Zero Trust: never trust, always verify

Zero Trust as a security strategy, not a product: the NIST SP 800-207 principles (never trust always verify, assume breach, least privilege), the Policy Decision Point / Policy Enforcement Point / Trust Algorithm architecture, Continuous Adaptive Trust that re-evaluates the session throughout its life, why identity is the control plane, and the common myths.

The idea that reorganizes everything before it

This module built up the machinery of access: how you prove identity (factors, MFA, biometrics), how one login spreads across apps (SSO), and how the resulting session is held and defended (session management). Zero Trust is the strategy that ties all of it together and tells you how much to trust any of it, and when.


For decades security ran on a perimeter model: build a strong wall (the firewall), and treat anything inside as trusted. Once you were on the corporate network, you were largely free to move. That model died on contact with reality — cloud, remote work, SaaS, mobile, and contractors erased the “inside,” and attackers learned that breaching the perimeter once gave them a trusted run of everything behind it. Zero Trust is the response: stop trusting the network, and verify every access explicitly.


This is the capstone of the module and a strategic article. It is less about a single protocol and more about a way of thinking that recomposes factors, SSO, and sessions into one coherent posture. The canonical reference is NIST SP 800-207, complemented by the CISA Zero Trust Maturity Model.


The principles (NIST SP 800-207)

Zero Trust is often sloganized, but the substance is three disciplined principles.


Never trust, always verify

No request is trusted because of where it comes from. Being on the corporate LAN, on the VPN, or behind the firewall grants nothing. Every access — user to app, service to service, even inside the datacenter — is authenticated and authorized explicitly, on its own merits, using identity, device, and context. Trust is never inherited from the network.


Assume breach

Design as if an attacker is already inside. This flips the mindset from “keep them out” to “limit what they can do once in.” It drives segmentation (a breach in one place doesn’t spread), least privilege (a compromised account can reach little), rich logging (you can see the intruder), and short-lived, re-verified access (a foothold decays instead of persisting). You stop betting everything on a wall that will eventually be breached.


Least privilege

Every identity — human or workload — gets the minimum access needed, for the minimum time. No standing broad grants “just in case.” This is the same least-privilege principle that governs authorization and PAM, applied as a default posture: access is narrow, scoped, and expires. It is what makes “assume breach” survivable — if privileges are minimal, a compromise is contained by design.



The seven tenets, made concrete

NIST SP 800-207 doesn’t stop at slogans — it lists seven tenets that turn “never trust, always verify” into testable requirements. Paraphrased, and worth knowing because auditors and architects reference them by number:


  1. All data sources and computing services are resources. There is no privileged “trusted zone” of things that don’t need protection — every asset is in scope.
  2. All communication is secured regardless of network location. Being on the internal network changes nothing; traffic is authenticated and encrypted the same inside as outside.
  3. Access is granted per-session. A grant to one resource is evaluated on its own and does not automatically extend to the next resource or the next session.
  4. Access is determined by dynamic policy — identity, application, requesting device, and behavioral/environmental attributes — not by a static rule pinned to an IP range.
  5. The enterprise measures the integrity and posture of all assets. Device health is a first-class input; a non-compliant device is a lower-trust device.
  6. All authentication and authorization are dynamic and strictly enforced before access — evaluated continuously, not once, and enforced before the resource is reached.
  7. The enterprise collects telemetry on assets, infrastructure, and communications, and uses it to improve posture. Monitoring is not optional; it is the feedback loop that makes the Trust Algorithm smarter.

Read tenets 3 and 6 together and you get the operational essence: per-session, evaluated fresh, every time. Read tenet 5 and you see why device posture belongs next to identity in every decision. These seven are the checklist behind the architecture that follows.


The architecture: PDP, PEP, and the Trust Algorithm

NIST SP 800-207 describes Zero Trust with a small, precise set of components. Learning them turns the philosophy into something you can actually build.


