What is the Zero-Trust

Security Model?
In this guide:
This guide goes in-depth into the origins of zero trust, its principles, the technology and
What Is the zero-trust
security model? products that enable a zero-trust model, as well as how to implement and manage it.

What is zero trust?

Why is a zero-trust model

important?

How does ZTNA work?

Planning for zero-trust

Zero-trust use cases

What are the principles of

a zero-trust model?

Zero-trust vs. other

technologies

How to 'buy' zero-trust

Steps to implement zero-

trust

1 WHAT IS THE ZERO-TRUST SECURITY MODEL?

In this guide:

What Is the zero-trust What is the zero-trust security model?

security model?
ALISSA IREI, SENIOR SITE EDITOR | SHARON SHEA, EXECUTIVE EDITOR
What is zero trust?
The zero-trust security model is a cybersecurity approach that denies access to an
Why is a zero-trust model
important? enterprise's digital resources by default and grants authenticated users and devices tailored,
siloed access to only the applications, data, services and systems they need to do their jobs.
How does ZTNA work?
Gartner has predicted that by 2025, 60% of organizations will embrace a zero-trust security
Planning for zero-trust strategy.
Zero-trust use cases
This guide goes in-depth into the origins of zero trust, its principles, the technology and
What are the principles of
products that enable a zero-trust model, as well as how to implement and manage it.
a zero-trust model?

Zero-trust vs. other

technologies WHAT IS ZERO TRUST?

How to 'buy' zero-trust

Historically, enterprises have relied on a castle-and-moat cybersecurity model, in which
Steps to implement zero- anyone outside the corporate network perimeter is suspect and anyone inside gets the
trust benefit of the doubt. The assumption that internal users are inherently trustworthy, known
as implicit trust, has resulted in many costly data breaches, with attackers able to move
laterally throughout the network if they make it past the perimeter.

2 WHAT IS THE ZERO-TRUST SECURITY MODEL?

In this guide:
Instead of focusing on user and device locations relative to the perimeter -- i.e., inside or
What Is the zero-trust
security model? outside the private network -- the zero-trust model grants users access to information based
on their identities and roles, regardless of whether they are at the office, at home or
What is zero trust?
elsewhere.
Why is a zero-trust model
important?
In zero trust, authorization and authentication happen continuously throughout the
How does ZTNA work? network, rather than just once at the perimeter. This model restricts unnecessary lateral
movement between apps, services and systems, accounting for both insider threats and the
Planning for zero-trust
possibility that an attacker might compromise a legitimate account. Limiting which parties
Zero-trust use cases have privileged access to sensitive data greatly reduces opportunities for hackers to steal it.
What are the principles of
a zero-trust model? The concept of zero trust has been around for more than a decade, but it continues to
evolve and grow. John Kindervag, a Forrester analyst at the time, introduced the
Zero-trust vs. other
technologies revolutionary security model in 2010. Shortly thereafter, vendors such as Google and Akamai
adopted zero-trust principles internally, before eventually rolling out commercially available
How to 'buy' zero-trust
zero-trust products and services.
Steps to implement zero-
trust

3 WHAT IS THE ZERO-TRUST SECURITY MODEL?

In this guide:
WHY IS A ZERO-TRUST MODEL IMPORTANT?
What Is the zero-trust
security model?
Zero trust interest and adoption have exploded in recent years, with a plethora of high-
What is zero trust? profile data breaches driving the need for better cybersecurity, and the global COVID-19
Why is a zero-trust model pandemic spurring unprecedented demand for secure remote access technologies.
important?

How does ZTNA work?

