What is zero trust, and what frameworks and standards can help implement zero trust security principles into your cybersecurity strategies?

Many IBM clients want to know what exactly zero trust security is and if it’s applicable to them. Understanding the zero trust concept and how it has evolved will help you and many of our clients understand how to best implement it to protect your company’s most valuable assets.

What is zero trust?

Zero trust is a framework that assumes every connection and endpoint are threats, both externally and internally within a company’s network security. It enables companies to build a thorough IT strategy to address the security needs of a hybrid cloud environment. Zero trust implements adaptive and continuous protection, and it provides the ability to proactively manage threats.

In other words, this approach never trusts users, devices or connections for any transactions and will verify all of these for every single transaction. This allows companies to gain security and visibility across their entire business and enforce consistent security policies, resulting in faster detection and response to threats.

The introduction of zero trust

Zero trust began in the “BeyondCorp” initiative developed by Google in 2010. The initiative’s goal was to secure access to resources based on identity and context, moving away from the traditional perimeter-based security model. This strategy allowed Google to provide employees with secure access to corporate applications and data from anywhere, using any device, without the need for a VPN.

In 2014, Forrester Research analyst John Kindervag coined the concept zero trust to describe this new security paradigm in a report titled “The Zero Trust Model of Information Security.” He proposed a new security model that assumes no one—whether inside or outside the organization’s network—can be trusted without verification. The report outlined the zero trust model  based on two primary principles: “Never trust, always verify.”

All users, devices and applications are assumed to be untrusted and must be verified before they are granted access to resources. The principle of least privilege means that every user or device is granted the minimum level of access required to perform their job, and access is only granted on a need-to-know basis.

Since then, the concept of zero trust has continued to gain momentum, with many organizations adopting its architectures to better protect their digital assets from cyber threats. It encompasses various security principles and technologies that are deployed to strengthen security and reduce the risk of security breaches.

Types of zero trust security models

  • Identity-based zero trust: This model is based on the principle of strict identity verification, where every user or device is authenticated and authorized before accessing any resources. It relies on multi-factor authentication, access controls and least-privilege principles.
  • Network-based zero trust: This focuses on securing the network perimeter by segmenting the network into smaller segments. It aims to reduce the attack surface by limiting access to specific resources to authorized users only. This model uses technologies like firewalls, VPNs and intrusion detection and prevention systems.
  • Data-based zero trust: This model aims to protect sensitive data by encrypting it and limiting access to authorized users. It employs data classification and labeling, data loss prevention and encryption technologies to protect data at rest, in transit and in use.
  • Application-based zero trust: This focuses on securing applications and their associated data. It assumes that all applications are untrusted and must be verified before accessing sensitive data. It uses application-level controls—such as runtime protection and containerization—to protect against attacks like code injection and malware.
  • Device-based zero trust: This model secures the devices themselves (e.g., smartphones, laptops and IoT devices). It assumes that devices can be compromised and must be verified before accessing sensitive data. It employs device-level security controls, such as endpoint protection, device encryption and remote wipe capabilities.

These models are designed to work together to create a comprehensive zero trust architecture that can help organizations to reduce their attack surface, improve their security posture and minimize the risk of security breaches. However, it’s important to note that the specific types of zero trust security models and their implementation may vary depending on the organization’s size, industry and specific security needs.

Zero trust has become a popular approach to modern cybersecurity. It has been embraced by many organizations to address the growing threat of cyberattacks and data breaches in today’s complex and interconnected world. As a result, many technology vendors have developed products and services that are specifically designed to support zero trust architectures.

What is the National Institute of Standards and Technology (NIST)?

There are also many frameworks and standards that organizations can use to implement zero trust security principles in their cybersecurity strategies with the guidance of the National Institute of Standards and Technology (NIST).

NIST is a non-regulatory government agency at the U.S Department of Commerce, aimed at helping companies to better understand, manage and reduce cybersecurity risks to protect networks and data. They have published a couple of highly recommended comprehensive guides on zero trust:

NIST SP 800-207, Zero Trust Architecture

NIST SP 800-207, Zero Trust Architecture was the first publication to establish the groundwork for zero trust architecture. It provides the definition of zero trust as a set of guiding principles (instead of specific technologies and implementations) and includes examples of zero trust architectures.

