication in Kubernetes via a service mesh, and use managed identities instead of long-lived service-account passwords and secrets.