  • Policy Enforcement Point (PEP) — the gate in front of a resource. It intercepts each request and enforces the decision: allow, block, or allow-with-conditions. It does not decide; it executes. (A reverse proxy, an identity-aware gateway, a service mesh sidecar.)
  • Policy Decision Point (PDP) — the brain. For each request the PEP forwards, the PDP evaluates policy and returns allow/deny. It is split conceptually into the Policy Engine (runs the decision) and the Policy Administrator (issues/revokes the credentials or session tokens that let the PEP open the gate).
  • Trust Algorithm — the logic inside the PDP that weighs all the signals to reach a verdict: identity and its entitlements, device posture, request context (location, time), behavioral and threat-intelligence inputs. It can be binary or, better, score-based and adaptive — which is exactly the risk-based adaptive authentication idea from the factors article, generalized to every access decision.
  • Policy Information Points (PIPs) — the signal sources the Trust Algorithm reads: the identity provider, a device/EDR posture feed, threat intelligence, SIEM/behavioral analytics, entitlement data.
flowchart LR
  accTitle: Zero Trust policy decision and enforcement loop
  accDescr: A subject makes a request to a resource. The request reaches a Policy Enforcement Point, which forwards it to a Policy Decision Point. The Policy Decision Point runs a Trust Algorithm that reads signals from information points including the identity provider, device posture, context, and threat intelligence. The Trust Algorithm returns a decision of allow, step-up, or deny to the enforcement point, which grants or blocks access to the resource. A continuous re-evaluation arrow loops from the resource session back to the decision point so trust is reassessed as signals change.
  S[Subject: user or workload] --> PEP{Policy Enforcement Point}
  PEP -->|asks| PDP[Policy Decision Point<br/>Trust Algorithm]
  IdP[Identity + entitlements] --> PDP
  DEV[Device posture] --> PDP
  CTX[Context: location, time] --> PDP
  TI[Threat intel + behavior] --> PDP
  PDP -->|allow / step-up / deny| PEP
  PEP -->|granted| R[(Resource)]
  R -. continuous re-evaluation .-> PDP
The Zero Trust decision loop. Every request hits the Policy Enforcement Point, which asks the Policy Decision Point. The PDP's Trust Algorithm weighs live signals from the information points — identity, device posture, context, threat intel — and returns allow, deny, or step-up. Crucially the loop is continuous: trust is re-evaluated as signals change during the session, not decided once at login.

Continuous Adaptive Trust: verification that never stops

The classic weakness of authentication is that it happens once, at the door. Everything after login rides that single decision — which is exactly why a stolen session (SSO article) or a hijacked cookie (session article) is so powerful: it inherits a trust decision made minutes or hours ago, under conditions that may no longer hold.


Continuous Adaptive Trust (CAT) closes that gap. Trust is re-evaluated throughout the session, not frozen at login. The Trust Algorithm keeps watching, and if the picture changes, the decision changes:


  • The user’s location jumps to a new country mid-session → step up or re-authenticate.
  • Their behavior stops matching their profile (the behavioral-biometrics signal from the biometrics article) → raise risk, restrict, or challenge.
  • Their device falls out of compliance — patch missing, EDR disabled — → narrow or cut access immediately.
  • Threat intelligence flags the source IP → block the session in flight.

This is where the whole module converges. Behavioral biometrics feeds CAT silently. Step-up is CAT’s response to rising risk. Short sessions and server-side revocation are what let CAT actually act on a changed verdict. CAT is “always verify” extended from a single instant to the entire lifetime of access — the operational heart of a mature Zero Trust program.


Identity is the control plane

If network location no longer grants trust, something must — and that something is identity. In Zero Trust, the question “should this request be allowed?” is answered primarily from: who is the authenticated subject (user or workload), what are they entitled to, what is their device posture, and what is their real-time risk. Identity is the one signal present in every access decision.


That makes the identity provider and its policy engine the primary enforcement point — the control plane of the architecture. It is why this entire domain matters so much: strong authentication (factors, MFA, phishing-resistant passkeys), federated access (SSO) hardened against blast radius, and well-managed sessions are not separate topics — they are the substrate Zero Trust runs on. Weak identity means weak Zero Trust, no matter how much is spent on network tooling. This is the meaning of the industry phrase “identity is the new perimeter”: the boundary you defend is no longer the network edge, it is the identity making each request.



ZTNA: what replaces the trusted VPN

The most visible product-level expression of Zero Trust is ZTNA — Zero Trust Network Access, and contrasting it with the classic VPN makes the whole strategy concrete.


A traditional VPN is a perimeter tool in disguise: once you authenticate to it, you are placed on the network and can typically reach a broad range of internal resources — implicit trust granted by a single login, exactly the model Zero Trust rejects. If an attacker steals VPN credentials, they inherit that broad reach.


