
What is zero trust?


Since mobile users began connecting to business applications over the internet from unmanaged devices, there has been a growing need for zero trust. When you cannot trust the connection, the device, or the network, zero trust sounds like a great idea. But in the last few years there has been a lot of confusion about what the term actually means.

Zero trust is a security philosophy, a model meant to eliminate excessive implicit trust from the enterprise by starting from a security posture of default deny. At some point trust must be established to allow connectivity, but unlike network-centric methods, this trust must be dynamic, shifting as the context changes based on user, device, location, and application.

The purpose of a zero trust strategy is to eliminate excessive risk. It starts with never granting trust by default, and it requires trust to be contextual and adaptive. The level of privilege or access depends on the established trust, which must be continually monitored and adapted to risk.

Zero trust had to evolve

The concept of zero trust was formulated roughly 10 years ago by John Kindervag, to stop enterprise teams from granting too much trust to users and devices once they were on the network. Central to the idea was a default-deny security posture. Given the technology available at the time, however, it was framed entirely in network-centric terms: users had to be placed onto a network, and tunnels had to be driven through firewalls and DMZs, which exposed applications to the internet in order to make them reachable. It has taken 10 years to turn the idea of zero trust into reality.

With the adoption of cloud and mobility, IT professionals have come to realize that network-centric security strategies are no longer effective. Networks and user devices are no longer necessarily owned by the enterprise, and over half of employees access applications remotely. By rethinking the network-centric approach for the cloud-first era, enterprises open the door to adopting a true zero trust strategy.

By 2022, 80% of new digital business applications opened up to ecosystem partners will be accessed through zero trust network access (ZTNA).

– Gartner, 2019

Zero trust in a cloud-first world is based on these four key principles:

  • Application access should be adaptive, contextual, and independent of network access
  • Microsegmentation should occur at the application level without network segmentation
  • Applications and network must be invisible to the open internet
  • The internet becomes the new corporate network via encrypted microtunnels

Achieving zero trust requires a new mindset and modern technology

Cybersecurity Insiders found that 72 percent of enterprises are in the midst of implementing identity and access management (IAM) technology. IAM is a prerequisite for zero trust, but a true zero trust strategy does not stop there.

Among those same enterprises, 59 percent are looking to take the next step in creating a holistic zero trust ecosystem by adopting a zero trust network access (ZTNA) service in the coming year.

ZTNA improves flexibility, agility and scalability, enabling digital ecosystems to work without exposing services directly to the internet...

– Gartner, April 2019

ZTNA technology, also known as the software-defined perimeter (SDP), creates an identity- and context-based access boundary around private enterprise applications. The applications are hidden from discovery, and access is restricted through a trust broker to a set of authorized entities. Essentially, ZTNA enables adaptive and secure private application access by eliminating the perimeter around the network and instead creating virtual perimeters around each user, device, and application.

While identity providers (IdPs) and IAM services focus on authenticating the identity of users, ZTNA consumes this data to create microsegmented, secure connections only between authenticated users and the enterprise's private applications. These applications can run in private, multi-cloud, or hybrid cloud environments.
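The broker behaviour described above (default deny, entitlement scoped to one application rather than a network, device and location context, applications hidden from anyone not entitled to them, and trust re-evaluated whenever context changes) can be modelled in a few dozen lines. The following is an added example, not code from ZPA or any ZTNA product: the application names, group names, policy fields and posture signals are assumptions constructed for illustration, and in a real deployment those signals would come from the IdP assertion and a device-posture agent rather than from a hand-built Context object.

```python
"""Toy ZTNA trust-broker decision engine (added example, not product code)."""
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Context:
    """Signals the broker evaluates on every request. In practice these are
    taken from the IdP assertion and a device-posture agent; here they are
    constructed by hand."""
    user: str
    groups: FrozenSet[str]
    mfa: bool              # did the IdP assert a second factor for this session?
    device_managed: bool   # enrolled in MDM / presents a device certificate
    device_healthy: bool   # posture agent reports patched and disk-encrypted
    country: str
    app: str               # the single application this request targets


@dataclass(frozen=True)
class AppPolicy:
    """Policy is scoped to one application, not to a network segment."""
    allowed_groups: FrozenSet[str]
    require_mfa: bool = True
    require_managed_device: bool = True
    allowed_countries: FrozenSet[str] = frozenset()  # empty means any country


# Hypothetical application inventory and per-app policies (assumed values).
APP_POLICIES: Dict[str, AppPolicy] = {
    # Partners may reach the CRM from unmanaged devices, but only with MFA.
    "crm": AppPolicy(allowed_groups=frozenset({"sales", "partner"}),
                     require_managed_device=False),
    # HR data: HR staff only, managed and healthy device, and from US/CA.
    "hr-portal": AppPolicy(allowed_groups=frozenset({"hr"}),
                           allowed_countries=frozenset({"US", "CA"})),
}


def decide(ctx: Context) -> Tuple[bool, str]:
    """Default deny: every check must pass; the first failure is the reason."""
    policy = APP_POLICIES.get(ctx.app)
    if policy is None:
        return False, "unknown application (default deny)"
    if not ctx.groups & policy.allowed_groups:
        return False, "identity not entitled to this application"
    if policy.require_mfa and not ctx.mfa:
        return False, "MFA not asserted"
    if policy.require_managed_device and not ctx.device_managed:
        return False, "unmanaged device"
    if policy.require_managed_device and not ctx.device_healthy:
        return False, "device posture failed"
    if policy.allowed_countries and ctx.country not in policy.allowed_countries:
        return False, f"location {ctx.country} not permitted"
    return True, "allow"


def visible_apps(ctx: Context) -> List[str]:
    """Applications the broker will even advertise to this session. Anything
    the user cannot access right now is not listed, so there is no hostname
    or port for an attacker to probe."""
    return sorted(app for app in APP_POLICIES if decide(replace(ctx, app=app))[0])


class BrokeredSession:
    """Models one microtunnel for a user/device/app triple. Trust is not a
    one-time gate at connect time: any change in context triggers a fresh
    decision, and a failed check tears the connection down."""

    def __init__(self, ctx: Context) -> None:
        self.ctx = ctx
        self.connected, self.reason = decide(ctx)

    def update(self, **changes: object) -> bool:
        """Apply a context change (e.g. posture drift) and re-evaluate."""
        self.ctx = replace(self.ctx, **changes)
        self.connected, self.reason = decide(self.ctx)
        return self.connected


if __name__ == "__main__":
    # Constructed sample sessions.
    alice = Context("alice", frozenset({"employee", "hr"}), True, True, True, "US", "hr-portal")
    bob = Context("bob", frozenset({"partner"}), True, False, False, "DE", "crm")
    print("alice sees:", visible_apps(alice), "| bob sees:", visible_apps(bob))
    session = BrokeredSession(alice)
    print("alice connected:", session.connected)
    session.update(device_healthy=False)
    print("after posture drift:", session.connected, session.reason)
```

Note that `visible_apps` runs the same `decide` function used for the connection itself, so the set of advertised applications and the set of reachable applications can never drift apart; the device-health check is applied only where a managed device is required, because posture cannot be attested on a device the enterprise does not control.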

Related reading:

  • Cybersecurity Insiders 2019 Zero Trust Adoption Report
  • The Network Architect’s Guide to Adopting ZTNA
  • Gartner Market Guide for Zero Trust Network Access

Where your enterprise should start when it comes to zero trust

Gartner says, “By 2023, 60% of enterprises will phase out most of their remote access virtual private networks (VPNs) in favor of ZTNA.” The majority of enterprises have already adopted some kind of IdP service (Okta, Ping, Azure AD, Active Directory, and so on). The next step is to begin testing the ZTNA services on the market and identifying initial use cases, such as securing partner access to private applications.

To learn more about ZTNA technology, check out the leading ZTNA service, ZPA. Find out how you can take ZPA for a free test drive for 7 days!
