Key takeaways
Zero trust means no user, device, or service is trusted by default, inside or outside the network perimeter. Every request gets verified on its own merits, every time. For cloud environments this replaces the old model of a secure internal network with a model where identity, device posture, and context decide access on every single call.
Most startups can implement the core of zero trust in 90 days using tools they already have in AWS, Azure, or GCP, without buying a dedicated platform.
Zero trust gets thrown around as a buzzword so often that most people have stopped asking what it actually means. Vendors slap it on every product slide. Security teams nod along in meetings without a shared definition. Somewhere in that noise, a genuinely useful idea gets lost.
Here is the useful idea, stripped of the marketing. Stop trusting things just because they are inside your network. Verify every request, every time, based on who is asking, what device they are using, and what they are trying to do.
That is it. Everything else is implementation detail. This post is the plain-language version we walk clients through before we touch a single configuration. What zero trust actually replaces, why the cloud makes it necessary rather than optional, and how to build the core of it without buying a dedicated platform on day one.
What does zero trust actually mean in practice?
Zero trust is a security model where no user, device, or service is trusted by default, regardless of whether it sits inside or outside the traditional network perimeter. Every access request is verified based on identity, device posture, and context at the moment of the request, not granted once and assumed valid forever. NIST formalised this in Special Publication 800-207, defining zero trust as an approach that eliminates implicit trust and continuously validates every stage of a digital interaction.
The old model, often called perimeter security or castle-and-moat, assumed that anything inside the network was safe and anything outside was dangerous. Build a strong wall (firewall), guard the gate (VPN), and trust everyone who makes it through.
That model made sense when applications lived in one data centre and employees worked from one office. It stopped making sense the moment companies moved to the cloud, adopted remote work, and started connecting dozens of third-party services to their core systems. The wall stopped meaning anything because there was no longer a single perimeter to defend.
Zero trust replaces the wall with a checkpoint at every door. Every request, whether it comes from inside the office network or from a laptop in a coffee shop, goes through the same verification. Nothing gets a free pass because of where it is coming from.
Why does the cloud make zero trust necessary instead of optional?
Cloud environments make zero trust necessary because there is no single network perimeter left to defend. Workloads span multiple cloud providers, employees connect from anywhere, third-party APIs integrate directly into production systems, and infrastructure changes daily through automation. The traditional security model of a trusted internal network simply does not exist anymore. Recent industry data shows that 80 percent of security breaches now involve compromised identities rather than network-level exploits, which is exactly the attack surface zero trust is designed to close.
Three cloud-specific realities that broke the old perimeter model:
- Multi-cloud and hybrid environments. A typical startup today runs workloads across AWS, a SaaS tool that touches production data, a CI/CD pipeline hosted elsewhere, and an on-premises legacy system nobody wants to migrate yet. There is no single network boundary that contains all of that.
- Remote and distributed teams. The office network used to be the trust boundary. Now half the engineering team works from home, a co-working space, or a different country entirely. VPN access from anywhere is functionally the same as no perimeter.
- API-first architecture. Modern applications are built from dozens of services talking to each other and to external APIs. Each of those connections is a potential access point. Trusting internal traffic by default means trusting every microservice, every third-party integration, and every automated script equally, which is precisely the assumption attackers exploit when they compromise one weak link.
What are the core principles that any real zero trust implementation follows?
Every credible zero trust implementation rests on five core principles. These apply regardless of which cloud provider or vendor tools you use.
- Verify explicitly. Every access decision uses multiple signals together: user identity, device health, location, time of request, and the sensitivity of the resource being accessed. A login from a managed corporate laptop during business hours looks different from the same credentials logging in from an unrecognised device at 3am. Zero trust systems weigh all of these signals, not just the password.
- Least-privilege access. Every identity, human or machine, gets only the permissions needed for its specific task, scoped as narrowly as possible and often granted only for the duration of the task. This is the same principle IAM hygiene depends on, applied consistently across the entire environment.
- Assume breach. Zero trust architecture is designed on the assumption that an attacker has already compromised something. The question shifts from "how do we keep attackers out" to "how do we limit what they can do once they are in."
- Micro-segmentation. Instead of one flat network where anything can talk to anything, the environment gets divided into small segments with explicit rules for what can communicate with what. A compromised web server should not be able to directly reach the payments database just because they happen to sit in the same VPC.
- Continuous monitoring. Access is not verified once at login and then trusted for the rest of the session. Zero trust systems continuously evaluate context throughout a session and can revoke access mid-session if something changes.
Perimeter security vs zero trust: how do the two models actually differ?
The clearest way to understand zero trust is to compare it directly against the perimeter model it replaces. The table below shows the same six scenarios evaluated under each model.
| Scenario | Perimeter model | Zero trust model |
|---|---|---|
| Employee connects from home | VPN grants full network access | Identity and device verified per request |
| Service A calls Service B internally | Trusted because same VPC | Verified via mTLS and service identity |
| Compromised credential used | Full access until manually revoked | Continuous checks limit blast radius |
| Third-party API integration | Broad API key with wide access | Scoped token, narrow permissions, short-lived |
| New device joins the network | Trusted once connected to VPN | Device posture checked before any access |
| Contractor with temporary access | Standing VPN credentials | Time-boxed, scoped, automatically expiring |
Notice the pattern across every row. Perimeter security asks one question, at one point in time: are you inside the network? Zero trust asks a fuller question, continuously: who are you, what are you using, what are you trying to do, and does that match what we would expect right now?
How do you actually implement zero trust in AWS, Azure, or GCP?
