Published February 18 2025
Cybersecurity best practices for companies and organizations used to focus on firewalls and trusted networks. The firewall would keep out attackers and the trusted network behind it could operate securely. Within this trusted network, all devices and actors would be trusted and allowed to access others behind the network.
However, this approach leads to significant vulnerabilities once the perimeter is bypassed or breached: a threat actor who gets inside the trusted network can move easily from device to device, uncovering sensitive information and expanding the breach they created.
In response to this problem, and in recognition that firewall breaches are likely to occur, zero trust architecture has emerged as a new paradigm for keeping organizations and their data cybersecure.
The term zero trust was coined in 2010 by John Kindervag, then an analyst at Forrester Research, and has been applied to a wide variety of security products and approaches in subsequent years. Zero trust architecture and practices are used by companies like Microsoft and Google as well as the U.S. Department of Defense.
Both the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have published guidance on implementing zero trust architecture; NIST's core reference is Special Publication 800-207, Zero Trust Architecture.
However, despite the promise of this approach for improving cybersecurity and the large number of companies using some elements of zero trust architecture, such as multi-factor authentication, most do not have fully developed zero trust architecture systems in place. According to a report from Cisco surveying 4,700 global IT professionals, 86.5 percent of organizations have begun implementing some zero trust architecture practices but only 2 percent have fully developed systems.
At its core, zero trust architecture centers on the idea that all devices in a network, even if they are behind a firewall, should be treated as though they are potentially compromised. No device or actor in the network is inherently trusted, and all must be authenticated and authorized every time they try to connect to another device or access information. Thus, in a zero trust architecture, all of an organization's devices are treated the way devices outside the trusted network would be treated in a more traditional system.
By using this approach, zero trust architecture makes it more difficult for an attacker who penetrates the system to expand their breach or access information, since every action they take within the network is subject to fresh authentication and authorization checks.
Zero trust architecture is built on several key components and practices, including the assumption of breaches, explicit verification and the use of least privilege access.
Zero trust architecture assumes that an organization’s system is already compromised and that any device within it may already be a threat or controlled by a threat actor. This assumption grounds the rest of zero trust architecture and helps prevent damage by ensuring that rigorous security checks are applied to all devices at all times.
Performing these regular checks involves another pillar of zero trust architecture, the use of explicit verification. This means that, instead of implicitly trusting a device because it is located within a network or for other reasons, the identity and security status of the device must be verified every time it attempts to access another device or resource in the organization.
Verification within zero trust architecture often goes beyond simply verifying the identity of a user prior to allowing them to access a device or resource. Since credentials can be stolen, verification also considers a variety of signals, such as user behavior, the risk posed by unauthorized access to the requested device or resource, and the security posture of the device being used. Such contextual, risk-based verification is often backed by analytics or machine learning tools and provides additional protection against malicious actors reaching sensitive information. Requiring multi-factor authentication is another common element of zero trust verification, as it helps further confirm the identity of the person accessing a device or account.
Zero trust architecture also depends on giving all users the minimum access and privileges necessary and providing these privileges for as little time as possible. This approach is called the principle of least privilege and is widely considered a best practice for protecting critical information in cybersecurity. Implementing it commonly involves two complementary practices: just-in-time (JIT) access and just enough administration (JEA).
JIT access involves granting access to a resource or device only when it is needed and only for as long as it is needed. This reduces the window in which an attacker can use the device and its access privileges to steal information or break into another device. It also lets organizations track more precisely which privileged resources are accessed and when, making breaches and threats easier to trace.
JEA operates similarly, although it focuses on ensuring that users are granted only the minimum privileges necessary to perform their tasks and access their resources, minimizing the damage that a compromised device or account can do.
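The following is an added example, not code from the original article or from any vendor's product: a minimal policy decision point that puts the explicit-verification and least-privilege pillars above into working code. Every request is evaluated on its own merits regardless of source network, MFA and device posture are checked each time, a risk score from an assumed behaviour-analytics feed can veto the request, and privileged roles are only honoured through time-bounded JIT grants scoped to one minimal role (JEA). The resource names, role names, thresholds and request fields are illustrative assumptions.

```python
"""Added example: a tiny zero trust policy engine.
All resource names, roles, thresholds and signal sources are assumptions
made for illustration; they are not from the article or any real product."""
from dataclasses import dataclass
import time

# Hypothetical resource catalogue: resource -> the single role needed to use it.
REQUIRED_ROLE = {
    "payroll-db": "payroll-admin",
    "wiki": "employee",
}


@dataclass
class Device:
    device_id: str
    managed: bool          # enrolled and able to attest its identity
    disk_encrypted: bool
    patch_age_days: int    # days since the last patch was applied


@dataclass
class Request:
    user: str
    mfa_verified: bool     # proven by the identity provider for this session
    device: Device
    resource: str
    action: str
    source_ip: str         # recorded for audit; deliberately grants no trust
    risk_score: int        # 0-100, assumed to come from behaviour analytics


@dataclass
class JitGrant:
    user: str
    role: str
    expires_at: float      # epoch seconds


class PolicyEngine:
    def __init__(self, max_patch_age_days=30, max_risk=70):
        self.max_patch_age_days = max_patch_age_days
        self.max_risk = max_risk
        self.standing_roles = {}   # user -> set of baseline (minimal) roles
        self.jit_grants = []       # time-bounded elevations
        self.audit = []            # every decision, allow or deny, is logged

    def grant_jit(self, user, role, ttl_seconds, now=None):
        """Elevate a user to one role for a bounded time (JIT + JEA)."""
        now = time.time() if now is None else now
        self.jit_grants.append(JitGrant(user, role, now + ttl_seconds))

    def _active_roles(self, user, now):
        roles = set(self.standing_roles.get(user, set()))
        # Expired grants are pruned on every evaluation, so access lapses
        # automatically instead of lingering as standing privilege.
        self.jit_grants = [g for g in self.jit_grants if g.expires_at > now]
        roles.update(g.role for g in self.jit_grants if g.user == user)
        return roles

    def device_compliant(self, d):
        return (d.managed and d.disk_encrypted
                and d.patch_age_days <= self.max_patch_age_days)

    def evaluate(self, req, now=None):
        """Return (allowed, reason). Every check runs on every request;
        nothing is skipped because the caller is on an internal address."""
        now = time.time() if now is None else now
        decision = self._decide(req, now)
        self.audit.append((now, req.user, req.device.device_id, req.source_ip,
                           req.resource, req.action, decision[1]))
        return decision

    def _decide(self, req, now):
        if not req.mfa_verified:
            return False, "mfa-required"
        if not self.device_compliant(req.device):
            return False, "device-noncompliant"
        if req.risk_score > self.max_risk:
            return False, "risk-too-high"
        needed = REQUIRED_ROLE.get(req.resource)
        if needed is None:
            return False, "unknown-resource"      # default deny
        if needed not in self._active_roles(req.user, now):
            return False, "insufficient-privilege"
        return True, "allow"


def demo():
    """Walk a constructed scenario and return the decisions made."""
    engine = PolicyEngine()
    engine.standing_roles = {"alice": {"employee"}}   # JEA: baseline is minimal
    good = Device("lt-001", managed=True, disk_encrypted=True, patch_age_days=5)
    internal = "10.0.0.5"                             # internal IP buys nothing
    out = []
    out.append(("wiki, mfa", engine.evaluate(
        Request("alice", True, good, "wiki", "read", internal, 10), now=1000)))
    out.append(("wiki, no mfa", engine.evaluate(
        Request("alice", False, good, "wiki", "read", internal, 10), now=1000)))
    out.append(("payroll, no grant", engine.evaluate(
        Request("alice", True, good, "payroll-db", "read", internal, 10), now=1000)))
    engine.grant_jit("alice", "payroll-admin", ttl_seconds=600, now=1000)
    out.append(("payroll, inside JIT window", engine.evaluate(
        Request("alice", True, good, "payroll-db", "read", internal, 10), now=1100)))
    out.append(("payroll, JIT expired", engine.evaluate(
        Request("alice", True, good, "payroll-db", "read", internal, 10), now=2000)))
    return out


if __name__ == "__main__":
    for label, (allowed, reason) in demo():
        print(f"{label:30s} -> {'ALLOW' if allowed else 'DENY'} ({reason})")
```

The point of the design is what is absent: there is no branch that allows a request because it came from an internal address, and there is no way to hold the payroll role permanently. The source IP is written to the audit trail so an investigator can reconstruct who touched what and from where, which is the tracking benefit JIT access gives.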
Together, the three pillars of assumed breach, explicit verification and least privilege create a strong zero trust environment in which users and devices are regularly verified and granted only the access they need, when they need it, limiting the damage if a device is compromised. Because nothing is implicitly trusted and every new connection is checked, it is also harder for an attacker to move laterally across an organization or reach important information. Zero trust architecture thus provides security and resilience against cyberattacks that do not depend solely on the perimeter firewalls and other measures on which many organizations have traditionally relied.
A variety of resources are available if you are interested in learning more about zero trust architecture or want to implement it for your organization. A particularly detailed and freely available source is NIST Special Publication 1800-35, which offers practical guidance on implementing zero trust architecture and was written in partnership with experts from Microsoft, Amazon Web Services, Google Cloud, IBM and other companies.
Another useful resource for learning about zero trust architecture within Windows environments is the Microsoft Learn documentation and training on the subject.
With these resources and other tools available, you should be well positioned to advance your cybersecurity by understanding and potentially implementing zero trust architecture at your organization.