What Is Zero-Trust Networking?

A zero-trust networking is based on a security model that establishes trust through continuous authentication and monitoring of each network access attempt. It's different from the traditional model of assuming everything in a corporate network can be trusted.

What are the benefits of a zero-trust network?

The benefits of a zero-trust network include:

  • Greater security. Attacks usually originate far from the intended target, such as a corporate network. Attackers also frequently piggyback on approved users' access before moving laterally within a network to gain access to targeted assets.
  • Ability to manage dispersed infrastructure. Network infrastructure has become more complex and dispersed, with data, applications, and assets spread across many cloud and hybrid environments. Users are working from many locations as well, making it more difficult to define a defensible perimeter. In fact, simply securing a perimeter is an outdated approach to a complex challenge that varies widely from company to company.
  • Simpler approach to security. Historically, organizations have layered security solutions to block attackers. Over time, this can create security gaps for attackers to compromise. With zero-trust networking, security is seamless and more well integrated throughout networks.

How does a zero-trust network operate?

  • The zero-trust philosophy is "never trust, always verify." Traditionally, network perimeters were secured by verifying user identity only the first time a user or device entered an environment. With zero trust, networks are built around "microperimeters," each with its own authentication requirements.
  • Microperimeters surround specific assets, such as data, applications, and services. Through segmentation gateways, authentication is defined not just by user identity but also by parameters such as device, location, time stamp, recent activity, and description of the request. These complex authentications are more secure and can occur passively in the background.
  • Narrowly defined authentication rules protect networks from unauthorized users. They also grant approved users only the specific privileges for which they have an immediate need. This workflow helps ensure that even if attackers gain entry, they can't move freely in the network environment.

How to create a zero-trust network

A zero-trust network relies less on specific hardware and more on new approaches to security. These can be incorporated into existing infrastructure using the following process:

Identify assets

Take an inventory of assets and make assessments about the value and vulnerability of corporate assets such as proprietary data and intellectual property.

Verify devices and users

Intrusions often are initiated through a device that has been spoofed. To maintain zero trust, devices and users must verify they are who or what they say they are. This verification can be supported through multi-factor authentication for users, embedded chips in devices, and behavior analytics for connected IoT devices.

Map workflows

Define who accesses assets, when they should access them, and how and why they should be granted access as part of the normal course of business.

Define and automate policies

Use assessment results to define policies for authentication, including metadata such as device, location, origin, and time, as well as contextual data such as recent activity and multi-factor authentication (MFA). Automate these processes with firewalls that screen for these attributes.

Test, monitor, and maintain

A zero-trust approach—similar to threat modeling—requires testing to ensure that the impact on productivity is minimal and hypothetical security threats are neutralized. After deployment, security teams need to observe device behavior continuously to detect anomalies that indicate new intrusions, and proactively adapt policies to block attackers.

Zero-trust network terms

Protect surface

Protect surface refers to any asset that needs to be protected.

Segmentation gateway

Segmentation is a term for reorganizing a larger protect surface. An example is dividing an entire network into smaller protect surfaces defined by value, use, workflow traffic, and other factors. A segmentation gateway is in effect a firewall that protects a specific segment within a larger network.


A micro-segment is a smaller, secured area within a larger network that is protected by a micro-perimeter. Micro-segments can be used to apply granular access control to specific workflows

Layer 7 firewall

A Layer 7 firewall is a new generation of firewall that can examine packet contents to use more of the data within those contents to define authentication criteria.

Multi-factor authentication

Multi-factor authentication is a core principle of zero-trust networks. Virtually all zero-trust authentications are multi-factor—that is, the authentications require multiple pieces of information or attributes to allow access to network resources.

SMS authentication

SMS authentication is the most popular additional factor added to user authentication today. It's used widely by e-commerce and social media services. With SMS authentication, users receive SMS codes that they provide to a network or service to prove their identity.

Least privilege access

Least privilege access refers to the practice of limiting even trusted users to only the specific applications, services, and data for which they have an immediate need.

Software-defined network

In a zero-trust environment, security is provided by default through rules and policies written and implemented by software. The elements of a zero-trust environment—segments and perimeters within larger environments—are themselves defined by software.

As with software-defined network infrastructure, software-defined security rules allow more control, better visibility, and more opportunities for automation.

Granular enforcement

Granular enforcement is another term for what zero trust accomplishes: authentications for very specific actions.