What is zero trust?
Explore IBM's zero trust solution Subscribe to security topic updates
Illustration with collage of pictograms of clouds, mobile phone, fingerprint, check mark
What is zero trust?

Zero trust is a framework that assumes a complex network’s security is always at risk to external and internal threats. It helps organizations strategize a thorough approach to counter those threats.

A zero trust security model verifies and authorizes every connection, such as when a user connects to an application or software to a data set by way of an application programming interface (API). It ensures that the interaction meets the conditional requirements of the organization’s security policies. A zero trust security strategy also authenticates and authorizes every device, network flow and connection based on dynamic policies, using context from as many data sources as possible.

Cost of a Data Breach

Get insights to better manage the risk of a data breach with the latest Cost of a Data Breach report.

Related content

Register for the X-Force Threat Intelligence Index

Why use a zero trust model?

Traditionally, the IT industry has relied on perimeter security strategies to protect its most valuable resources like user data and intellectual property. These security strategies involved using firewalls and other network-based tools to inspect and validate users going into and out of the network. However, digital transformation and the move to hybrid cloud infrastructure are changing the way industries do business. Relying on a network perimeter is no longer sufficient.

Many organizations are also adjusting their business models. They're offering customers new digital experiences that they need and want while also enabling a global and disparate workforce. Recent events have only accelerated this digital transformation journey.

Suddenly, organizations have thousands of individuals connecting from home computers outside of an IT department's control. Users, data and resources are spread across the globe, making it difficult to connect them quickly and securely. And without a traditional on-premises infrastructure for protection, employees' home environments are more vulnerable to compromise, which can also put the business at risk.

Complicating things further, many enterprises are currently operating with a patchwork of security solutions and tools with poor integration. And as a result, security teams are spending more time on manual tasks. They lack the context and insights needed to reduce their organization's attack surface effectively. A rise in data breaches and an increase in global regulations have made protecting networks difficult. For context, the average cost of a data breach is over USD 4 million in lost business and fines.

Applications, users and devices need fast and secure access to data, so much that an entire industry of security tools and architectures has been built to protect it. Zero trust addresses the security needs of this data-driven hybrid cloud environment. It provides organizations with adaptive and continuous protection for users, data and assets, plus the ability to manage threats proactively. In other words, this practice of "never trust and always verify" aims to wrap security around every user, device and connection for every single transaction.

Applying a zero trust framework can also help defenders gain insights across their security business. They can enforce security policies consistently and detect and respond to threats faster and in a precise way. However, it also produces several corollary benefits, such as:

  • Enhanced network performance due to reduced traffic on subnets.
  • Improved ability to address network errors.
  • More simplified logging and monitoring process due to the granularity.
  • Quicker breach detection times.
Learn more about the zero trust framework
How zero trust works

Developed by John Kindervag in 2010 while a principal analyst at Forrester Research, a zero trust architecture is a broad framework that promises effective protection of an organization’s most valuable assets. It works by assuming that every connection and endpoint is considered a threat.

The framework protects against threats, whether external or internal, even for those connections already inside. In a nutshell, a zero trust network:

  • Logs and inspects all corporate network traffic.
  • Limits and controls access to the network.
  • Verifies and secures network resources.

To expand, the zero trust security model ensures that data and resources are inaccessible by default. Users can only access them on a limited basis under the right circumstances, known as least-privilege access.

To successfully implement a zero trust architecture, organizations need to connect information from across each security domain. Security teams across the company must agree on priorities and align on access policies. They must secure all connections across the business, from data to users and devices to applications, workloads and networks. This architecture requires a well-planned strategy and roadmap to implement and integrate security tools to achieve specific business-focused outcomes. To make a zero trust model work, adopters must:

  • Make an organization-wide commitment.
  • Catalog all IT and data assets and assign access rights based on roles.
  • Lock down some common vulnerabilities.
  • Classify data for a data-centric approach (link resides outside ibm.com).
  • Segment networks to prevent lateral movement (link resides outside ibm.com), a culprit in data breaches.
  • Isolate and protect workloads during virtual machine and cloud server cross-movement.

It might seem like a limiting process from an outside perspective. But a zero trust model's successful implementation can help bring context and insight into a rapidly evolving attack surface to the security team and improve the user experience.

Read more: Zero trust, an IBM CISO perspective
Zero trust minimum requirements

Zero trust requires a broad portfolio of security capabilities and experience, including identity, data, devices and workloads, analytics and visibility, automation and orchestration, and network and endpoint.


