by ssteo
2535 days ago
In the fifth paragraph: "No longer does the company rely on a network perimeter, but rather exposes internal systems to the public internet." This is terribly misleading! The zero trust model is often explained incorrectly and misunderstood as allowing internal services like OpenSSH to be directly exposed to the public all the time. In actuality, it also works similarly to a VPN in having perimeter security, but in a dynamic way. There should be a proxy separate from the actual service for authentication, and only the authentication service is exposed to public traffic all the time, while the internal resource only accepts inbound traffic from the IP address of a user who has authenticated successfully; this is orchestrated in real time by the authentication service. The traffic from the same user to the internal service is also denied the moment they log off; think of it like a dynamic iptables system. Another emphasis of the zero trust model is to authenticate requests even when they are coming from the same internal subnet. Too many articles are misleading people into thinking that the zero trust model is to take away perimeter security entirely. Note: Exposing any internal services like SSH, message queues or databases directly to the public is not the right approach, because they can get compromised when there's any RCE vulnerability.
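The "dynamic iptables" gate the comment describes, modelled as an added example (not code from the commenter or from the article under discussion): a public authentication service opens the internal service port only for the authenticated client's source IP, and closes it again on logoff or session expiry, while same-subnet traffic with no live session stays denied. The user table, port and generated firewall commands are constructed assumptions; commands are collected rather than executed so the model runs offline.

```python
"""Toy model of a zero-trust gate that keeps a dynamic perimeter."""
import hmac
import time

SERVICE_PORT = 22  # assumed internal service (e.g. SSH), never exposed directly


class DynamicPerimeter:
    def __init__(self, session_ttl, clock=time.time):
        self.session_ttl = session_ttl
        self.clock = clock          # injectable so expiry can be tested
        self.sessions = {}          # user -> (client_ip, expires_at)
        self.firewall_log = []      # iptables commands that would be issued

    def _rule(self, action, ip):
        # "-I" inserts an ACCEPT for one source IP; "-D" deletes it again.
        # Constructed command string; nothing is executed here.
        self.firewall_log.append(
            f"iptables {action} INPUT -s {ip} -p tcp --dport {SERVICE_PORT} -j ACCEPT"
        )

    def authenticate(self, user, password, client_ip, users):
        """Only this auth step is reachable from the public internet."""
        if not hmac.compare_digest(users.get(user, ""), password):
            return False
        self.sessions[user] = (client_ip, self.clock() + self.session_ttl)
        self._rule("-I", client_ip)   # open the port for this IP only
        return True

    def logoff(self, user):
        """Logoff removes the hole immediately, as the comment describes."""
        entry = self.sessions.pop(user, None)
        if entry is not None:
            self._rule("-D", entry[0])

    def allows(self, client_ip):
        """Default deny: even same-subnet traffic needs a live session."""
        now = self.clock()
        for user, (sess_ip, expires_at) in list(self.sessions.items()):
            if now >= expires_at:
                self.logoff(user)      # expiry closes the hole like a logoff
            elif sess_ip == client_ip:
                return True
        return False
```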