Zero Trust networking is rooted in the principle of “never trust, always verify.” It assumes the attacker may already be inside, whether a compromised host or a malicious insider, and it addresses lateral movement within the system through micro-segmentation and granular perimeter enforcement based on user, device, data and location. What it cannot do is stop a traitor from misusing access they have legitimately been granted; it only narrows that access to what their role needs, so monitoring of authorized activity is still required.
Use Zero Trust to grant access based on context for all traffic (user, device, location and application), with zoning (segmentation) deciding which internal flows are allowed at all. To make context-based decisions, traffic must pass through an enforcement point, a firewall with decryption capability in front of the server environment (applications, services, etc.), so that it is inspected rather than merely routed. Decrypting at the firewall makes it a TLS endpoint, so its keys and its own administrative access need the same protection as the servers behind it. The firewall and the servers’ own host policies implement micro-segmented perimeters and act as border control within the organization. Securing the external perimeter border remains necessary, but it is even more crucial to verify traffic as it crosses between the different functions within the network, because that is the path an attacker who already has a foothold must take. Adding two-factor authentication and other verification methods increases confidence that a user is who they claim to be. Use the Zero Trust exercise to identify business processes, users, data, data flows and their associated risks, then set policy rules that are updated automatically, based on those risks, with every iteration.
Note, in addition to the micro-segmentation that grants trust only upon verification (do you belong here?), it is best to establish an automated, mutually authenticated key exchange between every machine on the network, based on a recognized (allowlisted) set of keys: no successful key exchange, no interaction. In practice that means a host only accepts SSH connections from known client keys, and a client only completes a connection to a host whose key is already pinned, so an unknown machine never gets a session at all. (OpenBSD, with its OpenSSH and OpenBSD PF, is a good network baseline.)
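As an added example (not from the original post) of what the micro-segmentation and allowlisting described above look like on the OpenBSD PF baseline, the pf.conf below defines three internal zones and permits only the named flows between them. Interface names, address ranges and the management host addresses are assumptions for illustration; substitute your own.

```pf
# Added example: OpenBSD pf.conf for internal micro-segmentation.
# Interface names, networks and management addresses are assumed values.
user_if = "em1"     # user workstations
app_if  = "em2"     # application servers
db_if   = "em3"     # database servers

user_net = "10.10.1.0/24"
app_net  = "10.10.2.0/24"
db_net   = "10.10.3.0/24"

# Allowlist of management hosts permitted to reach sshd; nothing else may.
table <mgmt> const { 10.10.1.10, 10.10.1.11 }
# Sources that exceed the SSH connection-rate limit are parked here.
table <bruteforce> persist

set skip on lo
set block-policy drop

# Drop packets whose source address could not legitimately arrive on that interface.
antispoof quick for { $user_if $app_if $db_if }

# Default deny on every interface, logged; every allowed flow is explicit below.
block log all
block log quick from <bruteforce>

# Users reach applications only over HTTPS; this firewall is the inspection point.
pass in  quick on $user_if proto tcp from $user_net to $app_net port 443
pass out quick on $app_if  proto tcp from $user_net to $app_net port 443

# Applications reach databases only on the DB port; users never talk to the DB zone.
pass in  quick on $app_if proto tcp from $app_net to $db_net port 5432
pass out quick on $db_if  proto tcp from $app_net to $db_net port 5432

# SSH only from the management allowlist, rate-limited so a compromised
# management host cannot hammer every server; unknown sources never reach sshd.
pass in quick on $user_if proto tcp from <mgmt> to { $app_net $db_net } port 22 \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)
pass out quick on { $app_if $db_if } proto tcp from <mgmt> to { $app_net $db_net } port 22
```

Load it with `pfctl -nf /etc/pf.conf` first to check syntax, then `pfctl -f /etc/pf.conf`. Because the policy is default deny, any supporting flow you forgot (DNS, NTP, log shipping) shows up immediately in `tcpdump -n -e -ttt -i pflog0`, which is the point: each new pass rule is a deliberate decision. The "no key exchange, no interaction" half lives on the hosts themselves: in sshd_config set `PasswordAuthentication no`, `AuthenticationMethods publickey` and `AllowUsers` to the accounts that should log in, and on clients set `StrictHostKeyChecking yes` with a curated known_hosts (or `@cert-authority` entries) so a host that is not already pinned never gets a session.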
Remember, security is not for the passive! It is an ugly world out there; you must be proactive with all of your security.