Generation 3 Zero Trust · Control. Peace of Mind.

The Next Generation of Zero Trust

How network security has evolved from perimeter defense to cloud-centralized identity — and why the next generation of owner-controlled trust is required to meet the challenges of the new era.

Every major evolution in cybersecurity has followed a shift in infrastructure. Generation 1 protected trusted internal networks with firewalls and VPNs. Generation 2 recognized that the perimeter had dissolved and centralized trust in cloud-managed control planes. Both were genuine advances in their time.

Neither was designed for the environment organizations operate in today — one where infrastructure, devices, supply chains, and AI systems all influence security outcomes, and where the very platforms that manage trust have themselves become high-value targets.

This paper traces that evolution and introduces Generation 3 Zero Trust: a model in which organizations own and control the trust relationships that govern their networks, devices, data, and AI. The shift is not simply stronger authentication. It is ownership and control of trust itself.

Control. Peace of Mind. Security built so trust is owned and controlled by you — delivered and verified by architecture, not promised by policy.

Why Trust Models Are Breaking Down

The challenge is no longer just keeping attackers out. It is maintaining control.

Modern organizations operate in environments where users, devices, infrastructure, supply chains, and AI systems all influence security outcomes.

01 · Cyber Criminal & Nation-State Threats

Criminal and nation-state actors increasingly target infrastructure, devices, and supply chains — not only users and applications. Security must extend beyond traditional perimeter and endpoint models.

02 · AI Disruption

Organizations are deploying AI systems faster than governance frameworks are evolving, so identity, authorization, and accountability for AI actions become critical. At the same time, attackers use AI to discover and exploit vulnerabilities faster and at greater scale.

03 · Hardware & Supply Chain Exposure

Trust assumptions now extend beyond software into manufacturing, sourcing, and connected devices. Organizations need visibility into the trust relationships that underpin their environments.

04 · OT & IoT Expansion

Industrial systems, medical devices, sensors, cameras, and connected infrastructure keep expanding the attack surface while operating outside traditional endpoint security models.

Generation 1 · VPNs & Firewalls

Gen 1: Built around the perimeter

VPNs and firewalls were designed to defend the perimeter. Organizations trusted everything inside the network and concentrated on keeping attackers out. Firewalls enforced a boundary; VPNs extended it to remote users.

The model worked when users, devices, and applications largely operated inside a single controlled environment. Its organizing assumption was simple — inside means trusted — and for its era, that assumption was reasonable.

But the explosive migration to the cloud demolished that assumption. As applications, data, and users moved outside the building, the perimeter dissolved. The model's deepest weaknesses became structural:

  • The gateway is a visible perimeter that attackers can scan, probe, and target from the open internet.
  • Access depends on credentials — usernames and passwords that are routinely phished, stolen, or brute-forced.
  • A single compromised credential or misconfigured rule can expose the entire network behind it.
  • OT and IoT devices sit unprotected — they cannot run VPN agents and remain exposed on the local network.
The Perimeter Model
[Diagram: Internet (attackers scan, probe, phish) → Firewall · VPN → trusted interior with flat, implicit trust: Workstations (credentialed), Servers (credentialed), OT / IoT (no agent, exposed).]

The flaw is structural. One breach of the gateway — or one phished credential — exposes a flat interior where everything is implicitly trusted, and devices that can't run agents go unprotected.

Generation 2 · Cloud ZTNA & SDN

Gen 2: Trust moved to the cloud

Generation 2 recognized that the perimeter had dissolved. ZTNA, typically delivered over software-defined networking (SDN), was developed specifically to address the weaknesses of VPNs, and it represents a genuine advance.

Enterprise ZTNA and SDN platforms eliminated perimeter-based trust, enforced continuous authentication tied to identity, and enabled fine-grained access control. "Never trust, always verify" replaced implicit interior trust. But for most organizations, ZTNA and SDN traded one set of problems for another:

  • They rely on centralized cloud control planes. The vendor's servers, certificate authorities, and identity providers become high-value targets: a compromise of that shared infrastructure can affect every customer at once.
  • They are expensive and complex, typically priced and staffed for large-enterprise budgets.
  • They are software-only: OT and IoT devices that cannot run an agent fall outside the model.
  • They create metadata exposure — providers can observe connection patterns, timing, and topology even when payload content is encrypted.

Trust still rests with a third party — now the cloud provider rather than the network perimeter. The organization verifies more, but controls less.

Cloud ZTNA: Trust Brokered by the Vendor
[Diagram: User (authenticates) → Cloud Control Plane (vendor holds trust; visible; high-value target) → Applications, Servers, OT & IoT, AI Agents.]

Trust moves to the cloud. Every connection is brokered through a control plane the vendor owns and operates — a single, visible point of dependency and a high-value target shared across every customer.

Generation 3 · Owner-Controlled Trust

Gen 3: Trust is owned and controlled by the network owner.

Faction Networks extends Zero Trust principles beyond networks, users, and applications to infrastructure, OT/IoT devices, data, and AI-enabled operations. It addresses the fundamental challenge of our era: implicit trust is no longer tenable.

Instead of centralizing trust in a vendor's control plane, Generation 3 returns it to the owner. The organization creates and controls its own trust relationships and encryption keys, and the platform routes encrypted traffic without the ability to read it. Its defining properties:

  • Zero Knowledge Architecture: the data plane is owner-keyed, so Faction routes your traffic but holds no key that could decrypt it. ("Zero knowledge" here means the vendor has no knowledge of your data; it is not a zero-knowledge proof protocol in the cryptographic sense.) Faction can't see what you protect.
  • Owner-controlled trust: keys and trust relationships are created and governed by the organization, not the vendor.
  • No anonymous connections: every device authenticates with a certificate issued by the network owner's CA; unsigned or anonymous connections are refused.
  • Invisible by default: no discoverable gateway, port, or attack surface to scan from the internet.
  • Hardware-native protection: Pods and Portals extend Zero Trust to OT and IoT devices that cannot run software agents.
  • Identity-bound AI governance: every agent is cryptographically bound to a verified identity and held accountable beneath the application layer.

Together these properties remove the weaknesses of the first two generations: no perimeter to breach, no public control plane to compromise, and no anonymous foothold inside.
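Two of the properties above, every device authenticates with a certificate from the network owner and no anonymous connection is accepted (the comparison table below states the same thing as "the network owner is the CA"), reduce to one concrete rule at every enforcement point: the trust store contains the owner's root and nothing else, and a peer that presents no certificate is refused before any application code runs. The Go program below is an added example written for this page; it is not Faction Networks' code and does not describe how its products implement the rule. It uses only the standard library to create an owner-operated root, issue a device certificate, and show that a certificate from any other issuer, or no certificate at all, fails verification. The type name OwnerCA, the names "Example Corp Owner Root" and "plc-07", and the serial numbers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// OwnerCA is a private root operated by the network owner (hypothetical helper for this example).
type OwnerCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// signCert generates a P-256 key for tmpl and signs it with parent; a nil parent means self-signed.
func signCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewOwnerCA creates the owner's self-signed root; the key is generated locally and never leaves the owner.
func NewOwnerCA(name string) (*OwnerCA, error) {
	cert, key, err := signCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	return &OwnerCA{Cert: cert, Key: key}, nil
}

// IssueDeviceCert signs a short-lived client-auth certificate for one device (a real enrollment would take a CSR).
func (ca *OwnerCA) IssueDeviceCert(deviceID string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return signCert(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca.Cert, ca.Key)
}

// TrustPool holds exactly one root, the owner's; no public CA is present, so other issuers cannot chain.
func (ca *OwnerCA) TrustPool() *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Cert)
	return pool
}

// VerifyDevice is the admission rule: a missing certificate (anonymous peer) is rejected outright,
// and a presented one must chain to the owner's root and carry the client-auth extended key usage.
func VerifyDevice(pool *x509.CertPool, leaf *x509.Certificate) error {
	if leaf == nil {
		return errors.New("anonymous connection rejected: no client certificate")
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// ServerTLSConfig applies the same rule at the handshake: RequireAndVerifyClientCert with ClientCAs
// limited to the owner's pool means an unauthenticated peer never reaches application code.
func ServerTLSConfig(pool *x509.CertPool, serverCert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS13,
	}
}
```

With `owner, _ := NewOwnerCA("Example Corp Owner Root")` and `dev, _, _ := owner.IssueDeviceCert("plc-07", 1001)`, `VerifyDevice(owner.TrustPool(), dev)` returns nil. A certificate with the identical subject issued by a second, unrelated root built the same way fails with an unknown-authority error, because that root was never added to the pool; passing nil fails before any chain building. The point is that "who is the CA" is decided entirely by what the owner puts in `TrustPool()`, and the vendor's or any public CA's signature buys nothing.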

Faction: Trust Held by the Owner
[Diagram: User (out-of-band identity) → Owner-Controlled Trust (keys created and held by owner) → End-to-End Encrypted Environment (platform routes, cannot read) → Resource (network, device, data, AI).]

Trust controlled by you, not by us. The owner holds the encryption keys for the Faction data plane; Faction does not hold them and therefore cannot yield access to your network's traffic.

Three Generations at a Glance

The three generations, side by side

Architecture, network visibility, authentication, device coverage, data and, ultimately, who holds the keys: here is how the three generations compare across the dimensions that decide an organization's security posture.

Capability            | Gen 1: VPNs & Firewalls | Gen 2: Cloud ZTNA / SDN       | Gen 3: Faction
----------------------|-------------------------|-------------------------------|------------------------------------------
Architecture          | Perimeter gateway       | Cloud control plane           | Zero Knowledge; no public control plane
Network visibility    | Exposed, scannable      | Cloud broker visible          | Invisible by default
Authentication        | Credentials (phishable) | Cloud IAM + 2FA               | Out-of-band cryptographic key
Certificate authority | Public internet CA      | Public internet CA            | The network owner is the CA
Encryption keys       | Gateway-managed         | Vendor / cloud-held           | Created and held by the owner
OT / IoT devices      | Unprotected             | Software only                 | Pods, Portals, Modules
AI agent control      | None                    | Cloud IAM (vulnerable)        | Identity-bound governance
Data encryption       | In transit only         | In transit only               | In transit and at rest
Cloud vulnerability   | High                    | Better, but still centralized | No vendor-held keys; the owner holds them

The Inflection Point

Who controls trust?

Each generation answered the question its era presented. Generation 3 answers one the first two could not. The question is no longer how to keep attackers out, or how to verify identity, but who controls trust. For modern infrastructure, the answer must be the owner.

When the organization owns and controls trust, security no longer depends on the integrity of a third party; it becomes an architectural property rather than a vendor policy. That is Generation 3: not a feature bolted onto the old model, but a different architecture, built up from cryptographic identity and zero-knowledge foundations.

What Generation 3 Means in Practice

One platform, four domains

One platform applies owner-controlled trust across the four domains where modern organizations carry the most risk.

Networking

Secure networking built around owner-controlled trust, with reduced dependence on centralized control infrastructure. The network is invisible from the internet and reachable only from inside.

OT & IoT

Protection for the devices that traditional, software-only models struggle to secure, extended through Pods, Portals, and embedded capabilities regardless of operating system, age, or capability.

Data

Encryption and trust governed by the organization rather than third-party vendors. Data is protected in transit and at rest, with keys that never leave the owner's devices.

AI

Identity-bound governance, accountability, and policy enforcement for AI-enabled operations — every agent cryptographically bound to a verified human identity.

How it works

  • Deploy alongside or Factionize existing infrastructure. No rip-and-replace.
  • Create owner-controlled trust. Trust relationships and encryption keys originate with the organization, not the vendor.
  • Authenticate with cryptographic identity. Users and devices are verified out-of-band, which makes access resistant to phishing and credential theft.
  • Extend protection to OT & IoT. Reach the devices software-only models can't, using Pods, Portals, and embedded capabilities.
  • Keep operating on your terms. Trust does not depend on a vendor's cloud staying available.
  • Human identity verification and authorization. When needed, escalate to native device biometrics or iValt 5-Factor Verification to keep a human in the loop, confirming that a responsible person authorized the access or action. This matters most for AI agents acting on a person's behalf.

Own and control your trust.
Keep your peace of mind.

Faction Networks is the Generation 3 Zero Trust platform — direct control over the trust relationships that govern your networks, devices, data, and AI. We provide the architecture. You retain control.