What is Zero Trust Architecture?
Zero Trust is a security model that throws out the idea of a trusted internal network and replaces it with a policy engine that verifies every request — who you are, what device you are on, where you are coming from, what you are trying to do — before granting access to any resource, even if the request came from inside the building.
The phrase
Forrester analyst John Kindervag coined "Zero Trust" in 2010 to describe a security model in which no implicit trust is granted to anything inside or outside the network perimeter. Google's BeyondCorp papers (published 2014 onward) operationalized the idea at scale, and the US National Institute of Standards and Technology codified it in SP 800-207 in 2020. The Biden administration's 2022 OMB memo M-22-09 made it the federal baseline.
Why the old perimeter model failed
For decades the model was: build a fence around the office network, trust everything inside, distrust everything outside, and route remote employees through a VPN that put them "inside." That model breaks the moment one machine inside the fence is compromised — a single phishing victim hands the attacker the keys to everything on the trusted network. It also stopped reflecting reality: employees work from coffee shops, services live on twelve different SaaS platforms, and "inside" stopped being a meaningful concept.
What zero trust is not
Zero trust is not "buy this product and you are done." Several vendors market a single appliance as "the zero trust solution," and the framing is misleading: zero trust is an organizing principle that touches identity, endpoint, network, application, and data, and no one product covers all of it. It is also not the same as "no VPN." Replacing a VPN with an identity-aware proxy is a common zero trust pattern, but a VPN can sit inside a well-designed zero trust environment, and a network with no VPN at all can still hand out broad implicit trust the moment a user is connected.
The three pillars
Identity: every request is tied to a strongly authenticated user, usually with phishing-resistant multi-factor authentication. Device: the requesting device's posture is evaluated — is it patched, encrypted, free of known malware? Context: is the request coming from a reasonable location, at a reasonable time, for a resource this user normally accesses? All three are evaluated on every request, not once at login.
At QUANT LAB
Zero trust shows up in our work in two places. First, our cloud infrastructure builds default to identity-aware proxies and per-service IAM rather than relying on network-level trust. Second, our penetration tests on internal environments often reveal that the "zero trust" diagrams on the wall do not match how policy actually works — gaps an Active Directory attacker can drive a truck through. Real zero trust is harder than buying a product; the architecture has to be enforced everywhere or it is enforced nowhere.
A pragmatic adoption path
Most organizations do not implement zero trust in one project; they do it one application at a time, starting with the most sensitive systems. A practical sequence: consolidate identity onto a single provider with MFA on every application; put the most sensitive apps behind an identity-aware proxy that evaluates user and device on every request; replace standing VPN access with short-lived, per-session, per-resource grants; then extend the model to less sensitive resources over time. Trying to do it all at once is how programs end up with shelfware.
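As an added example (not QUANT LAB's code), the three per-request checks from the pillars above and the per-session, per-resource grant from the adoption path, written as a small policy decision point of the kind an identity-aware proxy would run. Everything in it is constructed for illustration: the resource table, the MFA and patch-age thresholds, the allowed countries and hours, the user and device records, and the HMAC-signed grant format stand in for whatever a real proxy and identity provider would use. The context check covers origin and time of day only; a behavioural baseline ("a resource this user normally accesses") is out of scope here.

```python
# Added example, not QUANT LAB code: a toy zero trust policy decision point.
# Each request is evaluated on identity, device posture and context; an allow
# yields a short-lived grant bound to one user, device, resource and session,
# so there is no standing "inside the network" access to inherit.
# All names, thresholds, resources and records are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional
import hashlib
import hmac
import secrets


@dataclass(frozen=True)
class Identity:
    user: str
    mfa_method: str        # "fido2", "piv", "totp", "sms" or "none"
    groups: frozenset


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool          # enrolled in the org's device management
    disk_encrypted: bool
    patch_age_days: int    # days since the last OS patch was applied
    edr_healthy: bool      # endpoint agent reporting in and clean


@dataclass(frozen=True)
class Context:
    source_country: str
    resource: str
    session_id: str


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)
    grant: Optional[dict] = None


# Assumed policy knobs: which MFA counts as phishing-resistant, how stale a
# device may be, where requests may originate, and hours for high-tier apps.
PHISHING_RESISTANT = {"fido2", "piv"}
MAX_PATCH_AGE_DAYS = 30
ALLOWED_COUNTRIES = {"US", "CA", "GB"}
HIGH_TIER_HOURS_UTC = range(6, 21)

# Constructed resource table: required group and sensitivity tier per app.
RESOURCES = {
    "payroll": {"group": "finance", "tier": "high"},
    "wiki":    {"group": "staff",   "tier": "low"},
}

GRANT_KEY = secrets.token_bytes(32)   # proxy's signing key; per-process here
GRANT_TTL = timedelta(minutes=10)     # grants are re-earned, never standing


def evaluate(identity: Identity, device: Device, ctx: Context,
             now: datetime) -> Decision:
    """Run all three pillars on this request and collect every failing check."""
    policy = RESOURCES.get(ctx.resource)
    if policy is None:
        return Decision(False, ["unknown resource"])
    reasons: List[str] = []
    # Identity: group membership, and MFA strength scaled to sensitivity.
    if policy["group"] not in identity.groups:
        reasons.append("user not in required group")
    if policy["tier"] == "high" and identity.mfa_method not in PHISHING_RESISTANT:
        reasons.append("high-tier resource requires phishing-resistant MFA")
    elif identity.mfa_method == "none":
        reasons.append("MFA required")
    # Device: posture is checked on every request, not once at enrolment.
    if not device.managed:
        reasons.append("unmanaged device")
    if not device.disk_encrypted:
        reasons.append("disk not encrypted")
    if device.patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append("device patch level too old")
    if policy["tier"] == "high" and not device.edr_healthy:
        reasons.append("EDR not healthy")
    # Context: origin and time of day relative to what this resource expects.
    if ctx.source_country not in ALLOWED_COUNTRIES:
        reasons.append("source country not allowed")
    if policy["tier"] == "high" and now.hour not in HIGH_TIER_HOURS_UTC:
        reasons.append("high-tier access outside business hours")
    if reasons:
        return Decision(False, reasons)
    return Decision(True, [], issue_grant(identity, device, ctx, now))


def issue_grant(identity: Identity, device: Device, ctx: Context,
                now: datetime) -> dict:
    """HMAC-signed grant bound to user, device, resource and session, with expiry."""
    exp = int((now + GRANT_TTL).timestamp())
    payload = "|".join([identity.user, device.device_id, ctx.resource,
                        ctx.session_id, str(exp)])
    sig = hmac.new(GRANT_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify_grant(grant: dict, device_id: str, resource: str,
                 session_id: str, now: datetime) -> bool:
    """Accept only an unexpired grant whose binding matches this exact request."""
    expected = hmac.new(GRANT_KEY, grant["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, grant["sig"]):
        return False
    _user, dev, res, sess, exp = grant["payload"].split("|")
    if (dev, res, sess) != (device_id, resource, session_id):
        return False
    return now.timestamp() < int(exp)


def at_utc(hour: int, minute: int = 0) -> datetime:
    """Constructed clock for demos: a fixed date at the given UTC time."""
    return datetime(2024, 5, 6, hour, minute, tzinfo=timezone.utc)
```

Usage: `evaluate(Identity("alice", "fido2", frozenset({"staff", "finance"})), Device("lap-01", True, True, 3, True), Context("US", "payroll", "sess-1"), at_utc(12))` allows and returns a grant; the same user with TOTP is refused for payroll but allowed for the wiki, a device 45 days unpatched is refused, and the grant fails `verify_grant` for a different resource, session or device, after a tampered payload, or ten minutes later. The point of the grant shape is the contrast with a VPN tunnel: the proxy re-runs `evaluate` to mint a new one rather than letting a session coast on access earned earlier.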
Long-form deep-dives that use this term
Cybersecurity Services for SaaS Startups (2026): what security work a SaaS founder actually needs in years 1-3.
Red Team vs Pen Test vs Audit: three engagement types, three buyer profiles, and when to use each.
SOC 2 Pentest Prep Guide (2026): pre-audit pentesting that maps cleanly to SOC 2 CC controls.
Building a zero trust environment?
We architect identity-aware access for cloud-first organizations and test it like an adversary would. Book a 30-minute call.