When I think of "zero trust" I think concepts like zksnarks where all the information is already out there (go ahead and let your org leak, in fact you can even deliberately publish it) but protected in such a way that only legitimate uses can decipher / make use of it.
What they're talking about here sounds more like things that ought to be obvious but the industry got lazy about.
Firewall and VPN is the obvious part, and that's the industry standard.
Zero-trust means that Access Control is more finely-grained, down to the machine/user level. In this approach we don't trust any machine/user inside the organization as well.
I think its goes beyond this, its doing authentication-before-connect using strong identity so that we can have 'zero trust' of the network, whether internet/WAN (e.g., closed inbound ports), LAN or even host OS.
