m@ksim.pro
Security

Identity after the perimeter: what zero trust is and why founders need to understand it

The corporate perimeter has ceased to exist. A breakdown of what this means for security and what practical steps follow from this logic.

A few years ago, corporate security was built on a simple idea: inside the network - trust it; outside - do not. Put a firewall on the perimeter, and everything inside is considered safe.

That model stopped working. Not gradually - abruptly. Employees work from home, on personal devices, through cloud services. Corporate data lives in SaaS applications that physically sit on providers' servers. The perimeter itself became virtual and blurred.

The concept of zero trust emerged as the answer.

What this means in practice

Zero trust is not a product you can buy or a technology you can switch on. It is a principle: no request is trusted automatically, regardless of where it came from. Every access to a resource requires verification: who is asking, from which device, in what context.

Three core elements:

Identity verification for every request. Instead of "logged in this morning, so inside the network all day", every access to a sensitive resource is verified, often with additional context: is this the usual location, the usual time, the usual device?

Minimal privileges. Every user and every system gets access only to what they need for their specific task. Not "access to the internal network" - "access to this specific application with these specific permissions."

Assumed breach. The system is designed on the assumption that a security breach will happen at some point. In practice that means segmentation, logging and anomaly detection, so that damage is limited when a breach does occur.
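As an added illustration (not code from the original post), the three elements combined into one per-request access decision: deny by default, verify identity and context on every call, grant only the actions listed for that specific resource, and keep an audit trail that a simple detection routine can read. The policy, the user baseline, the roles and the resource names are all constructed sample data.

```python
from dataclasses import dataclass

# Least-privilege grants per resource: role -> allowed actions (constructed sample policy).
POLICY = {
    "payroll-db": {"accountant": {"read"}, "dba": {"read", "write"}},
    "backup-system": {"backup-admin": {"read", "restore"}},
}
# Per-user baseline of usual country and working hours (constructed sample data).
BASELINE = {"anna": {"country": "DE", "hours": range(7, 20)}}
AUDIT_LOG = []  # every decision is recorded, allowed or not

@dataclass
class Request:
    user: str
    roles: set
    resource: str
    action: str
    mfa_verified: bool    # MFA completed for this session
    device_managed: bool  # device is enrolled and compliant
    country: str
    hour: int

def decide(req):
    """Evaluate one access request. Default is deny; returns (allowed, reason)."""
    def verdict(allowed, reason):
        AUDIT_LOG.append({"user": req.user, "resource": req.resource,
                          "action": req.action, "allowed": allowed, "reason": reason})
        return allowed, reason
    # 1. Identity verification on every request, not once per day.
    if not req.mfa_verified:
        return verdict(False, "mfa required")
    if not req.device_managed:
        return verdict(False, "unmanaged device")
    base = BASELINE.get(req.user)
    if base is None or req.country != base["country"] or req.hour not in base["hours"]:
        return verdict(False, "unusual context, step-up verification required")
    # 2. Minimal privileges: only actions granted on this specific resource.
    grants = POLICY.get(req.resource, {})
    allowed_actions = set().union(*(grants.get(r, set()) for r in req.roles))
    if req.action not in allowed_actions:
        return verdict(False, "no grant for this action on this resource")
    return verdict(True, "allowed")

def repeated_denials(log=None, threshold=3):
    """3. Assumed breach: flag users whose denials reach the threshold."""
    counts = {}
    for entry in (AUDIT_LOG if log is None else log):
        if not entry["allowed"]:
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return {user for user, n in counts.items() if n >= threshold}
```

A compromised accountant's account with valid MFA still cannot write to the payroll database or restore backups, and its repeated denials surface in the log instead of going unnoticed.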

Why this matters now

Attacks in 2021 and 2022 showed a consistent pattern: attackers obtain one set of credentials (through phishing, a leak, or credential stuffing), then move freely through the corporate network because everything "inside" is trusted.

This is called lateral movement. It is what allows attackers to travel from a compromised accountant's account to backup systems and financial databases.

Zero trust breaks this chain: even if one account is compromised, the attacker does not automatically get access to everything else.

Where to start

Full zero trust implementation is a multi-year project for large organisations. For a mid-size company there are more practical entry points.

Multi-factor authentication for all corporate services. This is the single measure that most effectively blocks attacks through compromised passwords. According to Microsoft's data, MFA blocks over 99% of such attacks.

Single sign-on (SSO) with centralised access management. Instead of separate passwords for each service, a single identity that can be revoked quickly when someone leaves or an incident occurs.

Minimal privilege policy for administrative accounts. Start with privileged accounts: they are the most dangerous when compromised.

Three questions to check yourself

  1. If an employee resigned today, how many hours would it take to revoke their access to all corporate systems?
  2. Do you use multi-factor authentication for access to critical systems?
  3. Do you know which employees have administrative access to your key systems right now?

This is not a comprehensive audit. But three confident "yes" answers already put you significantly above the average protection level among companies of comparable size.


If this resonated, write to me. I reply personally.