What Is Zero Trust?

Zero trust is a framework for securing organizations in the cloud and mobile world that asserts that no user or application should be trusted by default. Following a key zero trust principle, least-privileged access, trust is established based on context (e.g., user identity and location, the security posture of the endpoint, the app or service being requested) with policy checks at each step.


Zero Trust Architecture Explained

Zero trust is a cybersecurity strategy wherein security policy is applied based on context established through least-privileged access controls and strict user authentication—not assumed trust. A well-tuned zero trust architecture leads to simpler network infrastructure, a better user experience, and improved cyberthreat defense.

A zero trust architecture follows the maxim "never trust, always verify." This guiding principle has been in place since John Kindervag, then at Forrester Research, coined the term. A zero trust architecture enforces access policies based on context—including the user's role and location, their device, and the data they are requesting—to block inappropriate access and lateral movement throughout an environment.

Establishing a zero trust architecture requires visibility and control over the environment's users and traffic, including that which is encrypted; monitoring and verification of traffic between parts of the environment; and strong multifactor authentication (MFA) methods beyond passwords, such as biometrics or one-time codes.

Critically, in a zero trust architecture, a resource's network location is no longer the biggest factor in its security posture. Instead of rigid network segmentation, your data, workflows, services, and other resources are protected by software-defined microsegmentation, enabling you to keep them secure anywhere, whether in your data center or in distributed hybrid and multicloud environments.

How to Implement Zero Trust

Implementing zero trust is about enacting secure transformation. Today, more organizations know why they should pursue a zero trust architecture, but many still aren’t sure where to start—and every security provider seems to have their own definition of zero trust security. True zero trust doesn’t happen in an instant. It’s a journey that begins with empowering and securing your workforce.

Learn more in our dedicated article: How Do You Implement Zero Trust?

Removing network location as a position of advantage eliminates excessive implicit trust, replacing it with explicit identity-based trust.

Gartner, Market Guide to Zero Trust Network Access, June 2020

How Does Zero Trust Security Work?

The core concept of zero trust is simple: assume everything is hostile by default. It's a major departure from the network security model built on the centralized data center and secure network perimeter—a model in use since the 1990s. These network architectures rely on approved IP addresses, ports, and protocols to establish access controls and validate what's trusted inside the network, generally including anybody connecting via remote access VPN.

In contrast, a zero trust approach treats all traffic, even if it's already inside the perimeter, as hostile. For example, workloads are blocked from communicating until they are validated by a set of attributes, such as a fingerprint or identity. Identity-based validation policies result in stronger security that travels with the workload wherever it communicates—in a public cloud, a hybrid environment, a container, or an on-premises network architecture.

Because protection is environment-agnostic, zero trust secures applications and services even if they communicate across network environments, requiring no architectural changes or policy updates. Zero trust securely connects users, devices, and applications using business policies over any network, enabling safe digital transformation.

Zero trust is being misused as a marketing term. Vendors are applying the term ‘Zero Trust’ to market everything in security, creating significant marketing confusion.

Gartner, 2019

Core Principles of the Zero Trust Model

Zero trust is about more than user identity, segmentation, and secure access. It's a strategy upon which to build a cybersecurity ecosystem. At its core are three tenets:

  1. Terminate every connection: Technologies like firewalls use a “passthrough” approach, inspecting files as they are delivered. If a malicious file is detected, alerts are often too late. An effective zero trust solution terminates every connection to allow an inline proxy architecture to inspect all traffic, including encrypted traffic, in real time—before it reaches its destination—to prevent ransomware, malware, and more.
  2. Protect data using granular context-based policies: Zero trust policies verify access requests and rights based on context, including user identity, device, location, type of content, and the application being requested. Policies are adaptive, so user access privileges are continually reassessed as context changes.
  3. Reduce risk by eliminating the attack surface: With a zero trust approach, users connect directly to the apps and resources they need, never to networks (see ZTNA). Direct user-to-app and app-to-app connections eliminate the risk of lateral movement and prevent compromised devices from infecting other resources. Plus, users and apps are invisible to the internet, so they can’t be discovered or attacked.
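To make the second tenet concrete, here is an added example (not Zscaler code and not part of the original page) of a minimal policy decision point: access is denied by default, the decision is built from context attributes (role, MFA state, device posture, location, requested app) rather than network location, and the same session is re-evaluated whenever any of those attributes changes. The policy table, app names and user records are constructed for illustration.

```python
"""Context-based, deny-by-default access decisions with continuous re-evaluation.
Added example; the APP_POLICIES table and all users/devices are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    mfa_verified: bool
    device_managed: bool
    device_patched: bool
    country: str
    app: str


# Constructed policy table: app -> requirements. Any app not listed is denied.
APP_POLICIES = {
    "payroll": {"roles": {"finance", "hr"}, "require_mfa": True,
                "require_managed": True, "countries": {"US", "DE"}},
    "wiki": {"roles": {"finance", "hr", "engineering"}, "require_mfa": False,
             "require_managed": False, "countries": None},  # None = any country
}


def decide(ctx):
    """Return ("allow" | "deny", reason). Every path that is not an explicit
    allow ends in deny; the source IP/network is deliberately not an input."""
    policy = APP_POLICIES.get(ctx.app)
    if policy is None:
        return "deny", f"no policy for app {ctx.app!r}"
    if ctx.role not in policy["roles"]:
        return "deny", f"role {ctx.role!r} not permitted for {ctx.app!r}"
    if policy["require_mfa"] and not ctx.mfa_verified:
        return "deny", "MFA required"
    if policy["require_managed"] and not (ctx.device_managed and ctx.device_patched):
        return "deny", "managed, patched device required"
    if policy["countries"] is not None and ctx.country not in policy["countries"]:
        return "deny", f"access from {ctx.country} not permitted"
    return "allow", "all context checks passed"


class Session:
    """Holds one user's current context and re-runs the decision on every change,
    so a grant made earlier never outlives the context that justified it."""

    def __init__(self, ctx):
        self.ctx = ctx
        self.decisions = [decide(ctx)]

    def update(self, **changes):
        self.ctx = replace(self.ctx, **changes)
        self.decisions.append(decide(self.ctx))
        return self.decisions[-1]


def demo():
    """Walk one constructed session through two context changes."""
    base = Context("alice", "finance", True, True, True, "US", "payroll")
    session = Session(base)
    first = session.decisions[0]                       # initial request: allowed
    moved = session.update(country="RU")               # location changes mid-session
    degraded = session.update(country="US", device_patched=False)  # posture drops
    return first, moved, degraded


if __name__ == "__main__":
    for verdict, reason in demo():
        print(verdict, "-", reason)
```

Note that `Session.update` is the point a real deployment would hook into posture and identity signals; the decision logic itself does not care which attribute changed, only that the current context still satisfies policy.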

Benefits of Choosing a Zero Trust Architecture

Today’s cloud environments make attractive targets for cybercriminals aiming to steal, destroy, or ransom business-critical and sensitive data, such as personally identifiable information (PII), intellectual property (IP), and financial information.

While no security strategy is perfect, zero trust is among today's most effective strategies as it:

  • Reduces the attack surface and risk of a data breach
  • Provides granular access control over cloud and container environments
  • Mitigates the impact and severity of successful attacks, reducing cleanup time and cost
  • Supports compliance initiatives

A zero trust security model is the world's most effective means of ensuring cloud security. With the sheer degree of cloud, endpoint, and data sprawl in today’s IT environments, trusting no connection without proper verification is essential. Moreover, the increased visibility will make life much easier for IT and security from the administrator level all the way up to the CISO.

Zero Trust Defense Areas

Applied across your IT ecosystem, zero trust can offer granular protection for your:

  • Applications
  • Data
  • Endpoints
  • Identities
  • Infrastructure
  • Network

Use Cases of Zero Trust

1. Reduce Business and Organizational Risk

Zero trust solutions stop all applications and services from communicating until they are verified by their identity attributes—immutable properties that meet predefined trust principles, such as authentication and authorization requirements.

Zero trust, therefore, reduces risk because it uncovers what’s on the network and how those assets are communicating. As baselines are established, a zero trust strategy further reduces risk by eliminating overprovisioned software and services as well as continuously checking the “credentials” of every communicating asset.

2. Gain Access Control over Cloud and Container Environments

Access management and loss of visibility are security practitioners’ greatest fears about moving to the cloud. Despite enhancements in cloud service provider (CSP) security, workload security remains a shared responsibility between your organization and the CSP. That said, there's only so much you can affect inside the CSP’s cloud.

With a zero trust security architecture, security policies are applied based on the identity of communicating workloads and tied directly to the workloads themselves. This keeps security as close as possible to the assets that need protection, unaffected by network constructs like IP addresses, ports, and protocols. Protection travels with the workload and remains constant even as the environment changes.
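The workload-identity idea in this section, as an added example that is not Zscaler's code: a workload-to-workload policy keyed on attested identities rather than IP addresses or ports. The SPIFFE-style identity URIs, the allow list and the IP addresses are all constructed; the `attested` flag stands in for whatever mechanism (for instance mTLS with platform-issued certificates) proves a workload really holds the identity it claims.

```python
"""Identity-based microsegmentation: policy follows the workload, not its address.
Added example; identities, IPs and the ALLOW table are constructed."""
from dataclasses import dataclass

PREFIX = "spiffe://example.internal/ns/prod/sa/"   # constructed trust domain


@dataclass(frozen=True)
class Workload:
    identity: str   # e.g. spiffe://example.internal/ns/prod/sa/web
    ip: str         # network location: recorded for logging, never consulted by policy
    attested: bool  # True only when the platform has verified the identity


# Constructed allow list: (source identity, destination identity) -> permitted services.
# Anything not listed, including every other hop between these workloads, is denied.
ALLOW = {
    (PREFIX + "web", PREFIX + "orders"): {"orders-api"},
    (PREFIX + "orders", PREFIX + "db"): {"postgres"},
}


def authorize(src, dst, service):
    """Return (allowed, reason). Unverified identities fail closed, and a pair
    that is not explicitly listed cannot talk even when both are attested."""
    if not src.attested or not dst.attested:
        return False, "unverified workload identity"
    permitted = ALLOW.get((src.identity, dst.identity), set())
    if service not in permitted:
        return False, f"{src.identity} -> {dst.identity}:{service} not in policy"
    return True, "identity pair permitted for this service"


def demo():
    """Show the same decisions before and after a workload changes location."""
    web = Workload(PREFIX + "web", "10.0.1.5", True)
    orders = Workload(PREFIX + "orders", "10.0.2.9", True)
    db = Workload(PREFIX + "db", "10.0.3.1", True)
    web_moved = Workload(PREFIX + "web", "172.16.0.7", True)   # re-scheduled elsewhere
    impostor = Workload(PREFIX + "web", "10.0.1.5", False)     # claims identity, unattested
    return {
        "web->orders": authorize(web, orders, "orders-api")[0],
        "moved web->orders": authorize(web_moved, orders, "orders-api")[0],
        "web->db lateral": authorize(web, db, "postgres")[0],
        "impostor->orders": authorize(impostor, orders, "orders-api")[0],
        "orders->db wrong service": authorize(orders, db, "ssh")[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allow' if allowed else 'deny'}")
```

Because `Workload.ip` never reaches `authorize`, the decision for `web_moved` is identical to the one for `web`: the protection travelled with the workload, which is exactly the property the paragraph above describes.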

3. Reduce the Risk of a Data Breach

Following the principle of least privilege, every entity is assumed hostile. Every request is inspected, users and devices are authenticated, and permissions are assessed before "trust" is granted. This "trust" is then continually reassessed as context changes, such as the user's location or the data being accessed.

Even if a compromised device or other vulnerability allows entry into a network or cloud instance, an untrusted attacker cannot access or steal data. Additionally, the zero trust model creates a “single secure segment” with no means of lateral movement, so attackers have nowhere to go.

4. Support Compliance Initiatives

Zero trust shields all user and workload connections from the internet, so they can't be exposed or exploited. This invisibility makes it easier to demonstrate compliance with privacy standards and regulations (e.g., PCI DSS, NIST 800-207), and results in fewer findings during audits.

Implementing zero trust microsegmentation enables you to create perimeters around certain types of sensitive data (e.g., payment card data, data backups) using fine-grained controls to separate regulated and non-regulated data. During audits, or in the event of a data breach, microsegmentation provides superior visibility and control compared to the overprivileged access of many flat network architectures.

[Diagram: zero trust architecture]

How to Get Started with Zero Trust

When designing a zero trust architecture, your security and IT teams should first focus on answering two questions:

  1. What are you trying to protect?
  2. From whom are you trying to protect it?

This strategy will inform the way you design your architecture. Following that, the most effective approach is to layer technologies and processes on top of your strategy, not the other way around.

In its zero trust network access (ZTNA) framework, Gartner recommends leveraging zero trust delivered as a service. You can also take a phased approach, starting with either your most critical assets or a test case of non-critical assets, before implementing zero trust more broadly. Whatever your starting point, an optimal zero trust solution will offer you immediate returns in risk reduction and security control.

Why Choose Zscaler as Your Zero Trust Solution?

Zscaler is the only cybersecurity vendor that offers a zero trust platform born in the cloud and designed for cloud organizations. What’s more, Zscaler is consistently nominated as a leader in the industry’s most prestigious analyst reports and rankings, and we have the backing of our innovative partners and customers to prove it.

All of this is made possible by our flagship platform: the Zscaler Zero Trust Exchange.


The Zscaler Zero Trust Exchange

The Zscaler Zero Trust Exchange™ is a cloud native platform built on zero trust. Based on the principle of least privilege, it establishes trust through context, such as a user’s location, their device’s security posture, the content being exchanged, and the application being requested. Once trust is established, your employees get fast, reliable connections—wherever they are—without ever being placed directly on your network.

The Zero Trust Exchange operates across 150 data centers worldwide, ensuring that the service is close to your users, colocated with the cloud providers and applications they are accessing. It guarantees the shortest path between your users and their destinations, providing comprehensive security and an amazing user experience.

FAQs

Why Do You Use Zero Trust?

You should adopt zero trust because legacy security models, which assume anything inside the network is trustworthy by default, don't work in the age of cloud and mobility. Zero trust requires verification from all entities, whatever their device or location, before access is granted. A proactive approach such as this minimizes the potential impact of breaches by limiting lateral movement within the network, reducing the risk of insider threats, and enhancing overall security posture.

Why Is Zero Trust Security Important?

Zero trust security is so important because it provides a solution to the shortcomings of traditional perimeter-based security in our hyperconnected digital world. Based on the premise that threats can come from anywhere—from outside a network as well as inside—zero trust enforces strict least-privileged access controls and continuous verification to help prevent breaches, reduce the blast radius of successful attacks, and hold up a strong security posture to face sophisticated, evolving threats.

Does Zero Trust Replace VPN?

Zero trust network access (ZTNA), an extension of the principle of zero trust, is the ideal VPN alternative. Today, private application access is shifting away from network-centric approaches to a user- and app-centric approach, leading to the increased popularity of zero trust and the adoption of ZTNA services. ZTNA enables secure access to private applications by establishing connectivity from user-to-application on a dynamic identity- and context-aware basis, providing reduced complexity, stronger security, and a smoother user experience compared to VPN.

Zero Trust and SASE

Zero trust and the secure access service edge (SASE) framework complement each other: zero trust maintains strict access controls and continuous verification, while SASE unifies network security and wide-area networking in a cloud-based service, delivering identity management, role-based access, encryption, threat prevention, and a consistent user experience. Effectively, zero trust provides the access framework while SASE offers the infrastructure and services to support it.