Never trust, always verify. This is the core principle of zero trust security. This approach assumes that threats can exist both inside and outside the network, requiring strict verification of all users, connections, and devices before they access your resources.
According to Okta’s report, zero trust is now mainstream, and its adoption has doubled recently. This means many organizations already have a zero trust strategy in place. This isn’t a surprise, given the constant growth of data breaches and the updated NIST and CISA guidelines.
Understanding the history of zero trust can help you build your own cybersecurity strategy. It shows why the old models failed and how the concept of zero trust evolved from a radical idea into a global standard that effectively reduces the attack surface. Let’s trace that revolution together.
The pre-zero trust era: a moat-and-castle approach
For decades, IT security relied on a model called perimeter-based security. This model used firewalls and other technologies to build a strong external defense, the "moat," around an organization's entire IT environment, the "castle."
This "castle-and-moat" strategy had one critical flaw: it extended trust by default to all users and devices inside the perimeter. Once you were "in the castle," you were considered safe. This resulted in extensive, and sometimes even unlimited, access to all systems and data within the network, creating massive vulnerabilities.
This entire model is now obsolete. With the rise of cloud computing, mobile devices, and remote work, users and data are everywhere, and a single network perimeter no longer encloses them. The "moat" was no longer a reliable defense, and an architecture built on "trust-by-default" couldn't handle the new reality. The stage was set for a new way to think about secure access: the zero trust concept.
Early seeds of the zero trust concept
The concept of zero trust didn't just appear overnight. It was a slow burn, with a few key ideas laying the groundwork for a new way of thinking.
In 2004, security expert Paul Simmonds gave a presentation at the Jericho Forum, where he coined the term "deperimeterization." He said that the "castle-and-moat" strategy was no longer sustainable. His point was that most exploits will easily bypass perimeter security, so building a harder wall was a losing battle. Simmonds also argued that a new security model to protect data was needed.
A year later, in 2005, the US Department of Defense had similar ideas. They explored a "Black Core" zero trust architecture, an initiative to secure individual transactions by encrypting data as it moved through the network. These early zero trust initiatives were a clear sign that the old model's days were numbered.
The birth of the term: John Kindervag and Forrester Research
So, who coined the term “zero trust”? It was John Kindervag, who was then working at Forrester Research. In 2009, he presented the idea that an organization should not trust anything, inside or outside its perimeters. He argued that trust itself was a vulnerability.
Why is it called “zero trust”?
John Kindervag grew weary of the old "trust but verify" motto, a Russian proverb Ronald Reagan popularized. Kindervag argued that most security teams "trust a lot but verify very little."
He also noted that, when Reagan used the phrase with the Soviets, it was a total joke because neither side trusted the other at all. So, he challenged the security world with a new, simpler rule: never trust, always verify.
Kindervag’s zero trust principles are the core of every ZT architecture today:
Secure all resources regardless of location
This principle demands that all resources be accessed securely, with the same strong encryption and protection, no matter where the user or data is.
Adopt a least-privilege strategy and enforce strict access control
This is the idea that users should only have access to the absolute minimum amount of data necessary to do their jobs. Enforcing strict, role-based access control is fundamental.
Inspect and log all network traffic to verify activity
Verification isn't a one-time login. This means continuously monitoring and logging all traffic to identify anomalous behavior or suspicious activity in real time.
Becoming mainstream: Google’s BeyondCorp initiative
The zero trust concept got its first big, real-world test in 2011 with Google’s BeyondCorp, the company’s own zero trust architecture.
Google's goal was to let employees work remotely and completely eliminate the need for a traditional VPN.
It's important to understand that BeyondCorp isn't a single product you can buy. It's a zero trust framework built on a set of tools and best practices. By proving this model could work at a massive scale, Google gave the zero trust security movement a big boost in credibility.
Today, Google Cloud offers services that help other organizations achieve a security model similar to BeyondCorp’s.
Zero trust and BYOD: the role of device trust in zero trust architecture
You'll often hear that a zero trust architecture facilitates Bring Your Own Device (BYOD) policies, letting employees use their own devices for work. This is a risky mistake. While strong passwords and user authentication at login are essential, they can't protect your company's data if the device itself is infected with malware.
Google's own zero trust model, BeyondCorp, explicitly rejects the idea that unmanaged devices are compatible with a secure zero trust environment. It states that only secure, managed devices are allowed to access company apps. This principle, known as device trust, requires organizations to verify the device, not just the user, before granting access. A compromised device makes the user's login security useless.
So, while zero trust architecture tools can help you manage a strict BYOD policy, they don't replace the need to ensure every device is secure and properly managed.
Zero trust security today
So, where does that leave the zero trust concept today?
It's now the industry standard. The real turning point came when the National Institute of Standards and Technology (NIST) formalized it.
NIST published its famous guide, SP 800-207, “Zero Trust Architecture.” The most important thing to know is that this isn't a rigid, one-size-fits-all set of rules. Instead, NIST defined zero trust security as a conceptual approach: a set of core principles and goals for building a modern zero trust architecture.
This official zero trust framework, along with models like Google's BeyondCorp, all operate on one simple rule: "never trust, always verify."
In practice, the zero trust approach follows these rules:
Strict authentication for every single access request: This way, only verified users and devices gain entry.
Least privilege access: This means that individuals only get access to the resources they absolutely need.
Network segmentation: This contains attackers. If they breach one part of your network, they're stopped from moving freely to the rest.
Continuous verification of users and devices: Security posture is checked repeatedly, not just at the initial login.
The goal of this zero trust strategy is twofold: to prevent unauthorized access from the start and to limit the blast radius if a breach ever does happen.
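To make the four rules above (and Kindervag's principles of least privilege, device trust and continuous logging from the earlier sections) concrete, here is an added example of a minimal policy decision point. It is not code from NordPass, Google or NIST; the roles, resources, network segments, device attributes and the 15-minute re-verification window are all constructed assumptions. Each request is evaluated against every rule, every decision is logged, and anything not explicitly allowed is denied.

```python
"""Added example (not NordPass, Google or NIST code): a minimal zero trust
policy decision point that evaluates each access request against the rules
listed above and writes an audit record for every allow or deny."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple
import json

# Constructed sample policy. Roles, resources and segments are hypothetical.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {       # least privilege
    "engineer": {"git-server", "ci-dashboard"},
    "finance": {"erp", "payroll"},
}
RESOURCE_SEGMENTS: Dict[str, Set[str]] = {       # segmentation
    "git-server": {"eng-vlan", "access-proxy"},
    "ci-dashboard": {"eng-vlan", "access-proxy"},
    "erp": {"finance-vlan", "access-proxy"},
    "payroll": {"finance-vlan"},
}
SESSION_MAX_AGE_S = 15 * 60  # assumed: re-verify identity and posture every 15 min


@dataclass
class Device:
    device_id: str
    managed: bool          # enrolled in the organisation's device inventory
    disk_encrypted: bool
    patched: bool

    def trusted(self) -> bool:
        # Device trust: an unmanaged or unhealthy device never qualifies,
        # regardless of how strong the user's login was.
        return self.managed and self.disk_encrypted and self.patched


@dataclass
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool      # MFA completed for this session
    session_started: float  # epoch seconds of the last successful verification
    device: Device
    resource: str
    source_segment: str     # network segment the request arrives from


AUDIT_LOG: List[str] = []  # one JSON line per decision (inspect and log rule)


def decide(req: AccessRequest, now: float) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Empty reasons means every rule passed."""
    reasons: List[str] = []
    if not req.mfa_verified:                       # strict authentication
        reasons.append("mfa_missing")
    if not req.device.trusted():                   # device trust
        reasons.append("device_untrusted")
    if req.resource not in ROLE_ENTITLEMENTS.get(req.role, set()):
        reasons.append("not_entitled")             # least privilege, default deny
    if req.source_segment not in RESOURCE_SEGMENTS.get(req.resource, set()):
        reasons.append("segment_not_allowed")      # segmentation
    if now - req.session_started > SESSION_MAX_AGE_S:
        reasons.append("session_stale")            # continuous verification
    allowed = not reasons
    AUDIT_LOG.append(json.dumps({
        "ts": now, "user": req.user, "device": req.device.device_id,
        "resource": req.resource, "segment": req.source_segment,
        "decision": "allow" if allowed else "deny", "reasons": reasons,
    }, sort_keys=True))
    return allowed, reasons


def sample_decisions() -> Dict[str, Tuple[bool, List[str]]]:
    """Run constructed requests through the policy and return the outcomes."""
    now = 1_700_000_000.0
    laptop = Device("lt-001", managed=True, disk_encrypted=True, patched=True)
    byod_phone = Device("byod-007", managed=False, disk_encrypted=True, patched=False)
    base = dict(user="alice", role="engineer", mfa_verified=True,
                session_started=now - 60, device=laptop,
                resource="git-server", source_segment="eng-vlan")
    return {
        "allowed": decide(AccessRequest(**base), now),
        "byod_device": decide(AccessRequest(**{**base, "device": byod_phone}), now),
        "wrong_role": decide(AccessRequest(**{**base, "resource": "payroll"}), now),
        "stale_session": decide(AccessRequest(**{**base, "session_started": now - 3600}), now),
    }


if __name__ == "__main__":
    for name, (ok, why) in sample_decisions().items():
        print(f"{name}: {'allow' if ok else 'deny'} {why}")
    print("\n".join(AUDIT_LOG))
```

Two design points are worth noting. The checks are independent and all of them run, so a denied request carries every failing reason, which is what a security operations team wants in the audit record. And the lookups use `.get(..., set())`, so a role or resource that is missing from the policy is denied rather than silently allowed.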
Implement your zero trust strategy with NordPass
A full zero trust strategy can feel like a massive project. But it all starts with one, manageable step: controlling access.
NordPass Business is a critical tool for your zero trust architecture that can help you:
Secure all credentials: Store every password, passkey, and credit card in an XChaCha20-encrypted vault.
Enforce company-wide policies: Use the Admin Panel to set and enforce strong password rules that no one can bypass.
Manage access with precision: Securely share items and folders with specific individuals or groups, not the entire company.
Verify user identity: Integrate with your existing multi-factor authentication (MFA) and single sign-on (SSO) providers to streamline logins.
A robust zero trust architecture isn't built with a single product, but it's impossible to build without first mastering credential and access management. Start with the foundation. Secure your organization's access with NordPass Business.