The traditional castle-and-moat security model assumes everything inside the network perimeter is trusted. That assumption died with the cloud. Zero trust replaces it with a simple principle: never trust, always verify.
The three pillars of zero trust
Verify explicitly: Authenticate and authorise every request based on all available data — identity, location, device health, service, workload, and anomalies. No implicit trust based on network location.
Use least privilege access: Limit access to only what is needed, when it is needed. Time-bound access, just-in-time provisioning, and risk-based adaptive policies minimise the blast radius of any breach.
Assume breach: Design as if the attacker is already inside. Segment everything, encrypt all traffic (east-west and north-south), and instrument for detection rather than only prevention.
Identity is the new perimeter
In a zero trust model, identity replaces the network as the control plane. Every human and machine identity gets a certificate. Every service-to-service call is mutually authenticated with mTLS. SPIFFE/SPIRE gives you workload identity in Kubernetes. Combine this with a service mesh like Istio or Linkerd and you get cryptographic identity between every pod.
Network microsegmentation
Flat networks allow lateral movement — once an attacker is in, they can reach anything. Microsegmentation enforces network policies at the workload level. In Kubernetes, NetworkPolicy resources define exactly which pods can talk to which other pods on which ports. Default deny, explicit allow. This alone limits the blast radius of a compromise dramatically.
Device trust
Zero trust extends to devices. Before a device can access corporate resources, it must pass a health check: is the OS up to date? Is disk encryption enabled? Is the endpoint agent running? Tools like BeyondCorp Enterprise, Cloudflare Access, or Tailscale enforce device posture as part of the access decision.
Secrets management
Static credentials are the enemy of zero trust. Use dynamic secrets with short TTLs: HashiCorp Vault generates database credentials on demand that expire in minutes. AWS IAM Roles for Service Accounts give pods time-limited AWS credentials without storing any long-lived access keys. Rotate everything. Log every access.
Implementation roadmap
Start with identity and SSO. Add MFA everywhere. Enforce device posture. Implement mTLS between services. Apply least-privilege IAM. Add network policies. Centralise logging and anomaly detection. Zero trust is a journey, not a product you install.