5 exercises — Practice zero trust security vocabulary in English: never trust always verify, identity-centric access, micro-segmentation, ZTNA, and continuous validation.
Core Zero Trust vocabulary clusters
Principles: never trust always verify, assume breach, least privilege, explicit verification
A security architect presents Zero Trust at a company all-hands: "Traditional security assumed that anything inside the network perimeter could be trusted. Zero Trust rejects that entirely. The principle is: never trust, always verify. Every access request — regardless of whether it comes from inside or outside the corporate network — must be authenticated, authorized, and continuously validated. The perimeter is gone. Identity is the new perimeter. Every user, device, and service must prove who they are before accessing anything." What does "identity is the new perimeter" mean in Zero Trust architecture?
Traditional perimeter model: trust is determined by network location. Inside VPN = trusted; outside = untrusted. Weakness: once an attacker is inside the network (via phishing, a compromised machine, a malicious insider), they can move laterally freely.

Zero Trust model: network location is meaningless as a trust signal. Trust is derived from:
- verified identity (who are you?)
- device health (is your device compliant?)
- context (normal behavior? expected location? business hours?)

BeyondCorp (Google's Zero Trust implementation): all corporate applications accessible only through an access proxy; no VPN required; access determined entirely by identity and device policy.

Zero Trust vocabulary:
- Assume breach: operate as if attackers are already inside. Limit blast radius.
- Least privilege: grant minimum permissions needed for the task. Time-limited, just-in-time.
- Explicit verification: always authenticate and authorize using all available data points.
- Lateral movement: attacker moving from one system to another after initial compromise. Zero Trust prevents this via micro-segmentation.
- Blast radius: the scope of damage from a breach. Micro-segmentation limits blast radius.
- Identity provider (IdP): the authoritative source of identity (Okta, Azure AD, Google Workspace).
- Single Sign-On (SSO): one authentication grants access to multiple applications via the IdP.

In conversation: 'Zero Trust isn't a product you buy. It's a mindset: assume any device could be compromised at any time, and design every access control accordingly.'
2 / 5
A security engineer explains micro-segmentation to a developer: "In a traditional flat network, if an attacker compromises your web server, they can reach your database, your internal APIs, your CI/CD system — everything. Micro-segmentation divides the network into small zones with explicit allow-list policies between them. Only the web server can talk to the API server on port 443. The API server can talk to the database on port 5432. Nothing else is allowed. An attacker who compromises the web server is contained in that zone." What is micro-segmentation and how does it prevent lateral movement?
Micro-segmentation: applying network access controls at the workload level (not the network perimeter).

Traditional approach: large, flat network segments separated by VLANs with coarse firewall rules.
Micro-segmentation: fine-grained policies per workload, per application, per identity.

Implementation options:
- Software-defined networking (SDN): VMware NSX, Cisco ACI.
- Cloud security groups: AWS Security Groups, Azure NSGs — workload-level stateful firewall.
- Service mesh: Istio, Linkerd — mTLS between services; policy-enforced at the sidecar.
- Kubernetes NetworkPolicy: namespace-level network access control.

Lateral movement prevention: if an attacker compromises pod A, NetworkPolicy restricts them to only the connections A is permitted to make. They cannot scan or reach other pods.

Zero Trust network vocabulary:
- ZTNA (Zero Trust Network Access): replaces VPN. User authenticates to an access proxy; only specific applications are exposed, not the entire network.
- Software-defined perimeter (SDP): alternative term for the ZTNA approach.
- East-west traffic: traffic between services within the same data center / cluster.
- North-south traffic: traffic between users/internet and internal services.
- Access proxy: sits between users and applications; enforces authentication and authorization before forwarding requests.

In conversation: 'We did a red team exercise before and after micro-segmentation. Before: compromising one container led to database access in 4 minutes. After: the attacker was stuck in their zone for the entire 2-hour exercise.'
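The exercise's allow-list (web can reach api on 443, api can reach db on 5432, nothing else) expressed as Kubernetes NetworkPolicy ingress semantics, as an added illustration that is not code from the page or from Kubernetes. It models only same-namespace podSelectors and TCP ports (no namespaceSelector, ipBlock or egress rules); the pods, labels and the extra "ci" workload are constructed.

```python
"""Toy evaluator of Kubernetes NetworkPolicy ingress semantics, the mechanism the
exercise names for lateral-movement prevention. Added illustration, not code from
the page or from Kubernetes: same-namespace podSelectors and TCP ports only (no
namespaceSelector, ipBlock or egress rules). Pods and policies are constructed to
mirror the exercise: web -> api on 443, api -> db on 5432, nothing else."""

def matches(selector, labels):
    """podSelector semantics: every selector label must match; {} matches all pods."""
    return all(labels.get(k) == v for k, v in selector.items())

def allowed(policies, src, dst, port):
    """True if src may connect to dst on port under the given ingress policies."""
    selecting = [p for p in policies if matches(p["podSelector"], dst["labels"])]
    if not selecting:
        return True   # a pod selected by no policy is NOT isolated: everything gets in
    for pol in selecting:                     # union of all matching rules
        for rule in pol.get("ingress", []):
            peers = rule.get("from")
            ports = rule.get("ports")
            peer_ok = not peers or any(matches(f["podSelector"], src["labels"]) for f in peers)
            port_ok = not ports or any(p["port"] == port for p in ports)
            if peer_ok and port_ok:
                return True
    return False   # isolated and no rule matched: default deny

# Constructed workloads; "ci" deliberately has no policy selecting it.
WEB = {"name": "web", "labels": {"app": "web"}}
API = {"name": "api", "labels": {"app": "api"}}
DB = {"name": "db", "labels": {"app": "db"}}
CI = {"name": "ci", "labels": {"app": "ci"}}

POLICIES = [
    {"podSelector": {"app": "api"},
     "ingress": [{"from": [{"podSelector": {"app": "web"}}], "ports": [{"port": 443}]}]},
    {"podSelector": {"app": "db"},
     "ingress": [{"from": [{"podSelector": {"app": "api"}}], "ports": [{"port": 5432}]}]},
]

def blast_radius(compromised, targets, policies=POLICIES):
    """Which target:port pairs are still reachable from a compromised pod?"""
    return {f"{t['name']}:{port}" for t, port in targets if allowed(policies, compromised, t, port)}

def lateral_movement_demo():
    """The exercise's scenario: an attacker holds the web pod. Only api:443 is reachable
    by policy; ci:22 stays reachable because nothing isolates ci, a common gap."""
    probes = [(API, 443), (API, 22), (DB, 5432), (CI, 22)]
    return blast_radius(WEB, probes)
```

The "ci" result is the caveat to check in a real cluster: a workload no NetworkPolicy selects is not isolated at all, so a default-deny policy per namespace is the usual starting point.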
3 / 5
A platform team implements mutual TLS across services: "We're implementing mTLS between all internal services. In standard TLS, only the server presents a certificate — the client trusts the server. In mTLS, both sides present certificates. My service has a certificate issued by our internal CA; your service has one too. When my service calls yours, it presents its cert, yours validates it — and vice versa. No valid cert from our CA, no connection. A compromised service can't impersonate another service." What is mTLS and why is it valuable in a Zero Trust architecture?
mTLS (mutual TLS): extends standard TLS by requiring the client to present a certificate in addition to the server. Both sides prove their identity cryptographically.

How it works: standard TLS handshake + client presents certificate + server validates client certificate against trusted CA.

Benefits: service-to-service authentication without API keys, service account tokens, or shared secrets.

Workload identity: each service has a unique certificate (rotated automatically by infrastructure like SPIFFE/SPIRE or a service mesh). If a service is compromised, its certificate can be revoked instantly.

Service mesh mTLS: Istio, Linkerd inject sidecar proxies that handle mTLS transparently — developers don't need to implement it in application code.

Certificate vocabulary:
- CA (Certificate Authority): issues and signs certificates. Internal CA for internal services.
- Certificate rotation: replacing certificates before expiry — automated in modern infrastructure (cert-manager, SPIFFE).
- SPIFFE (Secure Production Identity Framework for Everyone): standard for workload identity. Issues SVIDs (SPIFFE Verifiable Identity Documents).
- mTLS policy modes: permissive (allows both mTLS and plaintext — for gradual migration), strict (requires mTLS).
- Certificate pinning: hard-coding the expected certificate — fragile but prevents CA compromise attacks.

In conversation: 'mTLS is the foundation of Zero Trust for service-to-service communication. You can't rely on network location alone — you need cryptographic proof of identity at every hop.'
4 / 5
A security engineer explains Just-In-Time (JIT) access: "Our engineers used to have permanent admin access to production. That's a standing privilege — it exists 24/7 even when not needed. If their accounts are compromised, attackers have permanent admin access. JIT access changes this: you request elevated access for a specific reason, for a specific duration. The system logs the reason, grants access for 2 hours, then revokes it automatically. Minimum standing privilege; maximum just-in-time." What is standing privilege and why does JIT access reduce risk?
Standing privilege: persistent, always-on elevated permissions. Problem: a compromised account immediately grants an attacker those elevated permissions, 24/7.

JIT (Just-in-Time) access: request access → justify the reason → receive time-limited grant → access is revoked automatically after the window.
Examples: JIT SSH access to production servers (via Teleport, AWS Systems Manager Session Manager), temporary database access, elevated Kubernetes RBAC for incident response.

Privileged Access Management (PAM) vocabulary:
- PAM (Privileged Access Management): systems for managing privileged access. Examples: HashiCorp Vault, CyberArk, BeyondTrust.
- Principle of least privilege: grant only the minimum permissions needed for the task.
- Zero standing privilege: the goal — no permanent elevated access. All elevated access is JIT.
- Privilege escalation: attacker gaining higher permissions than initially available.
- Session recording: recording privileged sessions for audit and forensics.
- Access review / recertification: periodic review of who has access to what — removing access no longer needed.
- Break-glass access: emergency elevated access with strong logging and alerting — used when JIT systems are unavailable during an incident.

In conversation: 'JIT access is uncomfortable to implement the first time — engineers say it slows them down. Six months in, they appreciate it: it's a forcing function for better runbooks and better automation.'
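The request → justify → time-limited grant → automatic revocation flow above, as an added illustration that is not code from the page or from any PAM product (Teleport, Vault and the others named are not involved). The 2-hour cap follows the exercise; the subject, role, incident reference and audit record layout are constructed.

```python
"""Toy JIT access broker in the shape the exercise describes (request -> justify
-> time-limited grant -> automatic revocation). Added illustration, not code from
the page or from any PAM product; durations and audit fields are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
MAX_DURATION = timedelta(hours=2)   # exercise: "grants access for 2 hours"

@dataclass
class Grant:
    subject: str
    role: str
    expires_at: datetime
    revoked: bool = False

@dataclass
class JitBroker:
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # (time, event, subject, role, detail)

    def request(self, subject, role, justification, duration, now):
        """Refuse an empty justification; cap (never extend) the requested duration."""
        if not justification.strip():
            self.audit.append((now, "denied", subject, role, "missing justification"))
            return None
        g = Grant(subject, role, now + min(duration, MAX_DURATION))
        self.grants.append(g)
        self.audit.append((now, "granted", subject, role, justification))
        return g

    def is_authorized(self, subject, role, now):
        """Checked at use time against the clock: no standing privilege, only grants
        live right now. Expired grants are revoked on sight so the audit log shows it."""
        live = False
        for g in self.grants:
            if g.subject != subject or g.role != role or g.revoked:
                continue
            if now >= g.expires_at:
                g.revoked = True
                self.audit.append((now, "revoked", subject, role, "expired"))
                continue
            live = True
        return live

def jit_lifecycle_demo():
    """Walk one grant through its lifetime; returns what a PEP would have seen."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    b = JitBroker()
    no_reason = b.request("alice", "prod-admin", "", timedelta(hours=1), t0) is None
    b.request("alice", "prod-admin", "INC-1234: restart stuck worker", timedelta(hours=8), t0)
    during = b.is_authorized("alice", "prod-admin", t0 + timedelta(hours=1))
    after = b.is_authorized("alice", "prod-admin", t0 + timedelta(hours=3))  # past the 2h cap
    auto_revoked = any(a[1] == "revoked" and a[4] == "expired" for a in b.audit)
    return {"no_reason": no_reason, "during": during, "after": after, "auto_revoked": auto_revoked}
```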
5 / 5
A security architect reviews a Zero Trust implementation: "A full Zero Trust architecture has three planes. The control plane: the policy engine evaluates every access request — who are you, what device, what context, what do you want to access? The data plane: policy enforcement points (PEPs) sit in front of resources and enforce decisions from the policy engine. And the management plane: administering the policies themselves. The policy engine considers: identity (verified), device health (MDM compliance), behavior (normal for this user?), context (time, location, risk score)." What is a policy enforcement point (PEP) in Zero Trust architecture?
NIST Zero Trust Architecture (SP 800-207) components:
- Policy Engine (PE): makes access decisions. Evaluates: subject identity, device health, context, resource classification. Outputs: grant, deny, or conditional access.
- Policy Administrator (PA): communicates the PE decision to the PEP — creates tokens or sessions for granted access.
- Policy Enforcement Point (PEP): the gatekeeper. Sits in front of every protected resource. Receives decisions from the PA and either allows or blocks connections. Examples: API gateway, access proxy (BeyondCorp Enterprise, Cloudflare Access), service mesh sidecar.

Zero Trust maturity vocabulary:
- Implicit trust zone: a network area where trust is assumed (the old model). Zero Trust eliminates these.
- Continuous validation: periodic re-evaluation of access sessions — not just at login, but throughout the session. Re-authenticate if device health changes.
- Risk score: dynamic score based on user behavior, device health, location — feeds into access policy.
- Conditional access: access policy that adapts to context. Example: allow access without MFA from a compliant corporate device on the corporate network; require MFA for the same resource from an unmanaged device on public Wi-Fi.
- Posture assessment: evaluating whether a device meets security requirements before granting access.

In conversation: 'Zero Trust is a journey, not a destination. Most organisations start with strong identity (MFA + SSO everywhere), then add device trust, then micro-segmentation, then continuous validation — each stage reduces attack surface significantly.'
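The PE/PEP split and the conditional-access example above (no MFA from a compliant corporate device on the corporate network, MFA required from an unmanaged device on public Wi-Fi), as an added illustration that is not code from the page, from NIST or from any product. The signals, risk weights, thresholds and the "alice" session are constructed assumptions; the demo shows continuous validation by re-running the PEP after device posture drifts.

```python
"""Toy policy engine (PE) and policy enforcement point (PEP) in the NIST SP 800-207
shape the exercise describes. Added illustration, not code from the page or from
any product; the signals, risk weights and thresholds are constructed assumptions."""
from dataclasses import dataclass

@dataclass
class AccessRequest:
    subject: str
    resource: str             # "internal" or "restricted" classification
    mfa_done: bool
    device_managed: bool      # enrolled in MDM
    device_compliant: bool    # passed posture assessment (encryption, patch level, ...)
    network: str              # "corporate" or "public"
    anomalous: bool           # behavior engine flagged this session (impossible travel, ...)

def risk_score(r):
    """Constructed weights; a real engine would tune or learn these."""
    return (40 * (not r.device_managed) + 30 * (not r.device_compliant)
            + 20 * (r.network != "corporate") + 30 * r.anomalous)

def policy_engine(r):
    """PE decision: 'grant', 'conditional' (grant only after MFA) or 'deny'."""
    score = risk_score(r)
    if r.resource == "restricted" and not r.device_compliant:
        return "deny"            # restricted data never flows to a non-compliant device
    if r.anomalous and score >= 70:
        return "deny"            # anomalous behavior from a risky device: block and alert
    if r.device_managed and r.device_compliant and r.network == "corporate" and not r.anomalous:
        return "grant"           # the exercise's compliant-corporate-device case: no MFA
    return "conditional"         # everything else, e.g. an unmanaged device on public Wi-Fi

def pep_allow(r):
    """PEP: enforce the PE decision on *this* request. Called on every request, so a
    device that drops out of compliance mid-session loses access (continuous validation)."""
    decision = policy_engine(r)
    return decision == "grant" or (decision == "conditional" and r.mfa_done)

def continuous_validation_demo():
    """Same subject, same resource; only the device posture changes between requests."""
    base = dict(subject="alice", resource="internal", mfa_done=False, device_managed=True,
                device_compliant=True, network="corporate", anomalous=False)
    first = pep_allow(AccessRequest(**base))                                   # allowed, no MFA
    drifted = pep_allow(AccessRequest(**{**base, "device_compliant": False}))  # now needs MFA
    return first, drifted
```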