Zero Trust
A security model based on "never trust, always verify." No user, device, or system is trusted by default regardless of location. Every access request must be authenticated, authorized, and validated.
Never Trust, Always Verify
The core principle of Zero Trust. Trust is never assumed β it must be continuously earned and verified through authentication, authorization, and contextual evaluation.
Perimeter Security
Traditional security model relying on a strong outer boundary (firewall) while trusting internal traffic. Zero Trust replaces this assumption β internal traffic is not automatically trusted.
Lateral Movement
An attacker's ability to move from one system to another within a network after gaining initial access. Traditional perimeter models allow extensive lateral movement; Zero Trust severely restricts it.
Adaptive Identity
A Zero Trust mechanism that evaluates multiple contextual risk indicators β user's relationship to the organization, geographic location, device type, IP reputation, connection type β to dynamically adjust authentication requirements.
Data Plane
The part of a network device or architecture that processes and forwards actual network traffic (frames, packets). Performs: forwarding, NAT, encryption, trunking. Where data physically moves.
Control Plane
Manages the behavior of the data plane. Defines policies, rules, routing tables, session tables, and NAT tables. Determines how the data plane should handle traffic. Configuration occurs in the control plane.
Policy Enforcement Point (PEP)
The gatekeeper in Zero Trust architecture. All traffic passes through the PEP. It allows, monitors, and terminates connections based on decisions received from the Policy Decision Point. Can be multiple components working together.
Policy Decision Point (PDP)
The decision-making component in Zero Trust. Consists of the Policy Engine (decides) and Policy Administrator (implements). Evaluates access requests and determines grant/deny/revoke.
Policy Engine
Part of the PDP. Evaluates every access request against predefined security policies and contextual data (user identity, device status, threat intel, location). Makes the grant/deny/revoke decision.
Policy Administrator
Part of the PDP. Takes the Policy Engine's decision and implements it. Generates access tokens or credentials, communicates with the PEP, and can escalate authentication requirements if needed.
Security Zone
A logical or physical network segment with defined trust levels. Examples: Trusted (corporate), Untrusted (internet), Internal (data center). Traffic between zones is governed by explicit policies.
Trusted Zone
A network segment granted a higher level of implicit trust, typically for internal corporate users at a verified location. Still subject to Zero Trust verification despite the zone name.
Untrusted Zone
A network segment with no assumed trust, typically the public internet. Traffic from the untrusted zone to a trusted zone is automatically denied or requires strict verification.
Implicit Trust
In security zones, some zone-to-zone relationships have implicit trust (e.g., Trusted β Internal). This does NOT mean no verification β it means the zone relationship allows traffic under verified conditions, unlike Untrusted β Trusted which is denied by default.
Threat Scope Reduction
A Zero Trust goal: limit the number of possible entry points and attack paths. Fewer entry points = smaller attack surface = reduced blast radius if a breach occurs.