Many network security architectures assume that anything inside the firewall is trustworthy and that anything outside is hostile until it has been verified. A zero-trust architecture makes no such assumption based on location: every access request must be authenticated and authorized, whether it originates inside or outside the network.
As an example, Transportation Security Administration workers at an American airport check your ticket and ID and then give you access to the rest of the airport. A boarding pass is required to get on a plane, but that pass could be handed off to anyone else. With zero-trust, any time you try to access a restaurant, lounge, seating area, store or aircraft, you'd be forced to show your ticket and ID again. Nobody would ever trust that you are a traveler just because you have a suitcase.
One implementation of a zero-trust model is the software-defined perimeter (SDP), in which a controller acts as an overlay that decides which hosts may communicate with each other; the gateways that carry the traffic enforce only the connections the controller has approved. Separating the control plane from the data plane in this way, as software-defined networking does, lets the security model scale as the number of hosts and policies grows.
Within a VPN, there is typically an implied trust that any data coming through the controlled endpoints of the tunnel is legitimate. The tunnel, however, only proves that the remote endpoint holds valid credentials, not that the endpoint itself is uncompromised. Once bad actors gain unauthorized access to a remote endpoint, they can use the VPN's protected tunnel to make their way to the headquarters' resources. By employing zero trust at the VPN endpoints and governing VPN traffic, every connection over the tunnel is authenticated and authorized against policy and is never assumed to be safe simply because it arrived through the tunnel.
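As an added example (not code from the article or from any SDP or VPN product), the following Python sketch shows the controller/gateway split described above together with the per-request vetting that replaces implied tunnel trust. The signing key, policy table, enrolled-device list and posture checks are all constructed assumptions; in a real deployment the key would live in a KMS or HSM and posture would come from an attestation agent rather than a dict passed in by the caller.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed for this example: a real controller would keep this key in a KMS
# or HSM, and the gateway would verify grants with its own key material.
CONTROLLER_KEY = b"example-controller-key-do-not-reuse"

# Constructed policy: (user, host) -> device posture the device must prove.
# Any (user, host) pair not listed is denied, whatever tunnel it arrives on.
POLICY = {
    ("alice", "payroll-db"): {"disk_encrypted": True, "os_patched": True},
    ("bob", "wiki"): {"disk_encrypted": True},
}
ENROLLED_DEVICES = {"alice": {"laptop-a1"}, "bob": {"laptop-b7"}}

SESSION_TTL = 3600   # seconds a session token lives
GRANT_TTL = 300      # seconds a per-host access grant lives


def _sign(parts):
    return hmac.new(CONTROLLER_KEY, "|".join(parts).encode(), hashlib.sha256).hexdigest()


def issue_session(user, device_id, now, ttl=SESSION_TTL):
    """Identity step: a session token bound to both the user and the device."""
    exp = str(int(now) + ttl)
    return "|".join([user, device_id, exp, _sign([user, device_id, exp])])


def _parse_session(token, now):
    try:
        user, device_id, exp, sig = token.split("|")
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign([user, device_id, exp])) or now >= int(exp):
        return None
    return user, device_id


@dataclass(frozen=True)
class AccessRequest:
    session: str
    device_id: str     # device the request actually arrives from
    posture: dict      # attested posture report for that device (constructed here)
    target_host: str
    now: float


def authorize(req):
    """Control plane: re-check identity, device binding, enrollment, policy and
    posture on every request. Returns (grant, reason); grant is None on denial."""
    parsed = _parse_session(req.session, req.now)
    if parsed is None:
        return None, "invalid or expired session"
    user, session_device = parsed
    if session_device != req.device_id:
        return None, "session not bound to this device"
    if req.device_id not in ENROLLED_DEVICES.get(user, set()):
        return None, "device not enrolled for user"
    required = POLICY.get((user, req.target_host))
    if required is None:
        return None, "no policy allows this user to reach this host"
    for check, wanted in required.items():
        if req.posture.get(check) != wanted:
            return None, "posture check failed: " + check
    exp = str(int(req.now) + GRANT_TTL)
    fields = [user, req.device_id, req.target_host, exp]
    return "|".join(fields + [_sign(fields)]), "granted"


def gateway_forward(grant, device_id, dst_host, now):
    """Data plane: forward a flow only if a valid grant names exactly this device
    and destination. Being inside the tunnel grants nothing by itself."""
    try:
        user, g_device, g_host, exp, sig = grant.split("|")
    except (ValueError, AttributeError):
        return False
    if not hmac.compare_digest(sig, _sign([user, g_device, g_host, exp])):
        return False
    return g_device == device_id and g_host == dst_host and now < int(exp)


if __name__ == "__main__":
    now = 1_700_000_000.0
    sess = issue_session("alice", "laptop-a1", now)
    ok_posture = {"disk_encrypted": True, "os_patched": True}
    grant, why = authorize(AccessRequest(sess, "laptop-a1", ok_posture, "payroll-db", now))
    print(why, gateway_forward(grant, "laptop-a1", "payroll-db", now + 1))
    # a copied session presented from a different device is refused
    print(authorize(AccessRequest(sess, "laptop-x9", ok_posture, "payroll-db", now))[1])
```

The grant is deliberately scoped to one user, one device, one destination host and a few minutes: a grant for `payroll-db` cannot be replayed against `wiki`, and a session token lifted from alice's laptop is useless from another device because the controller compares the device bound into the token with the device the request arrives from.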
Through virtual LANs and access control lists, companies can create security zones, but those zones are coarse-grained: the ACL typically governs only traffic crossing a zone boundary, and any host within a zone can usually reach any other host in the same zone. Microsegmentation is a security strategy that applies policy to individual workloads, so that each workload may talk only to the specific peers and ports its role requires.
This becomes even more critical in cloud and virtualized environments, where a single server can host dozens of virtual machines (VMs) and workloads that would all land in the same zone. Providing a fine-grained security profile at the application level limits lateral movement: compromising one VM does not by itself grant network access to the data on the VMs beside it.
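The difference between a zone ACL and per-workload policy, as an added example that is not from the article or from any vendor product. The five workloads, the two rule sets and the port list are constructed for illustration; the functions compute the set of workloads an attacker on a compromised VM could open a connection to under each model, which is the blast radius the two paragraphs above are talking about.

```python
from dataclasses import dataclass


@dataclass
class Workload:
    name: str
    zone: str       # the VLAN / security zone the host was placed in
    labels: dict    # role and app labels used by the per-workload policy


# Constructed inventory: five VMs on one hypervisor, spread over three zones.
WORKLOADS = {w.name: w for w in [
    Workload("web1", "web", {"role": "web", "app": "orders"}),
    Workload("app-orders", "app", {"role": "app", "app": "orders"}),
    Workload("app-billing", "app", {"role": "app", "app": "billing"}),
    Workload("db-orders", "db", {"role": "db", "app": "orders"}),
    Workload("db-billing", "db", {"role": "db", "app": "billing"}),
]}

# Coarse model: ACLs sit only between zones, so intra-zone traffic is switched
# without inspection. Each rule is (source zone, destination zone, port).
ZONE_ACL = {("web", "app", 8080), ("app", "db", 5432)}


def zone_acl_allows(src, dst, port):
    if src.zone == dst.zone:
        return True                      # same VLAN: nothing in the path says no
    return (src.zone, dst.zone, port) in ZONE_ACL


# Fine-grained model: every rule names a source selector, a destination selector
# and a port. Anything not matched is dropped, same zone or not.
MICROSEG_RULES = [
    ({"role": "web"}, {"role": "app"}, 8080),
    ({"role": "app", "app": "orders"}, {"role": "db", "app": "orders"}, 5432),
    ({"role": "app", "app": "billing"}, {"role": "db", "app": "billing"}, 5432),
]


def _matches(selector, labels):
    return all(labels.get(k) == v for k, v in selector.items())


def microseg_allows(src, dst, port):
    return any(_matches(s, src.labels) and _matches(d, dst.labels) and p == port
               for s, d, p in MICROSEG_RULES)


PORTS = (8080, 5432, 22)   # constructed: ports an attacker on a compromised VM might try


def reachable(allows, src_name, ports=PORTS):
    """Blast radius: workloads a compromised src can reach on any listed port
    under the policy model implemented by `allows`."""
    src = WORKLOADS[src_name]
    return sorted(d.name for d in WORKLOADS.values()
                  if d.name != src_name and any(allows(src, d, p) for p in ports))


def compare(src_name):
    """Reachable set from src_name under both models, for side-by-side reading."""
    return {"zone_acl": reachable(zone_acl_allows, src_name),
            "microseg": reachable(microseg_allows, src_name)}


if __name__ == "__main__":
    for name in ("web1", "app-orders", "db-orders"):
        print(name, compare(name))
```

From `web1` both models agree, because the web-to-app edge is the one thing the zone ACL was written for. The divergence shows up one hop in: from a compromised `app-orders` the zone ACL lets the attacker reach the neighbouring app VM and both databases, while the per-workload rules allow exactly the one database that service needs, and from a compromised `db-orders` the zone model still exposes `db-billing` on every port simply because the two VMs share a VLAN.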
Ultimately, zero trust is difficult to implement because every access relationship has to be explicitly spelled out for each application, with no implicit assumptions. But when done properly, a zero-trust model provides a greater level of security precisely because making every trust relationship explicit exposes the gaps in the existing security model.