Identity & Access Management

Zero Trust Architecture

Perimeter security assumes "inside the network = trusted"; zero trust assumes breach and verifies every request — regardless of network location — every time: never trust, always verify.
  • Perimeter security draws a hard line at the network edge and trusts everything inside it — once an attacker breaches that edge, lateral movement to other systems is largely unchecked
  • Zero trust's core principle: never trust, always verify — every request is authenticated, authorized, and encrypted, whether it originates from outside the network or from a machine sitting right next to the target
  • BeyondCorp, Google's internal implementation, replaced VPN-based access entirely with per-request device-and-user verification — the corporate network itself is treated as no more trustworthy than the public internet
  • Microsegmentation breaks a flat network into many small zones with policy enforced between them, so a single compromised workload can't freely reach every other service on the same network
  • Continuous verification checks device posture (patched OS, encrypted disk, managed/enrolled) alongside user identity — a valid, correctly-authenticated user on a compromised laptop is still a real risk
  • Zero trust is adopted gradually — identity-aware proxies, mTLS everywhere, short-lived credentials — rarely a single product; the enforcement mechanics live in Api And Service To Service Auth and Authorization Models, zero trust is the architectural stance tying them together
A flat, perimeter-trusted network vs a microsegmented, per-request-verified one
In the perimeter model, one breached service can reach its neighbors freely; in the zero-trust model, every hop is independently checked
Perimeter vs zero trust
Perimeter modelZero trust
Trust boundaryNetwork edge (firewall/VPN)Every individual request
Lateral-movement riskHigh once inside the perimeterLow — each hop re-verified
Verification frequencyOnce, at the network boundaryContinuous, per-request
Key technologiesVPN, firewall, flat internal networkIdentity-aware proxy, mTLS, short-lived credentials, microsegmentation
Sources
  • Zero Trust Networks (2nd ed.)Ch. 1 — Zero Trust Fundamentals
  • Zero Trust Networks (2nd ed.)Ch. 8 — Case Study: BeyondCorp