Zero Trust

Quick Definition

Zero Trust is a security architecture that assumes no network location is inherently safe. Every request, whether from outside the office or inside it, must be authenticated and authorized. The traditional model (trust requests from inside the corporate network, distrust everything else) collapses when employees work remotely, when third-party services need access, and when attackers gain a foothold inside the perimeter. Zero Trust replaces "trust the network" with "trust the identity, the device, and the request".

How it works

Practical Zero Trust requires strong identity for users (SSO with phishing-resistant MFA), strong identity for devices (managed devices with attestation), authentication on every request (no implicit trust based on IP or VPN), and policy that combines identity, device, and request context to make access decisions. Tools in this space include Cloudflare Access, Tailscale, Google BeyondCorp, and Microsoft Entra Conditional Access.

mTLS for service-to-service traffic, OIDC and SAML for users, device certificates for devices, and fine-grained authorization policies (OPA, Cedar) make up most implementations.
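A minimal per-request policy decision, as an added example that is not taken from any of the tools named above. It combines identity, device, and request context, denies by default, and never consults the source IP. The MFA labels, group names, resources, and sample requests are constructed for illustration.

```python
from dataclasses import dataclass

# Assumed labels for phishing-resistant MFA methods (hypothetical names).
PHISHING_RESISTANT = {"webauthn", "piv"}

# Constructed policy: resource -> action -> groups allowed to perform it.
POLICY = {
    "prod-db": {"read": {"sre", "dba"}, "write": {"dba"}},
    "wiki": {"read": {"staff"}},
}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    mfa_method: str
    device_managed: bool
    device_attested: bool
    source_ip: str  # kept for logging only; never used in the decision
    resource: str
    action: str

def decide(req):
    """Evaluate one request. Default deny; returns (allowed, reason)."""
    if req.mfa_method not in PHISHING_RESISTANT:
        return False, "mfa_not_phishing_resistant"
    if not (req.device_managed and req.device_attested):
        return False, "device_not_trusted"
    allowed_groups = POLICY.get(req.resource, {}).get(req.action)
    if allowed_groups is None:
        return False, "no_matching_policy"
    if not (req.groups & allowed_groups):
        return False, "identity_not_authorized"
    return True, "ok"

# Constructed sample requests: one from a public address, three from
# "internal" addresses that a perimeter model would have trusted.
SAMPLES = [
    AccessRequest("alice", frozenset({"dba"}), "webauthn", True, True, "203.0.113.7", "prod-db", "write"),
    AccessRequest("bob", frozenset({"dba"}), "totp", True, True, "10.0.0.5", "prod-db", "write"),
    AccessRequest("carol", frozenset({"sre"}), "webauthn", True, False, "10.0.0.9", "prod-db", "read"),
    AccessRequest("dave", frozenset({"sre"}), "webauthn", True, True, "10.0.0.12", "prod-db", "write"),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.user, r.source_ip, decide(r))
```

Only the request from the public address is allowed; each internal-address request fails on a different signal (MFA strength, device attestation, group membership).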

Why it matters

Perimeter security failed in the cloud era. Zero Trust is the response: assume breach, verify everything. Every major cloud provider, every modern enterprise SaaS, and increasingly every well-run startup uses some form of Zero Trust for production access.

Where you'll see this on TerminalFeed

The API security article covers Zero Trust principles applied to public API endpoints.