Zero Trust: the end of the trusted internal network
The 'hard shell, soft centre' model no longer works. We explain what Zero Trust is, where to start a rollout and what to avoid.
For years, network security rested on one assumption: there’s an “outside” (dangerous) and an “inside” (trusted), with a firewall in between. The problem is that once an attacker crosses that boundary — through phishing, a VPN or a vulnerable service — they move through the soft centre almost unopposed. Zero Trust flips that assumption.
What Zero Trust means
The principle is simple: never trust, always verify. No user, device or service is trusted just because it’s “inside” the network. Every access is authenticated, authorised and limited to the necessary minimum — regardless of where it comes from. This approach is described, among other places, in NIST SP 800-207 (Zero Trust Architecture).
It isn’t a product you buy, but an architecture and a mindset. You can’t “switch on Zero Trust” with a single purchase — you build it step by step.
The pillars it rests on
- Strong identity. The foundation is trustworthy authentication — ideally phishing-resistant (FIDO2 keys, passkeys).
- Least-privilege access. Users and services get exactly what they need, and only for as long as they need it.
- Microsegmentation. The network is split into small zones, so compromising one element doesn’t grant access to the rest — the same logic that breaks a ransomware attack chain.
- Context and device verification. An access decision considers device posture, location and risk, not just a correct password.
- Continuous monitoring. Trust isn’t granted once and for all — it’s constantly re-evaluated.
Where to start
Don’t begin with a big “everything at once” rollout. An incremental approach works better:
- Inventory identities, devices and your most important assets.
- Strengthen authentication (phishing-resistant MFA) for critical access.
- Break up the flat network — start by segmenting the most sensitive systems.
- Replace “trust in the VPN” with per-application access, verified every time.
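To make the pillars above and the “verified every time” per-application access concrete, here is an added example (not code from the article or from any product) of a minimal policy decision point in the spirit of NIST SP 800-207. The resources, roles, field names and the 15-minute re-verification threshold are illustrative assumptions.

```python
# Added example: a per-request policy decision point. Resource names, roles,
# device fields and thresholds are constructed for illustration.
from dataclasses import dataclass

SENSITIVE = {"hr-payroll", "prod-db"}          # constructed list of sensitive apps
ROLES = {                                       # least-privilege scopes per role
    "analyst": {"wiki": {"read"}, "prod-db": {"read"}},
    "dba":     {"prod-db": {"read", "write"}},
}
MAX_SESSION_AGE = 15 * 60   # seconds before an access must be re-verified

@dataclass
class Subject:
    user: str
    role: str
    auth_method: str            # "password", "totp" or "fido2"
    verified_age: int           # seconds since the last successful verification

@dataclass
class Device:
    managed: bool
    compliant: bool             # e.g. disk encryption, patch level, EDR running
    on_corporate_lan: bool      # deliberately ignored: location grants no trust

def decide(subject: Subject, device: Device, resource: str, action: str):
    """Return (allowed, reasons). Every request is evaluated from scratch:
    nothing is cached, and being "inside" the network is never a factor."""
    reasons = []
    # Continuous monitoring: trust expires and must be re-established.
    if subject.verified_age > MAX_SESSION_AGE:
        reasons.append("session stale: re-verify identity")
    # Strong identity: sensitive apps require phishing-resistant MFA.
    if resource in SENSITIVE and subject.auth_method != "fido2":
        reasons.append("sensitive resource requires phishing-resistant MFA")
    # Device posture: unmanaged or non-compliant devices are denied.
    if not (device.managed and device.compliant):
        reasons.append("device not managed/compliant")
    # Least privilege: the role must explicitly allow this action on this app.
    allowed_actions = ROLES.get(subject.role, {}).get(resource, set())
    if action not in allowed_actions:
        reasons.append(f"role {subject.role!r} has no {action!r} on {resource!r}")
    return (not reasons, reasons)
```

Note that `on_corporate_lan` is collected but never consulted: a request from the office LAN with a weak login fails exactly as it would from the internet.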
What to avoid
The biggest trap is treating Zero Trust as a marketing label stuck onto existing products. The second is trying to do everything at once and paralysing the organisation. Zero Trust is a direction you move toward in stages, starting where the risk is greatest. If you’d like to plan that path for your network, get in touch.
Sources and further reading: NIST SP 800-207 (Zero Trust Architecture).