Skip to content
NINTECH
← All insights
Cyber Security

Zero Trust, in practice: beyond the buzzword

6 July 2026 · 8 min read · Nintech Security

Cyber Security

Zero Trust has been buzzworded to the point of meaninglessness, which is a shame, because the underlying idea is one of the few genuinely useful shifts in security architecture of the last fifteen years. The idea is simple: stop treating network location as proof of identity. A packet arriving from the corporate LAN deserves exactly as much trust as one arriving from a coffee shop in Lisbon — which is to say, none, until the caller proves who they are and policy says they are allowed in.

The perimeter died; most architectures haven't noticed

The classic model — hard shell, soft interior — assumed that everything inside the firewall was trustworthy. That assumption stopped holding years ago. Staff work from anywhere, workloads run in three clouds and a colo, SaaS holds the crown jewels, and contractors and CI runners hold credentials that would make a 2010-era attacker weep. Once an attacker phishes a single VPN credential or compromises one internal box, the flat network behind the perimeter is an open buffet. Nearly every major breach post-mortem of the last decade includes the phrase 'lateral movement', and lateral movement is precisely what the perimeter model fails to prevent.

The replacement is not 'no trust' but 'no implicit trust'. Every request to every service carries a verified identity — of the user, the device, and the workload — and an access decision is made per request against explicit policy. Google's BeyondCorp, which moved corporate applications onto the public internet behind identity-aware proxies, remains the best-documented existence proof that this works at scale. The important detail is that BeyondCorp took years and touched identity, device inventory, and application access — it was not a product purchase.

mTLS and microsegmentation are the mechanics, not the goal

For service-to-service traffic, the workhorse is mutual TLS: both ends present certificates, so every connection is authenticated and encrypted, and 'which workload is calling me' becomes a cryptographic fact rather than an IP-based guess. In practice this means short-lived certificates issued automatically from workload identity — SPIFFE/SPIRE, a service mesh like Istio or Linkerd, or cloud-native equivalents — because manually managed long-lived certs recreate the credential-sprawl problem you were trying to solve. IP allowlists, by contrast, break the moment you have NAT, autoscaling, or an attacker who has landed on an allowed host.

Microsegmentation is the complementary control: instead of one flat network, each service can talk only to the services it has a declared, reviewed reason to talk to. Kubernetes NetworkPolicies, cloud security groups per workload, or mesh-level authorisation policies all get you there. The honest caveat is operational: segmentation done badly generates outages and exception sprawl, and teams quietly punch 'allow all' holes to ship. Start from observed traffic flows — most meshes and cloud flow logs can tell you who actually talks to whom — and encode that reality as policy before tightening, rather than designing an aspirational matrix nobody follows.

You cannot buy Zero Trust off a shelf

The most common failure mode is procurement-shaped: an organisation buys a 'Zero Trust platform', deploys it in front of the VPN, and declares victory while the internal network remains flat and every service still trusts every packet that reaches it. Vendors sell useful components — identity providers, device posture agents, identity-aware proxies, meshes — but Zero Trust is an architectural property of your systems, not a feature of any one of them. A ZTNA gateway in front of a network where any authenticated user can reach every internal service has changed the front door and nothing else; the blast radius of one stolen session is unchanged.

The tell is where policy lives. If access decisions are still 'is this person on the VPN', you have relabelled the perimeter. If the answer to 'who can reach the payroll database and from what device posture' is a specific, auditable policy evaluated on every request, you are actually doing the thing. NIST SP 800-207 is worth reading precisely because it describes an architecture and a set of tenets, not a product category.

Roll out incrementally and measure blast radius

The workable sequence starts with identity, because everything else depends on it: a single identity provider, MFA (preferably phishing-resistant WebAuthn/passkeys), and device signals feeding access decisions. Then pick one high-value application — the internal admin panel, the data warehouse — and move it behind an identity-aware proxy with per-request policy. One app forces you to solve the real problems (SSO integration, device inventory, break-glass access, on-call ergonomics) at a size where mistakes are cheap, and gives you a template to repeat. Trying to convert the whole estate in one programme is how Zero Trust initiatives die in year two.

Measure progress as blast-radius reduction, because that is the property you are buying. Useful metrics: the number of services reachable from an arbitrary compromised workstation or pod (obtainable by actually testing — run the scan); the count of long-lived static credentials in circulation versus short-lived issued ones; the percentage of internal service-to-service connections carrying authenticated identity; and time-to-revoke when a credential is reported stolen. If those numbers are moving, the programme is working. If the only number moving is licence spend, it is not.

Working on something like this? Talk to an engineer.

Zero Trust, in practice: beyond the buzzword — Nintech