Zero Trust Security
A security model that eliminates implicit trust based on network location, requiring continuous verification of every user, device, and access request regardless of where it originates.
Also known as: zero-trust architecture, ZTA, never trust always verify
Last reviewed: 10 June 2026
Traditional perimeter security assumed that anyone already inside the corporate network could be trusted and that only external connections needed scrutiny. That model breaks down as soon as an attacker gains an internal foothold, typically through compromised credentials or a phishing attack, because from that point on they are "inside" and face little further checking. Zero trust inverts the assumption: no user, device, or application is trusted by default, even when it is inside the network perimeter. Every access request is authenticated and authorised on its own merits, and access that has already been granted is re-evaluated as context changes (for example, when a device falls out of compliance or a session's risk signals change) rather than being trusted for the life of a login.
Key principles include strong identity verification for all users, device health checks, least-privilege access (each entity accesses only what it specifically needs), micro-segmentation (dividing networks into small zones so a compromised machine cannot reach unrelated resources), and comprehensive logging to detect anomalies.
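To make those principles concrete, the following is an added example (not code from the original page) of a minimal policy decision point: each request is checked for strong identity (MFA), device health, least privilege, and network segment, and every decision is logged. Network location is recorded but deliberately never used as a trust factor. All users, devices, resources, zones and policy entries are constructed sample data with hypothetical names.

```python
"""Added example, not code from the original page: a minimal zero-trust policy
decision point. Every request is checked for strong identity (MFA), device
health, least privilege, and micro-segmentation, and every decision is logged.
Network location is recorded but deliberately never used as a trust factor.
All users, devices, resources and zones are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Request:
    user: str
    mfa_verified: bool       # strong identity verification
    device_id: str
    resource: str
    action: str
    source_network: str      # logged only; "corporate-lan" earns no trust


# Constructed sample policy data (hypothetical names)
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "analyst": {("reports-db", "read")},                       # least privilege
    "dba": {("reports-db", "read"), ("reports-db", "write"),
            ("backup-share", "write")},
}
USER_ROLES: Dict[str, str] = {"alice": "analyst", "bob": "dba"}
# Micro-segmentation: a resource is reachable only from devices in its own zone
RESOURCE_ZONE: Dict[str, str] = {"reports-db": "data", "backup-share": "storage"}
DEVICE_ZONE: Dict[str, str] = {"laptop-01": "data", "laptop-02": "data"}


@dataclass
class PolicyEngine:
    # Device posture is mutable state: a device can fall out of compliance
    # mid-session, and continuous evaluation must catch that.
    device_compliant: Dict[str, bool]
    log: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def evaluate(self, req: Request) -> Tuple[bool, str]:
        allowed, reason = self._decide(req)
        # Comprehensive logging: record allow and deny alike, with source network
        self.log.append((req.user, req.source_network,
                         "ALLOW" if allowed else "DENY", reason))
        return allowed, reason

    def _decide(self, req: Request) -> Tuple[bool, str]:
        if not req.mfa_verified:
            return False, "identity not strongly verified (no MFA)"
        if not self.device_compliant.get(req.device_id, False):
            return False, f"device {req.device_id} unknown or non-compliant"
        role = USER_ROLES.get(req.user)
        if role is None or (req.resource, req.action) not in ROLE_PERMISSIONS.get(role, set()):
            return False, f"{req.user} has no {req.action} right on {req.resource}"
        if DEVICE_ZONE.get(req.device_id) != RESOURCE_ZONE.get(req.resource):
            return False, f"{req.resource} is not in the device's network segment"
        return True, "identity, device, privilege and segment checks passed"


def demo() -> Tuple[Dict[str, bool], List[Tuple[str, str, str, str]]]:
    """Run the sample scenarios; return each verdict by name plus the decision log."""
    engine = PolicyEngine(device_compliant={"laptop-01": True, "laptop-02": False})
    base = dict(user="alice", mfa_verified=True, device_id="laptop-01",
                resource="reports-db", action="read")
    results = {
        # Same request from inside and outside the perimeter: identical verdicts
        "alice_from_lan": engine.evaluate(Request(**base, source_network="corporate-lan"))[0],
        "alice_from_internet": engine.evaluate(Request(**base, source_network="internet"))[0],
        # Inside the LAN but without MFA: location does not substitute for identity
        "alice_lan_no_mfa": engine.evaluate(Request(**{**base, "mfa_verified": False},
                                                    source_network="corporate-lan"))[0],
        # Least privilege: an analyst cannot write, even on a healthy device
        "alice_write": engine.evaluate(Request(**{**base, "action": "write"},
                                               source_network="corporate-lan"))[0],
        # A non-compliant device is refused regardless of who is using it
        "bob_bad_device": engine.evaluate(Request(user="bob", mfa_verified=True,
            device_id="laptop-02", resource="reports-db", action="write",
            source_network="corporate-lan"))[0],
        # Micro-segmentation: bob may write backup-share, but not from the data zone
        "bob_cross_segment": engine.evaluate(Request(user="bob", mfa_verified=True,
            device_id="laptop-01", resource="backup-share", action="write",
            source_network="corporate-lan"))[0],
    }
    # Continuous evaluation: the device drops out of compliance mid-session and
    # the previously allowed request is re-checked and now denied.
    engine.device_compliant["laptop-01"] = False
    results["alice_after_posture_change"] = engine.evaluate(
        Request(**base, source_network="corporate-lan"))[0]
    return results, engine.log


if __name__ == "__main__":
    verdicts, log = demo()
    for name, allowed in verdicts.items():
        print(f"{name:28s} {'ALLOW' if allowed else 'DENY'}")
    print(f"{len(log)} decisions logged")
```

The point of the two "alice" requests is that the verdict is the same from the corporate LAN and from the internet; the only thing the network field does is appear in the log. The posture-change step at the end is what distinguishes continuous evaluation from a one-time login check: the same request that was allowed a moment earlier is denied once the device is no longer healthy.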
For consumers, the direct relevance of zero trust is limited to understanding why organisations they deal with may require step-up authentication for sensitive actions and may frequently re-verify identity. More broadly, zero trust principles — verifying before trusting, limiting what any single access grants — are sound personal security habits: multi-factor authentication, separate email addresses per purpose, and reviewing app permissions all reflect zero-trust thinking at the individual level.