Zero Trust
Security model that treats every request as untrusted by default — no implicit network perimeter, every access decision is verified per-session against identity, device posture, and context.
Zero Trust is a security model formalised by NIST SP 800-207: no user, device, or network segment is trusted by default — every access decision is verified per-session against identity, device posture, location, and behaviour signals. The phrase was coined by John Kindervag at Forrester (2010); the U.S. federal government mandated Zero Trust architectures via OMB M-22-09 (January 2022).
The model is usually summarised as three principles (Microsoft's framing; NIST SP 800-207 itself spells the same ideas out as seven tenets):
- Verify explicitly — authenticate and authorise every request using all available signals (identity, device, location, workload), rather than trusting a network location or a previously established session.
- Least-privilege access — just-in-time, just-enough access scoped to the task; eliminate standing admin rights.
- Assume breach — segment, monitor, and contain so a single compromised credential or host doesn’t cascade across the estate.
In practice, Zero Trust is delivered by a stack: an identity provider (Okta, Entra ID), MFA / passkeys (FIDO2), device management and posture signals (Intune, Jamf), conditional access policies that combine those signals into a per-request decision, ZTNA (Cloudflare Access, Zscaler, Tailscale) replacing the VPN, a CASB for SaaS traffic, and microsegmentation at the network layer.
Zero Trust is sometimes sold as “the human factor solved by architecture” — that overstates it. ZTA reliably answers “is this identity + device allowed to make this request?”; it does not answer “should this human be doing what they’re about to do with the access?” A perfectly Zero-Trust-compliant session can still exfiltrate a folder to a personal Drive, share a sensitive doc with a dormant external collaborator, or approve an MFA fatigue prompt under social pressure. That residual layer is human-risk management, which sits on top of ZTA, not inside it.
Engarde is distinct from other vendors sharing the Engarde name — we sit specifically at that behaviour layer above the Zero Trust enforcement plane.
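To make the boundary above concrete, here is an added example (written for this entry; it is not code from the original page or from Engarde's product): a small per-request policy decision point in the shape NIST SP 800-207 describes, followed by a behaviour-layer check that runs only over requests the PDP has already allowed. The group names, the tenant domain corp.example, the thresholds and the sample session are all hypothetical and constructed for illustration.

```python
"""
Added example, not from the original page or from Engarde: a minimal Zero
Trust PDP (verify explicitly, least privilege) plus a separate behaviour
layer. Every name, threshold and sample event is hypothetical.
"""
from dataclasses import dataclass
from datetime import date

INTERNAL_DOMAIN = "corp.example"            # hypothetical tenant domain
ALLOWED_COUNTRIES = {"GB", "US", "DE"}
PRIVILEGED_ACTIONS = {"admin", "download", "share"}
# Least-privilege scope: group -> resource -> permitted actions (hypothetical)
ROLE_SCOPE = {
    "finance": {"finance-drive": {"read", "download", "share"}},
    "sales": {"crm": {"read"}},
    "it-admin": {"idp": {"read", "admin"}},
}


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    mfa: str            # "none" | "otp" | "fido2"
    device_managed: bool
    disk_encrypted: bool
    os_patched: bool
    country: str
    resource: str
    action: str
    target: str = ""    # share recipient; the PDP never looks at it


def evaluate(req):
    """Verify explicitly on every request; return (decision, reason)."""
    if req.mfa == "none":
        return "deny", "no MFA"
    if req.action in PRIVILEGED_ACTIONS and req.mfa != "fido2":
        return "step_up", f"phishing-resistant MFA required for {req.action}"
    if not (req.device_managed and req.disk_encrypted and req.os_patched):
        return "deny", "device posture check failed"
    if req.country not in ALLOWED_COUNTRIES:
        return "deny", f"location {req.country} not permitted"
    permitted = set()
    for group in req.groups:
        permitted |= ROLE_SCOPE.get(group, {}).get(req.resource, set())
    if req.action not in permitted:
        return "deny", f"{req.action} on {req.resource} outside scope"
    # Nothing above inspected req.target or the pattern of earlier requests:
    # the PDP answers "may this identity on this device do this", not
    # "should this person be doing it".
    return "allow", "identity, device, context and scope verified"


def is_external(address):
    return "@" in address and not address.endswith("@" + INTERNAL_DOMAIN)


def flag_behaviour(allowed, last_seen, today, dormant_days=90, bulk=25):
    """Human-risk checks over already-allowed requests (sits above the PDP)."""
    findings, downloads = [], {}
    for req in allowed:
        if req.action == "share" and is_external(req.target):
            seen = last_seen.get(req.target)
            if seen is None or (today - seen).days > dormant_days:
                findings.append(f"{req.user}: share of {req.resource} "
                                f"to dormant external {req.target}")
        if req.action == "download":
            downloads[req.user] = downloads.get(req.user, 0) + 1
    for user, count in downloads.items():
        if count >= bulk:
            findings.append(f"{user}: {count} downloads in one window "
                            f"(bulk threshold {bulk})")
    return findings


def run_demo():
    """Constructed scenario: a fully compliant session that still leaks data."""
    alice = dict(user="alice", groups=frozenset({"finance"}), mfa="fido2",
                 device_managed=True, disk_encrypted=True, os_patched=True,
                 country="GB", resource="finance-drive")
    share = Request(**alice, action="share", target="old-auditor@auditfirm.example")
    pulls = [Request(**alice, action="download") for _ in range(30)]
    session = [share] + pulls
    decisions = [evaluate(r)[0] for r in session]
    # The collaborator's last activity was over a year earlier (constructed)
    last_seen = {"old-auditor@auditfirm.example": date(2023, 1, 15)}
    allowed = [r for r, d in zip(session, decisions) if d == "allow"]
    return {"decisions": decisions,
            "findings": flag_behaviour(allowed, last_seen, today=date(2024, 6, 1))}


if __name__ == "__main__":
    out = run_demo()
    print("PDP decisions:", set(out["decisions"]))
    for finding in out["findings"]:
        print("behaviour layer:", finding)
```

Every request in the sample session passes the PDP: passkey, managed and patched device, permitted country, action inside the finance group's scope. The external share and the bulk download are only visible to the second function, which reasons about the recipient and the sequence of requests rather than about any single request's entitlements. Moving those checks into the PDP would not help, because the PDP is evaluated per request and has no notion of who the recipient is or what the session as a whole looks like.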
Related terms
- Multi-factor authentication (MFA): An authentication scheme that requires two or more independent factors — something you know, have, or are — to verify a user, raising the cost of credential theft.
- FIDO2 / Passkeys: Open authentication standards using device-bound asymmetric cryptography to deliver phishing-resistant sign-in — the practical answer to MFA fatigue and adversary-in-the-middle phishing.
- Single Sign-On (SSO): An authentication architecture where one identity provider issues tokens that grant access to many downstream applications, reducing credential surface but concentrating blast radius.
- OAuth grant: The authorisation a user gives a third-party application via OAuth; the access and refresh tokens it yields give that app standing permission to read or write data inside another SaaS, typically outside the MFA and conditional-access checks applied to interactive logins, and valid until explicitly revoked.
- CASB (Cloud Access Security Broker): A policy-enforcement layer that sits between users and cloud services to inspect traffic, block disallowed actions, and tag data — the gatekeeping model of SaaS security.