IGA Glossary

Zero Trust

Zero trust is a security model based on the principle of "never trust, always verify." Instead of assuming that users and devices inside the corporate network are safe, zero trust requires continuous verification of every access request, regardless of where it originates.

What is zero trust?

Zero trust is a way of thinking about security. The core idea is that you should not automatically trust anyone or anything, even if they are inside your corporate network.

Traditional security followed a "castle and moat" approach. You built strong defenses around the perimeter of your network. Once someone was inside — authenticated and on the network — they were largely trusted. This made sense when everyone worked in an office and all your applications lived on servers in the building.

That model stopped working when people started working from home, using cloud applications, and accessing company data from personal devices. The network perimeter dissolved. Zero trust is the response to that reality.

The term was coined by Forrester Research analyst John Kindervag in 2010 and has since been adopted as a guiding framework by organizations including Microsoft, Google, and the US federal government.

What are the core principles of zero trust?

Zero trust is built on three fundamental ideas.

Verify explicitly. Every access request must be authenticated and authorized based on all available data points: user identity, device health, location, the resource being accessed, and any anomalies detected. No one gets a free pass.

Use least privilege access. Give users only the minimum access they need to do their jobs, and only for as long as they need it. This limits the blast radius when something goes wrong.

Assume breach. Design your systems as if an attacker is already inside your network. Segment access, encrypt data, and monitor continuously. This mindset drives you to build defenses in depth rather than relying on a single perimeter.

These principles work together. Verify explicitly means checking identity at every step. Least privilege means limiting what verified users can do. Assume breach means planning for the worst case.

Is zero trust a product you can buy?

No. This is one of the most common misconceptions. Zero trust is a strategy and an architecture, not a product. No single vendor can sell you "zero trust in a box."

Many vendors market their products as "zero trust solutions," and some of those products are genuinely useful building blocks. But implementing zero trust requires combining multiple technologies, policies, and processes.

The key building blocks include strong identity verification (MFA, passwordless authentication), device health assessment, conditional access policies, least privilege access controls (role-based access, just-in-time access), micro-segmentation to limit lateral movement, continuous monitoring to detect anomalies, and data protection through encryption and data loss prevention.

How does Microsoft approach zero trust?

Microsoft has been one of the most vocal advocates for zero trust, and its product ecosystem reflects it. Microsoft Entra ID sits at the center of Microsoft's zero trust architecture.

Entra ID handles identity verification. Every access request is authenticated through Entra ID, which can enforce MFA, evaluate sign-in risk, and apply conditional access policies.

Conditional access is the policy engine. It evaluates each access request against a set of conditions (user, device, location, risk level, target application) and makes a real-time access decision: allow, block, or require additional verification.
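The policy-engine behaviour described above, as an added illustration that is not Microsoft's conditional access implementation and not code from this page: a small evaluator in which every policy has a condition and a grant control, all matching policies apply at once, any block wins, and otherwise each required control (MFA, compliant device) must already be satisfied or the sign-in is sent back to obtain it. The signal fields, country allow-list, app names and sign-ins are constructed for the example.

```python
"""Toy conditional access evaluator (added example, not Microsoft's engine).

Every policy has a condition and a grant control. All policies whose condition
matches a sign-in apply at once: any 'block' wins; otherwise every required
control must already be satisfied, or the sign-in is sent back for it.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple


@dataclass(frozen=True)
class SignIn:
    """Signals available at sign-in time (constructed schema)."""
    user: str
    groups: FrozenSet[str]
    app: str
    country: str
    device_compliant: bool
    mfa_satisfied: bool
    risk: str  # "none", "low", "medium" or "high" (constructed scale)


@dataclass(frozen=True)
class Policy:
    name: str
    applies: Callable[[SignIn], bool]
    block: bool = False
    requires: FrozenSet[str] = frozenset()  # subset of CONTROLS


# Grant controls and how to tell whether the sign-in already satisfies them.
CONTROLS = {
    "mfa": lambda s: s.mfa_satisfied,
    "compliant_device": lambda s: s.device_compliant,
}

TRUSTED_COUNTRIES = {"DK", "SE", "NO"}        # constructed allow-list
SENSITIVE_APPS = {"finance-erp", "hr-portal"}  # constructed app names

POLICIES = [
    Policy("Require MFA for all users", lambda s: True, requires=frozenset({"mfa"})),
    Policy("Block high sign-in risk", lambda s: s.risk == "high", block=True),
    Policy("Block sign-ins outside trusted countries",
           lambda s: s.country not in TRUSTED_COUNTRIES, block=True),
    Policy("Compliant device for sensitive apps",
           lambda s: s.app in SENSITIVE_APPS, requires=frozenset({"compliant_device"})),
    Policy("Admins need MFA and a compliant device",
           lambda s: "admins" in s.groups,
           requires=frozenset({"mfa", "compliant_device"})),
]


def evaluate(policies: List[Policy], s: SignIn) -> Tuple[str, List[str], List[str]]:
    """Return (decision, missing controls, names of the policies that decided)."""
    matched = [p for p in policies if p.applies(s)]
    blocking = [p.name for p in matched if p.block]
    if blocking:                       # block always takes precedence
        return "block", [], blocking
    missing = sorted({c for p in matched for c in p.requires if not CONTROLS[c](s)})
    if missing:                        # send the user back for the missing controls
        demanding = [p.name for p in matched if any(c in missing for c in p.requires)]
        return "require_controls", missing, demanding
    return "allow", [], [p.name for p in matched]


# Constructed sign-ins, one per branch of the evaluator.
STAFF_OK = SignIn("alice@example.com", frozenset({"staff"}), "mail", "DK", True, True, "none")
STAFF_NO_MFA = SignIn("alice@example.com", frozenset({"staff"}), "mail", "DK", True, False, "none")
ADMIN_UNMANAGED = SignIn("bob@example.com", frozenset({"admins"}), "finance-erp", "SE", False, True, "low")
UNTRUSTED_COUNTRY = SignIn("carol@example.com", frozenset({"staff"}), "mail", "XX", True, True, "none")
HIGH_RISK = SignIn("dave@example.com", frozenset({"staff"}), "mail", "DK", True, True, "high")


if __name__ == "__main__":
    for s in (STAFF_OK, STAFF_NO_MFA, ADMIN_UNMANAGED, UNTRUSTED_COUNTRY, HIGH_RISK):
        decision, missing, names = evaluate(POLICIES, s)
        print(f"{s.user:18} {s.app:12} -> {decision:17} {missing} via {names}")
```

The point to notice is that the admin sign-in is held up by two policies at once: it satisfied MFA, but both the sensitive-app policy and the admin policy still want a compliant device, so the decision lists one missing control and both policy names.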

Intune (Microsoft Endpoint Manager) handles device compliance. It can check whether a device meets your security requirements before granting access — whether the device is encrypted, whether the OS is up to date, whether it is managed by your organization.

Microsoft Defender products provide threat detection and response across endpoints, email, cloud apps, and identity.

Entra ID Governance (P2 tier) adds access reviews, entitlement management, and privileged identity management for ongoing access control.

For organizations already using Microsoft 365, many zero trust building blocks are already available in their existing licenses. The challenge is configuring and integrating them properly.

What does zero trust mean for identity governance?

Identity is often called the "new perimeter" in zero trust architecture. When there is no network boundary to protect, the user's identity becomes the primary security control point. This makes identity governance essential to any zero trust strategy.

Verify explicitly requires knowing who your users are and maintaining accurate identity data. Governance processes ensure that user accounts are created correctly, attributes are kept up to date, and stale accounts are removed.

Least privilege requires ongoing management of access rights. It is not enough to grant minimum access on day one. You need processes to review and adjust access as people change roles, take on new responsibilities, or no longer need certain permissions. Without governance, access accumulates over time — the opposite of least privilege.

Assume breach means limiting the damage a compromised account can cause. If a user only has access to what they need for their specific job, a compromised account is a contained incident rather than a catastrophe. Governance processes like regular access reviews and automated deprovisioning directly support this containment.
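The access accumulation and stale-account problems described in the three paragraphs above, as an added example that is not Adcyma's or Microsoft's code: a small access-review pass that compares each user's assigned entitlements against the baseline for their current role, flags entitlements that fall outside it (typically carried over from an earlier role) or have not been used recently, and flags accounts with no recent sign-in. The roles, entitlement names, dates and users are constructed; the 90-day threshold is an assumed review policy.

```python
"""Access review helper (added example, not Adcyma's or Microsoft's code).

Compares each user's assigned entitlements against the baseline for their
current role, looks for entitlements that have not been used recently, and
flags dormant accounts. All data below is constructed for the example.
"""
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, Optional[str], str]   # (recommended action, entitlement, reason)

REVIEW_DATE = date(2024, 6, 30)            # constructed review date
STALE_AFTER = timedelta(days=90)           # assumed review policy

# What each role should have: the least-privilege baseline.
ROLE_BASELINE: Dict[str, set] = {
    "finance-analyst": {"mail", "erp:read", "erp:post-journal"},
    "marketing": {"mail", "cms:edit"},
}

# Entitlement -> date it was last used (None = never used), plus last sign-in.
USERS = [
    {   # Moved from finance to marketing; finance rights were never removed.
        "upn": "alice@example.com", "role": "marketing",
        "last_sign_in": date(2024, 6, 29),
        "entitlements": {"mail": date(2024, 6, 29), "cms:edit": date(2024, 6, 28),
                         "erp:read": date(2024, 6, 20), "erp:post-journal": date(2024, 1, 15)},
    },
    {   # Exactly the baseline, all in active use.
        "upn": "bob@example.com", "role": "finance-analyst",
        "last_sign_in": date(2024, 6, 30),
        "entitlements": {"mail": date(2024, 6, 30), "erp:read": date(2024, 6, 27),
                         "erp:post-journal": date(2024, 6, 25)},
    },
    {   # Has not signed in for months: a dormant account.
        "upn": "carol@example.com", "role": "marketing",
        "last_sign_in": date(2024, 2, 1),
        "entitlements": {"mail": date(2024, 2, 1), "cms:edit": None},
    },
]


def is_stale(last_used: Optional[date], today: date) -> bool:
    """Never used, or not used within the review window."""
    return last_used is None or today - last_used > STALE_AFTER


def review_user(user: dict, today: date = REVIEW_DATE) -> List[Finding]:
    findings: List[Finding] = []
    if is_stale(user["last_sign_in"], today):
        findings.append(("disable_account", None, "no sign-in for more than 90 days"))
    baseline = ROLE_BASELINE[user["role"]]
    for ent, last_used in sorted(user["entitlements"].items()):
        in_baseline = ent in baseline
        stale = is_stale(last_used, today)
        if not in_baseline and stale:
            findings.append(("remove", ent, "outside role baseline and unused"))
        elif not in_baseline:
            findings.append(("review", ent, "outside role baseline but recently used"))
        elif stale:
            findings.append(("review", ent, "in baseline but unused for more than 90 days"))
    return findings


def run_review(users=USERS, today: date = REVIEW_DATE) -> Dict[str, List[Finding]]:
    """Map each user to the findings an access reviewer should act on."""
    return {u["upn"]: review_user(u, today) for u in users}


if __name__ == "__main__":
    for upn, findings in run_review().items():
        print(upn, "clean" if not findings else "")
        for action, ent, reason in findings:
            print(f"  {action:16} {ent or '-':18} {reason}")
```

Excess-and-unused entitlements get an automatic removal recommendation; excess-but-used ones are sent to a human reviewer rather than removed blindly, since the user may genuinely need them and the fix is then to update the role baseline, not to break their work.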

How do you start implementing zero trust?

Zero trust can feel overwhelming because it touches everything. The practical approach is to start with the highest-impact areas and build out gradually.

Start with identity. Make sure every user account is properly managed and that MFA is enforced everywhere. If you are using Entra ID, enable conditional access policies. This single step addresses a huge portion of common attacks.

Enforce device compliance. If you have Intune, start requiring device compliance checks before granting access to sensitive applications.

Implement least privilege. Review who has admin access across your systems. Reduce the number of global admins. Implement just-in-time access for privileged roles using Entra ID PIM.

Review and clean up access. Run access reviews to identify and remove unnecessary permissions. Set up governance processes to prevent access from accumulating again.

Monitor and iterate. Use sign-in logs and audit logs to identify anomalies. Refine your conditional access policies based on what you learn.
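The monitoring step above, and the sign-in checks the whole procedure builds up to, as an added example that is not part of this page and does not use the real Entra ID sign-in log schema: three checks a first monitoring pass would run over sign-in events, namely successful sign-ins that satisfied only one factor, the same account signing in from two countries closer in time than travel allows, and bursts of failed sign-ins against one account. The log lines are constructed newline-delimited JSON with an assumed field layout; the thresholds are assumptions to tune against your own data.

```python
"""Sign-in log anomaly checks (added example; constructed log format, not the
Entra ID sign-in log schema). All events and thresholds are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed newline-delimited JSON; one object per sign-in attempt.
SIGN_IN_LOG = """
{"time": "2024-06-30T08:00:00", "user": "alice@example.com", "ip": "203.0.113.10", "country": "DK", "app": "mail", "result": "success", "mfa": true}
{"time": "2024-06-30T08:20:00", "user": "alice@example.com", "ip": "198.51.100.7", "country": "BR", "app": "mail", "result": "success", "mfa": true}
{"time": "2024-06-30T09:00:00", "user": "bob@example.com", "ip": "203.0.113.11", "country": "DK", "app": "finance-erp", "result": "success", "mfa": false}
{"time": "2024-06-30T09:01:00", "user": "carol@example.com", "ip": "192.0.2.5", "country": "DK", "app": "mail", "result": "failure", "mfa": false}
{"time": "2024-06-30T09:02:00", "user": "carol@example.com", "ip": "192.0.2.5", "country": "DK", "app": "mail", "result": "failure", "mfa": false}
{"time": "2024-06-30T09:03:00", "user": "carol@example.com", "ip": "192.0.2.5", "country": "DK", "app": "mail", "result": "failure", "mfa": false}
{"time": "2024-06-30T09:04:00", "user": "carol@example.com", "ip": "192.0.2.5", "country": "DK", "app": "mail", "result": "failure", "mfa": false}
{"time": "2024-06-30T09:05:00", "user": "carol@example.com", "ip": "192.0.2.5", "country": "DK", "app": "mail", "result": "failure", "mfa": false}
{"time": "2024-06-30T09:06:00", "user": "carol@example.com", "ip": "192.0.2.5", "country": "DK", "app": "mail", "result": "failure", "mfa": false}
{"time": "2024-06-30T09:07:00", "user": "carol@example.com", "ip": "192.0.2.5", "country": "DK", "app": "mail", "result": "success", "mfa": true}
{"time": "2024-06-30T10:00:00", "user": "dave@example.com", "ip": "203.0.113.12", "country": "DK", "app": "mail", "result": "success", "mfa": true}
"""


def parse_log(text: str = SIGN_IN_LOG) -> List[dict]:
    """Parse the events and order them by user, then time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["time"] = datetime.fromisoformat(e["time"])
        events.append(e)
    return sorted(events, key=lambda e: (e["user"], e["time"]))


def single_factor_successes(events: List[dict]) -> List[Tuple[str, str]]:
    """Successful sign-ins where MFA was not satisfied: gaps in 'MFA everywhere'."""
    return [(e["user"], e["app"]) for e in events
            if e["result"] == "success" and not e["mfa"]]


def impossible_travel(events: List[dict], window: timedelta = timedelta(hours=1)):
    """Consecutive successes for one user from different countries within the window.
    Real implementations use distance and speed; a country change is the toy version."""
    by_user: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            gap = cur["time"] - prev["time"]
            if prev["country"] != cur["country"] and gap <= window:
                hits.append((user, prev["country"], cur["country"], int(gap.total_seconds() // 60)))
    return hits


def failure_bursts(events: List[dict], threshold: int = 5,
                   window: timedelta = timedelta(minutes=10)) -> Dict[str, dict]:
    """Accounts with >= threshold failures inside any window, and whether a
    success followed the burst (a later success is the more urgent case)."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["user"]].append(e["time"])
    hits: Dict[str, dict] = {}
    for user, times in failures.items():
        peak = max(sum(1 for t in times[i:] if t - start <= window)
                   for i, start in enumerate(times))
        if peak >= threshold:
            later = any(e["user"] == user and e["result"] == "success" and e["time"] > times[-1]
                        for e in events)
            hits[user] = {"failures": peak, "later_success": later}
    return hits


if __name__ == "__main__":
    evs = parse_log()
    print("single-factor successes:", single_factor_successes(evs))
    print("impossible travel:", impossible_travel(evs))
    print("failure bursts:", failure_bursts(evs))
```

Each finding maps back to an earlier step of the procedure: a single-factor success points at a gap in the MFA policy, impossible travel is a candidate for a location or risk condition in conditional access, and a failure burst followed by a success is the one to investigate first and to answer with a stricter lockout or risk policy.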

Adcyma supports the identity governance side of zero trust for organizations using Entra ID. By automating least-privilege access management, lifecycle processes, and regular access reviews, it helps maintain the ongoing discipline that zero trust requires, because zero trust is not a one-time project: it is a continuous practice that needs consistent governance to work.
