Zero trust architecture — a practical guide for non-technical leaders
Most organisations inherited security from the castle-and-moat era: build a strong perimeter, and assume everything inside is safe. That model is dead. Today, remote work, cloud adoption, supply chain attacks, and insider threats mean the perimeter no longer exists. Zero trust is not a product you buy — it is a philosophy: never trust, always verify. Every access, every device, every user is treated as potentially compromised until proven otherwise. For boards, this is not optional; it is the security model that separates breach-resilient organisations from those that suffer them.
1 What zero trust actually means — and what it does not
Zero trust is a security model, not a product, not a firewall, and not something you can buy off the shelf. It is a set of principles that guide how you architect your security: verify every user, every device, and every request — even those originating from inside the network. No implicit trust. No free passes because something is “internal.” Continuous verification.
Core Zero Trust Principles
Never trust, always verify. Every access request — whether from an employee connecting remotely, a contractor working on a project, or a service deployed internally — is treated as untrusted until explicitly verified. This is the opposite of traditional security, which trusts anything inside the firewall.
Assume breach. Design your security as if attackers are already inside. A zero trust architecture assumes that some users, some devices, or some data have been compromised, and the system must function securely even under that assumption. This means lateral movement is restricted, data access is logged, and anomalies are detected in real time.
Use least-privilege access. Every user, every application, every service should have access only to what it needs to do its job, and nothing more. If a user needs to access a single spreadsheet, they should not have access to the entire file system. If an application needs to read a database, it should not have write or delete permissions.
What Zero Trust Is Not
Not a product. Vendors sell “zero trust appliances” and “zero trust platforms,” but these are components that help implement zero trust — they are not zero trust itself. Zero trust is an architecture; products are tools that support it.
Not a firewall. A traditional firewall controls traffic at the network edge. Zero trust operates at identity and application levels. You may still use firewalls with zero trust, but the firewall is not the strategy.
Not a one-time project. Zero trust is a continuous operational model. You do not “implement zero trust” and then move on. You continuously verify, continuously monitor, and continuously refine.
2 Why perimeter security failed — the model is obsolete
For decades, security operated on a simple premise: build a strong castle wall (the firewall), keep threats outside, trust everything inside. This worked when all employees sat in an office, all systems were on-premises, and the organisation controlled all devices and networks. Today, that assumption is fantasy.
Remote Work Shattered the Perimeter
When your workforce spreads across cities, countries, and time zones, accessing corporate systems from home networks, coffee shops, and airports, the perimeter ceases to exist. A VPN is a band-aid. It encrypts the tunnel, so a compromised home router, a public WiFi network or a hostile ISP on the path cannot read the traffic, but it does not fix the underlying problem: once the tunnel is up, the remote laptop is treated as "inside" and typically receives broad access to the internal network. If that laptop is already compromised, the VPN carries the attacker straight past the perimeter. The perimeter model assumes a clear boundary. Remote work dissolves it.
Cloud Adoption Moved Data Outside
Cloud providers operate globally. Your data lives in multiple regions, multiple availability zones, multiple providers. The perimeter model breaks down immediately. Your data is no longer “inside” your network; it is in third-party infrastructure managed by vendors whose security practices you audit but do not control. Zero trust acknowledges this: assume the network is hostile, even if it belongs to your cloud provider.
Bring Your Own Device (BYOD) and Supply Chain Attacks
Employees use personal smartphones, tablets, and laptops. You do not control their security posture. You do not know if they have patches applied, antivirus enabled, or mobile device management configured. The perimeter does not protect against attacks originating from unmanaged devices. Additionally, supply chain compromises — where attackers breach a software vendor and inject malware into updates distributed to thousands of organisations — prove that threats do not come exclusively from outside. They come from trusted partners.
Insider Threats Are Now As Dangerous As External Attacks
Disgruntled employees, contractors with excessive access, and compromised internal accounts pose as great a threat as external attackers. The perimeter model trusts everyone inside; insider attacks exploit this trust. Zero trust does not trust anyone, regardless of whether they are inside or outside the network.
3 The five pillars of zero trust — a practical framework
Zero trust is implemented across five foundational pillars. They correspond to the pillars of the US CISA Zero Trust Maturity Model (identity, devices, networks, applications and workloads, data). Each pillar addresses a different part of your security posture. Together, they create a comprehensive, identity-centric security model.
Pillar 1: Identity
Zero trust starts with identity. You must know who is accessing your systems. This requires strong authentication: multi-factor authentication (MFA) is now mandatory, not optional. Passwords alone are insufficient. Combine passwords with a second factor that only the true user possesses: a hardware security key, a passkey, a time-based code, or a biometric. Not all factors are equal. A phishing site that proxies the real login page can capture and replay SMS and one-time codes in real time; FIDO2 security keys and passkeys are bound to the genuine site and resist this, so prefer them for privileged users and sensitive systems.
Implement Single Sign-On (SSO) so that users authenticate once through a trusted identity provider, and applications rely on that provider instead of keeping their own passwords. Authenticating once does not mean trusting forever: every subsequent access, whether to a SaaS application, a cloud resource, or an on-premises system, is re-evaluated against conditional access policies that combine user, device and context. If the user is logging in from an unusual location, at an unusual time, or from an unusual device, challenge them and require additional verification; if the device is not compliant, refuse the session.
Pillar 2: Devices
Zero trust requires visibility and control over the devices accessing your systems. A compromised device is a compromised gateway to your data. You must inventory all devices, verify their security posture before granting access, and continuously monitor them.
Implement Mobile Device Management (MDM) for smartphones and tablets, and equivalent endpoint management for laptops and desktops, so that configuration is enforced rather than requested. Require endpoint detection and response (EDR), which includes and supersedes traditional antivirus, on all endpoints. Enforce full-disk encryption. Require operating system patches to be applied within a defined window. If a device falls out of compliance (a patch is missed, the EDR agent stops reporting, encryption is turned off, a managed application is uninstalled), automatically restrict its access until it is remediated. The compliance state should feed the identity provider's conditional access decision, so that a non-compliant device is refused at login rather than discovered afterwards.
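The following is an added example, written for this guide and not taken from any vendor product or identity provider's API, of the policy decision described in Pillars 1 and 2 (and repeated in action item 4): one function takes the identity signal (which MFA factor was used), the device posture (enrolment, encryption, EDR, patch age) and the request context (country, hour, resource sensitivity) and returns allow, step-up or deny. The field names, the 14-day patch window, the working-hour range and the sample user "alice" are all assumptions made for the example.

```python
"""Added example for this guide: a minimal policy decision point that turns
identity (MFA strength), device posture and request context into one access
decision. Illustrative code only, not a vendor product or any identity
provider's real API. Field names, thresholds and the sample requests are
assumptions made for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

ALLOW, STEP_UP, DENY = "allow", "step_up_mfa", "deny"
MAX_PATCH_AGE_DAYS = 14                    # assumed patch window from the device policy
PHISHING_RESISTANT = {"fido2", "passkey"}  # factors a proxied login page cannot replay
BUSINESS_HOURS_UTC = range(7, 20)          # assumed normal working window


@dataclass
class Device:
    managed: bool            # enrolled in MDM and currently reporting
    disk_encrypted: bool
    edr_running: bool
    last_patched: datetime


@dataclass
class Request:
    user: str
    mfa_method: Optional[str]   # "fido2", "passkey", "totp", "sms", or None for password only
    country: str
    hour_utc: int
    device: Device
    sensitivity: str            # classification of the resource: "low" or "high"
    known_countries: Set[str]   # countries this user has previously authenticated from


def device_posture_failures(d: Device, now: datetime) -> List[str]:
    """Compliance checks the device fails; an empty list means compliant."""
    failures = []
    if not d.managed:
        failures.append("device not enrolled in MDM")
    if not d.disk_encrypted:
        failures.append("disk not encrypted")
    if not d.edr_running:
        failures.append("EDR agent not running")
    if now - d.last_patched > timedelta(days=MAX_PATCH_AGE_DAYS):
        failures.append("patches older than %d days" % MAX_PATCH_AGE_DAYS)
    return failures


def decide(req: Request, now: datetime) -> Tuple[str, List[str]]:
    """Evaluate one access request. Hard failures deny outright; contextual
    risk signals decide between a plain allow and a step-up challenge."""
    failures = device_posture_failures(req.device, now)
    if failures:
        return DENY, failures      # non-compliant device: no access until remediated
    if req.mfa_method is None:
        return DENY, ["password only; MFA is required for every request"]
    if req.sensitivity == "high" and req.mfa_method not in PHISHING_RESISTANT:
        # Re-challenging with a phishable factor does not help against a relay attack.
        return DENY, ["high-sensitivity resource requires a phishing-resistant factor, got %s" % req.mfa_method]

    risk = []
    if req.country not in req.known_countries:
        risk.append("login from previously unseen country %s" % req.country)
    if req.hour_utc not in BUSINESS_HOURS_UTC:
        risk.append("login at unusual hour %02d:00 UTC" % req.hour_utc)
    if risk:
        return STEP_UP, risk       # context deviates from baseline: re-verify the user
    return ALLOW, ["compliant device, MFA present, context matches baseline"]


# Constructed sample data for the example.
NOW = datetime(2024, 5, 6, 10, 0)
GOOD_LAPTOP = Device(managed=True, disk_encrypted=True, edr_running=True, last_patched=NOW - timedelta(days=3))
STALE_LAPTOP = Device(managed=True, disk_encrypted=True, edr_running=True, last_patched=NOW - timedelta(days=40))


def alice(**overrides) -> Request:
    """Baseline request for a hypothetical user; keyword arguments override fields."""
    fields = dict(user="alice", mfa_method="fido2", country="GB", hour_utc=10,
                  device=GOOD_LAPTOP, sensitivity="high", known_countries={"GB", "IE"})
    fields.update(overrides)
    return Request(**fields)


if __name__ == "__main__":
    for label, req in [("normal", alice()),
                       ("new country", alice(country="BR")),
                       ("stale patches", alice(device=STALE_LAPTOP)),
                       ("sms to high-sensitivity data", alice(mfa_method="sms"))]:
        print("%-30s -> %s %s" % (label, *decide(req, NOW)))
```

The ordering is the point: device compliance and the presence of MFA are hard gates evaluated first, a phishable factor is rejected outright for high-sensitivity data rather than "stepped up" (a step-up through the same phishing proxy would be captured too), and only then do contextual signals such as a new country or an odd hour trigger a re-challenge.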
Pillar 3: Network
Traditional networks assume that once you are inside, you are free to move around. Zero trust implements micro-segmentation: divide your network into small zones, and require authentication to move between them. An attacker who compromises one zone cannot automatically move to another.
Implement zero trust network access (ZTNA) to replace broad VPN access: instead of placing a remote user on the network, a ZTNA broker authenticates the user and device and then connects them only to the specific applications they are authorised for, over an encrypted session. ZTNA is sometimes marketed as a "zero trust VPN", but unlike an always-on VPN it grants per-application access, not network access. Software-defined networking (SDN) and host-based firewalls can enforce segment boundaries inside the data centre. Apply segmentation at the application level: group applications and data by sensitivity, and create policies that allow only necessary communication between groups, denying everything else by default. Monitor east-west traffic (traffic between internal systems) continuously for flows the policy does not permit; a flow that should be impossible is often the first sign of lateral movement.
Pillar 4: Applications
Applications sit directly on the data and are exposed to every authenticated user, so a flaw in one is a direct path to the data behind it. Zero trust requires you to manage application access as tightly as you manage identity. Every application should require authentication and authorisation, enforced on the server side (in the application itself or in an API gateway in front of it), never only in the user interface. Use API gateways to enforce access policies. Implement role-based access control (RBAC) within applications so that users see only the data and functionality they need.
Continuously scan applications for vulnerabilities. Use software composition analysis (SCA) to identify known vulnerabilities in open-source libraries. Implement runtime application self-protection (RASP) to detect and prevent attacks in real time.
Pillar 5: Data
Data is the target. Zero trust assumes that data may be accessed by attackers, insiders, or compromised accounts, and the system must still protect it. Classify all data by sensitivity: personal data, financial data, intellectual property, public information. Apply encryption to sensitive data at rest and in transit. Implement data loss prevention (DLP) to prevent sensitive data from leaving your organisation.
Monitor data access continuously. Every read, every write, every copy operation should be logged and analysed for anomalies. If a user suddenly accesses thousands of files they have never touched before, or if data is accessed at 3 a.m. from an unusual location, alert your security team.
4 Implementation roadmap — a phased approach to zero trust
Zero trust is not implemented overnight. Most organisations follow a phased approach, building maturity over 18–36 months. Below is a typical roadmap: five phases of zero trust maturity, with key activities in each. The phases mirror the five pillars, and in practice they overlap rather than run strictly in sequence.
Phase 1: Identity and Access (Months 0–6)
Start with identity. Deploy multi-factor authentication across all users and all systems. No exceptions. Disable legacy authentication protocols that cannot carry MFA (for example basic authentication for mail), or attackers will simply use them to bypass it. Implement Single Sign-On (SSO) to centralise authentication. Set up conditional access policies that challenge users logging in from new locations or unusual times, and that refuse sessions from unmanaged devices. This phase requires user education (MFA will frustrate staff initially) but it is non-negotiable. This is where zero trust begins.
Phase 2: Device Trust and Endpoint Visibility (Months 6–12)
Deploy Mobile Device Management (MDM) and endpoint detection and response (EDR) tools to every device. Scan devices for compliance: patches applied, antivirus active, encryption enabled. Deny access to non-compliant devices. Implement a Software Asset Management (SAM) system to track what is installed where. This phase requires significant operational overhead, but it gives you visibility into your attack surface.
Phase 3: Network Segmentation and Micro-Segmentation (Months 12–18)
Deploy zero trust network access (ZTNA) for remote and third-party access, and use software-defined networking or host-based firewalls to enforce segment boundaries inside the data centre. Divide your network into trust zones based on application criticality and data sensitivity. Require authentication to move between zones, and deny any flow between zones that is not explicitly allowed. Apply microsegmentation within zones, so that an attacker compromising one server cannot move laterally to another without passing through a security checkpoint.
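The following is an added example, written for this guide and not the output of any SDN or ZTNA product, of the segmentation policy described in Pillar 3 and Phase 3: a default-deny allow-list between zones, applied to a set of recorded flows to show which ones a correctly segmented network would have blocked. The zone addressing, the allow-list and every flow record are constructed for the example; real deployments identify workloads by identity or tag rather than by address alone.

```python
"""Added example for this guide: a default-deny micro-segmentation policy and a
check of recorded flows against it. Illustrative code only, not output of any
real SDN or ZTNA product; zone addressing, the allow-list and the flow records
are constructed for the example."""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Assumed zone addressing: one CIDR per tier.
ZONES: Dict[str, List[str]] = {
    "web":  ["10.1.0.0/24"],
    "app":  ["10.2.0.0/24"],
    "db":   ["10.3.0.0/24"],
    "mgmt": ["10.9.0.0/24"],   # bastion / admin jump hosts
}
_NETS = [(name, ipaddress.ip_network(c)) for name, cidrs in ZONES.items() for c in cidrs]

# Explicit allow-list of (source zone, destination zone, destination port).
# Every flow not listed here is denied, including flows inside a zone.
ALLOWED: Set[Tuple[str, str, int]] = {
    ("web",  "app", 8443),   # front end calls the application tier over TLS
    ("app",  "db",  5432),   # application tier talks to PostgreSQL
    ("mgmt", "web", 22),     # administration only from the bastion zone
    ("mgmt", "app", 22),
    ("mgmt", "db",  22),
}


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone; None means the address is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in _NETS:
        if addr in net:
            return name
    return None    # unknown address: treated as untrusted


def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Default deny: only flows on the allow-list pass."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False
    return (src, dst, dst_port) in ALLOWED


def audit_flows(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (flow record, reason) for every flow the policy would not permit.
    Constructed record format: '<timestamp> <src_ip> <dst_ip> <dst_port> <proto>'."""
    violations = []
    for line in lines:
        _ts, src_ip, dst_ip, port, _proto = line.split()
        if is_allowed(src_ip, dst_ip, int(port)):
            continue
        src, dst = zone_of(src_ip), zone_of(dst_ip)
        if src is None or dst is None:
            reason = "address outside any defined zone"
        elif src == dst:
            reason = "lateral movement inside zone %s on port %s" % (src, port)
        else:
            reason = "%s -> %s on port %s not in allow-list" % (src, dst, port)
        violations.append((line, reason))
    return violations


SAMPLE_FLOWS = [  # constructed flow records for the example
    "2024-05-06T10:00:01Z 10.1.0.5 10.2.0.7 8443 tcp",    # web -> app: allowed
    "2024-05-06T10:00:02Z 10.2.0.7 10.3.0.9 5432 tcp",    # app -> db: allowed
    "2024-05-06T10:00:03Z 10.1.0.5 10.3.0.9 5432 tcp",    # web -> db directly: tier bypass
    "2024-05-06T10:00:04Z 10.1.0.5 10.1.0.6 445 tcp",     # web -> web SMB: lateral movement
    "2024-05-06T10:00:05Z 10.1.0.5 10.2.0.7 22 tcp",      # web -> app SSH: not via bastion
    "2024-05-06T10:00:06Z 192.0.2.44 10.3.0.9 5432 tcp",  # unknown source -> db
]

if __name__ == "__main__":
    for line, reason in audit_flows(SAMPLE_FLOWS):
        print("VIOLATION", line, "=>", reason)
```

Two design choices carry the zero trust meaning: there is no "inside" exception (a web server talking SMB to its neighbour is a violation, not normal traffic), and an address that belongs to no zone is denied rather than defaulting to some catch-all rule. Running the same check over real flow logs before enforcing the policy is a cheap way to find the legitimate flows an allow-list is missing.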
Phase 4: Application and Data Protection (Months 18–24)
Enforce role-based access control (RBAC) within critical applications. Implement data loss prevention (DLP) to monitor and prevent unauthorised data exfiltration. Encrypt sensitive data at rest and in transit. Conduct application security assessments and remediate findings. Deploy runtime protection on applications to detect and block attacks.
Phase 5: Continuous Monitoring and Threat Analytics (Months 24–36+)
Implement security analytics and threat intelligence to detect anomalies in real time. Use machine learning to baseline normal user and device behaviour, then alert when deviations occur. A user accessing 10,000 files in one session, a service account making unexpected API calls, a device connecting from a new geography — these all trigger automated alerts and investigation.
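The following is an added example, written for this guide and not a product or a machine-learning pipeline, of the behavioural baselining described in Pillar 5 and Phase 5. It builds a per-user baseline (files touched, usual working hours, countries seen, busiest day) from constructed audit-log lines and then scores a new session for the three signals the text names: a burst of files never touched before, access outside the usual hours, and access from a new location. The log format, every log line, the user "alice" and the thresholds are assumptions made for the example; a real deployment would replace the simple statistics with the SIEM's own analytics, but the logic a rule has to encode is the same.

```python
"""Added example for this guide: a behavioural baseline of data access per user
and a scoring pass over a new session. Illustrative code only, not a product or
an ML pipeline; it uses simple statistics rather than machine learning. The log
format, every log line and all thresholds are constructed for the example."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

MIN_NEW_FILES = 10    # never alert on fewer brand-new files than this
NEW_FILE_FACTOR = 3   # alert when new files exceed this multiple of the user's busiest day


def parse(line: str) -> dict:
    """Constructed audit-log format: '<iso timestamp> <user> <country> <action> <path>'."""
    ts, user, country, action, path = line.split(maxsplit=4)
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return {"day": ts[:10], "hour": when.hour, "user": user,
            "country": country, "action": action, "path": path}


def build_baseline(lines: List[str]) -> Dict[str, dict]:
    """Per user: files touched, working-hour window, countries seen, busiest day."""
    per_day = defaultdict(int)
    base: Dict[str, dict] = {}
    for e in map(parse, lines):
        b = base.setdefault(e["user"], {"files": set(), "hours": [], "countries": set(), "max_per_day": 0})
        b["files"].add(e["path"])
        b["hours"].append(e["hour"])
        b["countries"].add(e["country"])
        per_day[(e["user"], e["day"])] += 1
    for (user, _), n in per_day.items():
        base[user]["max_per_day"] = max(base[user]["max_per_day"], n)
    for b in base.values():
        b["hour_window"] = (min(b["hours"]), max(b["hours"]))
    return base


def score_session(baseline: Dict[str, dict], lines: List[str]) -> List[str]:
    """Return one alert string per anomaly found in a single user's session."""
    events = [parse(l) for l in lines]
    user = events[0]["user"]
    b = baseline.get(user)
    if b is None:
        return ["no-baseline: %s has no history; treat the whole session as anomalous" % user]
    alerts = []
    new_files = {e["path"] for e in events} - b["files"]
    limit = max(MIN_NEW_FILES, NEW_FILE_FACTOR * b["max_per_day"])
    if len(new_files) > limit:
        alerts.append("volume: %d files never touched before (limit %d)" % (len(new_files), limit))
    lo, hi = b["hour_window"]
    odd = sorted({e["hour"] for e in events if not lo <= e["hour"] <= hi})
    if odd:
        alerts.append("off-hours: access at %s UTC, outside usual %02d:00-%02d:59" % (odd, lo, hi))
    new_countries = {e["country"] for e in events} - b["countries"]
    if new_countries:
        alerts.append("new-location: access from %s" % sorted(new_countries))
    return alerts


# Constructed history: three ordinary working days for a hypothetical user.
BASELINE_LOG = [
    "2024-05-%02dT%02d:15:00Z alice GB read /finance/%s" % (day, hour, name)
    for day in (1, 2, 3)
    for hour, name in ((9, "budget-2024.xlsx"), (11, "forecast.xlsx"),
                       (14, "payroll-summary.pdf"), (16, "budget-2024.xlsx"))
]
NORMAL_SESSION = [
    "2024-05-06T10:30:00Z alice GB read /finance/budget-2024.xlsx",
    "2024-05-06T10:32:00Z alice GB write /finance/forecast.xlsx",
]
# 200 archive files read at 03:00 from a country alice has never used.
SUSPICIOUS_SESSION = [
    "2024-05-07T03:%02d:00Z alice RO read /finance/archive/q%03d.xlsx" % (i % 60, i)
    for i in range(200)
]

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOG)
    for name, session in [("normal", NORMAL_SESSION), ("suspicious", SUSPICIOUS_SESSION)]:
        print(name, score_session(baseline, session) or ["no alerts"])
```

The volume threshold is relative to the user's own busiest day rather than a fixed number, which is what keeps a power user from paging the SOC every morning while still flagging an account that suddenly reads an entire archive. A user with no baseline at all is reported as anomalous rather than silently allowed, for the same reason an unknown device is refused access.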
5 What boards must do now — eight immediate action items
1. Mandate Multi-Factor Authentication Across All Users
No exceptions. MFA must be deployed to every user, every system, every cloud application within 90 days. This is the single highest-impact security control: it defeats attacks that rely on a stolen or guessed password alone. Prefer phishing-resistant factors (FIDO2 security keys, passkeys) where you can; SMS and one-time codes can be captured by a phishing kit that proxies the real login page. Accounts that cannot do MFA, such as service accounts, need compensating controls: restricted source addresses, short-lived credentials, and monitoring.
2. Establish Zero Trust Governance
Create a zero trust steering committee with representation from IT, security, operations, and business units. Define a zero trust roadmap with clear phases, timelines, and success metrics. Assign executive ownership. Without governance, zero trust becomes a security team effort that stalls when priorities shift.
3. Inventory All Access and Devices
Conduct a comprehensive audit: what systems do you have, who has access to them, what devices connect to them, what data do they contain. Most organisations are shocked to discover unmanaged systems, shadow IT, and unnecessary access. This inventory is your baseline.
4. Deploy Conditional Access Policies
Implement identity and access management (IAM) solutions with conditional access: if a user logs in from a new location, require additional verification. If a device is missing a patch, deny access. If access patterns deviate from normal behaviour, challenge the user.
5. Implement Endpoint Detection and Response (EDR)
Deploy EDR to every endpoint that can run an agent: servers, workstations and laptops. IoT and operational technology devices usually cannot, so cover them with network segmentation and traffic monitoring instead. EDR is no longer optional; it is table stakes. The cost is modest relative to the cost of the breach it would have caught.
6. Segment Your Network
Start with data centres and move to branch offices and remote access. Divide applications and data into trust zones. Require authentication to move between zones. This prevents attackers from lateral movement.
7. Enforce Encryption for Sensitive Data
Identify sensitive data, classify it, encrypt it at rest and in transit. Implement Data Loss Prevention (DLP) tools to monitor exfiltration attempts.
8. Establish Continuous Monitoring and Analytics
Deploy a security information and event management (SIEM) system or cloud-native equivalent. Collect logs from all systems. Use machine learning to detect anomalies. Threat detection must be continuous, not once-per-day.
6 Five critical questions every director should ask
Ready to build a zero trust architecture?
Zero trust is not optional — it is the security model that separates resilient organisations from breach victims. Start with identity, build through five phases, and pair it with continuous threat detection. Xartrix helps boards assess their zero trust maturity and build a roadmap that works for your organisation.