What Is Zero Trust?
Zero trust is a security strategy that asserts that no entity—user, app, service, or device—should be trusted by default. Following the principle of least-privileged access, before any connection is allowed, trust is established based on the entity’s context and security posture, and then continually reassessed for every new connection, even if the entity was authenticated before.
Zero Trust Architecture Explained
Zero trust is a cybersecurity strategy wherein security policy is applied based on context established through least-privileged access controls and strict user authentication—not assumed trust. A well-tuned zero trust architecture leads to simpler network infrastructure, a better user experience, and improved cyberthreat defense.
A zero trust architecture follows the maxim "never trust, always verify." This guiding principle has been in place since John Kindervag, then at Forrester Research, coined the term. A zero trust architecture enforces access policies based on context—including the user's role and location, their device, and the data they are requesting—to block inappropriate access and lateral movement throughout an environment.
Establishing a zero trust architecture requires visibility and control over the environment's users and traffic, including that which is encrypted; monitoring and verification of traffic between parts of the environment; and strong multifactor authentication (MFA) methods beyond passwords, such as biometrics or one-time codes.
Critically, in a zero trust architecture, a resource's network location isn't the biggest factor in its security posture anymore. Instead of rigid network segmentation, your data, workflows, services, and such are protected by software-defined microsegmentation, enabling you to keep them secure anywhere, whether in your data center or in distributed hybrid and multicloud environments.
How Does Zero Trust Security Work?
As a core concept, zero trust assumes every component or connection is hostile by default, departing from earlier models based on secure network perimeters. This lack of trust is technologically defined by:
- The underlying architecture: Traditional models used approved IP addresses, ports, and protocols for access controls, and remote access VPNs for trust validation.
- An inline approach: This considers all traffic as potentially hostile, even that within the network perimeter. Traffic is blocked until validated by specific attributes such as a fingerprint or identity.
- Context-aware policies: This stronger security approach remains with the workload regardless of where it communicates—be it a public cloud, hybrid environment, container, or an on-premises network architecture.
- Multifactor authentication: Validation is based on user, identity, device, and location.
- Environment-agnostic security: Protection applies regardless of communication environment, promoting secure cross-network communications without need for architectural changes or policy updates.
- Business-oriented connectivity: A zero trust model uses business policies for connecting users, devices, and applications securely across any network, facilitating secure digital transformation.
What are the Core Principles of the Zero Trust Model?
Zero trust is about more than user identity, segmentation, and secure access. It's a strategy upon which to build a cybersecurity ecosystem. At its core are three tenets:
- Terminate every connection: Technologies like firewalls use a “passthrough” approach, inspecting files as they are delivered. If a malicious file is detected, alerts are often too late. An effective zero trust solution terminates every connection to allow an inline proxy architecture to inspect all traffic, including encrypted traffic, in real time—before it reaches its destination—to prevent ransomware, malware, and more.
- Protect data using granular context-based policies: Zero trust policies verify access requests and rights based on context, including user identity, device, location, type of content, and the application being requested. Policies are adaptive, so user access privileges are continually reassessed as context changes.
- Reduce risk by eliminating the attack surface: With a zero trust approach, users connect directly to the apps and resources they need, never to networks (see ZTNA). Direct user-to-app and app-to-app connections eliminate the risk of lateral movement and prevent compromised devices from infecting other resources. Plus, users and apps are invisible to the internet, so they can’t be discovered or attacked.
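The "granular context-based policies" tenet, and the page's point that trust is reassessed for every connection rather than carried over from an earlier authentication, as an added example (not Zscaler's code; the policy table, posture scale and sample users are constructed):

```python
"""Added example: a minimal context-based policy decision point (PDP).
Not Zscaler's code; the rule set, posture scale and sample users are
constructed. Every connection is evaluated on its current context, so an
earlier 'allow' never carries over to the next request."""
from dataclasses import dataclass

# Constructed policy: application -> requirements on the caller's context.
APP_POLICY = {
    "payroll": {"roles": {"finance"}, "min_posture": 3, "countries": {"US"}},
    "wiki": {"roles": {"finance", "engineering"}, "min_posture": 1, "countries": None},
}

@dataclass(frozen=True)
class Context:
    user: str
    role: str
    device_posture: int   # 0 = unmanaged/unknown ... 3 = managed, patched, EDR healthy
    country: str
    mfa_verified: bool

def decide(app: str, ctx: Context) -> tuple[bool, str]:
    """Evaluate one connection request and return (allowed, reason).
    Default deny: an unknown app, missing MFA or any failed check denies."""
    rule = APP_POLICY.get(app)
    if rule is None:
        return False, "unknown application"
    if not ctx.mfa_verified:
        return False, "MFA not verified"
    if ctx.role not in rule["roles"]:
        return False, f"role {ctx.role!r} not permitted"
    if ctx.device_posture < rule["min_posture"]:
        return False, f"device posture {ctx.device_posture} below required {rule['min_posture']}"
    if rule["countries"] is not None and ctx.country not in rule["countries"]:
        return False, f"country {ctx.country!r} not permitted"
    return True, "all context checks passed"

def session_trace(app: str, contexts: list[Context]) -> list[bool]:
    """Re-evaluate each new connection independently: a prior allow grants
    nothing to the next request once the context has changed."""
    return [decide(app, c)[0] for c in contexts]

if __name__ == "__main__":
    alice = Context("alice", "finance", 3, "US", True)
    # Same user, same day, but EDR now reports the device as unhealthy.
    alice_degraded = Context("alice", "finance", 1, "US", True)
    print(session_trace("payroll", [alice, alice_degraded]))   # [True, False]
    print(decide("wiki", alice_degraded))   # low-sensitivity app still allowed
```

The second request is denied even though the same user was allowed moments earlier, because the decision is a function of the current context only.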
What are the Benefits of Zero Trust?
Today’s cloud environments make attractive targets for cybercriminals aiming to steal, destroy, or ransom business-critical and sensitive data, such as personally identifiable information (PII), intellectual property (IP), and financial information.
While no security strategy is perfect, zero trust is among today's most effective strategies as it:
- Reduces the attack surface and risk of a data breach
- Provides granular access control over cloud and container environments
- Mitigates the impact and severity of successful attacks, reducing cleanup time and cost
- Supports compliance initiatives
A zero trust security model is the world's most effective means of ensuring cloud security. With the sheer degree of cloud, endpoint, and data sprawl in today’s IT environments, trusting no connection without proper verification is essential. Moreover, the increased visibility will make life much easier for IT and security from the administrator level all the way up to the CISO.
Zero Trust Defense Areas
Applied across your IT ecosystem, zero trust can offer granular protection for your:
- Applications
- Data
- Endpoints
- Identities
- Infrastructure
- Network
Use Cases of Zero Trust
1. Reduce Business and Organizational Risk
Zero trust architecture reduces risk by stopping all applications and services from communicating until they are authenticated in line with predefined trust principles. A zero trust strategy helps you understand how assets in your environment are communicating and, as baselines are established, enables you to eliminate overprovisioned software and services to further mitigate risk.
2. Gain Access Control over Cloud and Container Environments
Zero trust security policies are applied based on workload identity, unaffected by IP addresses, ports, and protocols. Protection is tied directly to the workloads themselves and remains constant even as the environment changes, significantly easing the access management, visibility, and general workload security challenges associated with cloud services providers and containers.
3. Reduce the Risk of a Data Breach
Zero trust architecture inspects every request, authenticates every user and device, and assesses all permissions before granting access, and then continually reassesses trust as context changes. Additionally, zero trust models create one-to-one secure connections, with no means of lateral movement. Thus, even if an attacker gains entry to your environment, they can’t access or steal data if they can’t establish trust.
4. Support Compliance Initiatives
Zero trust renders all user and workload connections invisible from the open internet, simplifying compliance with PCI DSS, NIST 800-207, and more while supporting smoother audits. Zero trust microsegmentation enables you to create perimeters around certain types of sensitive data using fine-grained controls to separate regulated and non-regulated data. During audits, or in the event of a data breach, microsegmentation provides superior visibility and control compared to flat network architectures.
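The workload-identity policies of use case 2 and the microsegmentation of regulated data in use case 4, as one added example (not Zscaler's code; the workload names, classifications, addresses and allowlist are constructed, and the SPIFFE-style identity is an assumption):

```python
"""Added example: identity-based microsegmentation rules for workload-to-workload
traffic. Not Zscaler's code; workload names, labels and the sample flows are
constructed. Decisions key on workload identity and data classification, never
on IP address or port, so a workload keeps its policy when it is rescheduled."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    identity: str        # stable name from a service account or SPIFFE-style ID (assumption)
    classification: str  # "regulated" (e.g. cardholder data) or "general"
    ip: str              # carried only to show it plays no part in the decision

# Constructed allowlist of (source identity, destination identity). Default deny.
ALLOWED_FLOWS = {
    ("web-frontend", "checkout-api"),
    ("checkout-api", "card-vault"),
    ("card-vault", "tokenization"),
    ("card-vault", "analytics"),   # explicit entry, but it crosses segments (see below)
}

def allow_flow(src: Workload, dst: Workload) -> tuple[bool, str]:
    """One-to-one authorisation: explicit allow by identity, plus a segment
    rule that keeps regulated data from flowing into general workloads."""
    if (src.identity, dst.identity) not in ALLOWED_FLOWS:
        return False, "no explicit identity rule (default deny)"
    if src.classification == "regulated" and dst.classification != "regulated":
        return False, "regulated data may not flow to a general segment"
    return True, "permitted by identity and segment rules"

def lateral_reach(start: Workload, inventory: list[Workload]) -> set[str]:
    """Identities a compromised 'start' workload could reach directly under policy:
    with one-to-one rules this is its few explicit peers, not the whole subnet."""
    return {w.identity for w in inventory
            if w.identity != start.identity and allow_flow(start, w)[0]}

if __name__ == "__main__":
    fe = Workload("web-frontend", "general", "10.0.1.5")
    api = Workload("checkout-api", "general", "10.0.2.7")
    vault = Workload("card-vault", "regulated", "10.0.9.3")
    tok = Workload("tokenization", "regulated", "10.0.9.4")
    ana = Workload("analytics", "general", "10.0.3.1")
    print(allow_flow(api, vault))    # permitted
    print(allow_flow(vault, ana))    # denied by the segment rule despite the explicit entry
    print(allow_flow(fe, vault))     # denied: no identity rule
    # The same workload rescheduled to a new IP gets the identical decision.
    print(allow_flow(Workload("checkout-api", "general", "10.0.7.99"), vault))
    print(lateral_reach(vault, [fe, api, vault, tok, ana]))   # {'tokenization'}
```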
How to Get Started with Zero Trust
When designing a zero trust architecture, your security and IT teams should first focus on answering two questions:
- What are you trying to protect?
- From whom are you trying to protect it?
This strategy will inform the way you design your architecture. Following that, the most effective approach is to layer technologies and processes on top of your strategy, not the other way around.
In its zero trust network access (ZTNA) framework, Gartner recommends leveraging zero trust delivered as a service. You can also take a phased approach, starting with either your most critical assets or a test case of non-critical assets, before implementing zero trust more broadly. Whatever your starting point, an optimal zero trust solution will offer you immediate returns in risk reduction and security control.
How to Implement Zero Trust Security?
Implementing zero trust is about enacting secure transformation. Today, more organizations know why they should pursue a zero trust architecture, but many still aren’t sure where to start—and every security provider seems to have their own definition of zero trust security. True zero trust doesn’t happen in an instant. It’s a journey that begins with empowering and securing your workforce.
Learn more in our dedicated article: How Do You Implement Zero Trust?
Why Choose Zscaler as Your Zero Trust Solution?
Zscaler is the only cybersecurity vendor that offers a zero trust platform born in the cloud and designed for cloud organizations. What’s more, Zscaler is consistently nominated as a leader in the industry’s most prestigious analyst reports and rankings, and we have the backing of our innovative partners and customers to prove it.
All of this is made possible by our flagship platform: the Zscaler Zero Trust Exchange.
The Zscaler Zero Trust Exchange
The Zscaler Zero Trust Exchange™ is a cloud native platform built on zero trust. Based on the principle of least privilege, it establishes trust through context, such as a user’s location, their device’s security posture, the content being exchanged, and the application being requested. Once trust is established, your employees get fast, reliable connections—wherever they are—without ever being placed directly on your network.
The Zero Trust Exchange operates across more than 150 data centers worldwide, ensuring that the service is close to your users, colocated with the cloud providers and applications they are accessing. It guarantees the shortest path between your users and their destinations, providing comprehensive security and an amazing user experience.