Zero Trust
Zero trust is a security architecture and strategy built on a single principle: never trust, always verify. Rather than assuming that users, devices, or systems inside your network perimeter are safe, zero trust requires continuous verification of every access request, regardless of where it originates.
For CISOs and security leaders evaluating their organisation’s security posture, zero trust represents a fundamental shift from perimeter-based defence to identity-centric, context-aware access control. It assumes breach as a starting point and designs controls around limiting what an attacker can reach if they get in.
| Field | Detail |
|---|---|
| Full name | Zero trust architecture (ZTA) |
| Type | Security architecture / strategy |
| Originated by | John Kindervag (Forrester Research, 2010); concept formalised by NIST SP 800-207 (2020) |
| Applies to | Network architecture, identity and access management, cloud security, data protection |
| UK relevance | Referenced in NCSC guidance, aligned with Secure by Design principles, increasingly expected in public sector procurement |
| Wikipedia | Zero trust security model |
| Wikidata | Q100527941 |
Why perimeter security is no longer enough
Traditional security models operate on the assumption that everything inside the corporate network is trusted. This worked when employees sat in offices, applications ran on-premises, and the network boundary was clearly defined.
That model has broken down. Remote and hybrid working means users connect from anywhere. Cloud adoption moves applications and data outside the corporate perimeter. Supply chain integrations give third parties access to internal systems. And threat actors who breach the perimeter can move laterally with minimal resistance, escalating privileges, accessing sensitive data, and establishing persistence before detection.
Zero trust addresses this by removing implicit trust entirely. Every access request is evaluated against identity, device health, location, behaviour patterns, and the sensitivity of the resource being accessed. Access is granted on a least-privilege basis, scoped to the minimum required, and continuously reassessed.
Core principles
Zero trust is not a single product or technology. It is an architectural approach built on several interconnected principles.
Verify explicitly – authenticate and authorise every access request based on all available data points: identity, device compliance, location, resource sensitivity, and anomaly detection.
Least privilege access – limit access to the minimum permissions needed for the task, for the minimum duration required. Just-in-time and just-enough-access models replace standing privileges.
Assume breach – design controls on the assumption that an attacker is already inside the network. Segment the environment, encrypt data in transit and at rest, monitor continuously, and limit blast radius.
These principles apply across identity and access management, network segmentation, endpoint security, application access, and data classification. Implementation is typically incremental, starting with identity as the control plane and expanding to cover networks, workloads, and data.
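The three principles above, shown as an added example that is not code from the original page or from Cyberfort: a minimal policy decision point in Python that evaluates every request against identity, MFA, device health, source country and an anomaly score, and on success grants only the requested action with a lifetime that shrinks as resource sensitivity rises. The group names, resources, thresholds, country list and sample requests are all constructed for illustration and are not a vendor API or a production policy.

```python
"""Added example, not from the original page: a minimal zero trust policy
decision point (PDP). Every signal is checked on every request, and a grant
is least-privilege and time-bounded. All names, thresholds and sample
requests are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional

# Resource sensitivity tiers (constructed): higher tier, stricter checks.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Constructed policy data: group -> resource -> actions that role may perform.
ROLE_PERMISSIONS = {
    "finance": {"finance-ledger": {"read", "write"}},
    "analysts": {"finance-ledger": {"read"}},
    "admins": {"prod-kms": {"read", "write"}},
}
ALLOWED_COUNTRIES = {"GB", "IE"}  # where confidential+ data may be accessed from
# Just-in-time lifetime per tier: sensitive grants expire sooner.
SESSION_TTL = {0: timedelta(hours=8), 1: timedelta(hours=8),
               2: timedelta(hours=1), 3: timedelta(minutes=15)}
SAMPLE_NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # fixed clock for samples


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]
    mfa: bool               # session completed multi-factor authentication
    device_managed: bool    # device is enrolled in the organisation's inventory
    device_compliant: bool  # patched, disk encrypted, EDR running
    country: str            # geolocation of the source address
    risk_score: int         # 0-100 from a behavioural anomaly engine (constructed)
    resource: str
    sensitivity: str        # key of SENSITIVITY
    action: str             # "read" or "write"


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)
    permissions: FrozenSet[str] = field(default_factory=frozenset)
    expires_at: Optional[datetime] = None


def evaluate(req: AccessRequest, now: datetime) -> Decision:
    """Verify explicitly: no check is skipped because a request looks
    'internal', and no standing grant is consulted."""
    tier = SENSITIVITY[req.sensitivity]
    reasons: List[str] = []

    # 1. Identity and authorisation: what does the user's role permit here?
    granted = set()
    for group in req.groups:
        granted |= ROLE_PERMISSIONS.get(group, {}).get(req.resource, set())
    if req.action not in granted:
        reasons.append(f"role permits {sorted(granted)} on {req.resource}, not {req.action}")

    # 2. Authentication strength: MFA for anything beyond public data.
    if tier >= 1 and not req.mfa:
        reasons.append("MFA required")

    # 3. Device health: managed for internal, compliant for confidential and above.
    if tier >= 1 and not req.device_managed:
        reasons.append("unmanaged device")
    if tier >= 2 and not req.device_compliant:
        reasons.append("device not compliant")

    # 4. Location and behaviour: geography and anomaly score gate sensitive access.
    if tier >= 2 and req.country not in ALLOWED_COUNTRIES:
        reasons.append(f"country {req.country} not permitted for {req.sensitivity} data")
    if req.risk_score >= 70 or (req.action == "write" and req.risk_score >= 40):
        reasons.append(f"risk score {req.risk_score} too high for {req.action}")

    if reasons:
        return Decision(allow=False, reasons=reasons)

    # Least privilege: only the action asked for, not the role's full set,
    # with a lifetime that shrinks as sensitivity rises (just-in-time access).
    return Decision(allow=True, permissions=frozenset({req.action}),
                    expires_at=now + SESSION_TTL[tier])


def still_valid(decision: Decision, now: datetime) -> bool:
    """Continuous reassessment: an earlier grant is re-checked on later use."""
    return decision.allow and decision.expires_at is not None and now < decision.expires_at


def run_samples(now: datetime = SAMPLE_NOW) -> Dict[str, Decision]:
    """Evaluate constructed requests; returns decisions keyed by case name."""
    base = dict(user="alice", groups=frozenset({"finance"}), mfa=True,
                device_managed=True, device_compliant=True, country="GB",
                risk_score=10, resource="finance-ledger",
                sensitivity="confidential", action="write")
    cases = {
        "healthy_write": AccessRequest(**base),
        "no_mfa": AccessRequest(**{**base, "mfa": False}),
        "analyst_write": AccessRequest(**{**base, "user": "bob", "groups": frozenset({"analysts"})}),
        "offshore_read": AccessRequest(**{**base, "country": "US", "action": "read"}),
        "anomalous_read": AccessRequest(**{**base, "action": "read", "risk_score": 85}),
    }
    return {name: evaluate(req, now) for name, req in cases.items()}


if __name__ == "__main__":
    for name, d in run_samples().items():
        print(f"{name:15} allow={d.allow} perms={sorted(d.permissions)} reasons={d.reasons}")
```

Note that nothing in the request says whether it came from "inside" the network: source country, device state and identity are evaluated for every call, which is the assume-breach posture in practice. A real deployment would source these signals from the identity provider, device inventory and detection platform rather than from fields on the request, and would log every denial with its reasons for the SOC.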
Zero trust and UK regulatory context
The NCSC references zero trust principles across its guidance on network architecture, cloud security, and Secure by Design. The NCSC’s network architecture guidance explicitly recommends moving away from traditional perimeter models towards identity-based, zero trust approaches.
For organisations subject to NIS2, the directive’s requirements around access control, network segmentation, and continuous monitoring align directly with zero trust architecture. DORA mandates similar controls for financial services. And public sector procurement frameworks increasingly expect suppliers to demonstrate zero trust principles in how they protect government data.
ISO 27001’s access control requirements (Annex A controls) are strengthened by zero trust implementation, moving from policy-based access to continuous, context-aware enforcement.
How we help you move towards zero trust
Zero trust is not something you buy; it is something you build incrementally, based on your current architecture, risk profile, and operational reality. We help organisations assess their current posture against zero trust principles through our cyber resilience audit and review service, aligned to the NCSC Cyber Assessment Framework.
Our consultancy team designs zero trust roadmaps that are practical and achievable, identifying the highest-impact changes first, integrating with existing infrastructure, and avoiding the disruption of a wholesale replacement. Our MXDR service provides the continuous monitoring and detection that zero trust assumes, identifying anomalous access, lateral movement, and privilege escalation in real time.
Learn more about our cyber resilience audit and review →
Related glossary terms
- NCSC CAF – UK government cyber assessment framework that evaluates access control and network security
- Threat modelling – structured analysis that identifies where zero trust controls deliver the most value
- MITRE ATT&CK – adversary tactics framework used to model the lateral movement that zero trust is designed to prevent
External references
- Wikipedia: Zero trust security model – encyclopaedic overview
- Wikidata: Q100527941 – canonical entity identifier
- NIST SP 800-207: Zero Trust Architecture – the foundational zero trust reference document
- NCSC: Zero trust architecture – UK government guidance
Frequently asked questions
Is zero trust a product I can buy?
No. Zero trust is an architectural approach, not a single technology. It requires changes across identity management, network segmentation, endpoint security, and monitoring. Vendors offering ‘zero trust solutions’ typically address one component; a comprehensive implementation requires strategy, architecture, and integration across multiple controls.
How long does it take to implement zero trust?
Zero trust is implemented incrementally, not as a single project. Most organisations start with identity, implementing multi-factor authentication, conditional access, and least-privilege policies, then extend to network segmentation and continuous monitoring. A realistic roadmap spans 12 to 36 months depending on complexity.
Does zero trust replace our firewall?
No. Firewalls remain part of the control set, but they are no longer the primary trust boundary. In a zero trust architecture, firewalls support micro-segmentation and east-west traffic control, while identity and context become the primary access decision points.
Contact Us
Cyberfort Ltd
Venture West,
Greenham Business Park, Thatcham,
Berkshire,
RG19 6HX
