Skip to content
English

Zero Trust: The Perimeter Is Now Identity

I begin 2021 with a conviction I have been repeating for months in every conversation with clients and with my own team: the security perimeter, as we knew it, no longer exists. For years we protected organizations as if they were a castle with a moat around it: a firewall at the edge, a VPN to get in, and the reassuring idea that everything "inside" could be trusted. That model broke, and the past year finished burying it. When your people, your applications, and your data live scattered across the cloud, the offices, and every employee's home, where is the edge you were supposed to defend? My answer, and that of much of the industry, is Zero Trust.

The short version: Zero Trust is a security approach built on a simple principle: "never trust, always verify." Instead of trusting a network, every access is verified based on identity, device, and context. It is not a product you buy but a strategy you adopt in phases.

What is Zero Trust, in plain words?

Zero Trust is a security architecture model that eliminates the notion of a "trusted network." Under this approach, no user, device, or application is trusted by default, regardless of whether it sits inside or outside the corporate network. Every access request is treated as if it originated from an open, hostile network, and therefore must be authenticated, authorized, and validated before it is granted.

The phrase that best sums it up is the one I already cited: "never trust, always verify." In practice, this means we stop asking "are you inside my network?" and start asking "who are you, from what device, under what conditions, and to do exactly what?" That question repeats on every access, not just once at the start of the session.

Why did the traditional perimeter die?

The castle-and-moat model worked when almost everything lived inside an owned data center and people worked from the office. That reality faded, for several reasons that now coexist:

  • The cloud. Your critical applications are no longer behind your firewall; they live in third-party services accessed over the internet.
  • Remote work. The past year pushed millions of employees to connect from home, on networks and devices you don't fully control.
  • Mobility. Laptops, phones, and tablets cross the perimeter several times a day.
  • Lateral movement. In the old model, an attacker who managed to get in was "inside" and could move around with relative freedom. The implicit trust of the internal network became the attacker's greatest ally.

The edge did not disappear because someone decided so: it dissolved because work changed. Defending a line that no longer exists is spending effort in the wrong place.

The pillars of Zero Trust

When I guide an organization down this path, I insist that Zero Trust is not a tool but the sum of several pillars that reinforce one another. These are the ones I consider essential:

Identity as the new perimeter

If we can no longer trust the network, identity becomes the central control point. Knowing with certainty who is requesting access is the foundation for everything else. That is why multi-factor authentication (MFA) stops being optional and becomes the bedrock. The user's identity, combined with the device's, defines what each person can see and do.

Microsegmentation

Instead of one large flat network where everything talks to everything, microsegmentation divides the environment into small, isolated zones. That way, if an attacker compromises one segment, they don't gain free access to the rest. Lateral movement—precisely what causes the most damage in an incident—is contained.

Least privilege

Each user and each system should have only the permissions needed for their task, not one more. The principle of least privilege reduces the attack surface: if an account is compromised, the potential damage is limited to the little that account could do.

Continuous verification

Trust is not granted permanently. Access is continuously reassessed based on context: location, device posture, time of day, behavior. If something changes and looks anomalous, a fresh verification is required or access is revoked. The session is never a blank check.

How do you start without stalling operations?

This is the question I get most, and I understand the concern: no one wants to paralyze the business in the name of security. The good news is that Zero Trust is not implemented overnight or through a single giant project. It is adopted in phases, prioritizing what protects the most value. A reasonable path usually looks like this:

  • Phase 1 — Visibility. Before protecting, you have to understand. Identify your users, your devices, your applications, and above all your most sensitive data and how it flows.
  • Phase 2 — Strong identity. Deploy MFA broadly and consolidate identity management. This is usually the highest-impact, lowest-effort step.
  • Phase 3 — Least-privilege access. Review and adjust permissions. Replace broad, permanent access with scoped, justified access.
  • Phase 4 — Segmentation. Begin microsegmenting your most critical workloads and data, not the entire network at once.
  • Phase 5 — Monitoring and continuous verification. Connect telemetry to a monitoring process that evaluates context in real time and responds to anomalies.

Each phase delivers value on its own. You don't have to wait until the end to be more secure: your posture improves with every step.

Where does monitoring fit into all this?

I want to dwell on a point that sometimes takes a back seat. Zero Trust generates many access decisions and many signals: who came in, from where, what they tried to do. All that information only matters if someone observes it, correlates it, and acts. Continuous verification needs eyes. That is why a mature Zero Trust strategy relies on continuous monitoring capabilities, whether with an in-house team or a specialized service such as a SOC that watches and responds around the clock. Without that layer, Zero Trust remains intention rather than practice.

In our cybersecurity practice we address this in an integrated way: the architecture, the identity, and the monitoring operation are designed together, not as loose pieces.

Frequently asked questions

Does Zero Trust mean I no longer need a firewall or VPN?
Not exactly. It means they stop being your only line of defense and that trust is no longer based solely on being connected to the network. Traditional tools can remain in place, but subordinate to identity and context verification.

Is Zero Trust only for large enterprises?
No. The principle of "never trust, always verify" applies to any organization. In fact, starting with identity and MFA is accessible to companies of any size and delivers protection from day one.

How long does it take to implement Zero Trust?
It is not a project with a single end date but a model adopted and matured in phases. The first phases can show visible results in short timeframes; full maturity is a continuous journey.

Does Zero Trust replace the security team?
On the contrary. It empowers them. Technology enforces the policies, but continuous verification and response to anomalies still require human judgment and solid processes.

The first step

If I leave you with one thing from this start-of-year reflection, it is this: don't wait until you have "everything ready" to begin. Zero Trust is built in phases, and the first one—gaining visibility and strengthening identity—already puts you in a much better position. My practical recommendation is to start with an honest assessment of where your organization stands today against these pillars, and from there chart a realistic roadmap.

At SUMāTO we accompany that journey, from the assessment to the operation. If you want to talk about how to take the first step toward a Zero Trust model in your organization, reach us at https://sumatogroup.com/contacto and we'll help you define where to begin.