What is zero trust?

Zero trust operates on the principle of “never trust, always verify” rather than granting implicit trust to all users inside a network. This granular security approach helps address the cybersecurity risks posed by remote workers, hybrid cloud services, personally owned devices and other elements of today’s corporate networks.

An increasing number of organizations are adopting zero trust models to improve their security postures as their attack surfaces grow. According to a 2024 TechTarget Enterprise Strategy Group report, more than two-thirds of organizations say that they are implementing zero trust policies across their enterprises.¹

Evolving legal and regulatory requirements are also driving zero trust adoption. For example, a 2021 executive order from US President Joseph Biden directed all US federal agencies to implement a zero trust architecture (ZTA).²

A zero trust approach is important because the traditional model of network security is no longer sufficient. Zero trust strategies are designed for the more complex, highly distributed networks that most organizations use today.

For many years, enterprises have focused on protecting the perimeters of their networks with firewalls and other security controls. Users inside the network perimeter were considered trustworthy and granted free access to applications, data and resources.

Digital transformation eliminated the traditional concept of a network perimeter. Today, corporate networks extend beyond on-premises locations and network segments. The modern enterprise ecosystem includes cloud environments, mobile services, data centers, IoT devices, software-as-a-service (SaaS) apps and remote access for employees, vendors and business partners.

With this extended attack surface, enterprises are more vulnerable to data breaches, ransomware, insider threats and other types of cyberattacks. The network perimeter is no longer a clear, unbroken line and perimeter-based defenses cannot close every gap. Moreover, threat actors that gain access to a network can take advantage of implicit trust to make lateral movements to locate and attack critical resources.

In 2010, analyst John Kindervag of Forrester Research introduced the concept of "zero trust" as a framework for protecting enterprise resources through rigorous access control. Zero trust moves the focus away from the network perimeter and puts security controls around individual resources.

Every endpoint, user and connection request are considered a potential threat. Instead of being given free rein when they pass through the perimeter, users must be authenticated and authorized whenever they connect to a new resource. This continuous validation helps ensure that only legitimate users can access valuable network assets.

In the broadest sense, a zero trust security posture works by continuously verifying and authenticating connections between users, applications, devices and data.

Implementing a zero trust strategy across an organization can be a complex undertaking. It isn’t a matter of installing a single zero trust solution. Zero trust requires planning and executing across a broad range of functional areas, including identity and access policies, security solutions and workflows, automation, operations and network infrastructure.

Many organizations follow specific zero trust frameworks to build zero trust architectures. Established models include Forrester’s Zero Trust framework, the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-207³ and the Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model (ZTMM).⁴

While organizations can choose from various frameworks, most zero trust strategies share these key concepts: the three principles of zero trust, the five pillars of zero trust and zero trust network access (ZTNA).

The technical specifications of different frameworks and models can vary, but they all follow a core set of zero trust principles:

• Continuous monitoring and validation
• The principle of least privilege
• Breach assumption

Zero trust makes all network assets inaccessible by default. Users, devices and workloads must pass continuous, contextual authentication and validation to access any resources and they must pass these checks every time they request a connection.

Dynamic access control policies determine whether to approve requests based on data points such as a user’s privileges, physical location, device health status, threat intelligence and unusual behavior. Connections are continuously monitored and must be periodically reauthenticated to continue the session.

In a zero trust environment, users and devices have least-privilege access to resources. This means that they receive the minimum level of permission required to complete a task or fulfill their role. Those permissions are revoked when the session is over.

Managing permissions in this way limits the ability of threat actors to gain access to other areas of the network.

In a zero trust enterprise, security teams assume that hackers have already breached network resources. Actions that security teams often use to mitigate an ongoing cyberattack become standard operating procedure. These actions include network segmentation to limit the scope of an attack; monitoring every asset, user, device and process across the network; and responding to unusual user or device behaviors in real time.

CISAs Zero Trust Security Model outlines⁴ five pillars that organizations can focus on during a zero trust implementation:

1. Identity
2. Devices
3. Networks
4. Applications and workloads
5. Data

One of the primary technologies for implementing a zero trust strategy is zero trust network access or ZTNA. Like a virtual private network (VPN), ZTNA provides remote access to applications and services. Unlike a VPN, a ZTNA connects users only to the resources they have permission to access rather than connecting them to the whole network.

ZTNA is a key part of the secure access service edge (SASE) model, which enables companies to provide direct, secure, low-latency connections between users and resources.

Because zero trust architecture enforces access control based on identity, it can offer strong protection for hybrid and multicloud environments. Verified cloud workloads are granted access to critical resources, while unauthorized cloud services and applications are denied.

Regardless of source, location or changes to the IT infrastructure, zero trust can consistently safeguard busy cloud environments.

Organizations often need to grant network access to vendors, contractors, service providers and other third parties. Hackers take advantage of this situation to carry out supply chain attacks, in which they use compromised vendor accounts and workloads to break into a company's network.

Zero trust applies continuous, contextual authentication and least-privilege access to every entity, even those outside the network. Even if hackers breach a trusted vendor's account, they cannot access the company's most sensitive resources.

Organizations traditionally rely on virtual private networks (VPNs) to connect remote employees with network resources. But VPNs don't scale easily, nor do they prevent lateral movement.

In a zero trust model, businesses can use zero trust network access (ZTNA) solutions instead. ZTNA verifies employee identities, then grants them access to only the applications, data and services they need to do their jobs.

Because IoT devices connect to the internet, they pose a risk to enterprise security. Hackers often target IoT devices because they can use them to introduce malware to vulnerable network systems.

Zero trust architectures continuously track the location, status and health of every IoT device across an organization. Each device is treated as a potentially malicious entity. As with other elements of a zero trust environment, IoT devices are subject to access controls, authentication and encrypted communications with other network resources.