What is the core principle of Zero Trust Architecture (ZTA)?
Zero Trust abandons the old "castle-and-moat" model where anything inside the perimeter is trusted. NIST SP 800-207 defines the principle: "never trust, always verify." Every access request — even from inside the corporate network — must be authenticated (who are you?), authorized (are you allowed?), and continuously validated. Trust is never granted implicitly based on network location. Each resource access is evaluated against identity, device posture, and context. Google's BeyondCorp was the pioneering large-scale implementation, removing the privileged corporate VPN entirely.
What does microsegmentation achieve in a Zero Trust network?
Microsegmentation creates fine-grained security zones around individual workloads or applications, each with its own policy. The goal is to stop lateral movement — the technique attackers use to pivot from an initially compromised host to higher-value targets. In a flat network, one breached machine can reach everything; with microsegmentation, an attacker who compromises the web tier still cannot reach the database tier without passing additional policy checks. It is typically enforced by software-defined networking, host firewalls, or a service mesh applying mTLS and authorization policies between every service pair.
In Zero Trust, what is the policy decision point (PDP) vs the policy enforcement point (PEP)?
NIST's ZTA model splits the control logic. The Policy Decision Point (the "brain") takes signals — identity, device health, location, time, risk score — and computes whether to grant access. The Policy Enforcement Point (the "gate") is positioned in the traffic path and executes the verdict: it establishes or terminates the session. This separation lets you centralize policy logic while distributing enforcement close to each resource. An access proxy is a common PEP; the identity provider plus policy engine form the PDP.
What is the role of device posture assessment in Zero Trust?
Device posture (or device trust) means access decisions consider the health of the requesting device, not just the user's identity. Even a correctly authenticated user on a compromised, unpatched, or unmanaged laptop may be denied access to sensitive resources. Signals include: is disk encryption on? Is the OS up to date? Is endpoint detection and response (EDR) running? Is the device enrolled in MDM? This is why Zero Trust is described as identity-centric AND device-aware — and why posture is re-evaluated continuously, not just at login.
What problem with traditional VPNs does Zero Trust Network Access (ZTNA) solve?
ZTNA replaces the VPN's all-or-nothing model. A traditional VPN places the connected device onto the internal network — once you are "in," you can often reach far more than you need, and the network implicitly trusts you. If your laptop is compromised, the attacker inherits that broad reach. ZTNA instead brokers access to specific applications through an identity-aware proxy, never exposing the underlying network. Access is least-privilege by default and continuously re-evaluated. Applications are effectively invisible (dark) to anyone not explicitly authorized.