Updated: 20 June 2024
Contributors: Gregg Lindemulder, Matthew Kosinski
Zero trust is a security strategy for modern multicloud networks. Instead of focusing on the network perimeter, a zero trust security model enforces security policies for each individual connection between users, devices, applications and data.
Zero trust operates on the principle of “never trust, always verify” rather than granting implicit trust to all users inside a network. This granular security approach helps address the cybersecurity risks posed by remote workers, hybrid cloud services, personally-owned devices and other elements of today’s corporate networks.
An increasing number of organizations are adopting zero trust models to improve their security postures as their attack surfaces grow. According to a 2024 TechTarget Enterprise Strategy Group report, more than two-thirds of organizations say they are implementing zero trust policies across their enterprises.1
Evolving legal and regulatory requirements are also driving zero trust adoption. For example, a 2021 executive order from US President Joseph Biden directed all US federal agencies to implement a zero trust architecture (ZTA).2
Get insights to better manage the risk of a data breach with the latest Cost of a Data Breach report.
Register for the X-Force® Threat Intelligence Index
A zero trust approach is important because the traditional model of network security is no longer sufficient. Zero trust strategies are designed for the more complex, highly distributed networks that most organizations use today.
For many years, enterprises focused on protecting the perimeters of their networks with firewalls and other security controls. Users inside the network perimeter were considered trustworthy and granted free access to applications, data and resources.
Digital transformation eliminated the traditional concept of a network perimeter. Today, corporate networks extend beyond on-premises locations and network segments. The modern enterprise ecosystem includes cloud environments, mobile services, data centers, IoT devices, software-as-a-service (SaaS) apps and remote access for employees, vendors and business partners.
With this extended attack surface, enterprises are more vulnerable to data breaches, ransomware, insider threats and other types of cyberattacks. The network perimeter is no longer a clear, unbroken line, and perimeter-based defenses cannot close every gap. Moreover, threat actors that gain access to a network can take advantage of implicit trust to make lateral movements to locate and attack critical resources.
In 2010, analyst John Kindervag of Forrester Research introduced the concept of "zero trust" as a framework for protecting enterprise resources through rigorous access control. Zero trust moves the focus away from the network perimeter and puts security controls around individual resources.
Every endpoint, user and connection request is considered a potential threat. Instead of being given free rein when they pass through the perimeter, users must be authenticated and authorized whenever they connect to a new resource. This continuous validation helps ensure that only legitimate users can access valuable network assets.
In the broadest sense, a zero trust security posture works by continuously verifying and authenticating connections between users, applications, devices and data.
Implementing a zero trust strategy across an organization can be a complex undertaking. It isn’t a matter of installing a single zero trust solution. Zero trust requires planning and executing across a broad range of functional areas, including identity and access policies, security solutions and workflows, automation, operations and network infrastructure.
Many organizations follow specific zero trust frameworks to build zero trust architectures. Established models include Forrester’s Zero Trust framework, the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-2073 and the Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model (ZTMM).4
While organizations can choose from various frameworks, most zero trust strategies share these key concepts: the three principles of zero trust, the five pillars of zero trust and zero trust network access (ZTNA).
The technical specifications of different frameworks and models can vary, but they all follow a core set of zero trust principles:
- Continuous monitoring and validation
- The principle of least privilege
- Assume breach
Zero trust makes all network assets inaccessible by default. Users, devices and workloads must pass continuous, contextual authentication and validation to access any resources, and they must pass these checks every time they request a connection.
Dynamic access control policies determine whether to approve requests based on data points such as a user’s privileges, physical location, device health status, threat intelligence and unusual behavior. Connections are continuously monitored and must be periodically reauthenticated to continue the session.
In a zero trust environment, users and devices have least-privilege access to resources. This means they receive the minimum level of permission required to complete a task or fulfill their role. Those permissions are revoked when the session is over.
Managing permissions in this way limits the ability of threat actors to gain access to other areas of the network.
In a zero trust enterprise, security teams assume that hackers have already breached network resources. Actions that security teams often use to mitigate an ongoing cyberattack become standard operating procedure. These actions include network segmentation to limit the scope of an attack; monitoring every asset, user, device and process across the network; and responding to unusual user or device behaviors in real time.
