Zero trust is an architecture, not a product you can buy. A practical path from perimeter security to identity-aware access.
Zero trust has been thoroughly marketed into meaninglessness. Stripped of the hype, it is a simple principle: never trust the network, always verify identity and device, and grant least privilege per request.
You cannot buy zero trust. You implement it — incrementally — by moving access decisions from the network perimeter to identity-aware policy enforced close to each resource.
The pragmatic path starts with strong identity and phishing-resistant MFA, then gates applications behind identity-aware proxies, and finally encodes access policy as code so it is reviewable and auditable.
```rego
# Decisions move from the network perimeter to identity-aware policy,
# enforced close to each resource — reviewable and auditable.
package authz

# Needed for the `if` and `in` keywords on OPA releases before 1.0; harmless on 1.0+.
import rego.v1

# Deny by default: a request is allowed only when every check below holds.
default allow := false

allow if {
    input.user.mfa == "phishing_resistant"
    input.device.compliant == true
    input.resource.classification != "restricted"
    input.action in data.roles[input.user.role].permits
}
```
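The same per-request decision, reimplemented in Python as an added example (not code from the original page) so each deny carries a reason code and every decision emits an audit line; it also goes one step beyond the policy above by showing that an unknown role is a deny rather than a lookup error. The Request class, decide, audit_record and the ROLES table are assumed names and constructed sample data.

```python
from dataclasses import dataclass
import json


@dataclass(frozen=True)
class Request:
    """Everything the policy needs about one request (assumed shape)."""
    user: str
    role: str
    mfa: str              # e.g. "phishing_resistant", "totp", "none"
    device_compliant: bool
    resource: str
    classification: str   # e.g. "internal", "restricted"
    action: str


# Constructed sample role table standing in for data.roles[...].permits.
ROLES = {
    "engineer": frozenset({"read", "deploy"}),
    "analyst": frozenset({"read"}),
}


def decide(req: Request, roles=ROLES) -> tuple[bool, str]:
    """Default deny: every check must pass for this single request.

    Returns (allowed, reason). A role missing from the table yields an
    empty permit set, so a lookup failure can never fall through to allow.
    """
    if req.mfa != "phishing_resistant":
        return False, "mfa_not_phishing_resistant"
    if not req.device_compliant:
        return False, "device_not_compliant"
    if req.classification == "restricted":
        return False, "resource_restricted"
    if req.action not in roles.get(req.role, frozenset()):
        return False, "action_not_permitted_for_role"
    return True, "all_checks_passed"


def audit_record(req: Request, roles=ROLES) -> str:
    """One JSON line per decision so allows and denies are reviewable."""
    allowed, reason = decide(req, roles)
    return json.dumps({"user": req.user, "resource": req.resource,
                       "action": req.action, "allowed": allowed,
                       "reason": reason}, sort_keys=True)


if __name__ == "__main__":
    demo = Request("alice", "engineer", "phishing_resistant", True,
                   "ci", "internal", "deploy")
    print(audit_record(demo))
    print(audit_record(Request("bob", "contractor", "phishing_resistant",
                               True, "ci", "internal", "read")))
```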