What is Zero Trust Architecture?
Zero Trust is a security model based on the principle 'never trust, always verify.' Unlike traditional perimeter-based security, Zero Trust assumes no entity — inside or outside the network — should be trusted by default.
The Core Principle: Never Trust, Always Verify
Traditional security models relied on a castle-and-moat approach: everything inside the network was trusted, and the focus was on keeping attackers out. Once inside, attackers could move laterally with little resistance.
Zero Trust flips this model. Every access request is fully authenticated, authorized, and encrypted regardless of where it originates. There is no implicit trust — even if the request comes from inside the corporate network or from a previously verified device.
- No implicit trust — verify every access request, every time
- Assume breach — design systems as if attackers are already inside
- Least privilege access — grant the minimum access needed, for the minimum time needed
- Continuous validation — re-evaluate trust for every session, not just at login
Microsegmentation
Microsegmentation divides the network into small, isolated zones, each requiring separate authentication. Even if an attacker compromises one segment, they cannot move laterally to others without re-authentication.
For example, instead of one flat network where any device can reach any other, microsegmentation creates isolated workloads: the web server can only talk to the application server, which can only talk to the database. A breach of the web server cannot reach the database directly.
- Creates isolated security zones for each workload or application
- Prevents lateral movement by requiring authentication at each boundary
- Often implemented with next-generation firewalls and software-defined networking
- Granular policies control traffic between workloads, not just at the perimeter
Control Plane vs Data Plane
Zero Trust separates the control plane (the decision-making layer) from the data plane (the forwarding layer). When a device requests access, the control plane evaluates the policy and makes an access decision. The data plane then enforces that decision.
This separation allows centralized policy management with distributed enforcement. For example, a Zero Trust overlay network uses a central controller to authenticate and authorize traffic, while individual gateways forward only the traffic that controller has authorized.
- Control plane: makes access decisions based on identity, device health, and policy
- Data plane: forwards traffic only when the control plane grants access
- Separation improves scalability and security by centralizing policy management
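The microsegmentation rules described above (web to app to database, nothing else) and the control plane/data plane split come together in the following added example, which is not code from the original article. It models a Policy Decision Point (control plane) that checks identity, device posture, the segmentation allow-list and role privileges, and a Policy Enforcement Point (a data-plane gateway) that forwards traffic only when the PDP grants it and asks again on every request, which is what continuous validation means in practice. All segment, user, device and port names are constructed for the illustration.

```python
"""Added illustration, not code from the original article: a toy model of a Zero
Trust control plane (Policy Decision Point, PDP) and data plane (Policy
Enforcement Point, PEP) applying microsegmentation, least privilege and
continuous validation. Segment names, users, devices and ports are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One access request as seen by a data-plane gateway."""
    user: str
    device_id: str
    src_segment: str
    dst_segment: str
    port: int


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


class PolicyDecisionPoint:
    """Control plane: decides, never forwards. Every check is default-deny."""

    def __init__(self, roles, device_health, segment_policy):
        self.roles = roles                    # user -> set of segments that user may reach
        self.device_health = device_health    # device_id -> True if posture checks pass now
        self.segment_policy = segment_policy  # (src, dst) -> allowed ports; unlisted = deny

    def evaluate(self, req: Request) -> Decision:
        if req.user not in self.roles:
            return Decision(False, "identity not authenticated")
        if not self.device_health.get(req.device_id, False):
            return Decision(False, "device fails posture check")
        allowed_ports = self.segment_policy.get((req.src_segment, req.dst_segment), set())
        if req.port not in allowed_ports:
            return Decision(False, "microsegmentation: no rule for this path/port")
        if req.dst_segment not in self.roles[req.user]:
            return Decision(False, "least privilege: role may not reach segment")
        return Decision(True, "all checks passed")


class PolicyEnforcementPoint:
    """Data plane: a gateway in front of one segment. It holds no policy of its own
    and caches no trust; every request is sent to the PDP for a fresh decision."""

    def __init__(self, pdp: PolicyDecisionPoint, audit_log: list):
        self.pdp = pdp
        self.audit_log = audit_log

    def forward(self, req: Request) -> bool:
        decision = self.pdp.evaluate(req)
        self.audit_log.append((req, decision))  # allow and deny are both logged
        return decision.allow                   # True = forwarded, False = dropped


def build_demo():
    """Constructed environment: three segments, two identities, two devices."""
    roles = {"alice": {"app"}, "svc-app": {"db"}}
    device_health = {"laptop-1": True, "app-node-7": True}
    segment_policy = {
        ("web", "app"): {8080},
        ("app", "db"): {5432},
        # no ("web", "db") entry: the web tier can never reach the database directly
    }
    pdp = PolicyDecisionPoint(roles, device_health, segment_policy)
    log = []
    return pdp, PolicyEnforcementPoint(pdp, log), log


def run_scenario():
    """Runs four requests; returns name -> (forwarded?, PDP reason)."""
    pdp, pep, log = build_demo()
    results = {}

    def step(name, req):
        results[name] = (pep.forward(req), log[-1][1].reason)

    # 1. Legitimate web -> app call from a healthy device: forwarded.
    step("web_to_app", Request("alice", "laptop-1", "web", "app", 8080))
    # 2. A breached web tier trying to reach the database directly: dropped by the
    #    segmentation rule, even though the identity and device are still valid.
    step("web_to_db", Request("alice", "laptop-1", "web", "db", 5432))
    # 3. App tier talking to the database over its one permitted port: forwarded.
    step("app_to_db", Request("svc-app", "app-node-7", "app", "db", 5432))
    # 4. Continuous validation: the device from step 1 later fails a posture check, so
    #    the request that was allowed before is now dropped; past verification buys no trust.
    pdp.device_health["laptop-1"] = False
    step("web_to_app_after_posture_fail", Request("alice", "laptop-1", "web", "app", 8080))
    results["denials_logged"] = sum(1 for _, d in log if not d.allow)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The design point to notice is that the gateway (PEP) cannot make a wrong decision on its own, because it has no policy to get wrong: it only relays the PDP's verdict, and it relays a fresh one each time, so a device that drifts out of compliance loses access on its next request rather than at its next login.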
Zero Trust on the Security+ Exam
The SY0-701 exam places significant emphasis on Zero Trust as part of objectives 1.2 (Fundamental Security Concepts) and 3.1 (Security Architecture Models). You should understand how Zero Trust differs from traditional perimeter security, the role of microsegmentation, and the control/data plane separation.
Key terms: Policy Enforcement Point (PEP), Policy Decision Point (PDP), microsegmentation, and implicit trust zones.
Exam Tip
Zero Trust is heavily tested on SY0-701. Remember: it's not a product but a framework. The three key concepts are: (1) no implicit trust, (2) microsegmentation, (3) least privilege. Know the control plane vs data plane distinction.