ZTNA inverts this. Instead of putting you on the network, it brokers per-application access through a policy-checked gateway (a PEP), granting a connection to one resource only after the PDP evaluates identity, device posture, and context for that request. Key differences:


  • Application-level, not network-level. You reach the specific app you’re authorized for, never a flat network segment.
  • Resources stay dark. Applications aren’t exposed on the network; they’re reachable only through the broker, shrinking the attack surface an intruder can even see.
  • Continuously evaluated. Access can be narrowed or cut mid-session as posture changes — the CAT idea in action — whereas a VPN tunnel, once up, is trusted until it drops.

ZTNA is often delivered as part of a SASE (Secure Access Service Edge) platform, but remember the myth ahead: ZTNA is a component that applies Zero Trust to remote access, not Zero Trust itself.


Where to start: a pragmatic adoption path

Because Zero Trust is a journey, the practical question is never “how do we finish?” but “where do we start, and in what order?” A defensible sequence, consistent with the CISA maturity model:


  1. Inventory. You cannot protect what you cannot see — enumerate identities (human and non-human), devices, and the applications/data they reach. This is tenet 1 in practice.
  2. Fix identity first. MFA everywhere, phishing-resistant factors for privileged and admin access, and consolidation onto a strong IdP. This is the highest-leverage move because identity is the control plane.
  3. Bring in device posture. Feed device health/compliance into access decisions so an unmanaged or vulnerable device is treated as lower-trust.
  4. Enforce least privilege. Trim standing access, adopt just-in-time elevation, and scope entitlements — shrinking the blast radius that “assume breach” is designed around.
  5. Segment and broker access. Replace flat network trust with per-application access (ZTNA) and micro-segmentation so a foothold cannot spread.
  6. Instrument and adapt. Wire telemetry into monitoring and ITDR, and turn the Trust Algorithm from static rules toward continuous, risk-based evaluation.

The order matters: teams that start at step 5 (buy a segmentation appliance) while skipping step 2 (fix identity) get the label of Zero Trust without the protection — the exact failure mode the myths below describe.


Common myths

Zero Trust is one of the most misused terms in security. Clearing the myths is part of understanding it.


  • “Zero Trust is a product you buy.” The biggest myth. No vendor ships Zero Trust in a box. It is a strategy and architecture assembled from identity, device posture, policy, segmentation, and monitoring. A product can be a component; none is the whole.
  • “Zero Trust is one technology.” It is not micro-segmentation alone, nor a ZTNA gateway alone, nor MFA alone. It is a coherent combination guided by principles and a maturity model — remove identity, or monitoring, or least privilege, and it stops being Zero Trust.
  • “Zero Trust means trusting nothing / no usability.” It means removing implicit, unearned trust — not making systems unusable. Done well it is often smoother: when risk is low, verification is invisible (a passkey, a compliant device pass silently); friction appears only when risk rises. Trust is earned per-request, not abolished.
  • “It’s a project you finish.” Zero Trust is a journey measured by maturity, not a box to check. The CISA Zero Trust Maturity Model frames it across pillars (identity, devices, networks, applications, data) that advance from traditional to optimal over time. You mature it; you don’t complete it.
  • “Zero Trust replaces the firewall / VPN entirely on day one.” It changes their role and reduces reliance on them, but adoption is incremental — you segment, add identity-aware access, and retire flat network trust gradually, not in a single cutover.


Micro-segmentation and the blast radius

“Assume breach” needs a mechanism, and micro-segmentation is the main one at the network and workload layer. The old model was a flat internal network: breach one machine and you could reach thousands. Micro-segmentation divides the environment into small, individually policed zones — ideally down to per-workload — so that reaching one thing does not grant reach to the next.


The effect is to shrink the blast radius. An attacker who compromises a single server finds that lateral movement — the technique behind nearly every large breach — is blocked by policy at each hop, and each hop must itself pass identity and posture checks. Combined with least privilege on identities, segmentation turns a foothold from a launchpad into a dead end. This is the network-side complement to everything the identity control plane does: identity decides who, segmentation limits how far.


