What is zero trust?
Zero trust is a security model based on the principle that no user, device or workload should be trusted by default. Instead of assuming that anything inside the network perimeter is safe, zero trust requires explicit verification of every access request, whether it comes from inside or outside the network, and keeps verifying for as long as the session lasts. Network location becomes one signal among many; what matters is who (or what) is requesting access, the state of the device it comes from, and whether that identity is authorized for the specific resource. Access to systems and data is tightly scoped, granted only to those who need it and only for as long as necessary.
The core principles of zero trust
Zero trust is based on three core principles:
Assume breach. Assume that any user, device or workload on your network (human or machine) could already be compromised, and design controls to contain an attacker who is inside rather than only to keep one out.
Verify explicitly. Every human and machine identity must prove who it is, and the posture of the device it uses must be checked, before it accesses any system, application or data; that verification is repeated during the session rather than done once at login.
Ensure least privilege. Once authenticated, a user or workload should receive the minimum access to the specific resources its job requires, for no longer than necessary, and no more.
How zero trust works
Zero trust assumes that every connection, user and device could be a potential threat. Therefore, access must be continuously verified at every point. Here's how it works:
1. No implicit trust, anywhere
In a zero-trust environment, no user or device is trusted by default, regardless of whether they are inside or outside the corporate network. Every access request is treated as if it originates from an open, untrusted network. This means authentication and authorization are enforced before and during access to any resource.
2. Continuous verification
Authenticating once does not buy unrestricted access. Zero trust uses continuous verification: the policy engine re-evaluates the identity, the device's security posture and the context of the session as the user moves between resources, and demands fresh proof (for example a step-up authentication) when a signal changes or a more sensitive resource is requested. Common inputs are:
- Multi-Factor Authentication (MFA)
- Device health checks
- Contextual access (e.g., location, time of day, role)
3. Least-privilege access
Users, services and applications are granted the minimum level of access needed to perform their tasks, for the shortest time needed. This principle, known as least-privilege access, shrinks the attack surface and limits the damage a compromised account or token can do. Role-based access control (RBAC) defines what each job function may do; attribute-based access control (ABAC) policies refine that with attributes of the request (device health, data sensitivity, time of day) so that the effective permission is decided per request rather than fixed at login.
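The following is an added example, not part of this glossary entry: a small policy decision point (PDP) in Python that applies the continuous-verification inputs listed above (MFA freshness, device health, context) together with an RBAC table and an ABAC condition for sensitive resources. The roles, resource names, country list and thresholds are illustrative assumptions, not any product's configuration.

```python
"""Minimal zero-trust policy decision point (PDP), added example.

Each request carries identity, authentication freshness, device posture and
context; every field is re-evaluated on every call (continuous verification)
and the role table grants only specific (resource, action) pairs (least
privilege). Roles, resources and thresholds are illustrative assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# RBAC table: role -> permitted (resource, action) pairs. Hypothetical.
ROLE_PERMISSIONS = {
    "engineer": {("repo:payments", "read"), ("repo:payments", "write"),
                 ("ci:pipelines", "read")},
    "support":  {("crm:tickets", "read"), ("crm:tickets", "write")},
    "dba":      {("db:prod-orders", "read"), ("db:prod-orders", "write")},
}
SENSITIVE = {"db:prod-orders"}     # ABAC: fresher MFA required whatever the role
ALLOWED_COUNTRIES = {"US", "GB", "DE"}
MFA_MAX_AGE = 8 * 3600             # seconds, ordinary resources in working hours
MFA_MAX_AGE_STRICT = 15 * 60       # seconds, sensitive resources or off-hours


@dataclass
class Request:
    subject: str
    roles: set
    resource: str
    action: str
    mfa_age_seconds: int           # seconds since last strong factor, -1 if none
    device_managed: bool
    device_disk_encrypted: bool
    device_patch_lag_days: int
    source_country: str
    when: datetime


@dataclass
class Decision:
    effect: str                    # "allow", "deny" or "step_up"
    reasons: list = field(default_factory=list)


def evaluate(req: Request) -> Decision:
    # 1. Least privilege: deny unless some role grants exactly this pair.
    if not any((req.resource, req.action) in ROLE_PERMISSIONS.get(r, set())
               for r in req.roles):
        return Decision("deny", [f"no role grants {req.action} on {req.resource}"])
    # 2. Device posture is checked on this request, not only at login.
    posture = []
    if not req.device_managed:
        posture.append("unmanaged device")
    if not req.device_disk_encrypted:
        posture.append("disk not encrypted")
    if req.device_patch_lag_days > 30:
        posture.append(f"patch lag {req.device_patch_lag_days}d exceeds 30d")
    if posture:
        return Decision("deny", posture)
    # 3. Context: location is a signal that tightens policy, never a grant.
    if req.source_country not in ALLOWED_COUNTRIES:
        return Decision("deny", [f"source country {req.source_country} not allowed"])
    # 4. Authentication freshness, stricter for sensitive data or off-hours.
    strict = req.resource in SENSITIVE or not (8 <= req.when.hour < 19)
    max_age = MFA_MAX_AGE_STRICT if strict else MFA_MAX_AGE
    if req.mfa_age_seconds < 0 or req.mfa_age_seconds > max_age:
        return Decision("step_up", [f"strong factor older than {max_age}s"])
    return Decision("allow", ["role grant, healthy device, fresh MFA"])


def demo_request(hour: int = 10, **overrides) -> Request:
    """Healthy baseline request (constructed); override fields to explore."""
    fields = dict(subject="alice", roles={"engineer"}, resource="repo:payments",
                  action="write", mfa_age_seconds=600, device_managed=True,
                  device_disk_encrypted=True, device_patch_lag_days=3,
                  source_country="US",
                  when=datetime(2024, 5, 6, hour, 0, tzinfo=timezone.utc))
    fields.update(overrides)
    return Request(**fields)


if __name__ == "__main__":
    cases = [("healthy", demo_request()),
             ("stale patches", demo_request(device_patch_lag_days=45)),
             ("off-hours", demo_request(hour=23, mfa_age_seconds=3600)),
             ("wrong role", demo_request(roles={"support"})),
             ("dba on prod", demo_request(roles={"dba"}, resource="db:prod-orders",
                                          action="read", mfa_age_seconds=3600))]
    for label, req in cases:
        d = evaluate(req)
        print(f"{label:14} -> {d.effect:8} {'; '.join(d.reasons)}")
```

The order of checks matters: the role lookup runs first so that an unauthorized request is denied before any posture detail appears in the reason, and every check runs on every call, so a laptop that falls behind on patches mid-session starts failing at the next request rather than at the next login.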
4. Microsegmentation
Rather than running one flat, open network, zero trust divides it into small zones, each with its own access controls and a default-deny stance toward traffic from the others. This process, known as microsegmentation, means that an attacker who compromises one segment cannot move laterally into the others without passing a separate policy check, so the blast radius of a breach is limited to that segment rather than the whole network.
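As an added illustration that is not from this page, here is a Python simulation of label-based microsegmentation policies using the same semantics as Kubernetes NetworkPolicy: a workload selected by any policy is default-deny for ingress, and its allowed flows are the union of the ingress rules of the policies that select it. The workloads, labels and ports are constructed sample data, not a real cluster.

```python
"""Microsegmentation modelled as label-based network policies, added example.

A workload selected by any policy becomes default-deny for ingress; permitted
flows are the union of its policies' ingress rules. This is a plain-Python
simulation of that model, with constructed workloads, labels and ports.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Workload:
    name: str
    labels: frozenset            # frozenset of (key, value) pairs


@dataclass
class IngressRule:
    from_labels: dict            # source must carry all of these labels
    ports: set                   # permitted destination ports


@dataclass
class Policy:
    name: str
    selector: dict               # applies to workloads carrying all these labels
    ingress: list = field(default_factory=list)


def labels(**kv) -> frozenset:
    return frozenset(kv.items())


def matches(workload_labels: frozenset, selector: dict) -> bool:
    return all((k, v) in workload_labels for k, v in selector.items())


def allowed(src: Workload, dst: Workload, port: int, policies: list) -> bool:
    """May src reach dst on port? A destination no policy selects keeps the
    flat network's implicit allow; a selected one is default-deny."""
    selecting = [p for p in policies if matches(dst.labels, p.selector)]
    if not selecting:
        return True
    return any(matches(src.labels, rule.from_labels) and port in rule.ports
               for p in selecting for rule in p.ingress)


def lateral_reach(compromised: Workload, workloads, policies, ports) -> set:
    """Every (workload, port) an attacker on `compromised` can reach."""
    return {(w.name, port) for w in workloads if w != compromised
            for port in ports if allowed(compromised, w, port, policies)}


# Constructed three-tier shop plus an unrelated batch job.
WEB = Workload("web-1", labels(tier="web", app="shop"))
APP = Workload("app-1", labels(tier="app", app="shop"))
DB = Workload("db-1", labels(tier="db", app="shop"))
BATCH = Workload("batch-1", labels(tier="batch", app="reports"))
WORKLOADS = [WEB, APP, DB, BATCH]
PORTS = [8443, 5432, 22]

# Each tier accepts only the one flow its upstream tier needs; batch accepts none.
SEGMENTED = [
    Policy("app-ingress", {"tier": "app"}, [IngressRule({"tier": "web"}, {8443})]),
    Policy("db-ingress", {"tier": "db"}, [IngressRule({"tier": "app"}, {5432})]),
    Policy("batch-ingress", {"tier": "batch"}),
]


def flat_reach() -> set:
    """Blast radius of a compromised web server with no segmentation."""
    return lateral_reach(WEB, WORKLOADS, [], PORTS)


def segmented_reach() -> set:
    """Blast radius of the same compromise once the policies apply."""
    return lateral_reach(WEB, WORKLOADS, SEGMENTED, PORTS)


if __name__ == "__main__":
    print("flat network:", sorted(flat_reach()))
    print("segmented:   ", sorted(segmented_reach()))
```

With no policies the compromised web server reaches every other workload on every port; with the three policies applied it reaches only the app tier on 8443, and the database is reachable solely from the app tier on 5432. Note the empty batch policy: selecting a workload with no ingress rules is how "nothing may talk to this" is expressed, and the 22/SSH port is closed everywhere because no rule lists it.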
5. Visibility and analytics
Zero trust also depends on comprehensive monitoring and logging. Every access request, the decision made on it and the signals that drove that decision are logged and analyzed, both to detect anomalies (a new device, an unusual location or hour, an account touching resources it never used before) and uncover threats, and to demonstrate that the access controls are actually enforced for compliance purposes.
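An added example, not from the original entry: a Python script that learns a per-principal baseline from a constructed JSON-lines access log and flags later events that fall outside it. The field names and log contents are hypothetical, and the heuristics are deliberately simple; they stand in for the analytics a zero-trust deployment runs over its decision logs.

```python
"""Baselining zero-trust access logs and flagging deviations, added example.

The sample below is a constructed JSON-lines decision log with hypothetical
field names. A per-principal baseline (devices, geos, resource/action pairs,
hours of activity) is learned from one window and later events outside it
are flagged for review.
"""
import json
from collections import defaultdict
from datetime import datetime

BASELINE_LOG = """\
{"ts":"2024-05-06T09:12:00Z","principal":"alice","device":"lt-0042","resource":"repo:payments","action":"read","geo":"US","decision":"allow"}
{"ts":"2024-05-06T10:40:00Z","principal":"alice","device":"lt-0042","resource":"repo:payments","action":"write","geo":"US","decision":"allow"}
{"ts":"2024-05-07T09:03:00Z","principal":"alice","device":"lt-0042","resource":"ci:pipelines","action":"read","geo":"US","decision":"allow"}
{"ts":"2024-05-06T02:00:00Z","principal":"svc-reports","device":"k8s-batch","resource":"db:analytics","action":"read","geo":"US","decision":"allow"}
{"ts":"2024-05-07T02:00:00Z","principal":"svc-reports","device":"k8s-batch","resource":"db:analytics","action":"read","geo":"US","decision":"allow"}
"""

NEW_LOG = """\
{"ts":"2024-05-08T09:30:00Z","principal":"alice","device":"lt-0042","resource":"repo:payments","action":"read","geo":"US","decision":"allow"}
{"ts":"2024-05-08T23:45:00Z","principal":"alice","device":"ph-9911","resource":"repo:payments","action":"read","geo":"RO","decision":"allow"}
{"ts":"2024-05-08T02:00:00Z","principal":"svc-reports","device":"k8s-batch","resource":"db:analytics","action":"read","geo":"US","decision":"allow"}
{"ts":"2024-05-08T14:10:00Z","principal":"svc-reports","device":"k8s-batch","resource":"db:prod-orders","action":"write","geo":"US","decision":"allow"}
"""


def parse(log: str) -> list:
    return [json.loads(line) for line in log.splitlines() if line.strip()]


def hour_of(event: dict) -> int:
    # fromisoformat() only accepts a trailing "Z" from Python 3.11 on.
    return datetime.fromisoformat(event["ts"].replace("Z", "+00:00")).hour


def build_baseline(events: list) -> dict:
    """principal -> what was seen: devices, geos, (resource, action), hours."""
    base = defaultdict(lambda: {"devices": set(), "geos": set(),
                                "access": set(), "hours": set()})
    for e in events:
        b = base[e["principal"]]
        b["devices"].add(e["device"])
        b["geos"].add(e["geo"])
        b["access"].add((e["resource"], e["action"]))
        b["hours"].add(hour_of(e))
    return base


def hour_distance(a: int, b: int) -> int:
    """Circular distance on a 24-hour clock, so 23:00 is close to 01:00."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def detect(events: list, baseline: dict, hour_slack: int = 3) -> list:
    """Return (ts, principal, [flags]) for each event outside its baseline."""
    findings = []
    for e in events:
        b = baseline.get(e["principal"])
        flags = []
        if b is None:
            flags.append("unknown principal")
        else:
            if e["device"] not in b["devices"]:
                flags.append("new device")
            if e["geo"] not in b["geos"]:
                flags.append("new geo")
            if (e["resource"], e["action"]) not in b["access"]:
                flags.append("new resource/action")
            if all(hour_distance(hour_of(e), h) > hour_slack for h in b["hours"]):
                flags.append("unusual hour")
        if flags:
            findings.append((e["ts"], e["principal"], flags))
    return findings


def run() -> list:
    return detect(parse(NEW_LOG), build_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for ts, who, flags in run():
        print(f"{ts} {who}: {', '.join(flags)}")
```

Both flagged events were allowed by the policy engine at the time, which is the point: the log is what lets a defender notice a human account suddenly active from a new phone in a new country at night, or a service account writing to a production table it had only ever read analytics from, and feed that back into policy (a step-up requirement, or a tightened grant).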
Benefits of zero trust
Zero trust offers a wide range of benefits, which is why it's becoming the go-to security model for modern organizations.
- Greater visibility for IT and security teams: Zero trust gives administrators full visibility into users, systems and devices across the data environment. They can see who's connecting to the network, from where and what they're accessing.
- Secure and flexible access for users: Because zero trust enables people, apps and services to communicate securely, even across different networks, users get more freedom and flexibility. They can connect securely from their homes or other remote locations, even if they’re using their own devices.
- Stronger protection against attacks: Zero trust reduces the risk of data breaches by requiring continuous authentication and device verification. RBAC and Privileged Access Management (PAM) minimize the risk of privilege escalation if a breach does occur.
- Easier compliance and fewer audit issues: Zero trust supports regulatory compliance by enforcing strict access controls and segmenting sensitive data. RBAC and network segmentation/microsegmentation support compliance initiatives, and the per-request decision logs give auditors evidence that the controls are enforced, resulting in fewer findings during compliance audits.
How to implement zero trust
One of the biggest challenges to implementing a zero-trust security strategy is that there are no universal implementation standards. Many organizations turn to the seven-step process laid out in NIST Special Publication 800-207:
1. Identify users
This encompasses both human users and non-human identities, such as service accounts. NIST notes that privileged users, including IT administrators and developers, need special scrutiny, as these users may have unrestricted access to digital resources. In a zero-trust framework, even privileged accounts should be least privilege, and account activity must be monitored and logged.
2. Identify and manage all assets connected to the network
Identifying and managing all assets that connect to the organizational network is key to a successful zero-trust implementation. This includes:
- Laptops, mobile devices, IoT devices and other hardware components.
- Digital artifacts, such as applications and digital certificates.
- Devices not owned by the organization but that can connect to its network infrastructure or access network resources.
NIST admits that a comprehensive asset inventory may not be possible, so organizations should also ensure they can "quickly identify, categorize, and assess newly discovered assets that are on enterprise-owned infrastructure."
In addition to cataloging assets, this step includes configuration management and monitoring, as the ability to observe the current state of an asset is part of the zero-trust authentication process.
3. Identify key processes, assess their risks and identify zero-trust “candidates”
Identify, rank and evaluate the risks of your organization’s business processes and dataflows, including their importance to your organization’s mission. This will help inform which processes are good initial candidates for a zero-trust deployment. NIST recommends starting with processes that depend on cloud-based resources and/or are used by remote workers, as these will generate the most immediate security improvements.
4. Formulate zero-trust policies for “candidates”
This is a continuation of Step 3. After identifying an asset or workflow to migrate to zero trust, identify all upstream and downstream resources that the asset or workflow uses or affects. This helps finalize initial zero-trust migration "candidates" and ensures that least privilege and other policies applied to them achieve maximum security without hindering workflow.
5. Identify and select toolsets/solutions
There are many zero-trust-compatible solutions on the market, but not all of them are suitable for your specific data environment and business needs. NIST recommends considering the following when choosing zero-trust tools:
- Does the solution require that components be installed on the client asset? This could limit business processes, and rules out devices (such as unmanaged or partner-owned ones) on which an agent cannot be installed.
- Does the solution work in cases where business process resources exist on premises? Some solutions assume that the requested resources sit in the cloud and that access always crosses the perimeter (so-called north-south traffic), rather than flowing between systems inside the enterprise (east-west traffic). This poses a problem in hybrid cloud environments, where legacy line-of-business apps that perform critical functions may still run on-premises because migrating them to the cloud isn't feasible.
- Does the solution provide a means to log interactions for analysis? Zero-trust access decisions depend heavily on the collection and use of data related to process flow, and the decision logs are what later anomaly detection and audits run on.
- Does the solution provide broad support for different applications, services and protocols? Some solutions support a broad range of protocols (SSH, web, etc.) and transports (IPv4 and IPv6), but others may work only with web or email.
- Does the solution require changes to existing workflows? Some solutions add steps to a given workflow, which could require the organization to change the workflow itself.
6. Commence initial deployment and monitoring
NIST recommends that enterprises consider initially implementing zero trust in "monitoring mode", in which the new policies are evaluated and their decisions logged but not yet enforced, so that IT and security teams can confirm that the policies and processes are effective and feasible before anything is blocked. Additionally, once a baseline of user and network activity is established, security teams will be better able to identify anomalous behavior down the road.
7. Expand your zero-trust architecture
After the initial rollout of zero trust, it's time to migrate the next set of candidates. This step is continuous: whenever the organization's data environment or workflows change, the zero-trust architecture must be reevaluated and adjusted accordingly.
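As an added example that is not part of this page, the following Python script shows what the monitoring mode of Step 6 looks like in practice for one migration candidate: a candidate least-privilege policy for a single workflow (the output of Step 4) is replayed against access events observed in the current environment without blocking anything, and the would-be denials are reported so that either the policy or the access can be fixed before switching to enforcement. The policy, principals and events are constructed.

```python
"""Staging a candidate zero-trust policy in monitor mode, added example.

A candidate allowlist for one workflow is replayed over constructed access
events. Monitor mode blocks nothing but tallies what the policy would have
denied; enforce mode actually drops those events. Names are hypothetical.
"""
from collections import Counter

# (principal, resource) -> permitted actions, for the "order fulfilment" workflow.
CANDIDATE_POLICY = {
    ("alice", "repo:payments"): {"read", "write"},
    ("svc-fulfil", "db:prod-orders"): {"read"},
    ("svc-fulfil", "queue:shipments"): {"read", "write"},
}
# Resources that additionally require a compliant (managed, patched) device.
REQUIRE_COMPLIANT_DEVICE = {"repo:payments", "db:prod-orders"}

# Constructed observations from the perimeter-based network being migrated.
OBSERVED = [
    {"principal": "alice", "resource": "repo:payments", "action": "write", "device_compliant": True},
    {"principal": "alice", "resource": "repo:payments", "action": "read", "device_compliant": False},
    {"principal": "svc-fulfil", "resource": "db:prod-orders", "action": "read", "device_compliant": True},
    {"principal": "svc-fulfil", "resource": "db:prod-orders", "action": "write", "device_compliant": True},
    {"principal": "bob", "resource": "queue:shipments", "action": "read", "device_compliant": True},
    {"principal": "svc-fulfil", "resource": "queue:shipments", "action": "write", "device_compliant": True},
]


def decide(event: dict) -> tuple:
    """(allowed, reason) for one event under the candidate policy."""
    actions = CANDIDATE_POLICY.get((event["principal"], event["resource"]))
    if actions is None:
        return False, "no grant for principal on resource"
    if event["action"] not in actions:
        return False, f"action {event['action']} not granted"
    if event["resource"] in REQUIRE_COMPLIANT_DEVICE and not event["device_compliant"]:
        return False, "non-compliant device"
    return True, "granted"


def replay(events: list, enforce: bool = False) -> tuple:
    """Monitor mode (enforce=False) lets every event through and tallies the
    would-be denials; enforce mode drops them. Returns (passed, denials)."""
    denials = Counter()
    passed = []
    for e in events:
        ok, reason = decide(e)
        if not ok:
            denials[(e["principal"], e["resource"], e["action"], reason)] += 1
        if ok or not enforce:
            passed.append(e)
    return passed, denials


def readiness(events: list) -> float:
    """Share of observed traffic the candidate policy already permits; a low
    value means the policy (or the workflow) needs work before enforcing."""
    _, denials = replay(events, enforce=False)
    return 1 - sum(denials.values()) / len(events)


if __name__ == "__main__":
    passed, denials = replay(OBSERVED)
    print(f"monitor mode: {len(passed)}/{len(OBSERVED)} passed, "
          f"readiness {readiness(OBSERVED):.0%}")
    for (who, res, act, why), n in denials.items():
        print(f"  would deny x{n}: {who} {act} {res} ({why})")
    passed, _ = replay(OBSERVED, enforce=True)
    print(f"enforce mode: {len(passed)}/{len(OBSERVED)} passed")
```

Each reported denial is a decision for the team, not a bug in the tool: the service account writing to the orders table may be a real dependency that Step 4 missed (add the grant), the read from a non-compliant laptop is a posture problem to fix on the device, and bob's access to the shipment queue is either a missing grant or exactly the kind of standing access zero trust is meant to remove. Only when the readiness figure is acceptable and the remaining denials are intended does the switch to enforce mode happen.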