ZERO TRUST
A set of principles and strategies to prevent and be resilient to cyber attacks by eliminating trust and nullifying breaches that have already occurred.
Zero Trust has been defined by the National Security Telecommunications Advisory committee. This slightly tweaked version tidies up a couple of inconsistencies.
Zero Trust is a cybersecurity strategy premised on the idea that no asset (user, software, device) or transaction between them is to be trusted. It assumes that a breach has already occurred or will occur, and therefore access to information is only to be granted only while the transactions between assets are valid as compliant to the policy in place.
In 2025, John Kindervag, has been using this shorter definition:
Zero Trust is a strategy designed to stop data breaches and prevent other cyber-attacks from being successful by eliminating trust from digital systems.
The reason for many definitions is that as it evolves practioners are constantly refining and explaining their own understanding – to themselves! This is a healthy demonstration of the works journey.
It’s never a single or complete solution for IT, Networking,etc. – don’t be persuaded otherwise. You will have many context-dependent implementations across your organization and ecosystem. The defense deployed depends upon on the specific threat.
Only when you look at Cybersecurity holistically, does it become blindingly obvious that Zero Trust is a mind set, an organizational and technical strategy and why it should shape your organization’s thinking.
The Cause - why Zero Trust has become and will remain critical.
The Network Cloud Ecosystem (shown below), Network as a Service, distributed workforces, supply chain and open source software weaknesses means the network perimeter no longer exists to be defended.
Exploitation
State-sponsored threats change daily: from Phishing/Ransomware-as-a-Service, Advanced Persistent Attacks, Living-off-the-land attacks, lateral movement, insider and supply chain threats, etc. – and that’s just scratching the surface. They all prey on the vulnerabilities exposed by creation of the dynamic ecosystem shown above.
Why Now?
The cause and resulting exploitation above show why Zero Trust principles and strategies, when applied, have become so relevant. Although coined more than a decade ago, Zero Trust today represents the only viable defensive approach.
Principles and Strategies
Zero Trust Principles:
Never Trust, Always and constantly Verify | Assume Breach | Access using Least Privilege | Prevent exfiltration of data as opposed to just preventing access to data.
Zero Trust Strategies:
Begin with a top level Security Policy to decide what should be protected and curate those resources to create resilience to your critical assets.
Then understand your deployment of Identity management and authentication of actors – users, software, devices | authorize via actor-specific, attribute-based policies, controls, management and enforcement | automated, constant, time-sensitive monitoring to ensure ongoing verification and prevent trusted actors becoming threat actors | prevention, testing and remediation | automation is critical to ensure created assets are up-to-date and to elimate human errors.
Create Business Resilience by planning seamless recovery when incidents. Become a steward protecting data, software, devices and services. Have rigorous testing of backed-up assets become the norm.
Step-by-step, form an ongoing Zero Trust strategy for your journey, measure your progress. Rinse and repeat.
Holistic Cybersecurity and Zero Trust
Encompassing Organization and Technology
The best approach to eliminate hundreds of weak links is a holistic one that begins with the executive team, includes the whole organization and ensures proper delegation to external contractors and supply chains.
Zero Trust applies across the organization not just to Information Technology with only 32% of actions within IT. The remainder are distributed across the organization: Exec Team 15% Asset curation 14%, Operations 10%, HR 8%, etc.
Implementation Journey - The 5 Step Methodology
Deployment
Where Should Zero Trust Be Deployed?
The chart below makes it obvious why there cannot be a single Zero Trust solution! Map the diagram onto your organization, download the top ten list from cybyr.com, then read the book, and decide what matches the assets you need to curate and protect.
Deployment of solutions that enforce and implement the strategies may span several locations over a Trusted Path or workflow, or at a single location and at various layers.
Step-by-Step, starting with the most important areas to protect, map the access and flows to and through each point, plan the Zero Tust elements and monitoring. Bake this into your Security Strategy.
Zero Trust is a Journey
Finally, don’t be daunted. Zero Trust is not an overnight fix. It’s a constant journey that begins with asset curation to identify the most critical assets to protect first. Each action you take addresses your vulnerability, strengthens your weakest links and reduces your risks. Keep aware of new threats and developments such as those listed on the breaking news section of this site. Expand your understanding by reviewing the 390+ cybersecurity terms covered on this site. Use our Security as a Service software to measure your progress. If you are challenged with stress or burnout, then Zero Trust can help here too. It has hidden power!