How to Create Zero Trust Architecture
June 04, 2026
What is Zero Trust?
For decades, cyber defence was built around a perimeter model - all the security measures were placed around the perimeter, leaving the internal network wide open. A single weak spot in the perimeter could let an attacker move freely inside the corporate network.
In 2009 this reality became very apparent. A nation-sponsored cyberattack dubbed "Operation Aurora" exploited a zero-day vulnerability and gained access to the corporate networks and proprietary data of multiple organizations. In response, Google, one of the victims, started to implement a zero trust security model called "BeyondCorp".
But what makes the zero trust architecture so secure? It rests on a simple idea:
"Never trust, always verify"
Every device, user and application must continuously prove their identity and access rights - even within the network - and every communication must be validated and monitored.
Zero Trust Principles
What are the main principles of a zero trust architecture?
- No Implicit Authorisation - Always verify the identity and security posture of anyone or anything trying to access a resource.
- Least Privilege Access - Only grant the minimum level of access to a user or device needed to perform their task. Use Just-In-Time and Just-Enough-Access alongside risk-based adaptive policies.
- Assume Breach - Segment the network into smaller networks that are isolated from each other - this will limit the "blast radius" of a security incident. Verify end-to-end encryption, and monitor network activity alongside user and entity behaviour.
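The three principles above can be read as checks that a policy decision point runs on every request. The sketch below is an added example, not code from the article or from BeyondCorp; all names, thresholds and the sample grant are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Grant:  # Just-In-Time, Just-Enough-Access: one user, one resource, one action, expiring
    user: str
    resource: str
    action: str
    expires: datetime

@dataclass(frozen=True)
class Request:
    user: str
    mfa_verified: bool       # identity proven for this request
    device_compliant: bool   # security posture of the device (assumed to come from device management)
    source_network: str      # recorded for monitoring, never used to grant access
    resource: str
    action: str
    risk: float              # 0.0 (low) to 1.0 (high), assumed to come from behaviour analytics

RISK_LIMIT = {"read": 0.7, "write": 0.4}  # constructed thresholds: writes tolerate less risk

def decide(req, grants, now):
    """Return (allowed, reason). Every check runs on every request; the default is deny."""
    if not req.mfa_verified:
        return False, "identity not verified"
    if not req.device_compliant:
        return False, "device posture failed"
    grant = next((g for g in grants if (g.user, g.resource, g.action) ==
                  (req.user, req.resource, req.action)), None)
    if grant is None:
        return False, "no grant for this action"
    if now >= grant.expires:
        return False, "grant expired"
    if req.risk > RISK_LIMIT.get(req.action, 0.0):
        return False, "risk too high for action"
    return True, "allowed"

# Constructed sample data: one read-only grant that expires after an hour.
NOW = datetime(2026, 6, 4, 9, 0, tzinfo=timezone.utc)
GRANTS = [Grant("alice", "payroll-db", "read", NOW + timedelta(hours=1))]

if __name__ == "__main__":
    on_lan = Request("alice", True, False, "corp-lan", "payroll-db", "read", 0.1)
    remote = Request("alice", True, True, "home-wifi", "payroll-db", "read", 0.1)
    for r in (on_lan, remote):
        print(r.source_network, decide(r, GRANTS, NOW))
```

The request from inside the corporate LAN is denied because the device fails its posture check, while the remote request from a compliant device is allowed: network location plays no part in the decision.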
Zero Trust Today
Today the Zero Trust Architecture is particularly relevant, especially as the perimeter architecture is completely obsolete by today's standards. Cloud adoption, mobile devices and third-party integrations create a very complex network topology where all communication must be treated the same: untrusted until verified.
Closing Thoughts
Zero Trust - unlike the name suggests - doesn't mean "trust no one". It means that trust is no longer a default; instead, it must be continuously earned and verified, all while planning for the worst-case scenario. This doesn't just secure the network, it builds resilience.
Further Reading
- BeyondCorp and the long tail of Zero Trust | USENIX
- Department of Defense Zero Trust Reference Architecture
Author: Marcello Carboni, Cyber Security Specialist, 8 West Consulting
https://www.linkedin.com/in/marcello-carboni-b01228186/