Skip to content

Explain Zero Trust architecture and what changes when you adopt it.

Short answer

Zero Trust drops the assumption that being inside the network makes you trusted. Every request to a resource is authenticated and authorized on its own merits — verifying identity, device health, and context — by a policy decision point, granting least-privilege access per session. There is no trusted internal zone; the network location of a request is just one signal, not a free pass.

The traditional "castle-and-moat" model trusted anything inside the perimeter. But once an attacker phishes a laptop or pivots through a VPN, that implicit trust hands them free lateral movement. Zero Trust discards the perimeter as a trust boundary.

The core principle

"Never trust, always verify." Every access request to a resource is evaluated on its own merits, regardless of where it comes from. Being on the corporate LAN earns you nothing. The system asks, for each request: who is the identity, is it authenticated strongly, is the device healthy and managed, what is being accessed, and does policy allow it right now?

How it's structured (per NIST SP 800-207)

A policy decision point (PDP) evaluates the request against policy using signals from identity providers, device management, and threat intelligence. A policy enforcement point (PEP) sits in front of the resource and either allows or blocks the session based on the PDP's verdict. Access is granted per session and at least privilege — just enough, just for now.

What actually changes when you adopt it

  • Identity becomes the new perimeter. Strong, ideally phishing-resistant authentication is foundational.
  • Device posture matters. A compliant, patched, managed device is a signal that gates access.
  • Microsegmentation limits lateral movement so a compromised host can't roam freely.
  • Continuous evaluation. Trust isn't granted once and forgotten; context can revoke access mid-session.

The honest caveats

Zero Trust is an architecture and strategy, not a product. Vendors sell pieces (ZTNA, identity-aware proxies), but you implement the model. It's also a journey — most organizations migrate incrementally, starting with their most sensitive apps.

What interviewers look for: you frame it as eliminating implicit trust and verifying per-request, you can name the PDP/PEP split, and you resist the "it's a product you buy" trap.

Likely follow-ups

  • What is a policy decision point vs a policy enforcement point?
  • Why is the traditional 'castle-and-moat' model insufficient today?
  • How does device posture factor into a Zero Trust decision?

Sources

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.