Zero Trust is not a product, it's a mindset
May 10, 2026 · 6 min read
The problem with the market narrative
Every security vendor on the market now has a "Zero Trust product." Zero Trust firewalls, Zero Trust VPNs, Zero Trust endpoints. The industry has turned an architectural principle into a marketing checkbox.
After implementing real Zero Trust architectures — with overlay networks, cryptographic identity, and granular access policies — I can affirm that Zero Trust is not something you buy, it's something you build.
The three pillars that actually matter
1. Never trust, always verify
This principle sounds obvious, but its implementation is anything but trivial. It means that every service, every microservice, every connection must authenticate and authorize independently. A perimeter firewall is not enough.
In practice, this requires:
- Cryptographic identity for every workload (SPIFFE/SPIRE, mTLS)
- Attribute-based access policies, not network-based
- Continuous verification, not just at the entry point
2. Least privilege access
The principle of least privilege applies to everything: users, services, APIs, and data. Each entity should only have access to what is strictly necessary for its function.
With BlueUP, we implement this through:
- NKeys Ed25519 for service authentication in NATS
- Biscuit tokens with attenuation: each token can be restricted by the recipient
- Dark Services on overlay networks: services have no presence on the public network
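The attenuation property behind the Biscuit bullet, shown as an added example that is not BlueUP's or Biscuit's own code: a macaroon-style HMAC chain in Python stands in for Biscuit's signed block chain (Biscuit itself uses per-block Ed25519 signatures and Datalog policies, so a verifier there needs only the issuer's public key). The root key, token id and caveat strings are constructed values.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Toy capability token modelled on macaroon-style HMAC chaining (constructed
# illustration, not the Biscuit wire format). Each caveat narrows the token;
# any holder can append a caveat without the root key, but cannot remove one,
# because every caveat is folded into the signature chain.

@dataclass(frozen=True)
class Token:
    token_id: str            # identifies the root key used at issuance
    caveats: tuple = ()      # ordered restrictions such as "service=billing"
    sig: bytes = b""

def _chain(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def mint(root_key: bytes, token_id: str) -> Token:
    """Issuer step: the only operation that needs the root secret."""
    return Token(token_id, (), _chain(root_key, token_id))

def attenuate(tok: Token, caveat: str) -> Token:
    """Holder step: restrict the token further using no secret at all."""
    return Token(tok.token_id, tok.caveats + (caveat,), _chain(tok.sig, caveat))

def verify(root_key: bytes, tok: Token, request: dict) -> bool:
    """Verifier recomputes the chain, then checks every caveat against the request."""
    expected = _chain(root_key, tok.token_id)
    for caveat in tok.caveats:
        expected = _chain(expected, caveat)
    if not hmac.compare_digest(expected, tok.sig):
        return False  # a caveat was stripped or altered, or the key is wrong
    for caveat in tok.caveats:
        attr, _, allowed = caveat.partition("=")
        if request.get(attr) != allowed:
            return False  # request lies outside the attenuated capability
    return True

ROOT_KEY = b"constructed-demo-root-key"  # constructed; use a random per-issuer secret

if __name__ == "__main__":
    broad = mint(ROOT_KEY, "svc-billing")
    narrow = attenuate(attenuate(broad, "service=billing"), "op=read")
    print(verify(ROOT_KEY, narrow, {"service": "billing", "op": "read"}))   # True
    print(verify(ROOT_KEY, narrow, {"service": "billing", "op": "write"}))  # False
    stripped = Token(narrow.token_id, narrow.caveats[:-1], narrow.sig)
    print(verify(ROOT_KEY, stripped, {"service": "billing", "op": "write"}))  # False
```

The recipient of `broad` can hand a downstream service only `narrow`, and the verifier rejects any attempt to widen it back by dropping a caveat.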
3. Assume breach
Zero Trust design assumes the attacker is already inside. This fundamentally changes the architecture:
- Microsegmentation of services
- End-to-end encryption between all components
- Lateral detection: east-west traffic monitoring, not just north-south
Real-world lessons
Uncomfortable reality
The biggest obstacle to implementing Zero Trust is not technology — it's organizational culture. Teams that have operated with VPNs and perimeter firewalls for years need a deep mindset shift.
What works:
- Start with a specific use case, not the entire organization
- Demonstrate quick value with a pilot project
- Measure the attack surface reduction in quantifiable terms
What doesn't work:
- Buying a "Zero Trust product" and expecting it to solve everything
- Implementing Zero Trust without first solving identity management
- Ignoring user experience — if Zero Trust makes work harder, people will find shortcuts
The future is identity
Zero Trust inevitably converges with sovereign digital identity. When every workload, every user, and every device has a verifiable cryptographic identity, networks become irrelevant as a security perimeter.
This is the thesis behind projects like BlueUP Connect and OpenZiti — overlay networks where identity is the perimeter.
Implementing Zero Trust in your organization? Let's talk: arturo@navarro-bores.com.