'Zero Trust' became a marketing slogan, but the underlying principles are real and increasingly testable: identity-based access (not network-based), continuous verification (not session-based), and least-privilege by default. Here's what it actually looks like in code and infra.
Identity-based, not network-based
VPNs assume 'on the network = authorized'. Zero trust assumes the network is hostile. Every request — internal or external — proves identity (mTLS, OIDC token, signed request). VPNs become a single layer of defense, not the boundary.
Per-request authz, not per-session
Authz decision on each request, not at login. Tokens are short-lived (5-15 min). Policy engine (OPA, Cedar) evaluates per-request: who, what, when, where, why. Session in your DB ≠ authorized to do action X.
BeyondCorp / SSO-mediated access
Internal apps behind an identity-aware proxy (Cloudflare Access, Pomerium, Google IAP). User authenticates to the IdP; proxy adds signed headers; app trusts them. Removes 'is on corp network' from the equation.
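Added illustration of the two previous points (per-request authz with short-lived tokens, and an app that trusts proxy-signed headers), not code from the original post: the proxy side mints a short-lived signed identity assertion, and the app side verifies signature and lifetime on every request before a policy function decides. The shared HMAC key, header name, claim names and policy rules are constructed assumptions; a real proxy would use an asymmetric signature with published keys.

```python
import base64, hashlib, hmac, json
from typing import Optional

PROXY_KEY = b"constructed-demo-key"   # assumption: key shared by proxy and app (demo only)
MAX_LIFETIME = 900                    # 15 min ceiling on any assertion, per the post

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_assertion(claims: dict, key: bytes = PROXY_KEY) -> str:
    """Proxy side: after the user authenticates to the IdP, mint 'body.sig'."""
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64url(sig)}"

def verify_assertion(token: str, now: float, key: bytes = PROXY_KEY) -> Optional[dict]:
    """App side, on EVERY request: header presence proves nothing; signature and expiry do."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None                       # forged or tampered
        claims = json.loads(b64url_decode(body))
    except ValueError:                        # malformed base64/JSON or wrong field count
        return None
    iat, exp = claims.get("iat", 0), claims.get("exp", 0)
    if now >= exp or exp - iat > MAX_LIFETIME:
        return None                           # expired, or minted with too long a lifetime
    return claims

def policy(claims: dict, action: str, resource: str) -> bool:
    """Constructed who/what/where rules, standing in for an OPA/Cedar evaluation."""
    if action == "read":
        return True                           # any verified identity may read
    if action == "deploy" and resource.startswith("prod/"):
        # privileged action needs group membership AND device posture, not just a login
        return "sre" in claims.get("groups", []) and claims.get("device") == "managed"
    return False

def authorize(headers: dict, action: str, resource: str, now: float) -> bool:
    """Per-request decision: identity comes from the verified assertion, never from a session row."""
    claims = verify_assertion(headers.get("X-Identity-Assertion", ""), now)
    return claims is not None and policy(claims, action, resource)
```

Because the app checks a signature rather than the header's presence, it must also be reachable only through the proxy; an app exposed directly would still accept a request that carries a correctly signed header obtained elsewhere, so short lifetimes and network placement work together.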
Service mesh layer
Inside the cluster: mTLS between every service. Service identity in cert SAN. SPIFFE workload identities. Authz policies declarative (Istio AuthorizationPolicy, Linkerd ServerAuthorization).
What it doesn't replace
Patching. Backups. Secrets management. Incident response. Zero trust is a posture, not a product. The threats it doesn't address — vulnerable code, credential phishing of the human, supply chain — still need their own controls.