Start with identity. If you can strongly verify who is making a request, you can make better access decisions. mTLS between services is a practical first step.
Strong answers cover: the principle of least privilege, network microsegmentation, identity-based access (not IP-based), mutual TLS, continuous verification (not just a one-time check at authentication), device trust, and monitoring for anomalies. The best candidates also discuss the practical challenges of implementing zero trust in existing environments and the migration path from a perimeter-based model.
Senior security-minded SRE question. Zero trust is increasingly expected. Candidates who rely solely on network perimeter security are operating in an outdated model.