
What Is Zero Trust?

Zero trust is a security strategy that asserts that no entity—user, app, service, or device—should be trusted by default. Following the principle of least-privileged access, before any connection is allowed, trust is established based on the entity’s context and security posture, and then continually reassessed for every new connection, even if the entity was authenticated before.


Zero Trust Architecture Explained

Zero trust is a cybersecurity strategy wherein security policy is applied based on context established through least-privileged access controls and strict user authentication—not assumed trust. A well-tuned zero trust architecture leads to simpler network infrastructure, a better user experience, and improved cyberthreat defense.

A zero trust architecture follows the maxim "never trust, always verify." This guiding principle has been in place since John Kindervag, then at Forrester Research, coined the term. A zero trust architecture enforces access policies based on context—including the user's role and location, their device, and the data they are requesting—to block inappropriate access and lateral movement throughout an environment.

Establishing a zero trust architecture requires visibility and control over the environment's users and traffic, including that which is encrypted; monitoring and verification of traffic between parts of the environment; and strong multifactor authentication (MFA) methods beyond passwords, such as biometrics or one-time codes.

Critically, in a zero trust architecture, a resource's network location isn't the biggest factor in its security posture anymore. Instead of rigid network segmentation, your data, workflows, services, and such are protected by software-defined microsegmentation, enabling you to keep them secure anywhere, whether in your data center or in distributed hybrid and multicloud environments.

Removing network location as a position of advantage eliminates excessive implicit trust, replacing it with explicit identity-based trust.

Gartner, Market Guide to Zero Trust Network Access, June 2020

How Does Zero Trust Security Work?

As a core concept, zero trust assumes every component or connection is hostile by default, departing from earlier models based on secure network perimeters. This lack of trust is technologically defined by:

  • The underlying architecture: Traditional models used approved IP addresses, ports, and protocols for access control, and remote access VPN for trust validation.
  • An inline approach: This considers all traffic as potentially hostile, even that within the network perimeter. Traffic is blocked until validated by specific attributes such as a fingerprint or identity.
  • Context-aware policies: This stronger security approach remains with the workload regardless of where it communicates—be it a public cloud, hybrid environment, container, or an on-premises network architecture.
  • Multifactor authentication: Validation is based on user, identity, device, and location.
  • Environment-agnostic security: Protection applies regardless of communication environment, promoting secure cross-network communications without need for architectural changes or policy updates.
  • Business-oriented connectivity: A zero trust model uses business policies for connecting users, devices, and applications securely across any network, facilitating secure digital transformation.

Zero trust is being misused as a marketing term. Vendors are applying the term ‘Zero Trust’ to market everything in security, creating significant marketing confusion.

Gartner, 2019

Core Principles of the Zero Trust Model

Zero trust is about more than user identity, segmentation, and secure access. It's a strategy upon which to build a cybersecurity ecosystem. At its core are three tenets:

  1. Terminate every connection: Technologies like firewalls use a “passthrough” approach, inspecting files as they are delivered. If a malicious file is detected, alerts are often too late. An effective zero trust solution terminates every connection to allow an inline proxy architecture to inspect all traffic, including encrypted traffic, in real time—before it reaches its destination—to prevent ransomware, malware, and more.
  2. Protect data using granular context-based policies: Zero trust policies verify access requests and rights based on context, including user identity, device, location, type of content, and the application being requested. Policies are adaptive, so user access privileges are continually reassessed as context changes.
  3. Reduce risk by eliminating the attack surface: With a zero trust approach, users connect directly to the apps and resources they need, never to networks (see ZTNA). Direct user-to-app and app-to-app connections eliminate the risk of lateral movement and prevent compromised devices from infecting other resources. Plus, users and apps are invisible to the internet, so they can’t be discovered or attacked.
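As an added illustration, not Zscaler's code or the Zero Trust Exchange's policy model, the following Python sketch shows a default-deny, context-aware policy decision of the kind tenets 2 and 3 describe, re-run for every connection rather than once per session. The field names, sample policies and context attributes (role, location, device posture, MFA state) are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    """Context of one connection attempt (constructed field names, not a product schema)."""
    user: str
    role: str
    device_posture: str   # "compliant" or "noncompliant"
    location: str         # e.g. "corp-office", "home", "unknown"
    application: str
    mfa_verified: bool

@dataclass(frozen=True)
class Policy:
    """Per-application rule; access is granted only when every condition holds."""
    application: str
    allowed_roles: frozenset
    allowed_locations: frozenset
    require_compliant_device: bool = True
    require_mfa: bool = True

# Constructed sample policies: payroll is restricted to HR staff on compliant devices.
POLICIES = (
    Policy("payroll", frozenset({"hr"}), frozenset({"corp-office", "home"})),
    Policy("wiki", frozenset({"hr", "engineering"}),
           frozenset({"corp-office", "home", "unknown"}), require_compliant_device=False),
)

def evaluate(req, policies=POLICIES):
    """Default deny: allow only via an explicit policy for the requested app
    whose every context condition (role, location, posture, MFA) is met."""
    for p in policies:
        if p.application != req.application:
            continue
        if req.role not in p.allowed_roles:
            return False, "role not permitted for application"
        if req.location not in p.allowed_locations:
            return False, "location not permitted"
        if p.require_compliant_device and req.device_posture != "compliant":
            return False, "device posture not compliant"
        if p.require_mfa and not req.mfa_verified:
            return False, "MFA not verified"
        return True, "allowed by policy"
    return False, "no policy for application (default deny)"

def evaluate_connections(requests):
    """Every new connection is judged on its own context; an earlier allow
    for the same user carries no weight once the context has changed."""
    return [evaluate(r) for r in requests]
```

Evaluating the same user's request before and after the device falls out of compliance yields allow then deny, which is the per-connection reassessment the tenets describe; an application with no policy is denied outright, so there is no network-level access to fall back on.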

Benefits of Choosing a Zero Trust Architecture

Today’s cloud environments make attractive targets for cybercriminals aiming to steal, destroy, or ransom business-critical and sensitive data, such as personally identifiable information (PII), intellectual property (IP), and financial information.

While no security strategy is perfect, zero trust is among today's most effective strategies as it:

  • Reduces the attack surface and risk of a data breach
  • Provides granular access control over cloud and container environments
  • Mitigates the impact and severity of successful attacks, reducing cleanup time and cost
  • Supports compliance initiatives

A zero trust security model is the world's most effective means of ensuring cloud security. With the sheer degree of cloud, endpoint, and data sprawl in today’s IT environments, trusting no connection without proper verification is essential. Moreover, the increased visibility will make life much easier for IT and security from the administrator level all the way up to the CISO.

Zero Trust Defense Areas

Applied across your IT ecosystem, zero trust can offer granular protection for your:

  • Applications
  • Data
  • Endpoints
  • Identities
  • Infrastructure
  • Network

Use Cases of Zero Trust

1. Reduce Business and Organizational Risk

Zero trust architecture reduces risk by stopping all applications and services from communicating until they are authenticated in line with predefined trust principles. A zero trust strategy helps you understand how assets in your environment are communicating and, as baselines are established, enables you to eliminate overprovisioned software and services to further mitigate risk.

2. Gain Access Control over Cloud and Container Environments

Zero trust security policies are applied based on workload identity, unaffected by IP addresses, ports, and protocols. Protection is tied directly to the workloads themselves and remains constant even as the environment changes, significantly easing the access management, visibility, and general workload security challenges associated with cloud service providers and containers.

3. Reduce the Risk of a Data Breach

Zero trust architecture inspects every request, authenticates every user and device, and assesses all permissions before granting access, and then continually reassesses trust as context changes. Additionally, zero trust models create one-to-one secure connections, with no means of lateral movement. Thus, even if an attacker gains entry to your environment, they can’t access or steal data if they can’t establish trust.

4. Support Compliance Initiatives

Zero trust renders all user and workload connections invisible from the open internet, simplifying compliance with PCI DSS, NIST 800-207, and more while supporting smoother audits. Zero trust microsegmentation enables you to create perimeters around certain types of sensitive data using fine-grained controls to separate regulated and non-regulated data. During audits, or in the event of a data breach, microsegmentation provides superior visibility and control compared to flat network architectures.


How to Get Started with Zero Trust

When designing a zero trust architecture, your security and IT teams should first focus on answering two questions:

  1. What are you trying to protect?
  2. From whom are you trying to protect it?

This strategy will inform the way you design your architecture. Following that, the most effective approach is to layer technologies and processes on top of your strategy, not the other way around.

In its zero trust network access (ZTNA) framework, Gartner recommends leveraging zero trust delivered as a service. You can also take a phased approach, starting with either your most critical assets or a test case of non-critical assets, before implementing zero trust more broadly. Whatever your starting point, an optimal zero trust solution will offer you immediate returns in risk reduction and security control.

How to Implement Zero Trust

Implementing zero trust is about enacting secure transformation. Today, more organizations know why they should pursue a zero trust architecture, but many still aren’t sure where to start—and every security provider seems to have their own definition of zero trust security. True zero trust doesn’t happen in an instant. It’s a journey that begins with empowering and securing your workforce.

Learn more in our dedicated article: How Do You Implement Zero Trust?

Why Choose Zscaler as Your Zero Trust Solution?

Zscaler is the only cybersecurity vendor that offers a zero trust platform born in the cloud and designed for cloud organizations. What’s more, Zscaler is consistently nominated as a leader in the industry’s most prestigious analyst reports and rankings, and we have the backing of our innovative partners and customers to prove it.

All of this is made possible by our flagship platform: the Zscaler Zero Trust Exchange.


The Zscaler Zero Trust Exchange

The Zscaler Zero Trust Exchange™ is a cloud native platform built on zero trust. Based on the principle of least privilege, it establishes trust through context, such as a user’s location, their device’s security posture, the content being exchanged, and the application being requested. Once trust is established, your employees get fast, reliable connections—wherever they are—without ever being placed directly on your network.

The Zero Trust Exchange operates across more than 150 data centers worldwide, ensuring that the service is close to your users, colocated with the cloud providers and applications they are accessing. It guarantees the shortest path between your users and their destinations, providing comprehensive security and an amazing user experience.

FAQs

Why Zero Trust?

You should adopt zero trust because legacy security models, which assume anything inside the network is trustworthy by default, don't work in the age of cloud and mobility. Zero trust requires verification from all entities, whatever their device or location, before access is granted. A proactive approach such as this minimizes the potential impact of breaches by limiting lateral movement within the network, reducing the risk of insider threats, and enhancing overall security posture.

Why Is Zero Trust Security Important?

Zero trust security is so important because it provides a solution to the shortcomings of traditional perimeter-based security in our hyperconnected digital world. Based on the premise that threats can come from anywhere—from outside a network as well as inside—zero trust enforces strict least-privileged access controls and continuous verification to help prevent breaches, reduce the blast radius of successful attacks, and hold up a strong security posture to face sophisticated, evolving threats.

What Are the Goals of Zero Trust?

The goals of zero trust are to enhance security, protect sensitive data, and mitigate cyber risk. To accomplish this, zero trust architectures verify and validate every entity accessing the network, implement strict access controls based on user identity and context, continuously monitor network activity for potential security risks, and encrypt sensitive data to prevent unauthorized access.

Does Zero Trust Replace VPN?

Zero trust network access (ZTNA), an extension of the principle of zero trust, is the ideal VPN alternative. Today, private application access is shifting away from network-centric approaches to a user- and app-centric approach, leading to the increased popularity of zero trust and the adoption of ZTNA services. ZTNA enables secure access to private applications by establishing connectivity from user to application on a dynamic, identity- and context-aware basis, providing reduced complexity, stronger security, and a smoother user experience compared to VPN.

Zero Trust and SASE

Zero trust and the secure access service edge (SASE) framework complement each other: zero trust maintains strict access controls and continuous verification, while SASE unifies network security and wide-area networking in a cloud-based service, delivering identity management, role-based access, encryption, threat prevention, and a consistent user experience. Effectively, zero trust provides the access framework while SASE offers the infrastructure and services to support it.

Zero Trust vs. VPN

With a traditional VPN, users are authenticated once and then placed on the network, granting them access to any and all resources. To make matters worse, VPNs require that user traffic be backhauled through a corporate data center, slowing down internet performance. Zero trust, on the other hand, connects users directly to private applications, improving both security and experience.