Matt Coppinger

Zero Trust at the Endpoint: A Practical Guide

Security, Enterprise Architecture, Zero Trust

Zero trust is one of the most talked-about concepts in enterprise security - and one of the most misunderstood. It gets thrown around in vendor pitches and boardroom slides, but when it comes to actually implementing it, most organisations struggle to move beyond the buzzword.

This is a practical guide: what zero trust actually is, why the traditional model is broken, and how to implement it across the layers that matter - device, identity, network, and application.

What Is Zero Trust?

At its core, zero trust is a security model built on one principle: never trust, always verify.

In the traditional perimeter model, everything inside the corporate network was trusted by default. You authenticated once at the VPN or firewall, and then you had broad access to internal resources. The assumption was that if you were "inside," you were safe.

That assumption is broken. Remote work, cloud services, BYOD, and increasingly sophisticated attacks mean there is no meaningful perimeter anymore. An attacker who compromises a single device or credential is already "inside." A perimeter model gives them the keys to everything.

Zero trust flips this. Every access request - regardless of where it comes from - must be verified. Trust is never assumed, never permanent, and never binary. It's continuously evaluated based on multiple signals.

The Four Pillars

Zero trust isn't a single technology. It's a framework that spans four interconnected layers:

1. Device Trust

Before a device accesses any corporate resource, you need to know: is this device managed? Is it compliant? Is it compromised?

Device trust means continuously assessing posture - not just at enrolment, but at every access request. A laptop that was compliant yesterday might have had its firewall disabled, fallen behind on OS patches, or been jailbroken today.

In practice, this is where Unified Endpoint Management (UEM) earns its keep. Platforms like Workspace ONE UEM can enforce security baselines across your fleet:

  • OS version and patch level - block access from devices running unpatched operating systems
  • Encryption status - ensure FileVault (macOS) or BitLocker (Windows) is enabled
  • Firewall and antivirus state - verify endpoint protection is active, not just installed
  • Jailbreak/root detection - identify tampered devices that can't be trusted
  • Security baseline compliance - deploy and monitor 200+ configuration standards using tools like WOMBAT to align with CIS, NIST, or DISA STIG frameworks

The key is continuous assessment. A compliant device at 9am might drift by lunchtime. Your zero trust architecture needs to detect that drift and respond - either remediating automatically or adjusting access accordingly.
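As an added example (not Workspace ONE or WOMBAT code), the Python below sketches the continuous-assessment loop described above: each posture snapshot is scored against a baseline, drift since the previous snapshot is reported, and the response is remediate-first - access is restricted while the fix lands, and blocked only when a finding (here, a jailbroken OS) cannot be fixed remotely. The posture fields, the baseline values and the remediation command names are assumptions made for illustration; a real UEM agent and console would supply their own.

```python
"""Continuous device-posture evaluation with drift detection.

Added example, not Workspace ONE or WOMBAT code. The posture fields, the
baseline values and the remediation command names are assumptions chosen
to illustrate the technique; a real UEM agent would supply them.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical security baseline. Version tuples compare element-wise,
# so (14, 4, 0) < (14, 4, 1) evaluates as expected.
BASELINE = {"min_os_version": (14, 4, 1)}


@dataclass(frozen=True)
class Posture:
    """One posture snapshot, as an endpoint agent might report it."""
    collected_at: str
    os_version: Tuple[int, ...]
    disk_encrypted: bool
    firewall_on: bool
    av_running: bool
    jailbroken: bool


@dataclass(frozen=True)
class Finding:
    control: str
    remediable: bool      # True if the UEM can fix it without user action
    remediation: str      # hypothetical remediation command name


def evaluate(p: Posture, baseline: Dict = BASELINE) -> List[Finding]:
    """Return every baseline control the snapshot fails; empty means compliant."""
    findings: List[Finding] = []
    if p.os_version < baseline["min_os_version"]:
        findings.append(Finding("os_patch_level", True, "install_pending_updates"))
    if not p.disk_encrypted:
        findings.append(Finding("disk_encryption", True, "enable_disk_encryption"))
    if not p.firewall_on:
        findings.append(Finding("host_firewall", True, "enable_firewall"))
    if not p.av_running:
        findings.append(Finding("endpoint_protection", True, "restart_av_service"))
    if p.jailbroken:
        # Tampered OS: nothing pushed to the device can be trusted to run.
        findings.append(Finding("os_integrity", False, ""))
    return findings


def respond(previous: Posture, current: Posture) -> Dict:
    """Compare two snapshots, report drift, and choose a response.

    Remediate first; restrict access while remediation is pending; block
    only for findings that cannot be fixed remotely.
    """
    before = {f.control for f in evaluate(previous)}
    now = evaluate(current)
    drifted = sorted(f.control for f in now if f.control not in before)
    if not now:
        return {"drift": drifted, "action": "allow", "access": "full", "remediation": []}
    if all(f.remediable for f in now):
        return {
            "drift": drifted,
            "action": "remediate",
            "access": "restricted",   # e.g. read-only until the fix lands
            "remediation": [f.remediation for f in now],
        }
    return {"drift": drifted, "action": "block", "access": "none", "remediation": []}


# Constructed snapshots for one laptop over a single day.
MORNING = Posture("09:00", (14, 5, 0), True, True, True, False)
LUNCH = Posture("12:30", (14, 5, 0), True, False, True, False)   # firewall switched off
EVENING = Posture("18:00", (14, 5, 0), True, False, True, True)  # now also jailbroken

if __name__ == "__main__":
    for label, snap in (("lunch", LUNCH), ("evening", EVENING)):
        print(label, respond(MORNING, snap))
```

The split between remediable and non-remediable findings is the design decision worth copying: a firewall that was switched off is a push away from compliant, while a jailbroken OS cannot be trusted to execute the remediation you push to it, so it is the one case where blocking comes first.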

2. Identity Trust

Device trust tells you the machine is clean. Identity trust tells you the person is who they claim to be - and that they should have access to what they're requesting.

This goes well beyond a username and password:

  • Multi-factor authentication (MFA) - a condition of access that is re-prompted when risk signals change, not a one-time gate at initial login
  • Conditional access policies - grant or deny access based on context: device compliance, location, risk score, time of day
  • Single sign-on (SSO) with continuous evaluation - authenticate once, but re-evaluate trust signals throughout the session
  • Risk-based authentication - step up authentication requirements when something looks unusual (new device, new location, impossible travel)

Workspace ONE Access (or similar identity providers) can tie device compliance directly into conditional access decisions. A user on a compliant, managed device gets seamless SSO. The same user on an unmanaged device gets MFA plus restricted access. The same user on a non-compliant device gets blocked entirely. For that to hold, the compliance signal has to come from the management platform's own record of the device - typically bound to a device identity it issued - rather than from anything the endpoint asserts about itself.

This is the power of combining identity and device trust - access decisions based on the full picture, not just credentials.

3. Network Trust

Traditional VPNs are one of the biggest zero trust anti-patterns. A full-tunnel VPN puts the authenticated user onto the corporate network with broad access - exactly the "trusted insider" model that zero trust is designed to eliminate.

The zero trust approach to network access is per-app VPN (also called micro-tunnelling):

  • Instead of tunnelling all device traffic through the corporate network, you tunnel only the traffic for specific approved applications
  • Each application gets its own encrypted tunnel to its specific backend resource
  • The user never sits "on the network" - they have access to individual services, nothing more

Workspace ONE Tunnel is a practical example. It enables per-app VPN on both managed and unmanaged devices, routing only sanctioned application traffic through the corporate gateway. A user's browser, personal apps, and other traffic never touch the corporate network.

This dramatically reduces the blast radius of a compromise. Even if an attacker gains access to a device, they can't use the tunnel to pivot across the network - there is no network-wide tunnel to exploit. It narrows the exposure rather than removing it: an attacker with code execution on the device can still drive the sanctioned app, and its tunnel, at the one backend it reaches, so that backend still needs its own authentication, authorisation, and monitoring.

Other network-level zero trust controls include:

  • Micro-segmentation - isolating workloads and resources so lateral movement is limited even within the data centre
  • Software-defined perimeter (SDP) - resources don't answer unauthenticated connections, so they are invisible to scanning and far harder to attack
  • DNS-layer security - blocking connections to known malicious domains before they reach the endpoint

4. Application Trust

The final layer is ensuring that only approved, verified applications can access corporate data:

  • Application allowlisting (whitelisting) - only sanctioned apps can connect to corporate services
  • App-level authentication - individual applications authenticate independently, not just the device or user session
  • Data loss prevention (DLP) - control what data can be copied, shared, or exported from managed applications
  • Managed app configuration - push security policies into the application itself (e.g., disabling copy/paste between managed and unmanaged apps)

Workspace ONE UEM can enforce app-level policies: managed applications get access to corporate data through per-app VPN tunnels, while unmanaged applications on the same device are completely isolated from corporate resources. Open-in restrictions prevent data from leaking between managed and personal apps.

How It All Works Together

The real power of zero trust is in the combination. Here's what a typical access flow looks like:

  1. User opens a corporate app on their device
  2. Device posture is checked - OS version, encryption, compliance status, security baseline
  3. Identity is verified - MFA, SSO token, risk score
  4. Conditional access evaluates - Is the device compliant? Is the user authorised for this resource? Is the context normal?
  5. Per-app VPN tunnel opens - only for this specific application, to this specific backend
  6. Access is granted - with appropriate restrictions based on the trust level (e.g., read-only if posture is marginal)
  7. Continuous monitoring - if device compliance changes mid-session, access is re-evaluated in real time

No broad network access. No permanent trust. Every request evaluated on its merits.
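The decision logic behind this flow, and the three outcomes described under Identity Trust (seamless SSO on a compliant managed device, MFA plus restrictions on an unmanaged one, block on a non-compliant one), as an added Python example that is not Workspace ONE Access code. The app catalogue, backend hostnames, risk thresholds and restriction names are assumptions; the point is that every rule consumes both device and identity signals, the tunnel is scoped to a single backend per app, and the same evaluation runs again whenever a signal changes mid-session.

```python
"""Conditional access: device + identity signals -> per-app access decision.

Added example, not Workspace ONE Access code. The app catalogue, backend
hostnames, risk thresholds and restriction names are assumptions made for
illustration; a real identity provider supplies its own equivalents.
"""
from dataclasses import dataclass
from typing import Optional, Set

# Hypothetical catalogue: each app's tunnel may reach exactly one backend.
APP_BACKENDS = {
    "mail": "mail.corp.example:443",
    "finance": "erp.corp.example:8443",
}
SENSITIVE_APPS = {"finance"}        # always require MFA
RISK_STEP_UP, RISK_DENY = 40, 80    # assumed thresholds on a 0-100 risk score


@dataclass(frozen=True)
class Device:
    managed: bool
    compliant: bool = False          # only meaningful when managed
    posture_marginal: bool = False   # e.g. a patch due soon but not yet overdue


@dataclass(frozen=True)
class Identity:
    user: str
    entitlements: Set[str]
    mfa_verified: bool               # MFA completed in the current session
    risk_score: int                  # from the IdP's risk engine
    new_location: bool = False


@dataclass(frozen=True)
class Decision:
    outcome: str                     # "allow" | "step_up" | "deny"
    reason: str
    tunnel: Optional[str] = None     # backend the per-app tunnel is scoped to
    restrictions: frozenset = frozenset()


def evaluate(dev: Device, ident: Identity, app: str) -> Decision:
    """Steps 2-6 of the access flow: posture, identity, policy, tunnel scope."""
    if app not in APP_BACKENDS:
        return Decision("deny", "unknown application")
    if app not in ident.entitlements:
        return Decision("deny", "user not entitled to application")
    if dev.managed and not dev.compliant:
        return Decision("deny", "managed device out of compliance")
    if ident.risk_score >= RISK_DENY:
        return Decision("deny", "identity risk too high")

    # Step-up rules: unmanaged device, unusual context, or a sensitive app.
    needs_mfa = (not dev.managed or ident.new_location
                 or ident.risk_score >= RISK_STEP_UP or app in SENSITIVE_APPS)
    if needs_mfa and not ident.mfa_verified:
        return Decision("step_up", "MFA required for this context")

    restrictions = set()
    if not dev.managed:
        restrictions |= {"web_only", "no_download"}   # data stays off the device
    if dev.posture_marginal:
        restrictions.add("read_only")
    return Decision("allow", "policy satisfied",
                    tunnel=APP_BACKENDS[app], restrictions=frozenset(restrictions))


class Session:
    """Step 7: trust is re-evaluated whenever a signal changes, not once at login."""

    def __init__(self, dev: Device, ident: Identity, app: str):
        self.app = app
        self.decision = evaluate(dev, ident, app)

    def on_signal(self, dev: Device, ident: Identity) -> Decision:
        """Feed the latest posture/identity signals and return the current decision.

        A deny here should tear down the per-app tunnel (decision.tunnel is None).
        """
        self.decision = evaluate(dev, ident, self.app)
        return self.decision


# Constructed scenarios.
ALICE = Identity("alice", {"mail", "finance"}, mfa_verified=False, risk_score=10)
MANAGED_OK = Device(managed=True, compliant=True)
UNMANAGED = Device(managed=False)

if __name__ == "__main__":
    print(evaluate(MANAGED_OK, ALICE, "mail"))       # allow: SSO, tunnel to mail backend only
    print(evaluate(UNMANAGED, ALICE, "mail"))        # step_up: MFA before anything else
    s = Session(MANAGED_OK, ALICE, "mail")
    print(s.on_signal(Device(managed=True, compliant=False), ALICE))   # deny mid-session
```

Two things are deliberate: deny conditions are evaluated before step-up, so a non-compliant device never gets the chance to "MFA its way in"; and the allow decision carries the one backend the tunnel may reach, so the network layer enforces the same scope the policy engine decided rather than handing out broad access.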

Practical Implementation Tips

Zero trust is a journey, not a switch. You don't implement it overnight. Here's how to approach it practically:

Start with what you have. If you're running a UEM platform, you already have device compliance, app management, and probably some form of conditional access. That's a foundation - build on it rather than ripping everything out.

Pick a high-value use case first. Don't try to zero-trust everything at once. Start with your most sensitive applications - email, finance systems, code repositories - and implement device + identity + per-app VPN for those. Expand from there.

Replace full-tunnel VPN early. This is often the single biggest security win. Moving from a full-tunnel VPN to per-app VPN reduces your attack surface immediately and visibly.

Automate remediation, don't just block. When a device falls out of compliance, the first response should be to fix it - push the missing update, re-enable the firewall, rotate the certificate. Only block access as a last resort. Users who get blocked without explanation will find workarounds, and those workarounds will be worse than the original risk.

Communicate with users. Zero trust changes the user experience. Be transparent about why access was restricted and what the user needs to do. A self-service compliance portal - showing users exactly what's non-compliant and how to fix it - dramatically reduces support tickets and user frustration.

The Endpoint Is the Foundation

You can have the best identity provider, the most sophisticated network segmentation, and the tightest application policies - but if you can't verify that the device itself is secure, your entire zero trust architecture is built on sand.

That's why endpoint management isn't just an IT operations concern. It's a security architecture decision. Tools like Workspace ONE UEM - extended with security baseline tooling like WOMBAT - provide the device trust layer that makes everything else work.

Zero trust isn't a product you buy. It's a model you build, layer by layer, using the tools and policies that make sense for your environment. Start practical, stay consistent, and never assume trust.