
Zero Trust Security Model Explained: Principles and Implementation

Zero Trust is the architectural shift from perimeter-based security (trust everything inside the firewall) to continuous verification (trust nothing, verify every request). It has become the reference architecture for cloud-native, remote-work and multi-tenant environments. This is a practical guide to what Zero Trust is, how it works and how to implement it in an Indian enterprise.

Published 23 May 2026 · 9 min read · Codesecure Security Team

Key Takeaways

  • Zero Trust principle: never trust, always verify. Every user, device and request is authenticated, authorised and continuously evaluated, regardless of network location.
  • Identity is the new perimeter. The firewall does not define trust; the identity provider plus device posture plus contextual signals do.
  • Microsegmentation limits blast radius. East-west traffic is gated, not free.
  • ZTNA replaces VPN for remote access. Per-application brokered access with continuous verification, not network-level tunnel.
  • Implementation is a journey: identity first (MFA, IdP federation, Conditional Access), then network (microsegmentation, ZTNA), then data (DLP, classification), then continuous improvement.

Why Zero Trust Emerged

Traditional security assumed a hard perimeter (firewall) separating trusted internal from untrusted external. Inside the perimeter, traffic was largely trusted; controls were minimal. This worked when employees, data and applications all lived inside the corporate network.

It stopped working when employees went remote, applications went to SaaS, data went to the cloud, and the perimeter dissolved. A compromised endpoint inside the perimeter had near-free movement to the crown jewels. Major breaches (Target 2013, Sony 2014, OPM 2015, SolarWinds 2020) all involved attackers who established a foothold inside the perimeter and then moved laterally with little resistance. The perimeter approach was a victim of its own success: the perimeter was so dominant that defenders stopped defending inside it.

The term "Zero Trust" was coined by John Kindervag at Forrester in 2010. The first large-scale implementation was Google's BeyondCorp, started after Operation Aurora (2009-2010) showed that a compromised machine on the corporate network could reach almost anything. The premise: assume the internal network is hostile, verify every request as if it came from outside, and base trust on identity plus device posture plus contextual signals plus continuous evaluation, not on network location.

Core Principles (NIST SP 800-207)

These are principles, not products. Different vendors implement them with different architectures, integrations and deployment models. The implementation pattern is what determines whether a deployment is genuinely Zero Trust or marketing veneer over the same perimeter posture.

  • All data sources and computing services are considered resources
  • All communication is secured regardless of network location
  • Access to individual enterprise resources is granted on a per-session basis
  • Access is determined by dynamic policy (identity, application, requesting asset state plus behavioural and environmental attributes)
  • The enterprise monitors and measures the integrity and security posture of all owned and associated assets
  • All resource authentication and authorization are dynamic and strictly enforced before access is allowed
  • The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture


Identity as the New Perimeter

Identity is the foundational layer of Zero Trust. The implementation pattern starts with a single Identity Provider (Microsoft Entra ID, Okta, Google Workspace, Ping Identity, JumpCloud, OneLogin) federating every application and SaaS in the enterprise. Multi-factor authentication is enforced everywhere through Conditional Access policies. Privileged Identity Management converts standing admin access into just-in-time activation. Identity Protection or equivalent applies risk-based controls at sign-in.

The result: leavers lose access in minutes (one offboarding action at the IdP disables every federated app; already-issued tokens remain valid until they expire, so keep token lifetimes short or use continuous access evaluation), joiners receive correct access automatically (role-group assignment cascades through SAML / OIDC), the usual MFA bypasses are closed (Conditional Access blocks legacy authentication protocols that cannot carry MFA and requires MFA on every token issuance), and privileged actions are time-boxed (PIM activation for a specific window with a named justification). Indian enterprises that get identity right also unlock SOC 2, ISO 27001 and DPDP control evidence quickly.
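The principles listed above and the identity layer described here come together in the policy decision point: every request is scored on identity, device posture and context, a grant is issued per resource and per session, and the grant is re-checked as signals change. The following Python is an added example written for this article, not code from NIST SP 800-207 or any IdP product. The signal names, the "sensitive resource" list, the 15-minute session lifetime and the sample requests are all constructed for illustration; in a real deployment the signals come from the IdP, MDM/EDR and the identity-protection service.

```python
"""Policy decision point (PDP) for a Zero Trust request.

Added example, not code from the article or any vendor product. The signal
names, thresholds, 15-minute session TTL and sample requests are constructed
for illustration; a real deployment gets these signals from the IdP,
MDM/EDR and identity-protection service.
"""
import dataclasses
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    role: str                  # "user" or "admin"
    mfa: bool                  # MFA satisfied for this sign-in
    device_managed: bool       # enrolled in MDM / known to the IdP
    device_compliant: bool     # EDR healthy, disk encrypted, patched
    legacy_auth: bool          # basic auth / protocols that cannot carry MFA
    sign_in_risk: str          # "low", "medium" or "high" from identity protection
    pim_active_until: float = 0.0  # epoch seconds of JIT admin activation, 0 = none


# Resources that additionally require a managed, compliant device (constructed list)
SENSITIVE = {"prod-db", "hr-payroll"}


def variant(req, **changes):
    """Copy a request with some signals changed (used to model posture drift)."""
    return dataclasses.replace(req, **changes)


def decide(req, now=None):
    """Return 'allow', 'step_up' or 'deny' for one request.

    Network location is deliberately not an input: trust comes from identity,
    device posture and context (tenets 4 and 6 of NIST SP 800-207).
    """
    now = time.time() if now is None else now
    if req.legacy_auth:
        return "deny"          # legacy protocols skip MFA; block, do not step up
    if req.sign_in_risk == "high":
        return "deny"
    if not req.mfa or req.sign_in_risk == "medium":
        return "step_up"       # require (re-)authentication before continuing
    if req.resource in SENSITIVE:
        if not (req.device_managed and req.device_compliant):
            return "deny"
        if req.role == "admin" and req.pim_active_until <= now:
            return "deny"      # standing admin rights are not honoured; needs JIT activation
    return "allow"


class Session:
    """A per-resource grant (tenet 3) with a short lifetime, re-checked on every use."""

    def __init__(self, req, ttl=900, now=None):
        now = time.time() if now is None else now
        self.resource = req.resource
        self.expires = now + ttl
        self.revoked = False


def reevaluate(session, req, now=None):
    """Continuous evaluation: return True if the session may continue.

    Called on every request and whenever a posture or risk signal changes,
    not only at sign-in. A failing check revokes the session permanently.
    """
    now = time.time() if now is None else now
    if session.revoked or now >= session.expires:
        return False
    if req.resource != session.resource:
        return False           # the grant is per resource; no reuse for lateral access
    if decide(req, now) != "allow":
        session.revoked = True
        return False
    return True


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    req = Request("asha", "prod-db", "user", mfa=True, device_managed=True,
                  device_compliant=True, legacy_auth=False, sign_in_risk="low")
    s = Session(req, now=t0)
    print(decide(req, t0), reevaluate(s, req, t0 + 10))                   # allow True
    print(reevaluate(s, variant(req, device_compliant=False), t0 + 20))  # False: EDR reports drift
    print(reevaluate(s, req, t0 + 30))                                   # False: already revoked
```

The two design choices worth copying are that legacy authentication is denied rather than stepped up (a protocol that cannot carry MFA cannot satisfy a step-up challenge) and that a session, once revoked by a posture change, stays revoked until the user re-authenticates and obtains a fresh grant.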

Microsegmentation and East-West Controls

Traditional networks allow free east-west traffic inside a segment. A compromised workstation reaches the file server, the print server, the dev database, the test environment, the production database from the same flat network. Microsegmentation gates each of these conversations explicitly: workstation can reach file server (yes), workstation can reach production database (no), production database can reach Internet (no), production database can reach KMS service (yes).

Implementation approaches: hypervisor- and cloud-native segmentation (VMware NSX, Azure Network Security Groups, AWS Security Groups applied per workload rather than per subnet), agent-based segmentation (Illumio, Akamai Guardicore Segmentation, Cisco Secure Workload, ColorTokens, Zscaler Workload Segmentation), identity-aware proxies for application access (Cloudflare Access, Google BeyondCorp Enterprise, Microsoft Entra Private Access), and CNI-level network policy for Kubernetes (Cilium, Calico).

For most Indian enterprises starting Zero Trust, the highest-ROI microsegmentation move is gating production data systems from everything that does not need them. A few firewall rules and a workload segmentation tool with explicit allow-lists, run in monitor mode first so that legitimate flows are learnt before enforcement, cut the blast radius of the next ransomware incident substantially.
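The allow-list conversation above (workstation to file server yes, workstation to production database no, database to KMS yes, database to Internet no) is simple enough to encode and check against real flow records before any rule is enforced. The Python below is an added example written for this article, not the article's or any vendor's code: it maps addresses to workload tiers, expresses the policy as a default-deny allow-list, and reports which flows in a log would be blocked. The tiers, address ranges, allow-list and log lines are constructed for illustration; Illumio, Cilium, security groups and the rest express the same policy in their own syntax, and real flow logs (VPC flow logs, NetFlow, EDR network telemetry) carry more fields than the three used here.

```python
"""Default-deny east-west allow-list checked against flow logs.

Added example, not the article's or any vendor's code. The tiers, addresses,
allow-list and log lines are constructed for illustration.
"""
import ipaddress

# Inventory: which address range belongs to which workload tier (constructed).
INVENTORY = {
    "10.10.1.0/24": "workstation",
    "10.10.2.10/32": "file-server",
    "10.10.3.10/32": "prod-db",
    "10.10.3.20/32": "kms",
    "10.10.4.10/32": "dev-db",
    "10.10.5.0/24": "app",
}

# Explicit allow-list of (source tier, destination tier, TCP port).
# Everything not listed is denied; there is no "inside the segment" shortcut.
ALLOW = {
    ("workstation", "file-server", 445),   # SMB to the file server
    ("app", "prod-db", 5432),              # only the app tier talks to production Postgres
    ("prod-db", "kms", 443),               # the database may fetch keys
}


def tier_of(ip):
    """Map an address to its tier by longest-prefix match; unknown = internet."""
    addr = ipaddress.ip_address(ip)
    best_net, best_tier = None, "internet"
    for cidr, tier in INVENTORY.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_tier = net, tier
    return best_tier


def is_allowed(src_ip, dst_ip, port):
    """Default deny: a flow passes only if its (src tier, dst tier, port) is listed."""
    return (tier_of(src_ip), tier_of(dst_ip), port) in ALLOW


def audit(flow_lines):
    """Parse 'src_ip dst_ip dst_port' lines (constructed format) and return the
    flows the allow-list would block, as (src tier, dst tier, port) tuples.
    Run this in monitor mode over real flow logs before switching to enforce."""
    blocked = []
    for line in flow_lines:
        src, dst, port = line.split()
        if not is_allowed(src, dst, int(port)):
            blocked.append((tier_of(src), tier_of(dst), int(port)))
    return blocked


# Constructed flow records from one day on a flat network, including what
# ransomware needs: workstation to production data, and production data out.
SAMPLE_FLOWS = [
    "10.10.1.23 10.10.2.10 445",     # workstation -> file server: allowed
    "10.10.1.23 10.10.3.10 5432",    # workstation -> prod db: blocked
    "10.10.5.7 10.10.3.10 5432",     # app -> prod db: allowed
    "10.10.3.10 10.10.3.20 443",     # prod db -> KMS: allowed
    "10.10.3.10 8.8.8.8 443",        # prod db -> internet: blocked
    "10.10.1.23 10.10.4.10 5432",    # workstation -> dev db: blocked
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS):
        print("would block:", flow)
```

Direction matters in the allow-list: app to prod-db on 5432 is listed, prod-db to app is not, so a compromised database cannot open connections back into the application tier even though the reverse path is legitimate.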

ZTNA Replaces VPN

Traditional VPN establishes a network-level tunnel: once connected, the remote user is on the corporate network and can reach anything the network allows. ZTNA (Zero Trust Network Access) replaces this with per-application brokered access: the user authenticates to a broker, the broker verifies identity, device posture, contextual signals, then proxies a specific application connection. The user never sees the corporate network; they see only the applications they are authorised to use, on a per-session basis.

Major ZTNA platforms: Cloudflare Access, Zscaler Private Access (ZPA), Netskope Private Access (NPA), Palo Alto Prisma Access, Cisco Secure Access, Google BeyondCorp Enterprise, Microsoft Entra Private Access. Open-source or free-tier options: Cloudflare Tunnel (free tier), Pomerium, Teleport, OpenZiti.

For Indian enterprises with a hybrid workforce, ZTNA is one of the most impactful Zero Trust upgrades. It is usually faster than a backhauled VPN (traffic is brokered at the cloud edge rather than hairpinned through the data centre), more secure (no network access at all, only per-application connections after per-session authorisation), and operationally simpler (no VPN client mass-rollout headaches). Migration typically takes 8 to 16 weeks for mid-size enterprises.
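The exchange described above (user authenticates to a broker, the broker checks identity and device posture, then proxies one application) is what distinguishes ZTNA from a VPN: the credential the user ends up holding is good for one application and one short session, and the connector in front of every other application rejects it. The Python below is an added example written for this article, not code from any ZTNA product. The token format (URL-safe base64 JSON claims plus an HMAC-SHA256 tag), the shared broker key, the five-minute lifetime and the sample users and applications are constructed for illustration; real brokers issue IdP-signed tokens (OIDC/JWT) and use mTLS between broker and connector.

```python
"""ZTNA broker and per-application connector, added example.

Not the article's or any vendor's code. Token format, key, TTL and the
sample entitlements are constructed for illustration; a real deployment uses
IdP-signed tokens and mTLS between broker and connector.
"""
import base64
import hashlib
import hmac
import json
import time

BROKER_KEY = b"constructed-demo-key"  # production: per-connector keys or asymmetric signing


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Broker:
    """Verifies identity and posture, then mints a grant for exactly one app."""

    def __init__(self, entitlements, key=BROKER_KEY, ttl=300):
        self.entitlements = entitlements   # user -> set of apps they may reach
        self.key = key
        self.ttl = ttl

    def issue(self, user, device_id, device_compliant, mfa, app, now=None):
        """Return a per-app, per-session token, or None if any check fails.
        There is no network tunnel: a user with ten apps gets ten tokens."""
        now = time.time() if now is None else now
        if not (mfa and device_compliant):
            return None
        if app not in self.entitlements.get(user, set()):
            return None
        claims = {"sub": user, "dev": device_id, "app": app,
                  "iat": now, "exp": now + self.ttl}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        tag = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{tag}"


class Connector:
    """Sits in front of one application and accepts only tokens minted for it."""

    def __init__(self, app, key=BROKER_KEY):
        self.app = app
        self.key = key

    def verify(self, token, device_id, now=None):
        """True only if the tag is valid, the token names this app, was issued
        to this device and has not expired. A token for another app is useless
        here, which is the property a VPN tunnel cannot give you."""
        now = time.time() if now is None else now
        try:
            body, tag = token.split(".")
        except ValueError:
            return False
        expected = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(tag, expected):
            return False
        claims = json.loads(_unb64(body))
        return (claims["app"] == self.app
                and claims["dev"] == device_id
                and claims["exp"] > now)


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    broker = Broker({"asha": {"payroll", "wiki"}})
    token = broker.issue("asha", "dev-1", True, True, "payroll", now=t0)
    print(Connector("payroll").verify(token, "dev-1", now=t0 + 10))   # True
    print(Connector("wiki").verify(token, "dev-1", now=t0 + 10))      # False: wrong app
    print(Connector("payroll").verify(token, "dev-1", now=t0 + 400))  # False: expired
```

Binding the token to the device identifier means a token lifted from one machine does not work from another even within its lifetime; combined with the short lifetime and the per-app scope, the blast radius of a stolen credential is one application for a few minutes rather than the whole network for the length of a VPN session.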


Implementation Roadmap (12 to 24 months)

Zero Trust is a journey, not a project. A realistic roadmap for an Indian mid-size enterprise:

Months 0 to 6: Identity Foundation

Single IdP federating every app and SaaS, MFA enforcement everywhere via Conditional Access, PIM for privileged roles, password manager rollout, offboarding workflow tied to the IdP, and quarterly access reviews. Most of the access-control wins land here.

Months 6 to 12: Network and Access

ZTNA rollout for remote access, microsegmentation for the most sensitive workloads (production data systems, finance, HR), east-west monitoring for the rest of the estate, network telemetry feeding the SIEM, and removal of legacy flat-trust paths.

Months 12 to 18: Data and Workload

Data classification, DLP across cloud storage, encryption with customer-managed keys for sensitive data, workload identity (federated workload-to-cloud authentication without long-lived keys), and CSPM for continuous configuration enforcement.

Months 18 to 24: Continuous Improvement

Risk-based authentication tuning, anomaly detection on identity behaviour (UEBA), automated response on high-risk signals, expansion of microsegmentation to remaining workloads, vendor and supply-chain integration patterns. Programme transitions from project to operational discipline.

Indian Enterprise Adoption Context

Indian Zero Trust adoption has accelerated since 2022. Drivers: RBI cloud guidance and digital lending rules that effectively require Zero Trust principles for regulated entities, customer security questionnaires from international parents asking explicit Zero Trust posture questions, post-pandemic remote and hybrid work that exposed VPN limitations, and rising ransomware incidents that demonstrated the cost of flat networks.

Common adoption pattern at Indian enterprises: identity foundation in year 1 (often coinciding with Microsoft 365 plus Entra ID rollout), ZTNA in year 2 (often coinciding with cloud migration of key apps), microsegmentation in year 3 (often driven by ransomware incident at a peer organisation). Codesecure helps Indian enterprises design and execute the Zero Trust journey at the right pace for their stage, regulatory profile and budget.


Frequently Asked Questions

Is Zero Trust a product I can buy?

No, Zero Trust is an architecture. You buy products that implement parts of the architecture (IdP, ZTNA, microsegmentation, CSPM, EDR), and you integrate them into a coherent design. Vendors who market 'a Zero Trust product' typically mean one component of the architecture.

Do we need to replace our VPN immediately?

Not immediately, but the VPN is one of the highest-impact components to modernise. Most Indian enterprises moving to Zero Trust replace VPN with ZTNA in the first 12 months. The security uplift, the support cost reduction and the user experience improvement all justify it.

Is Zero Trust only for large enterprises?

No. Modern cloud-first SaaS startups are often Zero Trust by default (IdP, Conditional Access, SSO everywhere, no traditional perimeter). Large legacy enterprises have more migration work because they have more legacy to migrate. Both stages benefit from Zero Trust principles.

Does Zero Trust replace traditional firewalls?

Not entirely. North-south firewalls still have a role for traffic flowing between trust zones. East-west microsegmentation is the layer that traditional firewalls struggle to address efficiently; that is where Zero Trust microsegmentation tooling adds value. Both coexist in most deployments.

How does Zero Trust relate to compliance frameworks?

Zero Trust principles map cleanly to ISO/IEC 27001:2022 (especially access control families), SOC 2 (CC6 logical access), PCI DSS, RBI, DPDP and NIST CSF. The architecture is not directly mandated by any framework but satisfies the controls of all of them more efficiently than a perimeter-only approach.

Can Codesecure help us design a Zero Trust programme?

Yes. Codesecure delivers Zero Trust strategy, IdP and Conditional Access design, ZTNA migration, microsegmentation rollout and continuous improvement engagements for Indian enterprises. ISO/IEC 27001:2022 certified delivery with named consultants.


Codesecure Security Team

OSCP / CEH / CISSP / ISO 27001 LA Certified

Codesecure Solutions is ISO/IEC 27001:2022 certified and delivers VAPT, SOC, compliance (ISO 27001, SOC 2, DPDP, HIPAA, PCI DSS, RBI, IRDAI), incident response and managed security across India, Singapore, UAE and the Middle East. Named consultants with OSCP, CEH, CISSP and ISO 27001 Lead Auditor credentials. 150+ engagements completed.


Move From Perimeter Trust to Zero Trust

Codesecure helps Indian enterprises design and execute Zero Trust transformation: IdP foundation, ZTNA migration, microsegmentation and ongoing operations. ISO/IEC 27001:2022 certified delivery, named consultants, fixed-price proposals, free retest within 90 days.