
What Is Zero Trust?

Zero trust is a security framework that redefines how organizations protect their assets, users, and data in today’s cloud-driven world. It operates on the principle of "never trust, always verify," eliminating the implicit trust of network-centric security and requiring dynamic verification for every access request. By enforcing least-privileged access and evaluating context like identity, behavior, and device posture, zero trust secures users, workloads, IoT/OT devices, and B2B partners as they connect to applications and data—whether on-premises, in the cloud, or at the edge.

Zscaler Zero Trust Architecture Overview

Why Traditional Security Models Fall Short

Traditional security models were built on the assumption that anything on the network could be trusted: good things should be kept “in,” and bad things should be kept “out,” hence the name “castle-and-moat security.” However, this perimeter-based approach is no longer effective in today’s distributed, hybrid, and cloud-first business environment. Having to extend the network perimeter to facilitate remote work, mobile devices, SaaS apps, and partnerships with third parties has increased cost and complexity, impeded productivity, slowed digital transformation initiatives, and, most importantly, increased cyber risk.

From a security perspective that considers each stage of the cyberthreat attack chain, there are four key weaknesses of traditional security models:

  • They expand the attack surface: By design, traditional tools like firewalls and VPNs expose IP addresses to the public internet. But these IPs can be found not just by legitimate users, but also by cybercriminals looking for an attack surface. 
  • They struggle to stop compromise: Yesterday’s security is appliance based, and whether security tools are deployed as hardware or virtual appliances, they struggle to scale as needed to inspect encrypted traffic, where most threats hide. As a result, most attacks pass through defenses undetected. 
  • They enable lateral threat movement: Traditional approaches connect entities to the network in order to give them app access. But this entails implicit trust and excessive permissions that can be abused, enabling access to everything connected to that network and fueling bigger breaches.
  • They fail to stop data loss: After scouring the network for sensitive data, criminals attempt to exfiltrate it. Increasingly, this is accomplished through encrypted traffic, because they know that most organizations rely on appliance-based security that will fail to secure said traffic. 

These shortcomings make traditional security architectures not only ineffective at addressing modern threats, but also poorly suited to support today’s dynamic, distributed IT environments. Organizations need a new approach: one that eliminates implicit trust and places security at the center of every connection.

The Core Principles of Zero Trust

Zero trust is a unique architecture that brings a highly differentiated paradigm and methodology to cybersecurity. At its core is the notion that trust must be continuously earned, not granted by default at a single point in time based on network location. Five foundational principles govern the zero trust security model:

Never Trust, Always Verify

Trust is never assumed for any entity on any network, whether that entity is a user, workload, device, or external party, and even if they are on-premises. Every access request must be verified based on multiple factors, as discussed further below.

Least-Privileged Access

Access should be granted only to the specific resource that an authorized user needs (at the moment they need it) in order to complete a specific task—and nothing more. In other words, users with legitimate access requirements should be connected directly to apps and not to the network as a whole, where they could move laterally and access other network-connected resources. 

Contextual and Risk-Based Access Governance

Zero trust continuously evaluates risk by analyzing the context behind every access request. This is done by leveraging AI/ML to scrutinize contextual variables like user behavior, device posture/health, geolocation, time of day, and more. This computation of risk is then used to govern access to IT resources. 

Continuous Monitoring and Risk Adaptation

Zero trust applies continuous monitoring across all transactions to identify risks in real time. This dynamic analysis ensures that trust isn’t static. As access context changes, a zero trust platform should be able to adapt in real time and enforce different policies. 

No Public IP Addresses

Unauthorized users and devices should not be able to discover services or data they don’t have explicit permission to access. To that end, zero trust requires shielding applications from prying eyes on the internet. That means eliminating public IP addresses and replacing inbound connections with inside-out connections, which minimizes the attack surface.

By adhering to these principles, zero trust enables organizations to minimize risk, reduce complexity, and better secure their distributed environments.

How Zero Trust Works

Zero trust is not merely another appliance or lever for status quo security. It is a unique framework and a differentiated architecture whereby organizations effectively have an intelligent switchboard that provides secure any-to-any connectivity—without extending the network to anyone or anything. In essence, the internet becomes the new corporate network.

This is accomplished through a zero trust platform that proxies traffic and delivers the architecture as a service from a purpose-built cloud. The platform works alongside two other solutions: identity management from an identity provider (IdP) and an endpoint detection and response (EDR) solution. At a high level, here’s how the architecture works:

  • Access requests begin with verification: Providing least-privileged access requires knowing who or what is attempting access. As such, every user or entity attempting to connect to an IT resource has its identity verified.
  • Next, the destination is identified: Ultimately, zero trust means connecting entities directly to their destinations rather than to the network, preventing lateral movement. As such, once the user is verified, the IT resource she or he is trying to reach needs to be identified, as well, and its risk must be understood.
  • Risk is calculated based on context: Identity alone is not sufficient to govern access to IT resources (credentials can be stolen, and even authorized users can do damage). So, as mentioned above, zero trust governs access based on risk, which is determined via AI/ML that assesses access context.
  • Policy is enforced: Policy is automatically applied in real time and on a per-session basis, meaning for each access attempt. Several actions can be enforced, including allow, block, isolate, deceive, and more. Even after access is granted, continuous monitoring identifies risk changes in real time and alters policy as necessary.
  • The connection is established: Users are connected directly to apps. While the connection is “inbound” to SaaS and the web, private apps require an inside-out connection, which is facilitated by an app connector that reaches out to the zero trust cloud so that it can stitch the full connection together. This eliminates the need for public IPs that expose applications. 
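The five steps above, as an added illustration that is not Zscaler code or a description of the Zero Trust Exchange internals: a minimal per-session policy decision that verifies identity, checks the destination against explicit app entitlements, scores risk from context, and enforces allow, isolate, or block. The entitlement table, sensitivity labels, trusted regions, weights, and thresholds are all constructed assumptions.

```python
# Added illustration (not Zscaler code): one policy decision per access request,
# in the order the page describes. All tables and weights are constructed.
from dataclasses import dataclass, replace

# Constructed entitlements: each user may reach only the named apps, never
# "the network". Anything not listed is denied (least-privileged access).
ENTITLEMENTS = {"alice": {"hr-portal", "wiki"}, "bob": {"wiki"}}
APP_SENSITIVITY = {"hr-portal": "high", "wiki": "low"}   # destination risk
TRUSTED_GEOS = {"US", "DE"}                              # constructed list

@dataclass(frozen=True)
class AccessRequest:
    user: str
    identity_verified: bool   # result from the IdP (e.g. MFA passed)
    device_managed: bool      # device posture reported by the EDR agent
    edr_healthy: bool         # EDR sees no active threat on the device
    geo: str                  # source geolocation
    hour: int                 # local hour of day, 0-23
    app: str                  # requested destination application

def risk_score(req: AccessRequest) -> int:
    """Context-based risk: 0 is clean, higher is riskier (constructed weights)."""
    score = 0
    score += 40 if not req.device_managed else 0
    score += 30 if not req.edr_healthy else 0
    score += 20 if req.geo not in TRUSTED_GEOS else 0
    score += 10 if req.hour < 6 or req.hour > 22 else 0
    return score

def decide(req: AccessRequest) -> str:
    """Return the enforced action for this request: allow, isolate, or block."""
    if not req.identity_verified:                         # step 1: verification
        return "block"
    if req.app not in ENTITLEMENTS.get(req.user, set()):  # step 2: destination
        return "block"                                    # no entitlement, no path
    score = risk_score(req)                               # step 3: contextual risk
    sensitive = APP_SENSITIVITY.get(req.app) == "high"
    if score >= (30 if sensitive else 60):                # step 4: enforce policy
        return "block"
    if score > 0 and sensitive:
        return "isolate"                                  # e.g. browser isolation
    return "allow"                                        # step 5: connect to app

def reevaluate(req: AccessRequest, **context_change) -> str:
    """Continuous monitoring: re-run policy when the session's context changes."""
    return decide(replace(req, **context_change))
```

Because the decision is recomputed from the current context, a device that loses EDR health mid-session moves from allow to block without any change to the user's entitlements.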

With zero trust, all connections—whether initiated by users, systems, or devices—are treated with the same level of scrutiny. This minimizes opportunities for attackers while ensuring legitimate users have a smooth and safe experience.

The Business Benefits of Zero Trust

By shifting the security model to one founded on least-privileged access, zero trust provides both security and business benefits. These include:

Enhanced Cybersecurity

By eliminating implicit trust in all of its various forms (network connectivity, public IPs, etc.), and enforcing contextual access, direct-to-app segmentation, and continuous monitoring, zero trust decreases the likelihood of breaches and minimizes their potential blast radii.

Reduced Complexity and Cost

Zero trust cuts costs by consolidating security and networking point products into a single platform, simplifying IT infrastructure, enhancing admin efficiency and minimizing operational overhead. It also prevents breaches and their associated costs, enhances user productivity through superior digital experiences, and more. As a result of all this, zero trust strengthens an organization’s ability to invest in innovation and adapt to future challenges—securely.

Support for Digital Transformation

Zero trust is a modern architecture that securely enables organizations to embrace cloud computing, remote work, IoT/OT devices, and other modern technologies.

Improved User Productivity

Direct-to-app connectivity delivered at the edge eliminates the need to backhaul traffic to a distant data center or cloud. This removes the latency associated with network hops, VPN bottlenecks, and other issues that harm user experiences.

Common Use Cases for Zero Trust

Zero trust principles can be applied across various scenarios to meet the diverse security needs of today’s organizations. Popular use cases include:

User-Centric Use Cases

  • Remote access without VPN: Enable users to securely and directly access private applications without exposing the network or relying on complex VPN connections.
  • Embracing cloud security for SaaS apps: Extend zero trust policies to SaaS, ensuring least-privileged access to business-critical apps like Microsoft 365 and Salesforce.
  • Protecting sensitive data: Zero trust platforms can provide data loss prevention (DLP) functionality that finds and secures sensitive information in motion to the web, at rest in the cloud, and in use on endpoints. 

Use Cases for Other Entities

  • Securing workloads across multicloud environments: Workloads frequently interact with the web and with other workloads. As part of securing any-to-any connectivity, zero trust can secure these workload communications to stop threat infections and data leaks.
  • IoT and OT security: Extend zero trust principles to branch sites, manufacturing plants, and other industrial environments, protecting IoT and OT devices by enforcing least-privileged policy controls.
  • Third-party and partner access: Provide contractors, vendors, and technology partners with secure, zero trust access to IT resources—without exposing your broader network and without using endpoint agents.

Moving Toward Zero Trust with Confidence

Zero trust is a foundational strategy for securing modern business. By eliminating implicit trust, enforcing strict least-privileged access, and continuously verifying every connection, zero trust protects against today’s most pressing cybersecurity threats.

To operationalize zero trust, organizations need a platform that secures any entity (not just users) accessing any IT resource (not just SaaS), while providing seamless digital experiences across distributed environments—all without introducing complexity.

The Zscaler Zero Trust Exchange

The Zscaler Zero Trust Exchange platform empowers organizations to fully embrace a zero trust security model by offering a cloud native architecture that securely connects users, workloads, devices, third parties, clouds, applications, and branch sites. Acting as an intelligent switchboard, the Zero Trust Exchange ensures that every transaction and every component of an organization’s IT ecosystem adheres to strict zero trust principles. Key benefits include:

  • Minimizing the attack surface: Firewalls are eliminated and apps are made invisible by hiding them behind the Zero Trust Exchange, removing entry points for attackers.
  • Stopping compromise: A high-performance cloud inspects all traffic (including encrypted TLS/SSL traffic at scale) to enforce real-time threat detection capabilities and policies that stop threats. 
  • Preventing lateral movement: Zero trust segmentation keeps everyone and everything off the network, preventing lateral movement across network-connected resources.
  • Blocking data loss: Data is protected wherever it goes, inline in encrypted traffic, at rest in SaaS and cloud apps, and on user devices, while AI Auto Data Classification minimizes the administrative burden. 
  • Improving user experience: Users enjoy fast, seamless, and direct access to the applications and data they need, without the friction of legacy VPNs.
  • Simplifying IT infrastructure and security operations: A unified, cloud native platform consolidates security functions and reduces complexity while lowering costs.

Want to experience how the Zscaler Zero Trust Exchange can transform your organization’s security and operational efficiency? Join Zscaler’s three-part webinar series and get everything you need in order to understand and implement zero trust architecture.
