How to Create Zero Trust Architecture

The traditional perimeter model of cybersecurity has a fundamental flaw: once an attacker is inside, they can move freely. This article from our Cyber Security Specialist, Marcello Carboni, explains the Zero Trust architecture model, its core principles, and why "never trust, always verify" has become the standard approach for organisations operating in today's complex, cloud-first environments.

Marcello Carboni

Cyber Security Specialist, 8 West Consulting

October 02, 2025

What is Zero Trust?

 

For decades, cyber defence was built around a perimeter model: all the security measures are placed around the perimeter, leaving the internal network wide open. A single weak spot in the perimeter could allow an attacker to move freely inside the corporate network.

 

In 2009, this reality became very apparent. A nation-sponsored cyberattack dubbed "Operation Aurora" exploited a zero-day vulnerability and gained access to the corporate networks and proprietary data of multiple organizations. In response, Google, one of the victims, started to implement a zero trust security model called "BeyondCorp".

 

But what makes the zero trust architecture so secure? It rests on a simple idea:

 

"Never trust, always verify"

 

Every device, user and application must continuously prove their identity and access rights - even within the network - and every communication must be validated and monitored.

 

Zero Trust Principles

 

What are the main principles of a zero trust architecture?

 

  • No Implicit Authorisation - Always verify the identity and security posture of anyone or anything trying to access a resource.
  • Least Privilege Access - Only grant the minimum level of access to a user or device needed to perform their task. Use Just-In-Time and Just-Enough-Access alongside risk-based adaptive policies.
  • Assume Breach - Segment the network into several smaller networks that are isolated from each other - this will limit the "blast radius" of a security incident. Verify end-to-end encryption, and monitor network activity alongside user and entity behaviour.
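
The three principles above can be read as one access decision made on every request. The sketch below is an added example, not code from the article or from BeyondCorp; the field names, risk thresholds and sample grant are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    action: str
    mfa_verified: bool      # identity proven for this session
    device_compliant: bool  # security posture of the device
    risk_score: int         # 0-100, from a hypothetical risk engine
    source_ip: str          # recorded for monitoring, never used to grant trust

@dataclass(frozen=True)
class Grant:                # one Just-In-Time / Just-Enough-Access entry
    user: str
    resource: str
    actions: frozenset
    expires: datetime

STEP_UP_RISK, DENY_RISK = 40, 70  # constructed thresholds (assumption)

def decide(req, grants, now):
    """Return (decision, reason); anything not explicitly allowed is denied."""
    if not req.mfa_verified:
        return "deny", "identity not verified"
    if not req.device_compliant:
        return "deny", "device posture check failed"
    if req.risk_score >= DENY_RISK:
        return "deny", "risk score too high"
    active = [g for g in grants
              if (g.user, g.resource) == (req.user, req.resource)
              and req.action in g.actions and now < g.expires]
    if not active:
        return "deny", "no unexpired grant covers this action"
    if req.risk_score >= STEP_UP_RISK:
        return "step_up", "re-authenticate before access"
    return "allow", "verified and within an active grant"

# Constructed sample data: one read-only grant that expires after an hour.
NOW = datetime(2025, 10, 2, 12, 0, tzinfo=timezone.utc)
GRANTS = [Grant("alice", "payroll-db", frozenset({"read"}), NOW + timedelta(hours=1))]

def sample(**overrides):
    base = dict(user="alice", resource="payroll-db", action="read", mfa_verified=True,
                device_compliant=True, risk_score=10, source_ip="10.0.0.5")
    return Request(**{**base, **overrides})

if __name__ == "__main__":
    for req in (sample(), sample(action="write"), sample(device_compliant=False)):
        print(req.action, req.device_compliant, decide(req, GRANTS, NOW))
```

The internal source address in the sample never influences the outcome: a non-compliant device is refused even from inside the network, and the same user is refused again once the grant window closes.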

Zero Trust Today

 

Today the Zero Trust Architecture is particularly relevant, especially as the perimeter architecture is, by today's standards, completely obsolete. Cloud adoption, mobile devices and third-party integrations create a very complex network topology where all communication must be treated the same: untrusted until verified.

 

Closing Thoughts

 

Zero Trust - unlike the name suggests - doesn't mean "trust no one". It means that trust is no longer a default; instead, it must be continuously earned and verified, all while planning for the worst-case scenario. This doesn't just secure the network, it builds resilience.

 