Implementing zero trust in a major cloud provider does not require buying a dedicated platform on day one. AWS, Azure, and GCP each provide native building blocks. Most startups can implement 70 to 80 percent of a working zero trust model using tools already included in their cloud subscription.
The practical build order for a small team:
- Start with identity. Move every human off long-lived credentials and onto IAM Identity Center, Azure AD, or Google Identity with mandatory MFA.
- Segment the network. Move from one flat VPC to separate subnets for public-facing services, application logic, and data stores, with tight security groups.
- Add service identity for internal traffic. Use IAM roles, service accounts, or mutual TLS so services verify each other's identity before processing requests.
- Scope every API key and token narrowly. Replace broad, long-lived API keys for third-party integrations with scoped, short-lived tokens.
- Turn on continuous monitoring. CloudTrail, GuardDuty, and VPC Flow Logs together give you the visibility needed to detect abnormal behavior.
None of these five steps require a dedicated zero trust vendor. They require configuration discipline and a few weeks of focused work.
What role does device posture play in a real zero trust setup?
Device posture checks verify that the device requesting access meets your security baseline before granting that access, regardless of who is logging in. A verified user on a compromised or outdated device is still a risk.
This is the piece most startups skip entirely, usually because it feels operationally heavy. It does not have to be.
A minimum viable version looks like this: Require company laptops to be enrolled in a basic mobile device management tool. Require disk encryption and an up-to-date operating system before a device can authenticate to production systems. Block access from personal, unmanaged devices to anything touching customer data or production infrastructure.
Where do most companies get zero trust wrong?
The five most common zero trust implementation mistakes are more about process than technology:
- Treating it as a product. Buying a zero trust product without doing the underlying identity and segmentation work ends up with an expensive dashboard layered on top of the same trust assumptions.
- Trying to do everything at once. A full rollout touching every system simultaneously creates friction. The teams that succeed phase the rollout, starting with high-risk systems.
- Ignoring service-to-service traffic. A zero trust model that only covers human access is half a zero trust model. Lateral movement happens internally between services.
- Skipping device posture. Deferred long enough, it never happens, leaving a permanent gap where a compromised device with valid credentials sails through untouched.
- No change management. Rolling out strict policies without preparing the team creates friction, and engineers will find a workaround. That workaround usually becomes a permanent hole.
How do you build zero trust in 90 days without stalling the team?
A practical 90-day zero trust rollout runs in three phases:
- Month one: covers identity. Move to IAM Identity Center, enforce MFA everywhere, eliminate long-lived credentials.
- Month two: covers network and service identity. Segment the VPC, scope security groups tightly, add service-to-service authentication for internal traffic.
- Month three: covers monitoring and device posture. Turn on continuous logging and alerting, roll out basic device management, and run a tabletop exercise.
Start with your highest-value target (production data access). Give every policy change an exception path to avoid unauthorized workarounds. Measure before and after to prove the architecture is working.
Should you build zero trust in-house or bring in help?
Teams with a security-minded engineer and existing familiarity with their cloud provider's IAM system can build the core of zero trust in-house over a 90-day sprint. Teams facing a compliance deadline usually benefit from outside help to move faster and avoid common implementation mistakes.
Honest disclosure. Arclogiq builds zero trust architecture for fintech, NBFC, and SaaS clients as part of our broader AWS and cloud security work. We start with the identity foundation, move through network segmentation, and layer in continuous monitoring, using native cloud tools before recommending any additional platform spend. If you are staring down an audit finding that references zero trust, we will tell you honestly when native tools are enough and you do not need us at all.
Three things to do this week
Pick three concrete actions to finish in the next seven days:
- List every standing VPN or network-level access grant your team currently has and identify which ones could be replaced with per-request identity verification instead.
- Check whether your internal service-to-service traffic is verified at all, or simply trusted because it originates inside the same VPC.
- Confirm whether any personal, unmanaged devices currently have access to production systems or customer data.
Most teams find the answer to the second question uncomfortable. That discomfort is useful. It tells you exactly where to start.
Frequently asked questions
Is zero trust the same as a VPN?
No. A VPN grants broad network access once a user authenticates, after which traffic is generally trusted. Zero trust verifies every individual request continuously, regardless of whether the user is connected through a VPN, a direct connection, or any other method. Many organisations use VPNs as one input signal within a zero trust model, but a VPN alone is the opposite of zero trust.
Does zero trust require buying new security tools?
Not necessarily. The core of a zero trust architecture, including identity federation, MFA, network segmentation, and continuous logging, can be built using native tools already included in AWS, Azure, and Google Cloud subscriptions. Most startups can implement 70 to 80 percent of a working model without any additional platform purchase.
How long does a zero trust implementation typically take?
A functional core implementation covering identity, basic network segmentation, and continuous monitoring typically takes 90 days for a small to mid-size startup working with existing native cloud tools. Full maturity, including comprehensive device posture management and service mesh coverage, often takes 6 to 12 months.
Is zero trust required for SOC 2 or PCI DSS compliance?
Neither SOC 2 nor PCI DSS explicitly mandates a framework called zero trust by name, but both require controls that zero trust architecture naturally satisfies, including strong access controls, continuous monitoring, and the principle of least privilege.
What is the difference between zero trust and defence in depth?
Defence in depth is the broader strategy of layering multiple independent security controls so that a failure in one layer does not compromise the whole system. Zero trust is a specific architectural approach within that broader strategy, focused on eliminating implicit trust and verifying every access request individually. Zero trust is one of the strongest layers within a defence in depth strategy, but the two terms are not interchangeable.