In late 2013, attackers didn't break into Target. They walked in through the side door. Using credentials stolen from a third-party HVAC vendor, they moved through a network protected by firewalls, monitoring tools and a dedicated cybersecurity team, and eventually planted malware across 40 million customer card accounts.
Seven years later, the SolarWinds breach revealed the same issue, just at a much larger scale. Attackers quietly compromised a routine software update for a widely used network monitoring platform. Eighteen thousand organizations installed the backdoor voluntarily. Nine federal agencies and approximately 100 private companies were actively breached before anyone noticed. The discovery came not from a government security program, but from a cybersecurity firm that found it while investigating its own intrusion.
In both cases, the underlying problem was an architecture built on the assumption that trust can be inherited from network location.
The perimeter model worked well when organizations had fixed offices, on-premise servers and known user devices. Then three things broke it:
According to IBM's 2024 Cost of a Data Breach Report, stolen credentials are now the most common initial breach vector, with attacks taking an average of nearly 10 months to identify and contain. A single trusted credential, once compromised, becomes a key that can unlock any door inside the company’s infrastructure.
The formal reframing arrived in 2010. Forrester analyst John Kindervag published "No More Chewy Centers", a deliberately provocative challenge to the cybersecurity status quo. His argument? The industry was trusting a great deal and verifying very little, and that complacency was a design flaw, not a policy gap. His prescription was straightforward: verify every access request regardless of where it originates, enforce least-privilege strictly, and inspect all traffic always.
Around the same time, Google was learning the same lesson the hard way. After suffering the 2009 Operation Aurora breach, a sophisticated nation-state intrusion targeting its source code, Google built BeyondCorp: an internal architecture where no user or device was trusted by default, even on the corporate network. Access decisions moved from where you are to who you are and whether your device is healthy. It was the first major real-world implementation of Kindervag's theory.
The framework gained official weight in 2020, when NIST published SP 800-207, the first federal standard defining Zero Trust Architecture in practice. Two years later, the U.S. Office of Management and Budget mandated the adoption of Zero Trust principles for all federal agencies by 2024.
Zero Trust at the network layer is a structural shift built on three principles.
These principles don't eliminate breach attempts. They assume attacks will happen and engineer the network so that compromise is contained, detected faster, and stripped of leverage.
IBM's research found that organizations deploying cybersecurity AI and automation alongside Zero Trust principles incurred an average of $2.2 million less in breach costs than those that didn't. As a result, every business must understand that Zero Trust is not a product you install. It is a mindset, a posture you adopt, starting from an honest premise: the perimeter is already gone.
Insights by Orfeas Polychronidis, Neurosoft Network Deployment Services Team Leader, Winner of the NSE Technical Mastery award by Fortinet.