The classic security perimeter — firewall at the network edge, VPN inside, and trusting everything within — is dead. Zero Trust architecture flips the paradigm: trust no one, always verify, minimize privileges. And 2020 showed why this is necessary right now.
Why the Perimeter Stopped Working
The traditional “castle and moat” model assumed a clear boundary. Inside the castle you’re safe, outside is the enemy. But in 2020 the castle crumbled — employees work from home, applications run in the cloud, data lives in SaaS platforms. Where is the perimeter now?
Statistics speak clearly: 80% of data breaches in 2020 involved compromised credentials. An attacker doesn’t need to break through the firewall — a phishing email and one password is enough. Once “inside,” the classic model gives them free lateral movement across the entire network.
Three Pillars of Zero Trust
Zero Trust isn’t a product you can buy. It’s an architectural framework built on three pillars:
- Verify explicitly: Authenticate and authorize every access based on all available data points — identity, location, device, service, data classification, anomalies
- Least privilege access: Minimum permissions needed for the given task. Just-in-time and just-enough access, risk-based adaptive policies
- Assume breach: Design the system as if it’s already compromised. Minimize blast radius, segment access, encrypt end-to-end, use analytics for detection
Identity as the New Perimeter
When the network perimeter disappears, identity becomes the fundamental control point. In practice, this means a central identity provider — typically Azure Active Directory — as the single source of truth for authentication and authorization.
Conditional Access policies are the core of implementation. It’s not just about “does the user have a valid password,” but contextual decision-making:
- Are they logging in from a corporate or personal device?
- Is the device compliant according to Intune policies?
- What geographic location are they logging in from?
- What’s the user’s current risk score (Azure AD Identity Protection)?
- Are they accessing a routine or sensitive application?
Based on these signals, the system decides: allow, require MFA, restrict access (browser only, no downloads), or block completely.
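The decision logic described above, as an added example that is not Microsoft's code or the page's own: a small policy engine where every matching policy proposes a control and the most restrictive one wins, which is also how a practitioner should reason about overlapping Conditional Access policies. The signal names, the trusted-country list and the policy set are constructed assumptions.

```python
"""Added example: a toy Conditional Access decision engine (not Azure AD code).

Each sign-in carries the signals the text lists; every policy that matches
proposes a control, and the most restrictive proposal is the decision.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Control(IntEnum):
    # Ordered so that max() yields the most restrictive outcome.
    ALLOW = 0
    REQUIRE_MFA = 1
    RESTRICT = 2  # browser-only session, no downloads
    BLOCK = 3


@dataclass(frozen=True)
class SignIn:
    user: str
    corporate_device: bool
    device_compliant: bool   # Intune compliance state (assumed signal)
    country: str             # ISO code from the sign-in location
    user_risk: str           # Identity Protection style: "low" / "medium" / "high"
    app_sensitivity: str     # "routine" / "sensitive"


# Constructed assumption: where the organisation normally operates.
TRUSTED_COUNTRIES = {"CZ", "SK", "DE", "AT"}

# (name, condition, control to apply when the condition holds); constructed set.
POLICIES = [
    ("Block high-risk users", lambda s: s.user_risk == "high", Control.BLOCK),
    ("MFA for medium-risk users", lambda s: s.user_risk == "medium", Control.REQUIRE_MFA),
    ("MFA outside trusted countries", lambda s: s.country not in TRUSTED_COUNTRIES, Control.REQUIRE_MFA),
    ("Browser-only on personal devices", lambda s: not s.corporate_device, Control.RESTRICT),
    ("Browser-only on non-compliant corporate devices",
     lambda s: s.corporate_device and not s.device_compliant, Control.RESTRICT),
    ("MFA for sensitive apps", lambda s: s.app_sensitivity == "sensitive", Control.REQUIRE_MFA),
    ("Sensitive apps only from compliant corporate devices",
     lambda s: s.app_sensitivity == "sensitive" and not (s.corporate_device and s.device_compliant),
     Control.BLOCK),
]


def evaluate(sign_in: SignIn) -> tuple[Control, list[str]]:
    """Return the decision and the names of the policies that fired.

    Returning the fired policies matters for operations: an unexplained
    BLOCK is a help-desk ticket, an explained one is a policy review.
    """
    fired = [(name, control) for name, condition, control in POLICIES if condition(sign_in)]
    if not fired:
        return Control.ALLOW, []
    return max(control for _, control in fired), [name for name, _ in fired]


if __name__ == "__main__":
    for s in (
        SignIn("alice", True, True, "CZ", "low", "routine"),
        SignIn("alice", True, True, "CZ", "low", "sensitive"),
        SignIn("bob", False, False, "CZ", "low", "routine"),
        SignIn("bob", False, False, "CZ", "low", "sensitive"),
        SignIn("carol", True, True, "US", "high", "routine"),
    ):
        decision, why = evaluate(s)
        print(f"{s.user:6} {s.app_sensitivity:9} -> {decision.name:12} {why}")
```

The ordering of `Control` is the whole design: adding a policy can only tighten the result, never loosen it, so a new policy cannot accidentally grant access that an existing one denies.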
Network Micro-segmentation
A flat network is an attacker’s dream. Once they get on one machine, they see everything. Micro-segmentation stops this movement — every workload, every application has its own security zone.
In Azure, we solve this with a combination of Network Security Groups, Azure Firewall, and Private Endpoints. Databases don’t have public IP addresses. Application servers communicate with the database through private links. And between individual tiers stand rules that allow only explicitly defined flows.
For one client in the banking sector, we implemented micro-segmentation gradually — we started by identifying communication flows using NSG flow logs and Azure Traffic Analytics. Only when we had a map of real communication did we start closing ports. Result: from 340 open flows, 47 legitimate ones remained.
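The "map first, then close" approach from the two paragraphs above, as an added example that is neither the page's nor Azure Traffic Analytics' code: an offline parser for the NSG flow log version 2 schema (records, then properties.flows[].flows[].flowTuples, each tuple being timestamp, source IP, destination IP, source port, destination port, protocol, direction, decision, flow state and four counters) that aggregates observed flows and lists those that were only admitted by a default rule, which are exactly the flows that need an explicit rule before the defaults are tightened. The log below is constructed sample data, not a real capture.

```python
"""Added example: build a communication map from NSG flow logs (v2 schema).

Not an Azure product feature; a small parser to show how observed flows are
turned into the list of explicit allow rules that must exist before default
allow rules are replaced by deny. Sample log is constructed, not captured.
"""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_FLOW_LOG = json.dumps({"records": [{
    "time": "2020-11-13T12:00:35Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-EXAMPLE"
                  "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-APP",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_AllowVnetOutBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1605268800,10.5.1.4,10.5.2.5,51002,1433,T,O,A,B,,,,",            # app -> db, begin
            "1605268805,10.5.1.4,10.5.2.5,51002,1433,T,O,A,E,12,2048,10,8192",  # same flow, end + counters
            "1605268810,10.5.1.5,10.5.2.5,51340,1433,T,O,A,B,,,,",            # second app node -> db
        ]}]},
        {"rule": "DefaultRule_AllowInternetOutBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1605268820,10.5.1.4,13.107.4.52,44931,443,T,O,A,B,,,,",          # app -> internet HTTPS
        ]}]},
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1605268830,198.51.100.23,10.5.1.4,28746,22,T,I,D,B,,,,",         # internet -> app SSH, denied
        ]}]},
    ]},
}]})

PROTOCOL = {"T": "TCP", "U": "UDP"}
DIRECTION = {"I": "in", "O": "out"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    protocol: str
    direction: str


def parse_tuple(flow_tuple: str) -> tuple[Flow, str, int]:
    """Return (flow, decision, total bytes) for one v2 flow tuple."""
    f = flow_tuple.split(",")
    flow = Flow(f[1], f[2], int(f[4]), PROTOCOL[f[5]], DIRECTION[f[6]])
    decision = "allow" if f[7] == "A" else "deny"
    # Byte counters (fields 10 and 12) are empty until the flow has been sampled.
    total_bytes = sum(int(x) for x in (f[10], f[12]) if x)
    return flow, decision, total_bytes


def summarize(log_json: str) -> dict[tuple[str, Flow], dict]:
    """Aggregate tuples into (decision, flow) -> hits, bytes and matching rules."""
    stats: dict = defaultdict(lambda: {"hits": 0, "bytes": 0, "rules": set()})
    for record in json.loads(log_json)["records"]:
        for rule_block in record["properties"]["flows"]:
            for nic in rule_block["flows"]:
                for t in nic["flowTuples"]:
                    flow, decision, nbytes = parse_tuple(t)
                    entry = stats[(decision, flow)]
                    entry["hits"] += 1
                    entry["bytes"] += nbytes
                    entry["rules"].add(rule_block["rule"])
    return dict(stats)


def candidate_allow_rules(stats: dict) -> list[dict]:
    """Allowed flows that only matched a DefaultRule_*: write these explicitly first."""
    rows = []
    for (decision, flow), entry in stats.items():
        if decision == "allow" and all(r.startswith("DefaultRule_") for r in entry["rules"]):
            rows.append({"source": flow.src, "destination": flow.dst, "port": flow.dst_port,
                         "protocol": flow.protocol, "direction": flow.direction,
                         "observed": entry["hits"]})
    return sorted(rows, key=lambda r: (r["source"], r["destination"], r["port"]))


def denied_flows(stats: dict) -> list[Flow]:
    """Denied flows are detection material, not candidates for new rules."""
    return [flow for (decision, flow) in stats if decision == "deny"]


if __name__ == "__main__":
    s = summarize(SAMPLE_FLOW_LOG)
    for row in candidate_allow_rules(s):
        print(row)
    print("denied:", denied_flows(s))
```

Run this over a full retention window rather than a single day: a monthly batch job or a backup restore that only appears once a month is the flow that gets cut when the map is built from one week of logs.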
Device Trust and Endpoint Management
Zero Trust without device control makes no sense. Microsoft Intune (now Endpoint Manager) allows you to define compliance policies — devices must run a current OS version, have BitLocker enabled, and run active antimalware with current definitions.
Non-compliant devices don’t get access to corporate data. Or more precisely — they get limited access. They can open email in a browser but can’t download attachments or sync offline. Granular control instead of binary allow/deny.
Application Proxy Instead of VPN
One of the most practical steps toward Zero Trust: Azure AD Application Proxy. Instead of giving a user VPN access to the entire network for one internal web application, you publish that application through proxy.
The user authenticates through Azure AD, passes conditional access policies and gets access to just that one application. No network access to other systems. No VPN client. Works from any device with a browser.
For one client in public administration, we published 12 internal applications this way. Result: complete VPN elimination for 80% of users and dramatic simplification of external collaborator onboarding.
Monitoring and Threat Detection
“Assume breach” means detection is as important as prevention. In Zero Trust architecture, you log everything and correlate:
- Azure Sentinel as cloud-native SIEM — log aggregation from Azure AD, Office 365, firewall, endpoint protection
- UEBA (User and Entity Behavior Analytics): anomaly detection in user behavior — unusual login patterns, massive data downloads, access at unusual times
- Automated response: playbooks in Azure Sentinel that automatically react — block account, require password reset, isolate device
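The UEBA and automated-response items above, as an added example that is not Azure Sentinel code: a per-user baseline is learned from a history window (usual sign-in hours, countries, typical download volume), later events are scored against it for the three anomaly types the text names, and the number of findings is mapped to a response in the spirit of a playbook. The event records, the baseline window and the thresholds are constructed assumptions.

```python
"""Added example: rule-based UEBA over constructed sign-in/activity events.

Not Sentinel's UEBA engine; it shows the shape of the logic: learn a per-user
baseline, score later events against it, map the score to a playbook action.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample telemetry (not real data).
EVENTS = [
    {"user": "alice", "time": "2020-11-02T08:15:00", "country": "CZ", "mb_downloaded": 35},
    {"user": "alice", "time": "2020-11-03T09:02:00", "country": "CZ", "mb_downloaded": 52},
    {"user": "alice", "time": "2020-11-04T08:47:00", "country": "CZ", "mb_downloaded": 28},
    {"user": "alice", "time": "2020-11-05T16:30:00", "country": "CZ", "mb_downloaded": 44},
    {"user": "alice", "time": "2020-11-06T10:10:00", "country": "CZ", "mb_downloaded": 39},
    # events after the baseline window, to be scored
    {"user": "alice", "time": "2020-11-09T09:05:00", "country": "CZ", "mb_downloaded": 41},
    {"user": "alice", "time": "2020-11-10T03:12:00", "country": "NG", "mb_downloaded": 2600},
    {"user": "alice", "time": "2020-11-11T13:00:00", "country": "DE", "mb_downloaded": 30},
]

BASELINE_END = datetime(2020, 11, 8)   # assumption: first week is the learning window
DOWNLOAD_FACTOR = 10                   # assumption: >10x the user's median is "massive"


def build_baselines(events: list[dict]) -> dict[str, dict]:
    """Per-user baseline: tolerated hour range, seen countries, median download."""
    hist: dict = defaultdict(lambda: {"hours": set(), "countries": set(), "downloads": []})
    for e in events:
        ts = datetime.fromisoformat(e["time"])
        if ts >= BASELINE_END:
            continue
        b = hist[e["user"]]
        b["hours"].add(ts.hour)
        b["countries"].add(e["country"])
        b["downloads"].append(e["mb_downloaded"])
    return {
        user: {
            "hour_range": (min(b["hours"]) - 1, max(b["hours"]) + 1),  # one hour of slack each side
            "countries": set(b["countries"]),
            "median_mb": median(b["downloads"]),
        }
        for user, b in hist.items()
    }


def score_event(event: dict, baseline: dict) -> list[str]:
    """Return the anomaly types this event exhibits relative to the baseline."""
    ts = datetime.fromisoformat(event["time"])
    lo, hi = baseline["hour_range"]
    findings = []
    if not lo <= ts.hour <= hi:
        findings.append("unusual_hour")
    if event["country"] not in baseline["countries"]:
        findings.append("new_country")
    if event["mb_downloaded"] > DOWNLOAD_FACTOR * baseline["median_mb"]:
        findings.append("mass_download")
    return findings


def playbook_action(findings: list[str]) -> str:
    """Map the number of findings to a response, mirroring the text's playbook steps."""
    if len(findings) >= 3:
        return "block_account_and_isolate_device"
    if len(findings) == 2:
        return "require_password_reset"
    if len(findings) == 1:
        return "require_mfa_reauthentication"
    return "none"


def analyze(events: list[dict]) -> list[dict]:
    """Score every post-baseline event for users that have a baseline."""
    baselines = build_baselines(events)
    results = []
    for e in events:
        if datetime.fromisoformat(e["time"]) < BASELINE_END or e["user"] not in baselines:
            continue
        findings = score_event(e, baselines[e["user"]])
        results.append({"user": e["user"], "time": e["time"],
                        "findings": findings, "action": playbook_action(findings)})
    return results


if __name__ == "__main__":
    for r in analyze(EVENTS):
        print(r)
```

Users without a baseline are skipped rather than scored against nothing; in production that gap (new hires, service accounts) is where a static rule set has to cover until enough history exists.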
Gradual Implementation — Not Big Bang
The most common mistake is trying to implement Zero Trust all at once. In practice, we recommend a phased approach:
- Phase 1 — Identity: MFA for everyone, conditional access, SSO for key applications (4-6 weeks)
- Phase 2 — Devices: Intune enrollment, compliance policies, conditional access on device compliance (6-8 weeks)
- Phase 3 — Applications: Application Proxy for internal sites, elimination of unnecessary VPN access (8-12 weeks)
- Phase 4 — Network: Micro-segmentation, Private Endpoints, NSG hardening (ongoing)
- Phase 5 — Data: Data classification, Azure Information Protection, DLP policies (ongoing)
Zero Trust Isn’t a Destination, It’s a Journey
No organization is “done” with Zero Trust. It’s a continuous process of improving security posture. But every step — from MFA through conditional access to micro-segmentation — significantly reduces risk. And 2020 showed that the first step can’t wait.