Zero Trust means: no implicit trust from network location. Every request, internal or external, is authenticated, authorized, encrypted. Replaces the old 'castle-and-moat' (trust the LAN, defend the perimeter) with 'verify always, regardless of where the request came from'.


The core principles

Verify explicitly: every request authenticated. Least privilege: minimal access scoped to the task. Assume breach: design as if attackers are already inside. Encrypt everywhere: data in transit AND at rest, including inside your VPC.

Identity-driven access

Every workload has an identity (SPIFFE ID, IAM role, service account). Every resource has a policy (who can access). Authorization decisions check identity vs policy, not source IP. This decouples access from network topology.


Network as enforcement, not boundary

Network policies still enforce who can talk to whom (Calico or Cilium enforcing NetworkPolicy in Kubernetes). But the network is no longer the security boundary — identity is. Network policy is defense-in-depth: a second, coarser control that limits blast radius when an identity check is misconfigured or bypassed.
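As an added example (not from the original page), the Kubernetes NetworkPolicy pattern that turns the network into an enforcement layer: first a default deny for every pod in the namespace, then a narrow allow. The namespace, labels and port are constructed; the policy shape is the standard networking.k8s.io/v1 API, which Calico and Cilium both enforce.

```yaml
# Default deny for every pod in the namespace: nothing in, nothing out.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: prod            # constructed namespace
spec:
  podSelector: {}            # empty selector = all pods in the namespace
  policyTypes: ["Ingress", "Egress"]
---
# Then allow only the one path the application needs:
# pods labelled app=orders-api may reach app=orders-db on TCP 5432.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: orders-db-from-orders-api
  namespace: prod
spec:
  podSelector:
    matchLabels:
      app: orders-db         # the workload being protected
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: orders-api   # the only permitted caller
      ports:
        - protocol: TCP
          port: 5432
```

Two caveats a rollout will hit: a default-deny Egress rule also blocks DNS, so add an egress allow to the cluster DNS service on port 53 (UDP and TCP) before applying it cluster-wide; and this selects callers by pod label, not by cryptographic identity, which is why the text treats it as defense-in-depth rather than the primary control.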

Migration from perimeter trust

You can't go zero-trust overnight. Phased approach: 1) inventory all services and the identities they run as, 2) put internal traffic on mTLS (usually via a service mesh), 3) replace IP-based access lists with identity-based policy, 4) remove implicit-trust networks (VPNs, jump boxes), 5) add continuous verification (re-authenticate periodically rather than once per session).
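The following is an added example, not code from the original page, illustrating both the identity-driven access section and migration step 3 (and step 5's re-verification). It contrasts a legacy IP allowlist with an authorization check that uses only the caller's workload identity, a policy table, and the freshness of the last verification. The SPIFFE IDs, resource names, trusted range and 300-second interval are constructed; the peer-certificate dict mirrors the shape Python's ssl.SSLSocket.getpeercert() returns, where SPIFFE carries the identity in a URI subjectAltName.

```python
import fnmatch
import ipaddress
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed policy table: resource -> [(SPIFFE ID pattern, allowed actions)].
# Patterns use fnmatch, so "spiffe://example.org/ns/prod/sa/*" would also work.
POLICY = {
    "orders-db": [
        ("spiffe://example.org/ns/prod/sa/orders-api", {"read", "write"}),
        ("spiffe://example.org/ns/prod/sa/reporting", {"read"}),
    ],
    "payments": [
        ("spiffe://example.org/ns/prod/sa/checkout", {"charge"}),
    ],
}

# Continuous verification: how long a verified identity stays fresh (assumed value).
REAUTH_INTERVAL_S = 300.0

# Legacy perimeter assumption being migrated away from: "10/8 is the LAN, trust it".
LEGACY_TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Request:
    spiffe_id: Optional[str]   # workload identity from the mTLS peer cert; None if absent
    source_ip: str             # kept for logging only; never an input to the decision
    resource: str
    action: str
    authenticated_at: float    # epoch seconds when the identity was last verified


def spiffe_id_from_peercert(cert: dict) -> Optional[str]:
    """Extract the SPIFFE ID from a cert in ssl getpeercert() dict format.
    Returns None when no spiffe:// URI SAN is present (i.e. no workload identity)."""
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "URI" and value.startswith("spiffe://"):
            return value
    return None


def legacy_ip_allowlist(req: Request) -> bool:
    """Castle-and-moat check (the 'before'): anyone inside the trusted range gets in,
    regardless of who they are."""
    addr = ipaddress.ip_address(req.source_ip)
    return any(addr in net for net in LEGACY_TRUSTED_NETS)


def authorize(req: Request, now: Optional[float] = None) -> Tuple[bool, str]:
    """Zero Trust check (the 'after'): identity + policy + freshness.
    The source IP is deliberately not consulted."""
    now = time.time() if now is None else now
    if req.spiffe_id is None:
        return False, "deny: no workload identity presented"
    if now - req.authenticated_at > REAUTH_INTERVAL_S:
        return False, "deny: identity verification is stale, re-authenticate"
    for pattern, actions in POLICY.get(req.resource, []):
        if fnmatch.fnmatchcase(req.spiffe_id, pattern) and req.action in actions:
            return True, f"allow: {req.spiffe_id} may {req.action} {req.resource}"
    return False, f"deny: no policy grants {req.action} on {req.resource} to {req.spiffe_id}"


if __name__ == "__main__":
    now = time.time()
    # An unauthenticated caller on the LAN: the perimeter model lets it in, Zero Trust does not.
    lan_no_identity = Request(None, "10.1.2.3", "orders-db", "read", now)
    print("legacy:", legacy_ip_allowlist(lan_no_identity), "| zero-trust:", authorize(lan_no_identity, now))
    # A properly identified workload calling from outside the LAN: the reverse outcome.
    cert = {"subjectAltName": (("URI", "spiffe://example.org/ns/prod/sa/orders-api"),)}
    wan_with_identity = Request(spiffe_id_from_peercert(cert), "203.0.113.7", "orders-db", "write", now)
    print("legacy:", legacy_ip_allowlist(wan_with_identity), "| zero-trust:", authorize(wan_with_identity, now))
```

The point of keeping `source_ip` on the request but never reading it in `authorize` is that the decision stays correct when the topology changes (a pod is rescheduled, a VPN is removed, a NAT is introduced), which is exactly what step 4 of the migration relies on. The freshness check is the simplest form of step 5; in practice the interval is driven by certificate or token lifetime rather than a constant.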

Tools

BeyondCorp (Google's reference), Tailscale (consumer-grade zero-trust VPN), Cloudflare Access (HTTP-app gateway), Istio (mesh-level mTLS), HashiCorp Boundary (admin access). Pick what fits your scale; the concepts transfer.

Identity > network for access. Encrypt everywhere. Phased migration over years. Tools mature; concepts mandatory.