Vocabulary for Zero Trust Security: 30 Essential Terms Explained

Master the English vocabulary of Zero Trust architecture — identity-centric perimeter, microsegmentation, least privilege, mTLS, and more for security professionals.

Zero Trust is one of the most discussed security paradigms in modern IT — and one of the most misunderstood. If you work on security engineering, cloud architecture, or compliance, you will encounter its vocabulary constantly in documentation, audits, vendor conversations, and architecture reviews.

This guide explains the 30 most important Zero Trust terms in plain English, with pronunciation notes, usage examples, and context to help you use them confidently.

The Core Philosophy

Before the vocabulary, understand the principle. Zero Trust is built on one idea:

“Never trust, always verify.”

The traditional security model assumed that anything inside the corporate network was safe. Zero Trust rejects that assumption entirely. Every request — from every user, device, and service — must be authenticated and authorised, regardless of where it originates.

Foundational Zero Trust Vocabulary

1. Identity-Centric Perimeter

Pronunciation: /aɪˈdentɪti ˈsentrɪk ˈperɪmɪtə/

In traditional security, the perimeter was the network boundary (firewall, VPN). In Zero Trust, the perimeter moves to the identity — the user, device, or service making the request. Access decisions are based on who you are, not where you are.

Usage: “We’ve shifted from a network-centric to an identity-centric perimeter, which means VPN is no longer our primary control.”

2. Microsegmentation

Pronunciation: /ˌmaɪkrəʊˌseɡmenˈteɪʃən/

Dividing a network into small, isolated segments so that even if an attacker gains access to one segment, they cannot move laterally to others. Think of it as internal firewalls between every workload.

Usage: “Our microsegmentation policy ensures that the payment service can only communicate with the authorisation service — nothing else.”

3. Least Privilege

Pronunciation: /liːst ˈprɪvɪlɪdʒ/

The principle that users, services, and systems should have only the minimum permissions required to do their job — nothing more. Also called principle of least privilege (PoLP).

Usage: “Following least privilege, the deployment pipeline has write access only to the staging bucket, not production.”

4. mTLS (Mutual TLS)

Pronunciation: /ˌmjuːtʃuəl tiː el es/

Standard TLS verifies only the server’s identity to the client; the client is usually authenticated later, at the application layer (password, token). Mutual TLS (mTLS) requires both sides to present certificates — the client proves its identity to the server and the server proves its identity to the client, each checking the other’s certificate against a trusted CA. Essential for service-to-service authentication in Zero Trust environments, with two practical conditions: certificates must come from an internal CA the services actually trust, and they should be short-lived so that a stolen key has limited value.

Usage: “All inter-service traffic is secured with mTLS — no service can call another without a valid certificate.”
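As an added example (not code from the original page or from any product), the handshake described above in Go using only the standard library: it mints an in-memory private CA, a server certificate for a hypothetical authorisation service and a client certificate for a hypothetical payment service, then shows that a client presenting its certificate is identified by the server while a client presenting none is refused. The service names, the loopback listener and the in-memory CA are assumptions of this example; a real deployment would obtain workload certificates from a PKI or a system such as SPIFFE/SPIRE.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const serverName, clientName = "authorisation.internal", "payment.internal" // hypothetical names

// issueCert mints a short-lived P-256 cert for cn: self-signed when isCA, else signed by parent/parentKey.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotAfter:     time.Now().Add(time.Hour), // short-lived, as Zero Trust prefers
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed
	} else {
		tmpl.KeyUsage, tmpl.DNSNames = x509.KeyUsageDigitalSignature, []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, key
}

// BuildConfigs issues a private CA plus server and client identities and returns a server
// config that demands a client cert, a client config that presents one, and one that does not.
func BuildConfigs() (server, client, anonymous *tls.Config) {
	_, caLeaf, caKey := issueCert("example-internal-ca", true, nil, nil)
	serverCert, _, _ := issueCert(serverName, false, caLeaf, caKey)
	clientCert, _, _ := issueCert(clientName, false, caLeaf, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(caLeaf)
	server = &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "mutual" in mTLS
		ClientCAs:    pool, MinVersion: tls.VersionTLS13, SessionTicketsDisabled: true,
	}
	client = &tls.Config{Certificates: []tls.Certificate{clientCert}, RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS13}
	anonymous = &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS13}
	return server, client, anonymous
}

// Exchange runs one mTLS connection over loopback and returns the client identity the
// server verified; it errors if either side cannot authenticate the other.
func Exchange(serverCfg, clientCfg *tls.Config) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			tc := conn.(*tls.Conn)
			if err = tc.Handshake(); err == nil { // fails when the client has no valid cert
				_, err = fmt.Fprintln(tc, tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}
		}
		srvErr <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg) // verifies the server cert
	if err != nil {
		return "", err
	}
	defer conn.Close()
	// Under TLS 1.3 the client's handshake completes before the server has checked the
	// client cert, so a rejected certificate surfaces as an error on the first read.
	peer, err := bufio.NewReader(conn).ReadString('\n')
	if err != nil {
		return "", err
	}
	return strings.TrimSpace(peer), <-srvErr
}

func main() {
	server, client, anonymous := BuildConfigs()
	fmt.Println(Exchange(server, client))    // payment.internal <nil>
	fmt.Println(Exchange(server, anonymous)) // "" plus a bad-certificate error
}
```

The comment in Exchange is the practical caveat: with TLS 1.3 a client whose certificate the server rejects sees a successful Dial and only learns of the rejection on its first read, so client-side code that treats "handshake returned" as "authenticated" is wrong. The server side is unambiguous: with RequireAndVerifyClientCert its Handshake never succeeds for a client that lacks a certificate chaining to ClientCAs.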

5. Zero Trust Network Access (ZTNA)

A framework or product that replaces VPN by granting access to specific applications rather than the entire network. Users authenticate through an identity provider and receive access only to what they need.

Usage: “Since deploying ZTNA, remote employees connect directly to their authorised apps — they never touch the internal network.”

Identity and Authentication Terms

6. Identity Provider (IdP)

The service that manages identities and authenticates users (e.g., Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace). In Zero Trust, the IdP is the source of truth for who a subject is; its assertion is then combined with device and risk signals to reach an access decision.

7. Continuous Authentication

Unlike one-time login, continuous authentication re-verifies the user or device throughout a session — checking signals like location, device health, and behaviour. If something changes, access can be revoked in real time.

Usage: “Our CASB performs continuous authentication — if a user’s device fails a health check mid-session, their access is immediately terminated.”

8. Adaptive Access Control

Access policies that dynamically adjust based on context — device compliance, user role, time of day, location risk score. If risk is low, seamless access. If risk is high, step-up authentication is triggered.

9. Step-Up Authentication

A security challenge presented when a user attempts a high-risk action (e.g., accessing sensitive data or changing account settings), even if they are already logged in.

Usage: “Accessing production credentials triggers step-up authentication — the engineer must verify via their hardware token.”

10. Service Account

A non-human identity used by applications and services to authenticate with other services or APIs. In Zero Trust, service accounts require the same scrutiny as human accounts — short-lived credentials and least privilege policies.

Network and Segmentation Terms

11. East-West Traffic

Traffic that moves laterally between services within a network (server to server). In traditional models, east-west traffic was often unmonitored. Zero Trust applies inspection and policy enforcement here.

Contrast: North-south traffic moves between the internal network and the internet (client to server).

12. Lateral Movement

A technique attackers use to progressively move through a network after initial compromise, seeking higher-privilege systems or sensitive data. Microsegmentation and Zero Trust policies are designed to limit this.

Usage: “The breach was contained because microsegmentation prevented lateral movement beyond the initial endpoint.”

13. Software-Defined Perimeter (SDP)

A security framework, originally specified by the Cloud Security Alliance, that creates a perimeter around individual users and devices rather than network segments. Resources stay unreachable until the requester has been authenticated and authorised, and the perimeter is defined by policy, not physical infrastructure.

14. Network Policy

In Kubernetes and cloud environments, a set of rules defining which pods or services can communicate with each other, usually matched by labels, ports, and direction (ingress or egress). Network policies are a key tool for implementing microsegmentation at the workload level. Two caveats: a Kubernetes pod that no NetworkPolicy selects accepts all traffic, so microsegmentation starts with a default-deny policy per namespace and then allows specific flows; and the rules only take effect if the cluster’s network plugin (CNI) enforces them.

15. Encryption in Transit

Encrypting data as it moves between services, even within the internal network. In Zero Trust, all traffic — internal or external — should be encrypted in transit.

Access Control Terms

16. Policy Decision Point (PDP)

The component that evaluates an access request against policy rules and returns an allow/deny decision. Cloud-native policy engines such as OPA (Open Policy Agent) are commonly deployed as the PDP. The PDP decides but does not itself block or forward traffic.

17. Policy Enforcement Point (PEP)

The component that intercepts access requests and enforces the decision made by the PDP. The PEP sits between the requester and the resource, typically as an API gateway, a sidecar proxy, or an identity-aware proxy.

18. Attribute-Based Access Control (ABAC)

A model where access decisions are based on attributes — user department, device OS version, resource classification, time of request. More flexible than role-based access control (RBAC).

Usage: “Our ABAC policy grants data export permissions only to managers, on managed devices, during business hours.”
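To make the PDP/PEP split (terms 16 and 17), ABAC (term 18), device posture (term 21) and step-up authentication (term 9) concrete, an added example that is not from the original page or any product: a Go PDP that evaluates the policy from the usage sentence above over request attributes, and a PEP written as HTTP middleware that enforces the decision. The header names, the policy itself and the assumption that a trusted upstream identity-aware proxy populates the headers are all constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Attributes is what the PEP hands to the PDP (a field set constructed for this example).
type Attributes struct {
	Subject, Role                                     string
	ManagedDevice, EDRRunning, OSUpToDate, StrongAuth bool // device posture and auth strength
	Action, Resource                                  string
	At                                                time.Time
}

// Decision is the PDP's answer; StepUp means "allowed once an extra authentication challenge passes".
type Decision int

const (
	Deny Decision = iota
	Allow
	StepUp
)

// Decide is the PDP: pure policy evaluation, no I/O and no enforcement. The policy
// (constructed for the example) is the one in the usage sentence above: data export for
// managers, on managed devices with healthy posture, between 09:00 and 18:00; the
// "confidential" dataset additionally needs step-up authentication.
func Decide(a Attributes) (Decision, string) {
	// Posture first: an unhealthy device is refused whoever is using it.
	if !a.ManagedDevice || !a.EDRRunning || !a.OSUpToDate {
		return Deny, "device posture check failed"
	}
	if a.Action != "export" {
		return Deny, "no rule permits action " + a.Action
	}
	if a.Role != "manager" {
		return Deny, "role " + a.Role + " may not export"
	}
	if h := a.At.Hour(); h < 9 || h >= 18 {
		return Deny, "outside business hours"
	}
	if a.Resource == "confidential" && !a.StrongAuth {
		return StepUp, "confidential export requires hardware-token verification"
	}
	return Allow, "policy satisfied"
}

// Enforce is the PEP: HTTP middleware that gathers attributes, asks the PDP and forwards
// only allowed requests. The identity and posture headers are assumed to be set by a trusted
// upstream identity-aware proxy; a PEP must never accept them from an untrusted source.
func Enforce(next http.Handler, now func() time.Time) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		a := Attributes{
			Subject: r.Header.Get("X-Subject"), Role: r.Header.Get("X-Role"),
			ManagedDevice: r.Header.Get("X-Device-Managed") == "true",
			EDRRunning:    r.Header.Get("X-Device-EDR") == "true",
			OSUpToDate:    r.Header.Get("X-Device-OS-Current") == "true",
			StrongAuth:    r.Header.Get("X-Auth-Strong") == "true",
			Action: r.URL.Query().Get("action"), Resource: r.URL.Query().Get("dataset"), At: now(),
		}
		d, reason := Decide(a)
		switch d {
		case Allow:
			next.ServeHTTP(w, r)
		case StepUp:
			http.Error(w, "step-up required: "+reason, http.StatusUnauthorized)
		default:
			http.Error(w, "forbidden: "+reason, http.StatusForbidden)
		}
	})
}

// HealthyManager returns constructed proxy headers for a manager on a compliant device.
func HealthyManager() map[string]string {
	return map[string]string{"X-Subject": "alice", "X-Role": "manager",
		"X-Device-Managed": "true", "X-Device-EDR": "true", "X-Device-OS-Current": "true"}
}

// Probe sends one export request with the given headers through the PEP and returns the
// status code. The clock is pinned to a weekday 14:30 UTC so the hours rule is deterministic.
func Probe(headers map[string]string, dataset string) int {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "export started") })
	at := time.Date(2024, time.March, 12, 14, 30, 0, 0, time.UTC)
	pep := Enforce(app, func() time.Time { return at })
	req := httptest.NewRequest(http.MethodGet, "/export?action=export&dataset="+dataset, nil)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	pep.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(Probe(HealthyManager(), "sales"))        // 200
	fmt.Println(Probe(HealthyManager(), "confidential")) // 401: step-up first
	stale := HealthyManager()
	stale["X-Device-OS-Current"] = "false"
	fmt.Println(Probe(stale, "sales")) // 403: posture check failed
}
```

The design point is the boundary between the two functions: Decide knows nothing about HTTP and can be unit-tested or swapped for an external engine such as OPA without touching the middleware, while Enforce knows nothing about the policy and simply maps allow, step-up and deny onto responses. The one thing the PEP must get right on its own is provenance of the attributes, which is why the headers may only be trusted from the proxy that set them.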

19. Just-In-Time (JIT) Access

Granting elevated access only for a specific task and a limited time window, then automatically revoking it. Eliminates standing privileged access.

Usage: “Production database access is JIT-only — engineers request a 2-hour window, which expires automatically.”

20. Standing Privilege

Permanent, always-on elevated access granted to a user or service. Zero Trust aims to eliminate standing privilege in favour of JIT access.
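An added example, not from the original page, of what JIT access (term 19) and the removal of standing privilege (term 20) look like in code: an in-process broker, constructed for this example as a stand-in for a PAM/JIT service, where nothing is granted by default, every grant carries an expiry that is enforced on each check, and every decision is appended to an audit trail. The subject, resource and ticket reference are invented.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// Clock makes the example's passage of time deterministic; production code
// would use time.Now.
type Clock struct{ t time.Time }

func (c *Clock) Now() time.Time          { return c.t }
func (c *Clock) Advance(d time.Duration) { c.t = c.t.Add(d) }

// Grant is a time-boxed elevation. There is no permanent variant: every grant
// carries an expiry, which is what removes standing privilege.
type Grant struct {
	Subject, Resource, Justification string
	Granted, Expires                 time.Time
}

// Broker issues and checks JIT grants and keeps an append-only audit trail. It
// is an in-process stand-in for a PAM/JIT service, constructed for this example.
type Broker struct {
	clock  *Clock
	maxTTL time.Duration
	grants map[string]Grant
	Audit  []string
}

func NewBroker(clock *Clock, maxTTL time.Duration) *Broker {
	return &Broker{clock: clock, maxTTL: maxTTL, grants: map[string]Grant{}}
}

func key(subject, resource string) string { return subject + "@" + resource }

func (b *Broker) log(event, subject, resource, detail string) {
	line := fmt.Sprintf("%s %s subject=%s resource=%s %s",
		b.clock.Now().UTC().Format(time.RFC3339), event, subject, resource, detail)
	b.Audit = append(b.Audit, strings.TrimSpace(line))
}

// Request asks for elevation for ttl. It is refused when the window exceeds
// policy or no justification is given; an approver step or ticket check would
// sit here in a real service.
func (b *Broker) Request(subject, resource, justification string, ttl time.Duration) (Grant, error) {
	switch {
	case justification == "":
		b.log("REFUSED", subject, resource, "reason=no-justification")
		return Grant{}, errors.New("justification required")
	case ttl <= 0 || ttl > b.maxTTL:
		b.log("REFUSED", subject, resource, fmt.Sprintf("reason=ttl-out-of-policy ttl=%s max=%s", ttl, b.maxTTL))
		return Grant{}, fmt.Errorf("ttl %s outside policy (max %s)", ttl, b.maxTTL)
	}
	now := b.clock.Now()
	g := Grant{Subject: subject, Resource: resource, Justification: justification, Granted: now, Expires: now.Add(ttl)}
	b.grants[key(subject, resource)] = g
	b.log("GRANT", subject, resource, fmt.Sprintf("expires=%s justification=%q", g.Expires.UTC().Format(time.RFC3339), justification))
	return g, nil
}

// Authorize is the check every privileged action goes through. With no live
// grant the answer is deny: nothing is implied by the subject's role or history.
func (b *Broker) Authorize(subject, resource string) bool {
	g, ok := b.grants[key(subject, resource)]
	switch {
	case !ok:
		b.log("DENY", subject, resource, "reason=no-grant")
		return false
	case !b.clock.Now().Before(g.Expires):
		delete(b.grants, key(subject, resource)) // automatic revocation
		b.log("DENY", subject, resource, "reason=grant-expired")
		return false
	}
	b.log("ALLOW", subject, resource, "")
	return true
}

// Revoke ends a grant early, for instance when the session's risk score rises.
func (b *Broker) Revoke(subject, resource string) {
	delete(b.grants, key(subject, resource))
	b.log("REVOKE", subject, resource, "")
}

func main() {
	clock := &Clock{t: time.Date(2024, time.March, 12, 9, 0, 0, 0, time.UTC)}
	b := NewBroker(clock, 4*time.Hour)
	fmt.Println(b.Authorize("bob", "prod-db")) // false: nothing is standing
	_, err := b.Request("bob", "prod-db", "INC-4711 slow queries", 2*time.Hour)
	fmt.Println(err, b.Authorize("bob", "prod-db")) // <nil> true
	clock.Advance(2*time.Hour + time.Minute)
	fmt.Println(b.Authorize("bob", "prod-db")) // false: the window expired
	for _, line := range b.Audit {
		fmt.Println(line)
	}
}
```

Expiry is checked at use time rather than by a background sweeper, so a grant can never be honoured late because a cleanup job fell behind; Revoke covers the adaptive case where a risk signal should cut a window short. The audit lines are deliberately one event per line with key=value fields, which is the shape a SIEM or the burst detection later on this page can consume without a custom parser.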

Device and Endpoint Terms

21. Device Posture

The security state of a device at a given moment — patch level, encryption status, EDR agent presence, compliance with organisational policy. A key input to Zero Trust access decisions.

Usage: “Access was denied because the user’s device posture check showed an outdated OS and no endpoint protection running.”

22. Managed Device

A device enrolled in the organisation’s mobile device management (MDM) or endpoint management system, allowing IT to enforce policies and perform remote wipe if needed.

23. Endpoint Detection and Response (EDR)

Security software that monitors endpoints for suspicious activity and can respond automatically (isolate, quarantine, alert). EDR data feeds into device posture checks.

Monitoring and Trust Terms

24. Trust Score / Risk Score

A numerical or categorical measure of how much a given access request should be trusted, based on aggregated signals (identity confidence, device health, location anomaly, behaviour baseline).

25. Behavioural Analytics (UEBA)

User and Entity Behaviour Analytics — detecting anomalies in how users and systems behave compared to their historical baseline. A user downloading 10x their normal data volume triggers an alert.

26. Data Plane vs Control Plane

  • Control plane — where policy is defined and trust decisions are made (the PDP lives here)
  • Data plane — where actual traffic flows and policy is enforced (the PEP lives here)

In Zero Trust architecture, separating these planes is a best practice, and NIST SP 800-207 describes the architecture in exactly these terms. Keeping them apart also means a compromised workload on the data plane cannot rewrite the policy that governs it.

27. Blast Radius

Borrowed from the language of explosives and popularised in IT by chaos engineering, this term describes the potential scope of damage if a component or credential is compromised. Zero Trust design aims to minimise blast radius through segmentation, least privilege, and short-lived credentials.

28. Zero Standing Access (ZSA)

The strictest form of least privilege, in which users and services hold no access by default: every access request must be explicitly granted in real time, for a bounded period, with full audit logging. JIT access is the mechanism that makes ZSA workable day to day.

29. Workload Identity

The identity assigned to a compute workload (container, VM, serverless function) rather than a human user, for example a SPIFFE ID or a cloud IAM role bound to the workload. Workload identities enable mTLS and fine-grained service mesh policies, and they replace long-lived API keys baked into images or configuration.

30. Audit Trail / Access Log

A complete, tamper-resistant record of who accessed what, when, from where, and with what result. In Zero Trust, comprehensive audit trails are non-negotiable — they are the evidence layer.

Usage: “Our audit trail showed that the service account accessed the secrets store 847 times in 10 minutes — a clear anomaly that triggered the incident response.”
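An added example, not from the original page, of the kind of check behind that usage sentence and behind UEBA (term 25): parsing constructed audit-log lines and flagging any principal whose successful accesses to one resource exceed a limit inside a sliding 10-minute window. The log format, the sample lines and the fixed threshold are assumptions of this example; a real UEBA system derives the threshold from each principal's historical baseline rather than a constant.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed access-log record.
type Event struct {
	At                                  time.Time
	Principal, Action, Resource, Result string
}

// Parse reads lines of the form "<RFC3339 time> <principal> <action> <resource> <result>", a log
// format constructed for this example. Malformed lines are returned rather than silently
// dropped: a gap in the audit trail is itself a finding.
func Parse(lines []string) (events []Event, malformed []string) {
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) != 5 {
			malformed = append(malformed, line)
			continue
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			malformed = append(malformed, line)
			continue
		}
		events = append(events, Event{at, f[1], f[2], f[3], f[4]})
	}
	return events, malformed
}

// Burst is a principal whose successful accesses to one resource exceeded a
// limit inside a sliding window.
type Burst struct {
	Principal, Resource string
	Count               int       // events in the densest window
	From                time.Time // start of that window
}

// FindBursts slides a window over each principal/resource series and reports the densest
// window when it holds more than limit events. Only result=ok counts: a run of failures is
// a different signal (brute force) and is handled elsewhere.
func FindBursts(events []Event, window time.Duration, limit int) []Burst {
	series := map[[2]string][]time.Time{}
	for _, e := range events {
		if e.Result == "ok" {
			k := [2]string{e.Principal, e.Resource}
			series[k] = append(series[k], e.At)
		}
	}
	var out []Burst
	for k, ts := range series {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		best, from, start := 0, time.Time{}, 0
		for end := range ts { // two-pointer window: ts[start..end] spans less than window
			for ts[end].Sub(ts[start]) >= window {
				start++
			}
			if n := end - start + 1; n > best {
				best, from = n, ts[start]
			}
		}
		if best > limit {
			out = append(out, Burst{k[0], k[1], best, from})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Count > out[j].Count })
	return out
}

// SampleLog is constructed for the example: a deployment service account reads the secrets
// store far more often than usual, alongside ordinary human activity and one corrupt line.
var SampleLog = []string{
	"2024-03-12T09:00:12Z alice read wiki ok",
	"2024-03-12T09:01:40Z svc-deploy read secrets-store ok",
	"2024-03-12T09:02:05Z svc-deploy read secrets-store ok",
	"2024-03-12T09:02:31Z svc-deploy read secrets-store ok",
	"2024-03-12T09:02:58Z svc-deploy read secrets-store ok",
	"2024-03-12T09:03:20Z alice read wiki ok",
	"2024-03-12T09:03:44Z svc-deploy read secrets-store ok",
	"2024-03-12T09:04:10Z svc-deploy read secrets-store ok",
	"2024-03-12T09:05:02Z svc-deploy read secrets-store ok",
	"2024-03-12T09:05:30Z svc-deploy read secrets-store denied",
	"2024-03-12T09:06:15Z svc-deploy read secrets-store ok",
	"garbled line from a log shipper",
	"2024-03-12T09:40:00Z svc-deploy read secrets-store ok",
}

func main() {
	events, bad := Parse(SampleLog)
	fmt.Printf("%d events, %d malformed lines\n", len(events), len(bad))
	for _, b := range FindBursts(events, 10*time.Minute, 5) {
		fmt.Printf("%s hit %s %d times within 10 minutes from %s\n", b.Principal, b.Resource, b.Count, b.From.Format(time.RFC3339))
	}
}
```

The two-pointer scan is linear in the number of events per series, so it scales to the volumes an audit trail produces, and it reports where the densest window starts, which is what an analyst needs to pivot into the raw logs. Note that the single late read at 09:40 is not counted against the earlier burst: the window is half-open, and only events less than ten minutes apart share one.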

Key Takeaways

  • Zero Trust moves the perimeter from the network edge to the identity of every user, device, and service.
  • Microsegmentation and least privilege limit the blast radius of any breach.
  • mTLS ensures both parties in a service call are verified — not just the server.
  • Adaptive access control uses context (device posture, location, behaviour) to make dynamic access decisions.
  • JIT access eliminates standing privilege — access is granted only when needed, and automatically revoked.
  • Understanding the distinction between PDP (decides) and PEP (enforces) is essential for architecture conversations.

Zero Trust is not a product you buy — it is a strategy you implement. Knowing this vocabulary puts you in a position to lead those conversations in English with confidence.