“So what exactly is this zero trust thing everyone keeps talking about?”
I get this question a lot. Usually from managers, executives, or anyone who has to approve a security budget without a technical background. And most explanations I have seen are terrible. They either drown you in jargon or sand the concept down so far that nothing useful is left.
So here is the metaphor I reach for instead. I have used it to explain zero trust to my parents, to executives, and to that one colleague who still calls the firewall “the internet box.” It works because it starts with something everyone has touched: a hotel key card. We will build up from there, one layer at a time, until you can see how the same idea runs all the way down to mTLS and identity-aware proxies.
The Old Way: The Castle and Moat
Before the hotel, you need the thing it replaces.
Traditional network security works like a medieval castle. You build a big wall (the firewall), dig a moat around it, and put guards at the gate. Anyone outside the wall is untrusted. Anyone who makes it inside is trusted. They can go anywhere, do anything.
This worked reasonably well when:
- Everyone worked in the same building
- All the servers lived in the basement
- “Remote work” meant carrying a laptop home once a year
Then the world changed. People started working from coffee shops. Applications moved to the cloud. The castle walls became meaningless because half your kingdom was now outside them.
The castle model has one fatal flaw. Once someone gets past the gate, they are trusted. An attacker who compromises a single laptop inside the network can move freely. This is how most major breaches actually unfold: someone gets in through phishing, then moves “laterally” through the network because everything inside trusts everything else. The breach is small. The blast radius is the whole castle.
The New Way: The Hotel
Now the simplest version of the better idea.
Imagine a modern hotel. You check in at the front desk and get a key card. That key card:
- Opens your room
- Opens the gym (if your booking includes it)
- Opens the pool area (if your booking includes it)
- Opens the parking garage (if you registered a car)
- Does NOT open other guest rooms
- Does NOT open the staff areas
- Does NOT open the kitchen
Every single door makes its own decision about whether to let you in. The door does not care that you are “inside the hotel.” It cares about one thing: does this specific key card have permission to open this specific door right now?
That is zero trust in one sentence. Every door checks, every time, no matter where you are standing. The rest of this post is just adding detail to that picture.
Why “Zero Trust” Is a Terrible Name
Quick detour, because the name trips people up.
“Zero trust” sounds like you trust nothing and nobody, which would be paranoid and impractical. A more honest label would be “verify everything” or “continuous verification.” We are stuck with the buzzword, so we work with it.
What it actually means in practice:
- Don’t trust based on location (being inside the network)
- Don’t trust based on history (you logged in once, so you are trusted forever)
- Verify every access request, every time
- Grant the minimum permissions needed
Back to the hotel: you are not “untrusted.” You are a verified guest. Your verification grants you specific access to specific resources, and you reverify every single time you open a door.
The Three Principles (Layer One)
Now we add the first real layer. Zero trust has three load-bearing principles, and the hotel covers all three.
1. Verify Explicitly
Every door checks your key card every time. You never get a wristband that says “trusted guest” and lets you walk through anything. The pool checks your card. The gym checks your card. Your room checks your card.
In tech terms: every access request is authenticated and authorized, regardless of where it comes from.
2. Least Privilege Access
Your key card opens only what you need. Booked a basic room? You get your room and the common areas. Booked the executive suite with gym access? You get those too. You never get access to other guest rooms or staff areas.
In tech terms: people and services get the minimum permissions their role requires. An accountant does not need access to source code. A developer does not need access to HR records.
3. Assume Breach
The hotel is designed on the assumption that someone will eventually get a key card they should not have. That is exactly why every door checks independently. If a card gets stolen, it opens only what that card allows. Not the whole hotel.
In tech terms: design as if an attacker is already inside. Limit the blast radius. Segment your networks. Monitor everything. This is the principle I care about most, because it lines up with how I think about every system I run: failure is not an edge case to prevent, it is a default to plan for.
A Day in the Zero Trust Hotel (Layer Two)
The three principles are the theory. Watching them run for a day is where it clicks.
Morning: You wake up and head to the gym. You tap your key card on the door. The door checks: is this guest authorized for gym access, is the booking still valid, is the gym open right now? Yes to all three, so the door opens.
Midday: Back in your room, you want room service. You call, and they ask for your room number AND a security code from your check-in receipt. They do not trust caller ID on its own.
Afternoon: You try the printer in the business center. You authenticate again, key card plus a PIN you set at check-in. Holding the card is not enough for some resources.
Evening: Your booking ends at 6 PM, but your flight is at 8 PM. You ask for a late checkout. The front desk extends your access to 7 PM. At 7:01 PM, your card stops working everywhere. Room, gym, all of it.
That single day demonstrates the whole model: continuous verification, time-bound access, stronger checks for sensitive resources, automatic revocation the moment your access expires.
What Zero Trust Is NOT
A few misconceptions worth clearing up, because they come up in almost every conversation.
Not “no passwords.” You still authenticate. You just do it more intelligently, and often with more than one factor.
Not “VPN everywhere.” A VPN is part of the old castle model. Get past the gate, then you are trusted inside. Zero trust often replaces the VPN entirely with per-resource verification. Google’s BeyondCorp is the canonical example of doing exactly that.
Not just for big companies. The principles scale down. Your home network can run on these ideas too.
Not a product you buy. Vendors will happily sell you “zero trust solutions,” but you cannot install zero trust. It is an approach you build toward.
Not instant. Moving to zero trust takes time. It is a gradual migration, not a switch you flip.
The Full Picture (Where the Metaphor Ends)
Here is where the hotel runs out of road and the real systems take over.
In a real zero trust setup, the “doors” are software. Identity is the new perimeter. Every request carries proof of who or what is making it, and every resource decides independently whether to honor it.
- The key card becomes a cryptographic identity. For services, that often means SPIFFE identities and short-lived certificates instead of a long-lived shared secret.
- The door check becomes mTLS, where both sides prove who they are before a single byte of application data moves.
- “Every door checks independently” becomes microsegmentation. In Kubernetes that is a NetworkPolicy per workload, enforced by a CNI like Cilium, so a compromised pod cannot reach anything it was not explicitly allowed to reach.
- The late checkout that expires at 7:01 PM becomes short-lived credentials issued by something like Vault, so access dies on a timer instead of lingering forever.
Notice that none of this changes the core idea. It is the same hotel, scaled up and made cryptographic. A reader who stops at the hotel still understands the model. A reader who wants the implementation now knows where each piece maps.
This is also why zero trust fits the way I think about sovereignty. When you stop trusting the network and start verifying every request, you are forced to actually understand who talks to what and why. There is no opaque “inside” that you wave through. Every connection becomes something you can inspect, reason about, and revoke. For more on why I refuse to run systems I cannot inspect, see Sovereign Infrastructure.
The Short Version
When someone asks you “what is zero trust?”, try this:
“Traditional security is like a castle. Once you are inside the walls, you are trusted everywhere. Zero trust is like a hotel. You have a key card, but every door still checks whether you are allowed through. Being inside does not mean you have access to everything.”
That is the whole concept. The implementation underneath involves identity providers, microsegmentation, mTLS, and continuous monitoring, but the idea driving all of it stays this simple: every door checks, every time, regardless of where you are standing.
Next time someone in a meeting throws around “zero trust” like a buzzword, you will know exactly what they mean. Better still, you can hand the explanation back in terms anyone in the room can follow.