Zero Trust for workloads and non-human identities

Zero Trust is usually taught with a human user in mind, but most access in a modern system is machine to machine — services, containers, functions, scripts, and increasingly AI agents calling each other. These non-human identities (NHIs) now vastly outnumber humans, and the same principles apply without exception: every service call is authenticated and authorized explicitly, granted least privilege, and never trusted merely for originating “inside the cluster.”


In practice this means workloads get strong, verifiable identities rather than shared secrets in config files — standards like SPIFFE/SPIRE, cloud workload identity (managed identities, IAM roles), and short-lived, automatically rotated credentials instead of long-lived API keys. The Trust Algorithm evaluates a service’s identity and posture just as it would a user’s. This is the bridge to the PAM & NHI domain later in the curriculum: as human authentication hardens, attackers pivot to the softer, more numerous machine identities — and Zero Trust has to cover them too, or it has a gap exactly where the volume is.


Where Zero Trust sits among the frameworks

Zero Trust is not an island — it connects to the guidance security teams already answer to, and naming those links helps you position it with leadership. NIST SP 800-207 is the architectural reference; the CISA Zero Trust Maturity Model turns it into pillars and maturity stages for practical assessment; and the US federal mandate (OMB M-22-09) pushed agencies onto Zero Trust timelines, which is much of why the term went mainstream. The DoD Zero Trust Reference Architecture adds a defense-grade breakdown of capabilities.


It also complements rather than replaces the frameworks from the wider curriculum. Zero Trust is a strategy for access; NIST CSF frames the whole risk program around it; ISO 27001 governs the management system; least privilege and segmentation show up in nearly every control catalog (CIS Controls, PCI-DSS). Practically, adopting Zero Trust gives you evidence for many access-control requirements at once — a point worth making to a compliance owner, because it reframes the work from “another security project” into “a posture that satisfies obligations you already have.” The same MFA rollout, least-privilege review, and continuous monitoring that advance your maturity also produce audit evidence for access control, authentication, and logging requirements across several of those frameworks simultaneously — one body of work, many boxes checked.


A worked example: assume breach on a Monday

Make “assume breach” concrete. An attacker phishes an employee, Daniel, and steals a valid session. Two worlds respond differently.


  • In the perimeter model: Daniel’s session was on the corporate VPN, so the attacker is now inside, treated as trusted. They move laterally across a flat network, reach systems Daniel never used, and escalate — because being inside meant being trusted. The single stolen session becomes a broad compromise.
  • In a Zero Trust model: every resource the attacker reaches for is re-evaluated per request. The device they’re on isn’t Daniel’s managed, compliant laptop, so posture checks fail or force step-up. His behavior — new locations, unusual resources, odd timing — diverges from his profile, raising the risk score and triggering re-authentication the attacker can’t satisfy. Least privilege means even Daniel’s legitimate access is narrow, and micro-segmentation blocks lateral movement toward anything he didn’t already use. The stolen session is contained close to where it started, and the telemetry lights up for the SOC.

Nothing here assumes the breach was prevented — it assumes it happened and asks how far it gets. That is the entire point of the strategy: not a taller wall, but a building where breaking into one room doesn’t open the rest.


Pitfalls beyond the myths

Even teams that understand Zero Trust in principle stumble on recurring operational traps. Knowing them in advance is most of avoiding them:


  • Friction backlash. Bolt on verification everywhere at once and users revolt, then leadership pulls back and the program stalls. The fix is the adaptive posture: make low-risk access invisible (compliant device + passkey passes silently) so friction appears only when risk rises. Zero Trust done well is felt less, not more.
  • Breaking legitimate access. Aggressive policies that misjudge posture or context can lock out real users and real workloads — a self-inflicted outage. Roll out in monitor-first mode (log what would be blocked) before enforcing, and stage enforcement gradually.
  • Ignoring non-human identities. Teams harden human login and leave service accounts, API keys, and machine identities on old implicit trust — the attacker’s next move. NHIs must be in scope from the start.
  • Policy sprawl. Per-resource, per-context rules multiply into an unmanageable tangle no one fully understands — which becomes its own risk. Centralize policy, express it as code where possible, and review it, so the Trust Algorithm stays comprehensible.
  • Tool-first thinking. Buying products before defining principles, inventory, and identity foundations yields spend without posture — the failure the myths warned about, seen from the operational side.
  • Coverage blind spots. Applying Zero Trust to the shiny new cloud apps while legacy systems, third-party connections, and shadow IT keep their old flat trust. Attackers head straight for the unprotected remainder, so the inventory from step one has to be honest about what’s not yet covered.
  • Declaring victory. Treating a milestone as the finish line and letting posture drift. Zero Trust is maintained continuously or it decays.

