Back to Insights
zero trustgraph theorynetwork securitymicro-segmentation3r frameworkleast privilege

Zero Trust Is a Topology Change, Not an Identity Layer

Every vendor is selling Zero Trust. None of them are selling graph databases. That's the problem. You can't determine 'necessary edges' without mapping your current graph—and no identity proxy solves that.

Levente Simon

Levente Simon

Creator of Dethernety

January 23, 2026·8 min read
Zero Trust Is a Topology Change, Not an Identity Layer

Zero Trust is Just Graph Theory with a Marketing Budget

Every vendor is selling Zero Trust. None of them are selling graph databases. That's the problem.

Zero Trust implementation is finally accepted, budget approved, the vendors are lined up. You're doing the right thing.

You're also probably doing it wrong.

What Zero Trust Actually Is

Strip away the marketing and Zero Trust is a topology change:

Default state:  Edge(A, B) = DENIED
Allowed state:  Edge(A, B) = ALLOWED only if Policy(A, B) = VERIFIED

That's it. No implicit connectivity. Every edge must be explicitly defined and continuously verified.

The promise: blast radius containment through topology restriction. A compromised node inherits only its own edges, not the entire graph.

The standard Zero Trust pillars (Identity, Device, Network, Application, Data) map directly to graph concepts. Devices, applications, and data are nodes. The network is the graph: edges and topology. Identity is the verification layer that controls edge traversal.

Where the industry went sideways

Vendors sell Zero Trust as an identity layer. "Verify the user, verify the device, grant access." This answers "Who is requesting access?" but ignores a harder question: What access should exist in the first place?

Robust identity governance manages the keys. Graph theory determines where the doors are, and which ones should be bricked up.

Zero Trust requires three steps:

  1. Remove all implicit edges (default deny)
  2. Add back only necessary edges
  3. Continuously verify those edges

You are just about to buy tools for Step 3. And Step 2 is where your project will stall.

You cannot determine "necessary edges" without knowing:

  • What edges currently exist (your actual topology)
  • What business functions depend on those edges
  • Which edges can be removed without breaking operations

This is a graph mapping problem. No identity proxy solves it.

Without a model of your current graph, you're writing policies based on what you think the dependencies are. The result? You break production (removed a necessary edge) or leave gaps (missed an implicit edge attackers will find).

And that's before asking whether your nodes can even participate in explicit verification.

The Node Problem

Zero Trust isn't an overlay that you can just slap to your network. It requires nodes that participate.

A database that accepts any connection from the "trusted" subnet can't do Zero Trust. An application that doesn't validate tokens can't do Zero Trust. A service that speaks unencrypted protocols can't do Zero Trust. Data that hasn't been classified can't do Zero Trust, you don't know what protection it needs.

These are your Device, Application, and Data pillars: the Nodes. If they can't participate in verification, no identity proxy in front of them changes that. You've just recreated perimeter security with a different boundary, the architecture behind it is still flat trust.

Before you buy the identity proxy, ask: can your nodes actually verify every request? If they can't, you're adding a gate in front of systems that still assume implicit trust.

This doesn't mean every node needs to participate. The same 3R economics apply here: hardening every system is as irrational as segmenting every edge. You need to know which nodes sit on critical paths. Which, again, requires a graph.

Service mesh can solve this by offloading the 'Node Readiness' to the infrastructure. It is often architecturally smarter to let a sidecar handle mTLS and auth rather than bloating every microservice with security code.

But recognize the trade-off: You are trading development complexity for operational complexity. You haven't removed the cost; you've moved it to the platform team.

Your Zero Trust vendor probably won't mention this (and may not even understand it). Most importantly, the mesh is just an enforcement engine. It is a very efficient guard, but it still needs to be told who to let in. It requires a map. Deploying Istio without a dependency graph is just building a more expensive, more complex flat network

Vendors sell proxies. Zero Trust requires architects.

Least Privilege, Formally

"Least Privilege" gets thrown around without precision. The mathematical definition:

$$\text{Least Privilege} = \min(\text{Reachability}) \text{ subject to: Business Function}$$

Find the smallest edge set that allows the business to operate.

