What is it?
Key to adopting zero-trust architecture is the notion that inherent trust is removed from the internal network. Simply because people are connected to a network doesn't mean they should be able to access everything on that network.
In breaches it’s common to see an attacker gain access to a network and then move through the rest of the system, because from that point on everything on the network is trusted. If you remove trust from the network, you must instead gain confidence in your users, devices, and services. To achieve this, you must build trust in the users’ identity (through authentication), device health, and the services they access (authorization).
For zero trust to be effective, each person connected to a service is authenticated, and the device, user, and connection are authorized against rules and policies. These policies assess the amount of confidence you have in a user and their device, regardless of where the connection request comes from, and grant access to resources accordingly.
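
The per-request decision described above can be sketched as a small policy check. This is an added example, not code from the original page; the signal names, the scoring and the `POLICY` table are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# All names, signals and thresholds are constructed for illustration.
@dataclass(frozen=True)
class Request:
    user: str
    authenticated: bool    # identity verified for this request
    mfa: bool              # strong authentication was used
    device_managed: bool   # device is known / enrolled
    device_patched: bool   # device health signal
    source_ip: str         # kept for audit only, never used to grant trust
    resource: str

# Hypothetical policy: who may use each resource and how much confidence it needs.
POLICY = {
    "wiki":    {"min_confidence": 2, "allowed_users": {"alice", "bob"}},
    "payroll": {"min_confidence": 4, "allowed_users": {"alice"}},
}

def confidence(req: Request) -> int:
    """Score confidence in user and device; network location adds nothing."""
    if not req.authenticated:
        return 0
    return 1 + int(req.mfa) + int(req.device_managed) + int(req.device_patched)

def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason) for one request; anything unmatched is denied."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "no policy for resource"
    if not req.authenticated:
        return False, "user not authenticated"
    if req.user not in rule["allowed_users"]:
        return False, "user not authorized for resource"
    score = confidence(req)
    if score < rule["min_confidence"]:
        return False, f"confidence {score} below required {rule['min_confidence']}"
    return True, f"confidence {score} meets required {rule['min_confidence']}"

if __name__ == "__main__":
    # Constructed requests: an internal address earns no extra trust.
    inside = Request("alice", True, False, False, False, "10.0.0.5", "payroll")
    outside = Request("alice", True, True, True, True, "203.0.113.9", "payroll")
    print(decide(inside))   # denied: weak user and device signals
    print(decide(outside))  # allowed: strong signals, location irrelevant
```
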