Traditionally, enterprises relied on technologies such as firewalls to build fences around
corporate networks. In this model, an off-site user can access resources remotely by logging
Planning for zero-trust
into a VPN, which creates a secure virtual tunnel into the network. But problems arise when
Zero-trust use cases VPN login credentials fall into the wrong hands, as happened in the infamous Colonial
Pipeline data breach.
What are the principles of
a zero-trust model?
In the past, relatively few users required remote access, with most employees working on
Zero-trust vs. other
technologies
site. But enterprises now need to support secure remote access at scale, magnifying the risks
associated with VPN use.
How to 'buy' zero-trust

Steps to implement zero- Additionally, the perimeter-based model was designed for a time when an organization's
trust resources resided locally in an on-premises corporate data center. Now most enterprises'
resources lie scattered across private data centers and multiple clouds, diffusing the
traditional perimeter.

4 WHAT IS THE ZERO-TRUST SECURITY MODEL?

In this guide:

What Is the zero-trust

security model?

What is zero trust?

Why is a zero-trust model

important?

How does ZTNA work?

Planning for zero-trust

Zero-trust use cases

What are the principles of

a zero-trust model?

Zero-trust vs. other

technologies

How to 'buy' zero-trust In short, the legacy approach to cybersecurity is becoming less effective, less efficient and
Steps to implement zero- more dangerous. In contrast to perimeter-based security, zero trust lets enterprises securely
trust and selectively connect users to applications, data, services and systems on a one-to-one
basis, whether the resources live on premises or in the cloud and regardless of where users
are working.

5 WHAT IS THE ZERO-TRUST SECURITY MODEL?

In this guide:
Zero trust adoption can offer organizations the following benefits:
What Is the zero-trust
security model?
• protection of sensitive data;
What is zero trust? • support for compliance auditing;
• lower breach risk and detection time;
Why is a zero-trust model
important? • visibility into network traffic; and
• better control in cloud environments.
How does ZTNA work?
A zero-trust model also includes microsegmentation -- a fundamental principle of
Planning for zero-trust cybersecurity. Microsegmentation enables IT to wall off network resources in discrete zones,
Zero-trust use cases containing potential threats and preventing them from spreading laterally throughout the
enterprise. With zero-trust microsegmentation, organizations can apply granular, role-based
What are the principles of
a zero-trust model? access policies to secure sensitive systems and data, preventing an access free-for-all and
limiting potential damage.
Zero-trust vs. other
technologies

How to 'buy' zero-trust

Steps to implement zero-

trust

6 WHAT IS THE ZERO-TRUST SECURITY MODEL?

In this guide:

What Is the zero-trust

security model?

What is zero trust?

Why is a zero-trust model

important?

How does ZTNA work?

Planning for zero-trust

Zero-trust use cases

What are the principles of

a zero-trust model?

Zero-trust vs. other

technologies
In a 2021 action that may put the federal government in the lead in terms of zero trust
How to 'buy' zero-trust deployment, the White House issued an executive order calling on federal agencies to move
Steps to implement zero- toward a zero-trust security strategy, citing cloud adoption and the inevitability of data
trust breaches as key drivers. Later that year, the U.S. Office of Management and Budget (OMB)
published a draft strategy for executing on the presidential directive, and the Cybersecurity
and Infrastructure Security Agency (CISA) released additional guidance in its Cloud Security
Technical Reference Architecture and Zero Trust Maturity Model (ZTMM).

7 WHAT IS THE ZERO-TRUST SECURITY MODEL?

In this guide:
HOW DOES ZTNA WORK?
What Is the zero-trust
security model?
A major element of the zero-trust model, zero-trust network access (ZTNA) applies zero-trust
What is zero trust? concepts to an application access architecture.
Why is a zero-trust model
important? In ZTNA, a controller or trust broker enforces an organization's preestablished access policies

How does ZTNA work?

by facilitating or denying connections between users and apps, while hiding the network's
location (i.e., IP address). The software authenticates users based on their identities and
Planning for zero-trust
roles, as well as by contextual variables such as device security postures, times of day,
Zero-trust use cases geolocations and data sensitivity. Suspicious context could prompt a ZTNA broker to deny
even an authorized user's connection request.
What are the principles of
a zero-trust model?
Once authenticated and connected, users can see only the applications they are authorized
Zero-trust vs. other
technologies
to access; all other network resources remain hidden.

How to 'buy' zero-trust

Steps to implement zero-

trust

8 WHAT IS THE ZERO-TRUST SECURITY MODEL?

In this guide:

What Is the zero-trust

security model?

What is zero trust?

Why is a zero-trust model

important?

How does ZTNA work?

Planning for zero-trust

Zero-trust use cases

What are the principles of

a zero-trust model?

Zero-trust vs. other

technologies PLANNING FOR ZERO TRUST

How to 'buy' zero-trust Experts agree that a zero-trust approach is critical in theory but often difficult to implement
Steps to implement zero- in practice. Organizations planning to embrace a zero-trust model should bear in mind the
trust following challenges:

• Piecemeal adoption can leave security gaps. Because implicit trust is so ingrained in
the traditional IT environment, it is virtually impossible to transition to a zero-trust

9 WHAT IS THE ZERO-TRUST SECURITY MODEL?

In this guide:
framework overnight. Rather, implementation is almost always piecemeal, which can
What Is the zero-trust
security model? result in growing pains and security gaps.
• It can cause friction with legacy tech. Zero-trust tools may not always play nicely with
What is zero trust? legacy technology, creating technical headaches and potentially requiring major
architectural, hardware and software overhauls.
Why is a zero-trust model • There are no easy answers. Because zero trust isn't a single product or technology,
important?
but instead an overarching strategy encompassing the entire IT environment, there's
How does ZTNA work? no simple path to full adoption.
• It's only as good as its access control. A zero-trust strategy hinges on identity and
Planning for zero-trust access control, requiring near-constant administrative updates to user identities, roles
and permissions to be effective.
Zero-trust use cases • It can hurt productivity. Zero trust's goal is to restrict user access as much as possible
without unduly hindering the business. But overzealous policies can block users from
What are the principles of
a zero-trust model? resources they need, hampering productivity.

Zero-trust vs. other Explore how to negotiate these and other zero-trust challenges by running trials, starting
technologies small and scaling slowly.
How to 'buy' zero-trust

Steps to implement zero-

trust

10 WHAT IS THE ZERO-TRUST SECURITY MODEL?

In this guide:
Enterprises planning zero-trust transitions should also consider creating dedicated, cross-
What Is the zero-trust
security model? functional teams to develop strategies and drive implementation efforts. Ideally, a zero-trust
team will include members with expertise in the following areas:
What is zero trust?

Why is a zero-trust model • applications and data security;

important? • network and infrastructure security;
• user and device identity; and
How does ZTNA work?
• security operations.
Planning for zero-trust
Team members can fill any knowledge gaps and gain specialized expertise via a variety of
Zero-trust use cases zero-trust training courses and certifications from organizations such as Forrester, (ISC)2,
What are the principles of SANS and the Cloud Security Alliance.
a zero-trust model?

Zero-trust vs. other ZERO-TRUST USE CASES

technologies

How to 'buy' zero-trust As with any new technology, use cases should drive zero-trust adoption decisions. The
following are four clear examples of how zero trust can help protect the enterprise:
Steps to implement zero-
trust
1. Secure third-party access
2. Secure multi-cloud remote access
3. IoT security and visibility
4. Data center microsegmentation

11 WHAT IS THE ZERO-TRUST SECURITY MODEL?

In this guide:
WHAT ARE THE PRINCIPLES OF A ZERO-TRUST MODEL?
What Is the zero-trust
security model?
The zero-trust framework lays out a set of principles to remove inherent trust and ensure
What is zero trust? security using continuous verification of users and devices.
Why is a zero-trust model
important? The following are five main principles of zero trust:

How does ZTNA work?

1. Know your protect surface.
Planning for zero-trust 2. Understand the security controls already in place.
3. Incorporate new tools and modern architecture.
Zero-trust use cases 4. Apply detailed policy.
5. Monitor and alert.
What are the principles of
a zero-trust model?
The continuous aspect of zero trust also applies to the principles themselves. Zero trust isn't
Zero-trust vs. other a set-it-and-forget-it strategy. Principles must be addressed via a continuous process model
technologies
that restarts once a principle is achieved.
How to 'buy' zero-trust

Steps to implement zero- ZERO TRUST VS. OTHER TECHNOLOGIES

trust
The cybersecurity industry is rife with technologies, strategies and policies. It can be difficult
to keep track of what's what. This is especially true in zero trust, which is not a technology
but a framework of principles and technologies that apply those principles.

12 WHAT IS THE ZERO-TRUST SECURITY MODEL?

In this guide:
Let's look at how zero trust and other terms compare.
What Is the zero-trust
security model?
Zero trust vs. SDP
What is zero trust?
Like zero trust, a software-defined perimeter (SDP) aims to improve security by strictly
Why is a zero-trust model
important? controlling which users and devices can access what. Unlike zero trust, SDP is an architecture
comprised of SDP controllers and hosts that control and facilitate communications.
How does ZTNA work?

Planning for zero-trust Many experts and vendors use the terms zero trust and SDP interchangeably. That said, the
terms are evolving, and some now refer to ZTNA as SDP 2.0.
Zero-trust use cases

What are the principles of

a zero-trust model?

Zero-trust vs. other

technologies

How to 'buy' zero-trust

Steps to implement zero-

trust

13 WHAT IS THE ZERO-TRUST SECURITY MODEL?

In this guide:

What Is the zero-trust

security model?

What is zero trust?

Why is a zero-trust model

important?

How does ZTNA work?

Planning for zero-trust

Zero-trust use cases

What are the principles of

a zero-trust model?

Zero-trust vs. other

technologies

How to 'buy' zero-trust

Steps to implement zero-

trust

14 WHAT IS THE ZERO-TRUST SECURITY MODEL?

In this guide:
Zero trust vs. VPN
What Is the zero-trust
security model?
Zero trust and VPNs both share the goal of ensuring security, but the efficacy of legacy
What is zero trust? perimeter security technology has come under scrutiny over the past decade.

Why is a zero-trust model

important? VPNs, which have long been used to connect remote users and devices to corporate
networks, have faced difficulty securing increasing numbers of remote workers and cloud
How does ZTNA work?
services used in the modern enterprise. Zero trust is expected to supplant aging VPN
Planning for zero-trust technology because it can better secure perimeter-less enterprises.
Zero-trust use cases
Don't tear out those VPNs yet, however. Zero trust and VPNs can be used in tandem. For
What are the principles of example, zero-trust microsegmentation, in conjunction with a VPN, can reduce a company's
a zero-trust model?
attack surface -- although not as much as a full zero-trust initiative would -- and can prevent
Zero-trust vs. other damaging lateral movements and attacks, should a breach occur.
technologies

How to 'buy' zero-trust Zero trust vs. zero-knowledge proof

Steps to implement zero- While they may sound the same, zero trust and zero-knowledge proof overlap only slightly in
trust
terms of technology.

Zero-knowledge proof is a methodology that can be used when one party wants to prove the
validity of information to a second party without sharing any of the information.

15 WHAT IS THE ZERO-TRUST SECURITY MODEL?

In this guide:
Cryptographic algorithms based on zero-knowledge proof enable the proving party to
What Is the zero-trust
security model? mathematically show the information is true.

What is zero trust?

Zero-knowledge proofs can be used to authenticate users without divulging their identities.
Why is a zero-trust model Some two-factor (2FA) and multifactor authentication (MFA) methods use zero-knowledge
important?
proofs. The overlap with zero trust is that 2FA and MFA are critical technologies in a zero-
How does ZTNA work? trust strategy.

Planning for zero-trust

Zero trust vs. principle of least privilege
Zero-trust use cases
The principle of least privilege (POLP) is a security concept that gives users and devices only
What are the principles of the access rights required to do their jobs and nothing more. This includes access to data,
a zero-trust model?
applications, systems and processes. If a device's or user's credentials are compromised,
Zero-trust vs. other least privilege access ensures a malicious actor can only access what that user has
technologies
permission to access and not necessarily the entire network.
How to 'buy' zero-trust
Zero trust and POLP are similar in that they both restrict user and device access to resources.
Steps to implement zero-
trust Unlike POLP, zero trust also focuses on user and device authentication and authorization.
Zero-trust policies are often based on POLP, yet they continuously reverify authentication
and authorization.

16 WHAT IS THE ZERO-TRUST SECURITY MODEL?

In this guide:
Zero trust vs. defense in depth
What Is the zero-trust
security model?
A defense-in-depth security strategy involves multiple layers of processes, people and
What is zero trust? technologies to protect data and systems. The belief is that a layered security approach
protects against human-caused misconfigurations and ensures most gaps between tools and
Why is a zero-trust model
important? policies are covered.

How does ZTNA work?

Defense in depth may be stronger than zero trust, in that if one layer of security fails, other
Planning for zero-trust layers pick up the slack and protect the network. Zero trust is often more appealing,
Zero-trust use cases
however, because its never-trust, always-verify stance ensures that if attackers infiltrate a
network, they won't be there for long before they need to be reverified, and that zero-trust
What are the principles of
microsegmentation will limit what they can access.
a zero-trust model?

Zero-trust vs. other Including defense-in-depth principles in a zero-trust framework can make the security
technologies
strategy even stronger.
How to 'buy' zero-trust

Steps to implement zero- HOW TO 'BUY' ZERO TRUST

trust
Vendor messaging around zero trust can be confusing -- even downright incorrect. No one-
size-fits-all, out-of-the-box zero-trust product or suite of products exists. Rather, zero trust is
the overarching strategy involving a collection of tools, policies and procedures that build a
strong barrier around workloads to ensure data security.

17 WHAT IS THE ZERO-TRUST SECURITY MODEL?

In this guide:
That said, several existing zero-trust-enabled products are available to include in a zero-trust
What Is the zero-trust
security model? deployment. ZTNA offerings make up many of these products. In order to qualify as a true
ZTNA product, it must be identity-centric, have default "deny" responses and be context-
What is zero trust?
aware.
Why is a zero-trust model
important?
ZTNA has two basic architectures:
How does ZTNA work?
1. Endpoint-initiated ZTNA. Also known as agent-based ZTNA, this involves deploying
Planning for zero-trust software agents on each network endpoint. A broker decides, based on policy, if a
Zero-trust use cases
user or device can access a resource after which, if allowed, a gateway initiates a
session to permit access.
What are the principles of 2. Service-initiated ZTNA. Also called clientless ZTNA, this involves using a connector
a zero-trust model? appliance in an organization's private network that initiates connections to the ZTNA
provider's cloud. A ZTNA controller initiates a session if the user and device meet
Zero-trust vs. other policy requirements.
technologies
Enterprises can opt for as-as-service offerings or self-hosted ZTNA deployments. ZTNA as a
How to 'buy' zero-trust
service is popular due to its scalability and manageability. On the other hand, self-hosted
Steps to implement zero-
ZTNA can offer organizations greater control.
trust

Learn more about the ZTNA market, including questions to ask when evaluating potential
vendors and a list of products available today.

18 WHAT IS THE ZERO-TRUST SECURITY MODEL?

In this guide:
STEPS TO IMPLEMENT ZERO TRUST
What Is the zero-trust
security model?
A successful zero-trust implementation requires considerations around what the Forrester
What is zero trust? Zero Trust eXtended (ZTX) model coined as the "seven pillars of zero trust":
Why is a zero-trust model
important? 1. Workforce security
2. Device security
How does ZTNA work?
3. Workload security
Planning for zero-trust
4. Network security
5. Data security
Zero-trust use cases 6. Visibility and analytics
7. Automation and orchestration
What are the principles of
a zero-trust model? OMB, in its 2021 document complementing the executive order requiring federal agencies
Zero-trust vs. other achieve zero-trust goals by the end of 2024, and CISA, in its ZTMM, align with the ZTX pillars,
technologies adding "governance" as an eighth pillar.
How to 'buy' zero-trust
ZTX and ZTMM are just two approaches to adopting zero trust. Both aim to help
Steps to implement zero-
organizations establish and execute on a zero-trust strategy. While ZTX is for any
trust
organization, the ZTMM was designed for federal agencies, although any company can use
the information to implement a strategy.

19 WHAT IS THE ZERO-TRUST SECURITY MODEL?

In this guide:
The CISA ZTMM also outlines the three layers of zero-trust adoption:
What Is the zero-trust
security model?
1. Traditional zero-trust architecture
What is zero trust? 2. Advanced zero-trust architecture
3. Optimal zero-trust architecture
Why is a zero-trust model
important?

How does ZTNA work?

Planning for zero-trust

Zero-trust use cases

What are the principles of

a zero-trust model?

Zero-trust vs. other

technologies

How to 'buy' zero-trust

Steps to implement zero-

trust

20 WHAT IS THE ZERO-TRUST SECURITY MODEL?

In this guide:
Once an organization is ready to adopt zero trust, it is highly beneficial to approach it in phases.
What Is the zero-trust
security model? The following are seven steps to implement zero trust:

What is zero trust? 1. Form a dedicated zero-trust team. Zero trust is a team sport. Choosing the right team
members may mean the difference between success and hardship. For example, when
Why is a zero-trust model
important? deciding who manages zero-trust deployments, consider who has the most expertise
in that specific area. Security teams often develop and maintain a zero-trust strategy.
How does ZTNA work? But if deploying zero trust across networking-specific areas -- such as managing and
configuring network infrastructure tools and services, including switches, routers,
Planning for zero-trust firewalls, VPNs and network monitoring tools -- then the networking team should take
charge.
Zero-trust use cases
2. Choose a zero-trust implementation on-ramp. An organization generally approaches
What are the principles of zero trust at one particular on-ramp. The three on-ramp options are user and device
a zero-trust model? identity, applications and data, and the network.
3. Assess the environment. Review the controls already in place where zero trust is
Zero-trust vs. other being deployed, as well as the level of trust the controls provide and what gaps need
technologies
to be filled. Many organizations may be surprised to hear they have pieces of the zero-
How to 'buy' zero-trust trust puzzle already in place. Organizations should start by comparing their current
security strategy with this zero-trust cybersecurity audit checklist, based on the
Steps to implement zero- ZTMM. It will unveil what zero-trust processes are already in place and where gaps
trust exist that need addressing.
4. Review the available technology. Review the technologies and methodologies needed
to build out the zero-trust strategy.
5. Launch key zero-trust initiatives. Compare the assessment with the technology
review, then launch the zero-trust deployment.

21 WHAT IS THE ZERO-TRUST SECURITY MODEL?

In this guide:
6. Define operational changes. Document and assess any changes to operations. Modify
What Is the zero-trust
security model? or automate processes where necessary.
7. Implement, rinse and repeat. As zero-trust initiatives are put into place, measure
What is zero trust? their effectiveness and adjust as needed. Then, start the process all over again.

Why is a zero-trust model Read more on the zero-trust on-ramps and implementation steps.
important?

How does ZTNA work? Remember: Zero trust is a journey, not a destination. Run trials, start small and then scale
deployments. It takes a lot of planning and teamwork, but in the end, a zero-trust security
Planning for zero-trust
model is one of the most important initiatives an enterprise can adopt, even if it hits bumps
Zero-trust use cases along the way.
What are the principles of
a zero-trust model?

Zero-trust vs. other

technologies

How to 'buy' zero-trust

Steps to implement zero-

trust

22 WHAT IS THE ZERO-TRUST SECURITY MODEL?