This is a constrained optimization problem requiring:

  1. Objective: Minimize total reachability (attack surface)
  2. Constraints: Business functions remain operational
  3. Variables: The set of edges (permissions, paths, trust relationships)
  4. Current state: Your existing graph topology

Without knowing the current graph, you're minimizing a function you haven't defined over a domain you haven't mapped.

Example: Finance needs payment system access.

  • Without graph analysis: "Finance users get access to finance apps."
  • With graph analysis: "Finance users access payment UI (Node A) → payment API (Node B) → transaction DB (Node C). Required edges: User→A, A→B, B→C. Nothing else."

The second is Least Privilege. The first is… well, hope.

Why You Can't Micro-Segment Everything

The tempting answer to the Node Problem: if nodes can't participate, segment them into oblivion. Contain what you can't fix.

But the same 3R economics that limit node hardening also limit segmentation. Full micro-segmentation doesn't scale. Apply the 3R Framework (Revenue, Resources, Risk):

Resources: Every edge requires policy definition, testing, monitoring, maintenance. Edge count scales with users × services × environments × data.

Risk reduction curve:

  • First 20% of edges secured → 80% of critical attack paths closed
  • Last 60% → marginal reduction (non-critical paths)

3R conclusion: Full micro-segmentation is economically irrational. You stop when the cost of the next control exceeds its risk reduction.

Securing the edge between Marketing's printer and the cafeteria menu display is bad economics. High maintenance cost, near-zero risk reduction.

The optimal strategy:

Zero Trust on critical paths + Monitoring on everything else

But to know which paths are critical, you need a graph. Without it, you overspend (securing the printer) or underspend (missing the crown jewels).

And even perfect segmentation isn't Zero Trust. Segmentation controls which nodes can talk. It doesn't verify who is talking or what they're allowed to do. You could try to bolt identity onto the network layer—identity-aware proxies, NAC, more patchwork—but that's questionable feasibility and adds directly to your 3R Resources cost. Real verification still requires nodes that participate.

What Zero Trust Actually Requires

  1. Ensure node readiness: Can each node authenticate, authorize, and encrypt?
  2. Map the current graph: This is not a passive scan; it is digital archaeology. In practice, you are doing graph-aware threat hunting: uncovering shadow IT, forgotten APIs, and undocumented dependencies. This is the hardest work, and your product vendor will not do it for you.
  3. Calculate reachability: From each entry point, what can an attacker reach?
  4. Define target state: Minimum edge set (optimization)
  5. Implement policy: Remove implicit edges, add explicit ones
  6. Iterate with 3R analysis: Did resource cost match risk reduction?

Steps 1-3 are graph analysis. The identity proxy everyone buys only helps with Step 4. And Step 0 is the prerequisite everyone skips.

Implementing Zero Trust without graph analysis is installing locks without knowing where the doors are.

Bottom Line

Zero Trust is not a product. It's not an identity layer.

Zero Trust is the removal of implicit edges from your dependency graph.

To implement it:

  1. Ensure your nodes can participate (or budget for service mesh)
  2. Map your current graph
  3. Model required edges
  4. Optimize with 3R Analysis
  5. Implement with policy tools

The industry sells Step 5 without Steps 1-4. That's why Zero Trust initiatives stall: organizations buy tools but can't define the target state—and haven't asked whether their nodes can even participate.

Identity proxies have their place, especially in multi-cloud environments where they unify access control. But they're an implementation tool, not the architecture. Without the prerequisites, you have defense in depth, but you don't have Zero Trust.

The real Zero Trust stack isn't "Identity + Network + Endpoint."

It's: Node Readiness → Graph Analysis → Optimization → Implementation. But first and foremost: architectural knowledge.

Want to see your actual graph? Modern threat modeling platforms use graph databases to map topology, calculate reachability, and identify the minimum edge set for true Zero Trust.

This article originally published on Medium.

Levente Simon

Levente Simon

Principal Consultant specializing in technology strategy, architecture, and leadership. 25+ years building and leading across Europe.

LinkedIn Twitter

Found this useful? Share it with your network.

Discuss this topic →

Related Insights

zero trustnetwork security

The Firewall Is Not Your Foundation

The firewall-first mindset creates fragile networks that collapse on breach. Designing firewall-last forces you to build self-defending nodes, prune unnecessary connections, and treat the perimeter as defense in depth—not a structural dependency.