Zero Trust
Security model that requires strict verification for every user and device, regardless of network location
Also known as: Zero Trust Security, Zero Trust Architecture, ZTA, Never Trust Always Verify
Category: Principles
Tags: security, access-control, network-security, architecture
Explanation
Zero Trust is a security model based on the principle 'never trust, always verify.' Unlike traditional security, which trusts users once they are inside the network perimeter, Zero Trust assumes breach and evaluates every access request as if it originated from an untrusted network. No user, device, or system is inherently trusted, regardless of its network location.
The core tenets of Zero Trust include: verify explicitly (always authenticate and authorize based on all available data points), use least privilege access (limit user access with just-in-time and just-enough-access), and assume breach (minimize blast radius and segment access, verify end-to-end encryption, and use analytics for threat detection).
Key components of a Zero Trust architecture include: strong identity verification using multi-factor authentication, device health validation before access is granted, micro-segmentation to contain breaches, continuous monitoring and re-validation throughout a session rather than a single check at login, and encryption of all data in transit and at rest.
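The tenets and components above are easiest to see as a policy decision point that evaluates each request on its own merits. The following is an added example written for this page, not code from any Zero Trust product or standard: the resource tiers, the grant table, the auth-strength scale and the signals on the request are all assumed for illustration. It contrasts a legacy perimeter check (trust the internal address range) with a per-request evaluation that ignores location and instead checks token freshness, authentication strength, device health and an explicit least-privilege grant.

```python
"""Zero Trust policy decision point (added example; names and signals are assumed)."""
from dataclasses import dataclass, field
import time

# Constructed policy: what each resource tier demands of a request.
# auth_strength scale (assumed): 1 = password, 2 = password + MFA,
# 3 = phishing-resistant MFA (e.g. hardware-backed credential).
POLICY = {
    "public-docs": {"min_auth_strength": 1, "compliant_device": False, "max_token_age": 8 * 3600},
    "payroll-db":  {"min_auth_strength": 2, "compliant_device": True,  "max_token_age": 3600},
    "prod-admin":  {"min_auth_strength": 3, "compliant_device": True,  "max_token_age": 900},
}

# Least privilege: explicit grants per (subject, resource) -> allowed actions.
# Anything not listed is denied by default.
GRANTS = {
    ("alice", "payroll-db"): {"read"},
    ("alice", "public-docs"): {"read"},
    ("bob", "prod-admin"): {"read", "write"},
}


@dataclass
class Request:
    subject: str
    resource: str
    action: str
    auth_strength: int        # how the subject authenticated (see scale above)
    token_issued_at: float    # epoch seconds; bounds how stale the proof of identity is
    device_compliant: bool    # outcome of the device-health check for this request
    source_ip: str            # kept for audit only; never consulted by evaluate()


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)  # why access was refused (empty on allow)


def evaluate(req, now=None):
    """Verify explicitly on every call: no session-level 'already trusted' shortcut."""
    now = time.time() if now is None else now
    policy = POLICY.get(req.resource)
    if policy is None:
        return Decision(False, ["unknown resource: default deny"])
    reasons = []
    # Freshness of the identity proof, scaled to resource sensitivity.
    if now - req.token_issued_at > policy["max_token_age"]:
        reasons.append("token too old for this resource; re-authenticate")
    # Authentication strength (MFA requirement) for this tier.
    if req.auth_strength < policy["min_auth_strength"]:
        reasons.append(
            f"auth strength {req.auth_strength} below required {policy['min_auth_strength']}"
        )
    # Device health must be validated before sensitive access is granted.
    if policy["compliant_device"] and not req.device_compliant:
        reasons.append("device failed health check")
    # Least privilege: the subject needs an explicit grant for this exact action.
    allowed_actions = GRANTS.get((req.subject, req.resource), set())
    if req.action not in allowed_actions:
        reasons.append(f"no grant for {req.subject} to {req.action} {req.resource}")
    return Decision(not reasons, reasons)


def perimeter_decision(req):
    """The legacy model the text contrasts: trust anything from the internal range."""
    return req.source_ip.startswith("10.")


if __name__ == "__main__":
    now = time.time()
    # Constructed scenario: phished password used from a non-compliant laptop
    # that is plugged into the corporate LAN.
    stolen = Request("alice", "payroll-db", "read", 1, now - 60, False, "10.0.0.5")
    print("perimeter:", perimeter_decision(stolen))   # True: inside the network
    print("zero trust:", evaluate(stolen, now=now))   # denied, with reasons
```

Because `evaluate` runs on every request rather than once at login, a device that fails its health check mid-session is refused on its next call, which is what "continuous validation" means in practice; the returned reasons also tell a client what step-up (re-authentication, stronger MFA, remediation) would satisfy the policy.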
Zero Trust emerged because traditional perimeter-based security fails in modern environments. With cloud computing, remote work, and mobile devices, the network perimeter has dissolved. Attackers who breach the perimeter (through phishing, compromised credentials, or supply chain attacks) traditionally gained broad access. Zero Trust limits this by treating every access request skeptically.
Implementing Zero Trust is a journey, not a single project. Organizations typically start by identifying sensitive data and critical assets, mapping access patterns, implementing strong authentication, then progressively adding verification layers and monitoring.