Ask ten vendors what zero trust means and you will get ten different answers, most of them shaped by whatever product they are trying to sell. That has made the term harder to work with — loaded with vendor positioning, stripped of precision, and treated with understandable scepticism by security professionals who have seen too many trends repackaged as revolutions.
Which is a shame, because the underlying idea is sound and increasingly necessary. Zero trust is worth taking seriously — just not in the form that most marketing material presents it.
What zero trust actually means
The core principle of zero trust is simple: do not grant access based on network location. The traditional security model assumed that anything inside the corporate network perimeter could be trusted — a reasonable assumption when employees worked in offices, applications ran in on-premises data centres, and the network boundary was relatively well-defined. That assumption no longer holds.
Cloud applications, remote work, third-party access, mobile devices, and increasingly complex supply chains have dissolved the perimeter. The network boundary that once provided a meaningful security control is now porous by design. Treating everything inside it as trusted, and everything outside it as untrusted, is not a security model — it is a comfortable fiction.
Zero trust replaces that assumption with a different one: trust nothing by default, verify everything explicitly, and grant the minimum access required to perform a specific function. Identity becomes the new perimeter. Every access request — from a user, a device, an application, or a service — is evaluated in context before access is granted, regardless of where the request originates.
"The perimeter did not disappear overnight. It eroded gradually, one cloud application, one remote worker, one third-party integration at a time. Most organisations are only now reckoning with what that means for how they control access."
Why it matters now
Zero trust has been discussed as a concept since John Kindervag introduced the term at Forrester in 2010. The reason it has gained significant operational momentum in recent years is not that the idea is new — it is that the conditions making it necessary have become unavoidable.
The shift to cloud and hybrid working accelerated during the pandemic and has not reversed. Regulatory frameworks including NIS2 and DORA are pushing organisations toward more explicit access controls and stronger identity governance. And the attack patterns that zero trust is specifically designed to mitigate — lateral movement following initial compromise, credential-based attacks, insider threats — have become the dominant techniques in serious breaches.
When an attacker gains a foothold in a perimeter-based environment, the internal network provides them with a significant degree of freedom. They can move laterally, escalate privileges, and access systems that were never intended to be reachable from the initial point of compromise — because the internal network was implicitly trusted. Zero trust architecture constrains that freedom by enforcing access controls on every request at every layer, not just at the edge: a stolen credential or compromised endpoint reaches only what that specific identity and device were explicitly granted, which limits the blast radius of a breach rather than preventing the initial compromise.
The journey, not the destination
One of the most persistent misconceptions about zero trust is that it is something you implement — a project with a start date, an end date, and a point at which you can declare yourself done. It is not. Zero trust is an architectural direction, and most organisations will travel along that path for years, making progress incrementally across different domains.
That framing is actually useful. It means there is no prerequisite for starting. You do not need to have solved identity before you address network segmentation, or vice versa. You can make meaningful progress in one domain while others remain works in progress. The organisations that have made the most progress on zero trust are typically those that picked a domain where the risk was highest or the quick wins were clearest, demonstrated value, and expanded from there.
Identity and access management
For most organisations, identity is the most impactful starting point. Implementing multi-factor authentication, enforcing least-privilege access, and introducing conditional access policies — granting access based on the risk profile of a request (user risk signals, authentication strength, device state, resource sensitivity) rather than simply whether the user has valid credentials — delivers material security improvement without requiring a complete infrastructure overhaul. Not all MFA is equal: SMS codes and simple push approvals are routinely defeated by phishing and prompt-bombing, so sensitive access should require phishing-resistant methods such as FIDO2 security keys or passkeys.
Network segmentation and SASE
Network architecture is the other major domain. Zero trust network access (ZTNA) replaces broad VPN access — where a connected user can often reach large portions of the internal network — with application-specific access granted on a per-session basis. Combined with the broader SASE framework, which integrates network security and connectivity into a cloud-delivered architecture, this approach aligns well with the hybrid and multi-cloud environments most organisations now run.
Nomios has worked with organisations across Europe on SASE and zero trust network architecture — helping them navigate a vendor landscape that is genuinely complex, and design implementations that reflect their specific environment rather than a generic reference architecture.
Device trust and endpoint security
Zero trust extends to the devices from which access is requested. A valid credential from an unmanaged, compromised, or non-compliant device is not the same as a valid credential from a healthy, managed endpoint. Device posture assessment — evaluating whether a device meets defined security requirements (management enrolment, disk encryption, a healthy endpoint agent, patch currency) before granting access — is an increasingly standard component of mature zero trust implementations. Posture should also be re-evaluated during a session rather than only at login, so that a device that falls out of compliance loses access rather than keeping it until the next authentication.
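To make the identity and device sections above concrete, here is a small policy evaluator written for this article. It is not Nomios code and not any vendor's product; the field names, the three-way outcome (allow, step-up, deny) and the thresholds are assumptions chosen to show the principle. The point to notice is what the decision function does not look at: the source IP is carried for audit logging but never consulted, so an identical request from the office LAN and from a coffee shop gets the same answer, while credential validity, MFA strength, user risk and device posture all do shape it.

```python
from dataclasses import dataclass, replace
from enum import Enum
from typing import List, Optional, Tuple

# Illustrative conditional-access engine written for this article. Not Nomios
# code, not a vendor product; names and thresholds are assumptions.


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # credential accepted, stronger MFA needed before access
    DENY = "deny"


PHISHING_RESISTANT_MFA = {"fido2", "passkey", "smartcard"}
MAX_PATCH_AGE_DAYS = 30  # assumed compliance threshold


@dataclass(frozen=True)
class DevicePosture:
    managed: bool           # enrolled in MDM
    disk_encrypted: bool
    edr_healthy: bool       # endpoint agent running and reporting
    os_patch_age_days: int  # days since the last OS update was applied


@dataclass(frozen=True)
class AccessRequest:
    user: str
    credential_valid: bool
    mfa_method: Optional[str]   # "fido2", "totp", "sms" or None
    device: DevicePosture
    user_risk: str              # "low" | "medium" | "high" (e.g. an IdP risk signal)
    resource_sensitivity: str   # "low" | "high"
    source_ip: str              # kept for audit logging only; never a policy input


def assess_device(d: DevicePosture) -> Tuple[bool, List[str]]:
    """Return (compliant, list of failed posture checks)."""
    problems = []
    if not d.managed:
        problems.append("device unmanaged")
    if not d.disk_encrypted:
        problems.append("disk not encrypted")
    if not d.edr_healthy:
        problems.append("EDR agent unhealthy")
    if d.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        problems.append(f"OS patches {d.os_patch_age_days}d old")
    return (not problems), problems


def evaluate(req: AccessRequest) -> Tuple[Decision, List[str]]:
    """Decide one request from identity, MFA strength, user risk and device posture.

    req.source_ip is deliberately never read: network location is not a trust signal.
    """
    # A valid credential is necessary but never sufficient.
    if not req.credential_valid:
        return Decision.DENY, ["credential invalid"]
    if req.user_risk == "high":
        return Decision.DENY, ["user risk high"]

    compliant, problems = assess_device(req.device)
    has_mfa = req.mfa_method is not None
    strong_mfa = req.mfa_method in PHISHING_RESISTANT_MFA

    if req.resource_sensitivity == "high":
        # Sensitive resources: compliant managed device AND phishing-resistant MFA.
        if not compliant:
            return Decision.DENY, problems
        if not strong_mfa:
            return Decision.STEP_UP, ["phishing-resistant MFA required for sensitive resource"]
        return Decision.ALLOW, []

    # Low-sensitivity resources: any MFA, stronger MFA when the user looks risky.
    if not has_mfa:
        return Decision.STEP_UP, ["MFA required"]
    if req.user_risk == "medium" and not strong_mfa:
        return Decision.STEP_UP, ["elevated user risk requires phishing-resistant MFA"]
    # Access granted; posture findings are still returned for the audit log.
    return Decision.ALLOW, problems


def demo_scenarios():
    """Constructed sample requests (not real telemetry) run through the policy."""
    healthy = DevicePosture(managed=True, disk_encrypted=True, edr_healthy=True, os_patch_age_days=5)
    stale = DevicePosture(managed=False, disk_encrypted=False, edr_healthy=True, os_patch_age_days=60)
    base = AccessRequest(user="alice", credential_valid=True, mfa_method="fido2", device=healthy,
                         user_risk="low", resource_sensitivity="high", source_ip="10.0.0.5")
    return {
        "office_fido2_healthy": evaluate(base),
        "cafe_fido2_healthy": evaluate(replace(base, source_ip="203.0.113.7")),
        "office_totp_healthy": evaluate(replace(base, mfa_method="totp")),
        "office_fido2_unmanaged": evaluate(replace(base, device=stale)),
        "lowsens_totp_unmanaged": evaluate(replace(base, device=stale, mfa_method="totp",
                                                   resource_sensitivity="low")),
        "lowsens_no_mfa": evaluate(replace(base, mfa_method=None, resource_sensitivity="low")),
        "bad_password": evaluate(replace(base, credential_valid=False)),
    }


if __name__ == "__main__":
    for name, (decision, reasons) in demo_scenarios().items():
        print(f"{name:24s} {decision.value:8s} {'; '.join(reasons)}")
```

Running the script prints one line per scenario. The two healthy-device FIDO2 requests produce identical decisions despite different source addresses; the same user with TOTP is stepped up for the sensitive resource; the unmanaged, unencrypted, unpatched device is denied that resource outright but is still allowed onto a low-sensitivity one with its posture findings recorded. A real deployment would feed the same signals from an identity provider and an MDM or EDR platform and re-run the evaluation on a timer or on posture change, as the section above describes.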
Getting started without getting lost
The breadth of zero trust can make it feel overwhelming to begin. The vendor landscape does not help — every major security vendor has rebranded significant portions of their portfolio under the zero trust label, making it difficult to separate genuine architectural thinking from product positioning.
The most useful starting point is usually a structured assessment of where your current environment stands against zero trust principles — not to produce a gap report that sits on a shelf, but to identify the two or three areas where investment will deliver the greatest reduction in actual risk. From that foundation, a phased roadmap can be built that is realistic, measurable, and connected to business outcomes rather than technology for its own sake.
Nomios consulting supports organisations at this stage — bringing vendor-neutral perspective to a space where vendor-neutral advice is genuinely hard to find. The goal is not to sell a particular architecture or a particular product, but to help organisations make progress on zero trust in a way that reflects their actual environment, their risk priorities, and their operational constraints.
Where does your organisation stand on zero trust?
Most organisations are somewhere on the journey — further along in some areas than others. A structured assessment is usually the clearest way to understand where to focus next.