CISA’s Zero Trust Security Model outlines4 five pillars that organizations can focus on during a zero trust implementation:
- Identity
- Devices
- Networks
- Applications and workloads
- Data
Authenticating user identities and granting those users access only to approved enterprise resources is a fundamental capability of zero trust security.
Common tools that organizations use for this purpose include identity and access management (IAM) systems, single sign-on (SSO) solutions and multifactor authentication (MFA).
Every device that connects to a network resource should be fully compliant with the zero trust policies and security controls of the organization. This includes workstations, mobile phones, servers, laptops, IoT devices, printers and others.
Zero trust organizations maintain complete and current inventories of all authorized endpoint devices. Unauthorized devices are denied network access.
Organizations move from traditional network segmentation to microsegmentation in a zero trust environment. Resources and workloads are separated into smaller, more secure zones, which help organizations better contain breaches and prevent lateral movement. Threat actors cannot even see resources they are not authorized to use.
Organizations might also deploy other network threat prevention methods, such as encrypting network traffic and monitoring user and entity behaviors.
As with every other element in a zero trust security model, applications and application programming interfaces (APIs) do not have implicit trust.
Instead of providing one-time, static access to applications, organizations move to dynamic authorization that requires continual revalidation for persistent access. Organizations continuously monitor applications that talk to each other for unusual behavior.
Under a zero trust model, organizations categorize their data so they can apply targeted access control and data security policies to safeguard information.
Data in transit, in use and at rest is protected by encryption and dynamic authorization. Organizations continuously monitor data processing for unusual activity that might indicate data breaches or exfiltration of sensitive data.
One of the primary technologies for implementing a zero trust strategy is zero trust network access or ZTNA. Like a virtual private network (VPN), ZTNA provides remote access to applications and services. Unlike a VPN, a ZTNA connects users only to the resources they have permission to access rather than connecting them to the whole network.
ZTNA is a key part of the secure access service edge (SASE) model, which enables companies to provide direct, secure, low-latency connections between users and resources.
Because zero trust architecture enforces access control based on identity, it can offer strong protection for hybrid and multicloud environments. Verified cloud workloads are granted access to critical resources, while unauthorized cloud services and applications are denied.
Regardless of source, location or changes to the IT infrastructure, zero trust can consistently safeguard busy cloud environments.
Organizations often need to grant network access to vendors, contractors, service providers and other third parties. Hackers take advantage of this situation to carry out supply chain attacks, in which they use compromised vendor accounts and workloads to break into a company's network.
Zero trust applies continuous, contextual authentication and least-privilege access to every entity, even those outside the network. Even if hackers breach a trusted vendor's account, they cannot access the company's most sensitive resources.
Organizations traditionally rely on virtual private networks (VPNs) to connect remote employees with network resources. But VPNs don't scale easily, nor do they prevent lateral movement.
In a zero trust model, businesses can use zero trust network access (ZTNA) solutions instead. ZTNA verifies employee identities, then grants them access to only the applications, data and services they need to do their jobs.
Because IoT devices connect to the internet, they pose a risk to enterprise security. Hackers often target IoT devices because they can use them to introduce malware to vulnerable network systems.
Zero trust architectures continuously track the location, status and health of every IoT device across an organization. Each device is treated as a potentially malicious entity. As with other elements of a zero trust environment, IoT devices are subject to access controls, authentication and encrypted communications with other network resources.
Protect and manage customer, workforce and privileged identities across the hybrid cloud, infused with AI.
Protect your infrastructure and network from sophisticated cybersecurity threats with proven security skills, expertise and modern solutions.
Protect data across hybrid clouds and simplify compliance requirements.
This no-cost, virtual or in-person, 3-hour design thinking session with senior IBM security architects and consultants helps you understand your cybersecurity landscape and prioritize initiatives.
The IBM Office of the CIO turned to IBM Security® Verify for next-generation digital authentication across its workforce and clients.
Learn how to improve your data security and compliance posture even as the IT landscape becomes increasingly decentralized and complex.
Footnotes
All links reside outside ibm.com.
1 Trends in Zero Trust. Enterprise Strategy Group by TechTarget. March 2024.
2 Executive Order on Improving the Nation’s Cybersecurity. The White House. 12 May 2021.
3 NIST SP800-207: Zero Trust Architecture. NIST. August 2020.
4 CISA Zero Trust Maturity Model. CISA. April 2023.