Architecture

Zero Trust

Zero Trust is a security model that assumes no implicit trust based on network location and instead verifies every access request against identity, device posture, and context before granting least-privilege access.

Last reviewed 5/30/2026

Key points

  • The shorthand is 'never trust, always verify' — replacing the old perimeter model.
  • Identity is the new perimeter: every access decision starts with strong authentication of the user and device.
  • Key pillars (per CISA's Zero Trust Maturity Model): identities, devices, networks, applications & workloads, data — all governed by continuous, policy-driven verification. NIST SP 800-207 supplies the underlying architecture and tenets rather than the pillar list.
  • ZTNA (Zero Trust Network Access) is the network/access slice; full Zero Trust is broader.
  • Zero Trust is an architecture, not a product — every major identity vendor sells into it.

What is Zero Trust?

Zero Trust is a security architecture built on the principle that no user, device, or workload should be trusted by default — not because it's inside the corporate network, not because it's on a managed laptop, not because it once authenticated successfully. Every access request is evaluated against identity, device posture, and contextual signals, granted with least privilege, and continuously re-verified.

NIST SP 800-207 (Zero Trust Architecture, 2020) is the canonical reference; it defines the tenets and the policy decision point / policy enforcement point model that every request passes through. CISA's Zero Trust Maturity Model (v2.0, 2023) provides a practical roadmap across five pillars: identities, devices, networks, applications & workloads, and data.

Why the old model broke

The traditional perimeter model treated "inside the corporate network" as trusted. That worked when employees sat at desks behind a firewall and apps ran in your own data center. It stopped working when:

  • Apps moved to SaaS — the "perimeter" is now Salesforce, Slack, GitHub, AWS.
  • Employees moved to coffee shops, homes, and the road.
  • Attackers proved they could move laterally once they got past the perimeter; lateral movement has been a feature of most major breaches since the 2013 Target intrusion.
  • Contractors, partners, and BYOD made "inside" meaningless.

How identity fits

In every credible Zero Trust reference, identity is the foundation:

  • Strong, ideally phishing-resistant MFA (FIDO2/WebAuthn, PIV/CAC) at the IdP.
  • SSO as the policy enforcement point in front of every app.
  • Device posture (managed, encrypted, patched) as a signal.
  • Continuous, risk-adaptive evaluation — not just at login.
  • Least-privilege, just-in-time access for sensitive resources.
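The evaluation described in the two passages above (identity first, then device posture, then context, with least-privilege decisions and re-evaluation when a signal changes mid-session), as an added example. This is illustrative Python written for this page, not code from the original page or from any vendor's product. The Request and Device fields, the MFA labels ("none", "otp", "fido2"), the 30-day patch threshold and the hourly re-authentication window for sensitive data are all assumptions; a real policy decision point would take these signals from the IdP and device-management system.

```python
"""Minimal Zero Trust policy decision point (illustrative, not a product).

Every name and threshold here is an assumption made for this example.
"""
from dataclasses import dataclass, replace
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # continue only after phishing-resistant MFA
    DENY = "deny"


@dataclass(frozen=True)
class Device:
    managed: bool
    disk_encrypted: bool
    patch_age_days: int  # days since the last OS patch


@dataclass(frozen=True)
class Request:
    user: str
    mfa_method: str      # "none", "otp" or "fido2" (assumed IdP labels)
    device: Device
    resource: str
    sensitivity: str     # "low" or "high" (assumed data classification)
    ip_country: str
    home_country: str
    session_age_s: int   # seconds since the last interactive authentication


PHISHING_RESISTANT = {"fido2"}   # assumed set of phishing-resistant methods
MAX_PATCH_AGE_DAYS = 30          # assumed device-compliance threshold
HIGH_SENS_REAUTH_S = 3600        # assumed: sensitive access re-verified hourly


def device_compliant(d: Device) -> bool:
    """Device pillar: managed, encrypted and recently patched."""
    return d.managed and d.disk_encrypted and d.patch_age_days <= MAX_PATCH_AGE_DAYS


def evaluate(req: Request) -> tuple[Decision, str]:
    """Return a least-privilege decision and the reason for it.

    Note what is absent: there is no "request came from the corporate
    network, so allow" branch. Network location is not a trust signal here.
    """
    # Identity pillar: authentication with MFA is the floor for every request.
    if req.mfa_method == "none":
        return Decision.DENY, "no MFA"
    # Device pillar: posture is a hard gate, not merely a logged attribute.
    if not device_compliant(req.device):
        return Decision.DENY, "device out of policy"
    strong = req.mfa_method in PHISHING_RESISTANT
    # Context: sensitive data needs phishing-resistant MFA and a fresh session.
    if req.sensitivity == "high":
        if not strong:
            return Decision.STEP_UP, "high-sensitivity resource requires phishing-resistant MFA"
        if req.session_age_s > HIGH_SENS_REAUTH_S:
            return Decision.STEP_UP, "session too old for high-sensitivity access"
    # Context: an unusual location raises risk; strong MFA absorbs it, weak MFA does not.
    if req.ip_country != req.home_country and not strong:
        return Decision.STEP_UP, "unusual location with non-phishing-resistant MFA"
    return Decision.ALLOW, "identity, device and context checks passed"


def session_still_valid(original: Request, **changed_signals) -> tuple[Decision, str]:
    """Continuous verification: re-run the whole policy when any signal changes
    mid-session, instead of trusting the decision made at login."""
    return evaluate(replace(original, **changed_signals))


# Constructed sample input for the demonstration below.
LAPTOP = Device(managed=True, disk_encrypted=True, patch_age_days=5)
BASE = Request(user="alice", mfa_method="fido2", device=LAPTOP, resource="payroll",
               sensitivity="high", ip_country="US", home_country="US", session_age_s=120)


def demo() -> dict[str, Decision]:
    """Exercise the policy on a set of constructed requests."""
    return {
        "fido2, managed laptop, payroll": evaluate(BASE)[0],
        "same request with OTP only": evaluate(replace(BASE, mfa_method="otp"))[0],
        "no MFA at all": evaluate(replace(BASE, mfa_method="none"))[0],
        "unmanaged device": evaluate(replace(BASE, device=replace(LAPTOP, managed=False)))[0],
        "OTP, low-sensitivity app, at home": evaluate(
            replace(BASE, mfa_method="otp", sensitivity="low", resource="wiki"))[0],
        "OTP, low-sensitivity app, abroad": evaluate(
            replace(BASE, mfa_method="otp", sensitivity="low", ip_country="FR"))[0],
        "mid-session: patch compliance lapsed": session_still_valid(
            BASE, device=replace(LAPTOP, patch_age_days=45))[0],
        "mid-session: two hours since login": session_still_valid(BASE, session_age_s=7200)[0],
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{decision.value:8} {case}")
```

The ordering is deliberate: identity and device are hard gates evaluated before any contextual scoring, and the same function is used for the login decision and for every mid-session re-check, so a laptop that falls out of compliance or a session that ages past the window loses access without waiting for the next login.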

This is why IAM vendors (Okta, Microsoft, Ping, Cisco Duo) and ZTNA vendors (Zscaler, Netskope, Cloudflare, Palo Alto) all credibly claim to "do Zero Trust" — they each cover a pillar.

When buyers care

Zero Trust shows up on the roadmap when:

  • The board mandates a Zero Trust strategy (very common since 2021–2022).
  • US federal customers cite OMB M-22-09 / Executive Order 14028.
  • Cyber insurance asks specifically about it.
  • A breach (yours or a peer's) makes "trust the network" look indefensible.

Common pitfalls

  • Buying a "Zero Trust product." No single product delivers ZTA; it's an architecture built from identity, device, network, and data controls.
  • Stopping at ZTNA. Network-only Zero Trust without strong identity and governance is half a strategy.
  • Treating it as a one-time project. Maturity models are stage-gated for a reason.

FAQ

Is Zero Trust the same as ZTNA?

No. ZTNA (Zero Trust Network Access) is the network-access component: it replaces VPNs with per-application, identity-and-context-aware access, so users reach specific apps rather than a network segment. Full Zero Trust covers the identity, device, application and data pillars in addition to network.

Does Zero Trust eliminate the need for a firewall?

No. It changes where you place trust: the network location is no longer the control, identity and device posture are. Firewalls and segmentation remain useful as defense in depth, and they limit the blast radius when an identity or device control fails.

Standards & references