IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

What Is Zero Trust? A Guide to the Cybersecurity Approach

Zero trust contrasts with a “castle and moat” approach to cybersecurity thinking, and recognizes that use of remote workforces and cloud services means there’s no longer a clear perimeter to defend.

A person trying to log into a computer.
The term “zero trust” is rapidly gaining attention as agencies move away from the more traditional “castle and moat” models of cybersecurity.

Zero trust refers to a cybersecurity strategy or set of principles based in the understanding that just because an account or device is associated with the organization or has seemed trustworthy in the past doesn’t mean they should be assumed to be trustworthy in the future. The mindset assumes an attacker could be in the network already and emphasizes limiting a bad actor’s ability to access data and other resources.

Organizations adopting zero-trust principles require users — and devices — to continually prove they are who they claim to be, whenever they want to access data or services. This stands in contrast to older thinking in which users may have only had to authenticate themselves once to enter the organization’s network, such as by logging in, and then were granted access to a wide swathe of internal resources.

These approaches often involve applying more robust identity verification methods — think multifactor authentication (MFA) rather than just a username and password — and encrypting all communications, even those within the organization’s network.

Core zero-trust principles also involve restricting users’ access privileges to the minimum amount they need to do their jobs, something known as the “principle of least privilege” (POLP).


The more traditional “castle and moat” approach saw organizations focus on securing the perimeters of their networks to block out malicious actors. