The Five Pillars of Zero Trust

A Framework for Thinking About Modern Security

Zero Trust has become one of the most widely used and widely misunderstood concepts in cybersecurity.

We see it manifest as a Product Category, VPN Replacement (the version I dislike most), and slogans like – “Never Trust, Always Verify”.

Zero Trust isn’t a product, a feature, or a deployment model. It’s a structural shift in how organizations evaluate risk. Zero Trust reframes a single question at its code:

On what basis do we decide something should be trusted?

Model enterprises have become less centralized. Users, and the resources they need to work have become even more separate. Even amid current “return to office” initiatives, the use of Cloud IaaS and SaaS is quite prominent blurring the lines of the trusted and untrusted network.

In response organizations are attempt to extend the castle and moat into the cloud often compromising on speed, security, cost and ultimately risk.

Trust can no longer be anchored to network boundaries, perimeter ACLs, or implied containers. It must be continuously evaluated across multiple dimensions at the moment of access.

The birthplace of structured Zero Trust – NIST – offers a definition of those dimensions in the form of the Five Pillars of Zero Trust:

• Identity

• Devices

• Network

• Applications

• Data

Not as silos. Not as projects. But as intersecting perspectives that shape every access decision.

CISA further expands this model by emphasizing the operational foundation required to make the pillars cohesive.

CISA: https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf

Identity – The Centre of Gravity

The collapse of the traditional perimeter didn’t eliminate the need for a control plane. It shifted it.

Identity has become that control plane.

When a request is made, whether by a user, a service account, or an API, the first variable is identity. The strategic issue isn’t simply authentication. It’s confidence. How certain are we that the entity making the request is who (or what) it claims to be?

And just as importantly, how quickly can that confidence degrade?

Credential compromise is no longer an edge case; it is the dominant breach vector.

Identity assurance, privilege design, and lifecycle governance now sits at the heart of security strategy - not at its edge.

Devices – The Silent Risk Multiplier

An authenticated identity operating from a compromised device introduces ambiguity.

Endpoints are not static. Their posture changes. Their integrity fluctuates. Their risk profile shifts in real time. Zero Trust treats device state not as an afterthought, but as a live signal.

The strategic implication is subtle but important: access should not be granted solely because a login succeeded – as traditional VPN models assume. It should reflect the current condition of the environment from which the request originates.

This is where many implementations quietly fail, identity is verified, but the endpoint context and evolution are ignored.

Network – Transport Without Assumption

For decades, security architecture equated location with legitimacy. Inside meant trusted. Outside meant hostile.

Cloud adoption, remote work, and SaaS erased that distinction. The network still moves packets, but it no longer defines trust.

In a Zero Trust model, the transport layer becomes policy-driven rather than perimeter-driven. Segmentation matters not because of topology, but because of blast radius. Encryption matters not because it is fashionable, but because interception is assumed.

Trust is no longer inherited from adjacency.

Applications | Workloads | Resources – Where Authorization Becomes Real

Applications, workloads, and resources are where business value lives. They are also where assumptions accumulate. Concepts like “least privilege” are often declared but not meaningfully enforced at the workload itself.

Applications have historically been designed under the belief that anything reaching them had already been vetted by the network. That belief lingers in surprising places.

Zero Trust shifts enforcement closer to the workload. It assumes every request, even one that originated from a “trusted” source, requires contextual authorization.

This is less about adding controls and more about rethinking enforcement boundaries.

Data – The Objective, Not the Afterthought

All security architecture ultimately converges on one purpose: protecting data. Yet many organizations struggle to articulate which data is most critical, where it resides, or how it moves.

Without that clarity, Zero Trust becomes abstract.

Data sensitivity should influence access decisions. Context should influence exposure tolerance. Visibility should shape policy.

When data is invisible, strategy becomes guesswork.

The Underlay – What Makes the Pillars Work

The pillars operate in an ecosystem of interdependence, supported by an operational foundation that enables strategic outcomes:

·         Governance: The intent behind Zero Trust - how identity, access, data sensitivity, and risk decisions are owned, reviewed, and enforced consistently across the organization.

·         Visibility & Analytics: Zero Trust depends on context; visibility and analytics transform raw telemetry across identities, devices, networks, applications, and data into actionable, risk-informed decisions.

·         Automation & Orchestration: Contextual trust decisions must occur continuously and at scale - automation and orchestration make Zero Trust enforceable rather than aspirational.

The Intersection

Individually, each pillar addresses a different dimension of trust. Collectively, they form a decision model.

Every access event, human or machine, sits at the intersection of identity, device state, transport conditions, workload enforcement, and data sensitivity.

The strength of a Zero Trust strategy isn’t measured by how advanced each pillar is in isolation. It’s measured by how cohesively they inform one another.