NIST SP 800-207 emphasizes the importance of continuous monitoring and adaptive, risk-based decision-making. They recommend implementing a zero trust architecture with the Seven Pillars of Zero Trust (traditionally known as the Seven Tenets of Zero Trust)

Seven Pillars of Zero Trust

  1. All data sources and computing services are considered resources.
  2. All communication is secured regardless of network location.
  3. Access to individual enterprise resources is granted on a per-session basis.
  4. Access to resources is determined by dynamic policy—including the observable state of client identity, application/service and the requesting asset—and may include other behavioral and environmental attributes.
  5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
  6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
  7. The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.

Overall, NIST SP 800-207 promotes an overall approach to zero trust that is based on the principles of least privilege, micro-segmentation and continuous monitoring, encouraging organizations to implement a layered security approach that incorporates multiple technologies and controls to protect against threats.

NIST SP 1800-35B, Implementing a Zero Trust Architecture

NIST SP 1800-35B, Implementing a Zero Trust Architecture is the other highly recommended publication from NIST and is comprised of two main topics:

  1. IT security challenges for private and public sectors.
  2. “How-to” guidance to implement a zero trust architecture in enterprise environments and workflows with standard-based approaches, using commercially available technology.

The publication correlates IT security challenges (applicable to private and public sectors) to the principles and components of a zero trust architecture so that organizations can first properly self-diagnose their needs. They can then adopt the principles and components of a zero trust architecture to meet the needs of their organization. Therefore, NIST SP 1800-35B does not identify specific types of zero trust models.

Maintaining continuity between architecture(s) and framework(s) as zero trust evolves

NIST leverages iterative development for the four zero trust architectures they have implemented, allowing them ease and flexibility to make incremental improvements and have continuity with the zero trust framework as it evolves over time.

The four zero trust architectures implemented by NIST are as follows:

  1. Device agent/gateway-based deployment.
  2. Enclave-based deployment.
  3. Resource portal-based deployment.
  4. Device application sandboxing.

NIST has strategic partnerships with many technology organizations (like IBM) that collaborate to stay ahead of these changes and emerging threats.

The collaboration allows IBM prioritize development to ensure technology solutions align with the seven tenets and principles of zero trust, securing and protecting IBM clients’ systems and data.

Learn more

Learn more about the importance of zero trust in IBM’s 2022 Cost of a Data Breach Report or directly connect with one of IBM’s zero trust experts.

Additional resources


More from Security

Closing the breach window, from data to action

6 min read - Accelerate threat detection and response (TDR) using AI-powered centralized log management and security observability It is not news to most that cyberattacks have become easier to launch and harder to stop as attackers have gotten smarter and faster. For those defending against cyberthreats, things continue to get more complicated. The list of challenges is long: cloud attack surface sprawl, complex application environments, information overload from disparate tools, noise from false positives and low-risk events, just to name a few. The…

Spear phishing vs. phishing: what’s the difference?

5 min read - The simple answer: spear phishing is a special type of phishing attack. Phishing is any cyberattack that uses malicious email messages, text messages, or voice calls to trick people into sharing sensitive data (e.g., credit card numbers or social security numbers), downloading malware, visiting malicious websites, sending money to the wrong people, or otherwise themselves, their associates or their employers. Phishing is the most common cybercrime attack vector, or method; 300,479 phishing attacks were reported to the FBI in 2022.…

IBM Tech Now: September 18, 2023

< 1 min read - ​Welcome IBM Tech Now, our video web series featuring the latest and greatest news and announcements in the world of technology. Make sure you subscribe to our YouTube channel to be notified every time a new IBM Tech Now video is published. IBM Tech Now: Episode 84 On this episode, we're covering the following topics: The IBM Security X-Force Cloud Threat Landscape Report The introduction of IBM Intelligent Remediation Stay plugged in You can check out the IBM Blog Announcements…

Data breach prevention: 5 ways attack surface management helps mitigate the risks of costly data breaches

5 min read - Organizations are wrestling with a pressing concern: the speed at which they respond to and contain data breaches falls short of the escalating security threats they face. An effective attack surface management (ASM) solution can change this. According to the Cost of a Data Breach 2023 Report by IBM, the average cost of a data breach reached a record high of USD 4.45 million this year. What’s more, it took 277 days to identify and contain a data breach. With…