What Zero Trust Actually Means
Zero trust is not a product, a vendor, or a single technology. It is an architectural principle: never trust, always verify. In practical terms, it means that no user, device, or application is inherently trusted based on their network location. A laptop on the corporate LAN receives no more default trust than a phone on a coffee shop Wi-Fi network. Every access request is authenticated, authorised, and encrypted regardless of where it originates. NIST Special Publication 800-207 provides the reference architecture, defining three core principles: all resources are accessed securely regardless of location, access is granted on a per-session basis using least-privilege policies, and all traffic is inspected and logged. Forrester, who coined the term in 2010, estimates that fewer than 5% of organisations have fully implemented zero trust — but the journey is incremental, not binary.
Start With Identity — It Is the New Perimeter
For mid-market businesses, the single highest-impact zero trust investment is identity. Multi-factor authentication (MFA) on every application eliminates the most common attack vector: stolen credentials. Microsoft reports that MFA blocks 99.9% of account compromise attacks. Beyond MFA, implement conditional access policies that evaluate context: is this device managed? Is this location recognised? Is this access pattern normal? Azure AD (now Entra ID), Okta, and Google Workspace all support conditional access policies that are straightforward to configure. Single sign-on (SSO) reduces password fatigue while centralising access control. The goal is a single identity plane where every application access decision is evaluated in real time against policy — not a VPN that grants blanket network access after a single authentication event.
- MFA on every application (blocks 99.9% of credential attacks)
- Conditional access policies based on device, location, and behaviour
- SSO to centralise access control and reduce password sprawl
- Eliminate VPN as primary access mechanism where possible
- Regular access reviews to enforce least-privilege principles
Network Segmentation Without a Forklift Upgrade
Microsegmentation — dividing the network into isolated zones with individual access controls — is a core zero trust tenet. For enterprises, this can mean a multi-year SDN implementation. For mid-market businesses, pragmatic segmentation delivers 80% of the value at 20% of the cost. Start by separating your network into functional zones: corporate endpoints, servers, IoT devices, and guest access. Use VLANs and firewall rules to restrict lateral movement between zones. Ensure that if an attacker compromises a user endpoint, they cannot reach the database server directly. Cloud-native environments make this easier: AWS Security Groups, Azure Network Security Groups, and Google Cloud firewall rules all enable microsegmentation without additional hardware. The key metric is blast radius — how far can an attacker move laterally from any given compromise point?
Monitoring and Verification: The Ongoing Work
Zero trust is not a project with an end date — it is an operational posture. Continuous monitoring and verification are what transform a zero trust architecture from a diagram into reality. Every access event should be logged and analysable. Anomalous patterns — a user accessing systems they have never used before, large data transfers at unusual times, access from new geographic locations — should trigger automated responses. Endpoint health checks should verify patch status, antivirus currency, and configuration compliance before granting access. BlackFog's anti data exfiltration layer fits naturally into a zero trust architecture: even if every other control fails and an attacker gains authenticated access, they cannot exfiltrate data to unauthorised destinations. This is defence in depth operationalised — multiple independent controls, each assuming the others have failed.
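The per-session, context-aware decision described in the identity section and the monitoring section above, as an added example (not BlackFog's code or any vendor's policy engine): a small policy decision function that checks MFA, device posture (patch status, antivirus currency, management enrolment) and the user's baseline for new locations, first-time resource access and large off-hours transfers, returning a tiered response. The baseline, thresholds and sample requests are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data and policy thresholds for illustration only.
@dataclass
class DevicePosture:
    managed: bool      # enrolled in device management
    patched: bool      # OS within the patch SLA
    av_current: bool   # endpoint protection signatures up to date

@dataclass
class AccessRequest:
    user: str
    resource: str
    mfa_passed: bool
    country: str
    hour: int                 # local hour of day, 0-23
    bytes_requested: int
    device: DevicePosture

@dataclass
class UserBaseline:
    countries: set = field(default_factory=set)
    resources: set = field(default_factory=set)
    work_hours: range = range(7, 20)
    typical_bytes: int = 50_000_000

def evaluate(req: AccessRequest, base: UserBaseline) -> tuple[str, list[str]]:
    """Return (decision, reasons): 'deny', 'step_up' (re-prompt MFA, restrict), or 'allow'."""
    d = req.device
    if not req.mfa_passed:
        return "deny", ["MFA not satisfied"]
    if not (d.managed and d.patched and d.av_current):
        return "deny", ["device posture check failed"]
    # Large transfer outside the user's normal hours: block and alert, not just prompt.
    if req.bytes_requested > 10 * base.typical_bytes and req.hour not in base.work_hours:
        return "deny", ["large transfer outside working hours"]
    reasons = []
    if req.country not in base.countries:
        reasons.append(f"new location: {req.country}")
    if req.resource not in base.resources:
        reasons.append(f"first access to {req.resource}")
    return ("step_up", reasons) if reasons else ("allow", [])

# Constructed baseline for one user and a compliant device.
ALICE = UserBaseline(countries={"GB"}, resources={"crm", "mail"})
OK_DEVICE = DevicePosture(managed=True, patched=True, av_current=True)

if __name__ == "__main__":
    req = AccessRequest("alice", "finance-db", True, "RO", 3, 2_000_000_000, OK_DEVICE)
    print(evaluate(req, ALICE))  # ('deny', ['large transfer outside working hours'])
```

Each decision carries its reasons so the event can be logged and fed to the automated responses the section describes; a real deployment would source the baseline from the identity provider's sign-in history rather than a hard-coded set.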