Identity & Access Management
Zero Trust Architecture
Perimeter security assumes "inside the network = trusted"; zero trust assumes breach and verifies every request — regardless of network location — every time: never trust, always verify.
- Perimeter security draws a hard line at the network edge and trusts everything inside it — once an attacker breaches that edge, lateral movement to other systems is largely unchecked
- Zero trust's core principle: never trust, always verify — every request is authenticated, authorized, and encrypted, whether it originates from outside the network or from a machine sitting right next to the target
- BeyondCorp, Google's internal implementation, replaced VPN-based access entirely with per-request device-and-user verification — the corporate network itself is treated as no more trustworthy than the public internet
- Microsegmentation breaks a flat network into many small zones with policy enforced between them, so a single compromised workload can't freely reach every other service on the same network
- Continuous verification checks device posture (patched OS, encrypted disk, managed/enrolled) alongside user identity — a valid, correctly-authenticated user on a compromised laptop is still a real risk
- Zero trust is adopted gradually — identity-aware proxies, mTLS everywhere, short-lived credentials — rarely a single product; the enforcement mechanics live in Api And Service To Service Auth and Authorization Models, zero trust is the architectural stance tying them together
| Perimeter model | Zero trust | |
|---|---|---|
| Trust boundary | Network edge (firewall/VPN) | Every individual request |
| Lateral-movement risk | High once inside the perimeter | Low — each hop re-verified |
| Verification frequency | Once, at the network boundary | Continuous, per-request |
| Key technologies | VPN, firewall, flat internal network | Identity-aware proxy, mTLS, short-lived credentials, microsegmentation |