I begin 2021 with a conviction I have been repeating for months in every conversation with clients and with my own team: the security perimeter, as we knew it, no longer exists. For years we protected organizations as if they were a castle with a moat around it: a firewall at the edge, a VPN to get in, and the reassuring idea that everything "inside" could be trusted. That model broke, and the past year finished burying it. When your people, your applications, and your data live scattered across the cloud, the offices, and every employee's home, where is the edge you were supposed to defend? My answer, and that of much of the industry, is Zero Trust.
The short version: Zero Trust is a security approach built on a simple principle: "never trust, always verify." Instead of trusting a network, every access is verified based on identity, device, and context. It is not a product you buy but a strategy you adopt in phases.
Zero Trust is a security architecture model that eliminates the notion of a "trusted network." Under this approach, no user, device, or application is trusted by default, regardless of whether it sits inside or outside the corporate network. Every access request is treated as if it originated from an open, hostile network, and therefore must be authenticated, authorized, and validated before it is granted.
The phrase that best sums it up is the one I already cited: "never trust, always verify." In practice, this means we stop asking "are you inside my network?" and start asking "who are you, from what device, under what conditions, and to do exactly what?" That question repeats on every access, not just once at the start of the session.
The castle-and-moat model worked when almost everything lived inside an owned data center and people worked from the office. That reality faded, for several reasons that now coexist:
The edge did not disappear because someone decided so: it dissolved because work changed. Defending a line that no longer exists is spending effort in the wrong place.
When I guide an organization down this path, I insist that Zero Trust is not a tool but the sum of several pillars that reinforce one another. These are the ones I consider essential:
If we can no longer trust the network, identity becomes the central control point. Knowing with certainty who is requesting access is the foundation for everything else. That is why multi-factor authentication (MFA) stops being optional and becomes the bedrock. The user's identity, combined with the device's, defines what each person can see and do.
Instead of one large flat network where everything talks to everything, microsegmentation divides the environment into small, isolated zones. That way, if an attacker compromises one segment, they don't gain free access to the rest. Lateral movement—precisely what causes the most damage in an incident—is contained.
Each user and each system should have only the permissions needed for their task, not one more. The principle of least privilege reduces the attack surface: if an account is compromised, the potential damage is limited to the little that account could do.
Trust is not granted permanently. Access is continuously reassessed based on context: location, device posture, time of day, behavior. If something changes and looks anomalous, a fresh verification is required or access is revoked. The session is never a blank check.
This is the question I get most, and I understand the concern: no one wants to paralyze the business in the name of security. The good news is that Zero Trust is not implemented overnight or through a single giant project. It is adopted in phases, prioritizing what protects the most value. A reasonable path usually looks like this:
Each phase delivers value on its own. You don't have to wait until the end to be more secure: your posture improves with every step.
I want to dwell on a point that sometimes takes a back seat. Zero Trust generates many access decisions and many signals: who came in, from where, what they tried to do. All that information only matters if someone observes it, correlates it, and acts. Continuous verification needs eyes. That is why a mature Zero Trust strategy relies on continuous monitoring capabilities, whether with an in-house team or a specialized service such as a SOC that watches and responds around the clock. Without that layer, Zero Trust remains intention rather than practice.
In our cybersecurity practice we address this in an integrated way: the architecture, the identity, and the monitoring operation are designed together, not as loose pieces.
Does Zero Trust mean I no longer need a firewall or VPN?
Not exactly. It means they stop being your only line of defense and that trust is no longer based solely on being connected to the network. Traditional tools can remain in place, but subordinate to identity and context verification.
Is Zero Trust only for large enterprises?
No. The principle of "never trust, always verify" applies to any organization. In fact, starting with identity and MFA is accessible to companies of any size and delivers protection from day one.
How long does it take to implement Zero Trust?
It is not a project with a single end date but a model adopted and matured in phases. The first phases can show visible results in short timeframes; full maturity is a continuous journey.
Does Zero Trust replace the security team?
On the contrary. It empowers them. Technology enforces the policies, but continuous verification and response to anomalies still require human judgment and solid processes.
If I leave you with one thing from this start-of-year reflection, it is this: don't wait until you have "everything ready" to begin. Zero Trust is built in phases, and the first one—gaining visibility and strengthening identity—already puts you in a much better position. My practical recommendation is to start with an honest assessment of where your organization stands today against these pillars, and from there chart a realistic roadmap.
At SUMāTO we accompany that journey, from the assessment to the operation. If you want to talk about how to take the first step toward a Zero Trust model in your organization, reach us at https://sumatogroup.com/contacto and we'll help you define where to begin.