2.2.1. Zero Trust Architecture
💡 First Principle: Zero Trust is a security model that treats every access request as potentially compromised, regardless of where it comes from. It requires explicit verification of identity and device health, enforces least-privilege access, and assumes a breach has already occurred, meaning it monitors continuously rather than trusting once.
The old model was "trust but verify" at the perimeter: get inside the network and you're trusted. Zero Trust flips this to "never trust, always verify": being on the corporate network grants no inherent trust, being a known user grants no permanent trust, and passing authentication once doesn't mean you're trusted forever.
Microsoft's Zero Trust model has three guiding principles:
| Principle | What It Means | In Practice |
|---|---|---|
| Verify explicitly | Authenticate and authorize based on all available data points | Use identity, location, device health, service/workload, data classification, and anomalies |
| Use least privilege access | Limit access to only what's needed, for only as long as needed | RBAC, just-in-time access (PIM), just-enough-access policies |
| Assume breach | Design as if attackers are already inside | Minimize blast radius, encrypt data, use analytics to detect threats |
⚠️ Exam Trap: MFA alone does not fulfill Zero Trust. MFA verifies identity, but Zero Trust also requires device compliance checking, least-privilege role assignment, and ongoing monitoring. A user who passes MFA from an unmanaged personal device in an unusual location is not "Zero Trust verified."
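The following is an added illustrative example, not code from Microsoft or from this guide, showing how the three principles in the table turn into an access decision. It models a small policy engine: "verify explicitly" combines several signals rather than MFA alone, "least privilege" treats elevated roles as time-boxed just-in-time grants, and "assume breach" re-checks old sessions instead of trusting them forever. The signal names, the one-hour re-verification window, and the rule that two or more anomalies deny while one triggers step-up are assumptions chosen for the example; Microsoft's Conditional Access engine is not reproduced here.

```python
"""Illustrative Zero Trust access evaluator (added example; thresholds and
signal names are assumptions, not Microsoft's Conditional Access engine)."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"      # identity verified, but more proof is required
    DENY = "deny"


@dataclass(frozen=True)
class Signals:
    """Data points collected for one access request (constructed values)."""
    user: str
    mfa_passed: bool
    device_managed: bool       # enrolled in device management
    device_compliant: bool     # passes the compliance policy (patched, encrypted, ...)
    location_familiar: bool    # location previously seen for this user
    sign_in_risk: str          # "low" | "medium" | "high"
    session_age_min: int       # minutes since the last verification
    requested_role: str


@dataclass
class JitGrant:
    """Just-in-time role assignment: an elevated role for a bounded window."""
    role: str
    expires_at_min: int        # example minute counter, not wall-clock time


@dataclass
class UserState:
    standing_roles: set = field(default_factory=set)
    jit_grants: list = field(default_factory=list)


REVERIFY_AFTER_MIN = 60        # assumed continuous-access re-check interval


def has_role(state: UserState, role: str, now_min: int) -> bool:
    """Least privilege: a role counts only if standing or an unexpired JIT grant."""
    if role in state.standing_roles:
        return True
    return any(g.role == role and g.expires_at_min > now_min for g in state.jit_grants)


def evaluate(sig: Signals, state: UserState, now_min: int) -> tuple[Decision, list[str]]:
    """Verify explicitly: every signal is weighed; MFA on its own never yields ALLOW."""
    if not sig.mfa_passed:
        return Decision.DENY, ["identity not verified (MFA missing)"]
    if sig.sign_in_risk == "high":
        return Decision.DENY, ["high sign-in risk"]
    if not has_role(state, sig.requested_role, now_min):
        return Decision.DENY, [f"no active grant for role '{sig.requested_role}'"]

    anomalies = []
    # Assume breach: an old session is re-verified rather than trusted forever.
    if sig.session_age_min > REVERIFY_AFTER_MIN:
        anomalies.append("session older than re-verification window")
    if not (sig.device_managed and sig.device_compliant):
        anomalies.append("device unmanaged or non-compliant")
    if not sig.location_familiar:
        anomalies.append("unfamiliar location")
    if sig.sign_in_risk == "medium":
        anomalies.append("medium sign-in risk")

    if len(anomalies) >= 2:      # e.g. the exam-trap case: MFA passed, still not verified
        return Decision.DENY, anomalies
    if anomalies:
        return Decision.STEP_UP, anomalies
    return Decision.ALLOW, ["all signals healthy"]


def demo() -> dict:
    """Run the scenarios from the text and return the decision for each."""
    state = UserState(standing_roles={"reader"},
                      jit_grants=[JitGrant(role="admin", expires_at_min=30)])
    base = dict(user="alice", mfa_passed=True, device_managed=True, device_compliant=True,
                location_familiar=True, sign_in_risk="low", session_age_min=5,
                requested_role="reader")
    return {
        "healthy": evaluate(Signals(**base), state, now_min=10)[0],
        # MFA passed from an unmanaged personal device in an unusual location
        "exam_trap": evaluate(Signals(**{**base, "device_managed": False,
                                         "device_compliant": False,
                                         "location_familiar": False}), state, 10)[0],
        "no_mfa": evaluate(Signals(**{**base, "mfa_passed": False}), state, 10)[0],
        "stale_session": evaluate(Signals(**{**base, "session_age_min": 90}), state, 10)[0],
        "jit_admin_active": evaluate(Signals(**{**base, "requested_role": "admin"}), state, 10)[0],
        "jit_admin_expired": evaluate(Signals(**{**base, "requested_role": "admin"}), state, 45)[0],
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:>18}: {decision.value}")
```

The exam-trap scenario is the instructive one: `mfa_passed` is true, yet the evaluator denies because the device and location signals both fail, which is exactly why "we deployed MFA" does not equal "we implemented Zero Trust". The `jit_admin_expired` case shows least privilege in time as well as scope: the same user with the same MFA result loses admin access once the just-in-time window closes.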
Reflection Question: Your CISO says "we've deployed MFA for all users, so we've implemented Zero Trust." What two additional elements are missing from this claim?