Define and govern zero trust security policies managing access across all users and privileged accounts with single sign-on (SSO), multi-factor authentication and lifecycle management.


Protect critical data by using zero trust security practices. Discover, classify and manage data access according to risk.

Devices and workloads

Defend the organization with zero trust security practices—from applications secured by design to monitoring and managing endpoints.

Analytics and visibility

Monitor and enforce zero trust security policies with intelligent analytics. View and monitor the behavior of all users, resources and data connections within the business.

Automation and orchestration

Rapidly solve and iterate on security issues that occur as part of a zero trust practice with orchestrated actions and common playbooks.

Network and endpoint

Apply proven skills, expertise and modern solutions to protect a network, infrastructure and endpoints from today's cybersecurity threats.

Focus on context for an effective zero trust model

A zero trust model requires context (link resides outside ibm.com) to be effective. Therefore, security teams must collect and use information from across the business to create the context necessary for quick decisions about each connection's trustworthiness.

When executed continuously, this model helps organizations speed the process of securely authorizing connections. It enables the right user under the right conditions to gain the right access to the right data.

There are 4 zero trust principles that establish a governance model for sharing context between security tools to protect users' connections, data and resources.

Define the context

Understand users, data and resources to create coordinated security policies aligned with the business. This process requires discovering and classifying resources based on risk, defining granular resource boundaries and separating users according to roles and duties.

Verify and enforce

Protect the organization by quickly and consistently validating context and enforcing policies. This detail requires actively monitoring and validating all access requests against those conditions defined in the company’s policies to grant the right access quickly and consistently to the right resources.

Resolve incidents

Resolve security violations with minimal impact to business by taking targeted actions. This job requires preparation and taking targeted actions, such as revoking access for individual users or devices, adjusting network segmentation, quarantining users, wiping devices, creating an incident ticket or generating compliance reports.

Analyze and improve

Continually improve the security posture by adjusting policies and practices to make faster, more informed decisions. This operation requires continuously evaluating and adjusting the policies, authorization actions and remediation tactics to tighten each resource's perimeter.

Zero trust network access (ZTNA)

Like a virtual private network (VPN), zero trust network access (ZTNA) provides secure remote access to applications and services. Unlike a VPN, a ZTNA is based on defined access control policies, denying access by default and providing user access to services when explicitly granted.

ZTNA establishes secure access after it authenticates a user through a secure, encrypted tunnel. It allows users to see only applications and services they have permission to access.

The ZTNA protection method prevents lateral attacker movement, a vulnerability that cybercriminals use to scan and pivot to other services. With ZTNA, organizations can implement location and device-specific access control policies, preventing possibly compromised devices from connecting to its services.

Zero trust security solutions

Get security wrapped around every user, every device and every connection—every time.

Explore zero trust security solutions
Network security solutions

Protect your network infrastructure against advanced threats and malware.

Explore network security solutions
Data security solutions

Protect enterprise data across multiple environments, meet privacy regulations and simplify operational complexity.

Explore data security solutions
Storage for data resilience

Protect your organization against ransomware, hardware failures, natural disasters, cyberattacks and other threats with AI technology.

Explore storage solutions
Resources IBM Security® Framing and Discovery Workshop

This no-cost, virtual or in-person, 3-hour design thinking session with senior IBM security architects and consultants helps you understand your cybersecurity landscape and prioritize initiatives.

X-Force® Threat Intelligence Index

Threat intelligence offers CISOs, security teams and business leaders actionable insights to help understand how threat actors are waging attacks and how to proactively protect their organization.

What is cybersecurity?

Cybersecurity, also known as information technology (IT) security, is the practice of protecting critical systems and sensitive information from digital attacks.

What is IAM?

Identity and access management, or IAM, is the security discipline that makes it possible for the right entities (people or things) to use the right resources (applications or data) when they need to.

Case study: IBM Office of the CIO

The IBM Office of the CIO turned to IBM Security® Verify for next-generation digital authentication across its workforce and clients.

Getting started with zero trust security

To better understand how organizations are implementing zero trust security, the IBM Institute for Business Value (IBV) partnered with Oxford Economics to survey more than 1,000 operations and security executives from organizations in 15 industries across the globe.

Take the next step

IBM Security Verify is a leading IAM platform that provides AI-powered capabilities for managing your workforce and customer needs. Unify identity silos, reduce the risk of identity-based attacks and provide modern authentication, including passwordless capabilities.

Explore Verify Try Verify for 90 days