The company relies on 'once you're on the VPN, you're trusted.' What architectural shift do you propose?
Short answer
Network-location trust means a single foothold inside grants broad lateral access — one phished VPN credential and the attacker is 'inside.' Zero trust removes implicit trust: every access is authenticated, authorized, and continuously evaluated on identity and device posture, with least privilege and segmentation (NIST SP 800-207). A second VPN or a wider VPN just extends the same flat-trust problem to more places, and trusting the LAN instead of the VPN repeats the original mistake.
"Once you're on the VPN, you're trusted" is the classic perimeter model: a hard outer shell and a soft, flat interior. It made sense when employees, servers, and data all sat in one building. It fails badly once attackers, remote work, cloud, and SaaS blur the perimeter.
Why the perimeter model breaks
The fatal property is implicit trust based on network location. Authentication happens once, at the VPN edge. After that, the user — or whoever stole their VPN credential — is treated as trusted across a flat internal network. A single phished credential, a compromised laptop, or a malicious insider then has broad lateral movement: scan, pivot, and reach systems that should have been off-limits. The VPN authenticated connection, not every request.
The shift: zero trust
Zero trust (NIST SP 800-207) discards implicit trust. Its core principle: never trust, always verify — every access request to every resource is authenticated and authorized on its own merits, based on identity, device posture, and context, and continuously re-evaluated. Combine it with least privilege (users reach only what they need) and microsegmentation (compromise of one workload doesn't open the rest). Access becomes a per-resource decision, not a one-time network admission.
Why the wrong answers are wrong
"Add a second VPN for redundancy" improves availability but leaves the trust model untouched — twice the flat-trust surface. "Widen the VPN to all employees permanently" scales the exact problem to everyone, increasing the blast radius of any stolen credential. "Trust the LAN but not the VPN" simply relocates the same flawed assumption: it still grants trust by location, just a different location, and an attacker on the LAN inherits that trust.
What an interviewer is probing
They want to hear that you target the trust model, not the plumbing. A strong architect names identity- and posture-based per-request authorization, least privilege, and segmentation, and can sketch a realistic migration — start with critical apps behind an identity-aware proxy, phase out flat VPN access — rather than buying more of the thing that already failed.
Likely follow-ups
- What signals would you use to make a per-request access decision in a zero-trust model?
- How do you migrate from a flat VPN to zero trust without breaking the business overnight?
- Where does microsegmentation fit alongside identity-based access?