The common thread: Zero Trust fails not on the concept but on rollout discipline — adaptive friction, monitor-before-enforce, full identity scope, manageable policy, and sustained attention.


Recap

Zero Trust is the strategy that gives the rest of this module its purpose:


  1. It replaces perimeter trust with explicit, per-request verification — principles: never trust always verify, assume breach, least privilege (NIST SP 800-207).
  2. Its architecture is a PEP (enforces) and a PDP running a Trust Algorithm over signals from PIPs — decision and enforcement, cleanly separated.
  3. Continuous Adaptive Trust re-evaluates trust across the whole session, turning “always verify” from a login moment into a constant — powered by behavioral signals, step-up, short sessions, and revocation.
  4. Identity is the control plane: with the network neutralized, identity decides access, so strong authentication, SSO, and session hygiene are the foundation Zero Trust stands on.
  5. It is a strategy and journey, not a product — the myths all collapse to that one truth.


Three questions to test yourself

  1. Map the module together: for a single “transfer money” request, name which Zero Trust component (PEP, PDP, Trust Algorithm, a PIP) each of these corresponds to — the identity provider’s MFA result, the reverse proxy in front of the API, the risk score, and the device-compliance feed.
  2. A vendor pitches your CISO a “Zero Trust platform” that is essentially a network micro-segmentation appliance. Give three questions that expose whether adopting it alone would actually deliver Zero Trust.
  3. Explain, using Continuous Adaptive Trust, how a Zero Trust system should react differently to a stolen SSO session than a perimeter model would. Which controls from earlier in this module make that reaction possible?

Hands-on exercises

  1. Locate the components in a real stack. For a system you know (even a personal cloud account), identify what plays the PEP (the gate), what plays the PDP (the policy decision), and which signals feed the decision (MFA, device, location). Sketch the request path.
  2. Score your identity maturity. Using the CISA Zero Trust Maturity Model’s Identity pillar, place an organization you know on the traditional → initial → advanced → optimal scale for MFA coverage, least privilege, and continuous evaluation. Name the single highest-impact next step.
  3. Rewrite a perimeter rule as Zero Trust. Take a legacy rule like “anyone on the VPN can reach the internal wiki.” Rewrite it as a per-request, identity-and-device-based policy, and state which PIP signals your Trust Algorithm would need to enforce it.

Frequently asked questions

What is Zero Trust?

Zero Trust is a security strategy that removes implicit trust based on network location and requires every access request to be explicitly verified. Its guiding principles, formalized in NIST SP 800-207, are 'never trust, always verify,' 'assume breach,' and 'least privilege' — access is granted per-request, based on identity, device, and context, not on being inside a corporate network.

What are the PDP and PEP in Zero Trust?

The Policy Enforcement Point (PEP) is the gate that sits in front of a resource and allows or blocks each request. The Policy Decision Point (PDP) is the brain that decides: it runs the Trust Algorithm over signals about the identity, device, and context, and returns an allow/deny to the PEP. The PEP enforces; the PDP decides. Together they replace the old 'inside the firewall means trusted' model.

What is Continuous Adaptive Trust?

Continuous Adaptive Trust (CAT) means trust is re-evaluated throughout a session, not granted once at login. If risk signals change mid-session — a new location, anomalous behavior, a device that falls out of compliance — the system can step up authentication, restrict access, or terminate the session. It extends 'always verify' from a single login moment to the entire lifetime of access.

Why is identity the control plane in Zero Trust?

Because when network location no longer confers trust, the decision of who gets access rests on identity: the authenticated user or workload, their entitlements, their device posture, and their real-time risk. Identity is the one signal present in every access decision, so the identity provider and its policies become the primary enforcement point — the control plane — of a Zero Trust architecture.

Is Zero Trust a product you can buy?

No. Zero Trust is a strategy and an architecture, not a single product or technology. No vendor can sell you 'Zero Trust' in a box; it is achieved by combining strong identity, device posture, least-privilege policy, segmentation, and continuous monitoring, guided by a maturity model. Treating it as a product to purchase is the most common and most damaging misconception.