It was originally focused on network segmentation but has now come to include other aspects of user-focused security management.
Below is a hybrid set of concepts that tries to cover all the current approaches. Please comment below so we can iterate and add more to this over time.
- Assign unique, non-reusable identifiers to all subjects [1], objects [2] and network devices [3]
- Authenticate every subject
- Authenticate every device
- Inspect, verify and validate every object access request
- Log every object access request
- Authentication should require 2 of: something you have, something you are, something you know
- Successful authentication should result in a revocable credential [4]
- Credentials should be scoped and follow least privilege [5]
- Credentials should be bound to a (user, device, transaction) tuple [6]
- Network communications should be encrypted [7]
- Assume all services, APIs and applications are accessible from the Internet [8]
- Segment processes and network traffic into logical and operational groups

 – [1] Users of systems, including employees, partners, customers and other user-interactive service accounts
 – [2] APIs, services, web applications and unique data sources
 – [3] User devices (such as laptops, mobiles, tablets, virtual machines), service devices (such as printers, faxes) and network management devices (such as switches, routers)
 – [4] Such as a cookie, token ID or access token which is cryptographically secure. Revocable should not necessarily be limited to being time bound, e.g. revocation lists or blocklists.
 – [5] Credential exchange may be required where access traverses network or object segmentation. For example, an issued credential for subject 1 to access object 1 may require object 1 to contact object 2 to fulfil the request. The credential presented to object 2 may differ from that presented to object 1.
 – [6] A token binding approach such as signature-based access tokens or TLS binding
 – [7] Using, for example, standards-based protocols such as TLS 1.3 or similar, e.g. Google's ALTS.
 – [8] Assume perimeter-based networking (either software defined or network defined) is incomplete and that trust cannot be placed simply on the origin of a request
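To make the credential principles above concrete, here is an added example (not code from the original post or from any of the vendors listed) of a small policy enforcement point. It mints a credential that is signed, time-bound, scoped to explicit actions, bound to the (user, device, transaction) tuple, and individually revocable via its token ID, and it validates and logs every access request it sees. The token format (base64 payload plus HMAC-SHA256 signature), the in-memory revocation set and the in-memory audit log are all constructed for the demo; a real deployment would keep the signing key in a KMS or HSM and the revocation and audit records in durable, shared stores.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key. In production this lives in a KMS/HSM, never in source.
SIGNING_KEY = b"constructed-demo-key-do-not-use"

# Constructed stand-ins for a shared revocation store and an audit log sink.
REVOKED_TOKEN_IDS = set()
AUDIT_LOG = []


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_credential(user_id, device_id, transaction, scopes, ttl_seconds=300, now=None):
    """Mint a credential bound to the (user, device, transaction) tuple with explicit scopes."""
    now = time.time() if now is None else now
    claims = {
        "jti": secrets.token_hex(16),  # unique id so this token alone can be revoked
        "sub": user_id,                # the authenticated subject
        "dev": device_id,              # the authenticated device
        "txn": transaction,            # the transaction this credential is good for
        "scp": sorted(scopes),         # least privilege: only these actions are allowed
        "iat": int(now),
        "exp": int(now) + ttl_seconds, # short lifetime, but revocation is not limited to expiry
    }
    payload = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def revoke(token):
    """Revoke a single credential by its token ID, independent of its expiry."""
    claims = json.loads(_unb64(token.split(".")[0]))
    REVOKED_TOKEN_IDS.add(claims["jti"])


def authorize(token, user_id, device_id, transaction, action, now=None):
    """Inspect, verify and validate one access request, then log the decision either way."""
    now = time.time() if now is None else now
    decision = {"allowed": False, "reason": "", "action": action,
                "user": user_id, "device": device_id, "txn": transaction}
    try:
        payload, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            raise ValueError("bad signature")
        claims = json.loads(_unb64(payload))
        if claims["jti"] in REVOKED_TOKEN_IDS:
            raise ValueError("revoked")
        if now >= claims["exp"]:
            raise ValueError("expired")
        # Binding check: the presenter must be the same user, on the same device,
        # for the same transaction the credential was issued for.
        if (claims["sub"], claims["dev"], claims["txn"]) != (user_id, device_id, transaction):
            raise ValueError("binding mismatch")
        if action not in claims["scp"]:
            raise ValueError("out of scope")
        decision["allowed"] = True
        decision["reason"] = "ok"
    except (ValueError, KeyError) as exc:  # JSONDecodeError and binascii.Error are ValueErrors
        decision["reason"] = str(exc) or "malformed token"
    AUDIT_LOG.append({"ts": int(now), **decision})  # every request is logged, allowed or not
    return decision


if __name__ == "__main__":
    tok = issue_credential("alice", "laptop-01", "txn-42", {"read:orders"})
    print(authorize(tok, "alice", "laptop-01", "txn-42", "read:orders"))
    print(authorize(tok, "alice", "laptop-02", "txn-42", "read:orders"))  # binding mismatch
    revoke(tok)
    print(authorize(tok, "alice", "laptop-01", "txn-42", "read:orders"))  # revoked
    for entry in AUDIT_LOG:
        print(json.dumps(entry))
```

Note that a denied request is logged with the same fields as an allowed one; in a zero trust deployment the audit record of what was refused (and why) is as valuable to detection as the record of what was granted.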
Below is a list of companies whose public documentation references "zero trust":
- Akamai - https://www.akamai.com/uk/en/solutions/zero-trust-security-model.jsp
- Palo Alto - https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture
- Centrify - https://www.centrify.com/zero-trust-security/
- Cisco - https://blogs.cisco.com/security/why-has-forresters-zero-trust-cybersecurity-framework-become-such-a-hot-topic
- Microsoft - https://cloudblogs.microsoft.com/microsoftsecure/2018/06/14/building-zero-trust-networks-with-microsoft-365/
- ScaleFT - https://www.scaleft.com/zero-trust-security/
- Zscaler - https://www.zscaler.com/blogs/corporate/google-leveraging-zero-trust-security-model-and-so-can-you
- Okta - https://www.okta.com/resources/whitepaper-zero-trust-with-okta-modern-approach-to-secure-access/
- ForgeRock - https://www.forgerock.com/blog/zero-trust-importance-identity-centered-security-program
- Duo Security - https://duo.com/blog/to-trust-or-zero-trust
- Google's BeyondCorp - https://beyondcorp.com/
- Fortinet - https://www.fortinet.com/demand/gated/Forrester-Market-Overview-NetworkSegmentation-Gateways.html