Zero Trust Architecture Vocabulary
Vocabulary Reference
| Term / Phrase | Meaning in context |
|---|---|
| "never trust, always verify" | The core zero trust principle: no implicit trust is granted based on network location, device, or previous session — every access request is verified every time. |
| Microsegmentation | Dividing a network into small isolated zones with independent access controls so that a compromise in one zone cannot spread laterally to others. |
| Identity perimeter | In zero trust, the security boundary is defined by verified identity rather than physical or network location — "identity is the new perimeter". |
| BeyondCorp | Google's zero trust implementation that eliminated VPN-based corporate access, granting access based on device health and user identity from any network. |
| "verify explicitly" | A zero trust principle stating that every access decision should use all available data points — identity, location, device health, service, data classification — not just one factor. |
| Least privileged access | Granting users and systems only the minimum access needed for their specific task, limiting the blast radius of a compromise. |
1. A security architect explains to the development team: "We no longer assume anything inside the corporate network is safe. Every service call must authenticate and authorise, regardless of where it originates." Which principle are they describing?
2. After a server in the payments zone is compromised, the attacker cannot reach the HR database because the two zones have separate access controls and the attacker's credentials are not authorised for the HR zone. What architecture feature prevented lateral movement?
3. In a zero trust architecture presentation, the lead architect says: "The old model had a hard shell and a soft centre — once inside the network you were trusted. We have replaced the network perimeter with ___." What completes this sentence?
4. A team is discussing Google's model where employees access internal applications from any network using device certificates and their Google account — no VPN required. Which real-world zero trust implementation is being referenced?
5. The security team's access policy for a sensitive API states: "Access is granted only after validating user identity, device compliance status, request context, and data classification. No single factor is sufficient alone." This approach is described as: