Zero Trust: Never Trust, Always Verify
The modern security model that assumes breach and verifies everything. Three principles and six pillars, and the exam tests them constantly.
What is Zero Trust?
Imagine a building where everyone shows ID at every door, not just the front entrance.
The old security model was like a castle with a moat: once you got past the front gate (the corporate firewall), you were trusted everywhere. Walk freely, open any office, access any file.
Zero Trust says: no. Every door checks your ID. Every time. Even if you just walked through the door next to it. Even if you work here. Even if you've been here for 20 years.
Why? Because threats come from inside too. A stolen password, a compromised laptop, a disgruntled employee: if they are already "inside", the old model can't stop them.
The three core principles
These three principles appear in nearly every security question on the exam:
| Principle | What It Means | Example |
|---|---|---|
| Verify explicitly | Always authenticate and authorise based on all available data points | Check the user's identity, device health, location, AND the sensitivity of what they're accessing |
| Use least privilege access | Give only the minimum permissions needed, for only as long as needed | Sam gives Tina "store manager" access, not "global admin". Elevated access expires after 4 hours. |
| Assume breach | Design systems as if an attacker is already inside | Segment networks, encrypt data, monitor for anomalies, limit blast radius |
Exam tip: recognising Zero Trust principles in questions
The exam often describes a scenario and asks "which Zero Trust principle does this follow?"
Pattern recognition:
- If the answer involves checking multiple factors before granting access → Verify explicitly
- If the answer involves limiting permissions or time-bound access → Least privilege
- If the answer involves monitoring, segmentation, or encryption → Assume breach
Sometimes questions combine principles: "Check device compliance (verify explicitly) and grant read-only access for 2 hours (least privilege)."
Zero Trust vs the old model
| Feature | Zero Trust | Traditional (Castle-and-Moat) |
|---|---|---|
| Trust model | Never trust, always verify | Trust everything inside the network |
| Network location | Not a factor in trust decisions | Inside = trusted, outside = untrusted |
| Access control | Least privilege, just-in-time | Broad access once authenticated |
| Verification | Continuous: every request is evaluated | Once, at the perimeter |
| Breach assumption | Designs for breach from day one | Assumes perimeter will hold |
| Remote work | Works the same from anywhere: location is not a trust signal | Requires VPN to 'get inside' |
The six pillars of Zero Trust
Microsoft implements Zero Trust across six areas. Think of each pillar as a door that checks your ID independently:
| Pillar | What It Covers | Microsoft Service |
|---|---|---|
| Identity | Users, service accounts, devices requesting access | Microsoft Entra ID (MFA, Conditional Access) |
| Devices | Device health and compliance | Intune, Defender for Endpoint |
| Applications | App permissions and shadow IT | Defender for Cloud Apps, app consent policies |
| Data | Data classification and protection | Microsoft Purview (labels, DLP, encryption) |
| Infrastructure | Server and cloud resource security | Microsoft Defender for Cloud, secure configurations |
| Network | Network segmentation and monitoring | Azure Firewall, NSGs, Global Secure Access |
Scenario: Sam implements Zero Trust at BrightStar
Sam decides BrightStar Retail needs proper security. Hereβs how Zero Trust applies:
- Identity: All 50 employees use MFA, even in the store
- Devices: Only company-managed tablets and laptops can access inventory data
- Applications: Employees can't install random apps that connect to company data
- Data: Customer payment information is encrypted and labelled "Confidential"
- Infrastructure: The POS servers run a hardened, secure configuration on their own network segment
- Network: Store Wi-Fi for customers is completely isolated from the business network
The result: When a phishing email compromises Tina's password, MFA blocks the attacker. Even if they bypass MFA, they can only reach Tina's store-manager resources, not the financial system.
Common Zero Trust misconceptions
| Misconception | Reality |
|---|---|
| "Zero Trust means zero access" | No: it means verified access, not no access |
| "It's a single product you buy" | No: it's a strategy applied across products and services |
| "It replaces firewalls" | No: firewalls are one layer within Zero Trust (part of the network pillar) |
| "Only for big enterprises" | No: even a 50-person business like BrightStar can implement it |
Knowledge Check
Raj at Lakewood University needs to give Professor Chen temporary admin access to set up a new course site. The access should expire automatically after 48 hours. Which TWO Zero Trust principles does this demonstrate? (Select 2)
Sam wants to ensure that even if an employee's password is stolen, an attacker cannot access BrightStar's inventory system. Which Zero Trust principle should Sam prioritise?