Genesis of modern security architecture and zero trust

For years, the dominant cybersecurity paradigm was perimeter-centric. Firewalls and access lists sat between networks to inspect and filter traffic based on predefined rules. VPNs built encrypted tunnels through public networks to extend security controls to endpoints and remote users. Network zones like VLANs and subnets logically segmented networks to create coarse control for east/west traffic. DMZs buffered public and private networks. IDSs and IPSs watched networks for pernicious actions. Security and access policies were mostly location-based and only changed when a new threat or network pattern prompted a ticket. 

These tools were expected to keep threats outside the perimeter, while users inside it were granted implicit trust to access resources simply because of where they were. However, the connectedness and complexity of a modern enterprise IT environment have outstripped the protective abilities of this perimeter model.

It was invalidated by employee hybrid work locations, API integrations, credential theft, cloud services and SaaS apps outside enterprise network boundaries, inspection-limiting encryption, and ubiquitous Internet-connected business services. Connecting to the internet and allowing entry points meant that private networks could no longer be trusted as secure. It became too easy for attackers to get in and too easy to move laterally. The perimeter model, largely anchored on location, became ineffective. 

This challenge led to Zero Trust and modern security. The original ideas were introduced as academic theoretical concepts in the 90s, then popularized in the 2000s, and built out at enterprise scale by Google in the 2010s. They are not exact specifications or a specific technology. They function as a set of principles. 

Broadly, this means: avoid trust based on network location, assume the network has already been breached, verify every request, grant the minimum access possible, and use enforcement points to apply policy. This is where modern security architecture and zero trust gets interesting.
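To make the contrast between the two models concrete, here is an added example (not code from the article) of a toy policy enforcement point. The corporate address range, the identities, the entitlement table and the sample requests are all constructed; the device-posture flag stands in for whatever endpoint check a real deployment would consult. The perimeter policy decides purely on source address, while the zero-trust policy ignores location and re-checks identity, credential freshness, device posture and a least-privilege entitlement on every request.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple
import ipaddress

# Constructed "corporate" address range; in the perimeter model, being inside it
# was the whole trust decision.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed least-privilege entitlements: identity -> resource -> allowed actions.
ENTITLEMENTS: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"hr-db": {"read"}},
    "svc-billing": {"billing-api": {"read", "write"}},
}


@dataclass
class Request:
    src_ip: str
    resource: str
    action: str
    identity: Optional[str] = None        # subject of a verified credential, if any
    token_expiry: Optional[float] = None  # epoch seconds; None means no credential
    device_compliant: bool = False        # result of a hypothetical posture check


def perimeter_policy(req: Request) -> bool:
    """Location-based decision: inside the corporate range means implicit trust."""
    return ipaddress.ip_address(req.src_ip) in INTERNAL_NET


def zero_trust_policy(req: Request, now: float) -> Tuple[bool, str]:
    """Per-request decision at an enforcement point. Network location is never
    consulted; identity, credential freshness, device posture and least-privilege
    entitlements are each checked on every call."""
    if req.identity is None:
        return False, "no verified identity"
    if req.token_expiry is None or req.token_expiry <= now:
        return False, "credential missing or expired"
    if not req.device_compliant:
        return False, "device posture not compliant"
    allowed = ENTITLEMENTS.get(req.identity, {}).get(req.resource, set())
    if req.action not in allowed:
        return False, "no entitlement for %s on %s" % (req.action, req.resource)
    return True, "allowed"


NOW = 1_700_000_000.0  # fixed clock so the sample results are reproducible


def evaluate_samples() -> Dict[str, Tuple[bool, bool, str]]:
    """Run constructed requests through both policies.
    Returns name -> (perimeter_allows, zero_trust_allows, zero_trust_reason)."""
    samples = {
        # Traffic from inside the corporate range carrying no credential at all,
        # the situation the perimeter model cannot distinguish from a trusted user.
        "inside_no_identity": Request("10.1.2.3", "hr-db", "read"),
        # Remote employee on a compliant device with a fresh credential.
        "remote_valid": Request("203.0.113.7", "hr-db", "read",
                                identity="alice", token_expiry=NOW + 600,
                                device_compliant=True),
        # Same employee attempting an action outside her entitlement.
        "remote_overreach": Request("203.0.113.7", "hr-db", "write",
                                    identity="alice", token_expiry=NOW + 600,
                                    device_compliant=True),
        # Valid identity but stale credential, from inside the network.
        "inside_expired": Request("10.9.9.9", "billing-api", "read",
                                  identity="svc-billing", token_expiry=NOW - 1,
                                  device_compliant=True),
    }
    results = {}
    for name, req in samples.items():
        zt_ok, reason = zero_trust_policy(req, NOW)
        results[name] = (perimeter_policy(req), zt_ok, reason)
    return results


if __name__ == "__main__":
    for name, (perim, zt, reason) in evaluate_samples().items():
        print(f"{name:20s} perimeter={perim!s:5s} zero_trust={zt!s:5s} ({reason})")
```

Running it shows the two models disagreeing in both directions: the credential-less request from an internal address is waved through by the perimeter check and refused by the enforcement point, while the remote employee with a valid credential and compliant device is refused by the perimeter check and allowed, for exactly one action, by the zero-trust one.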
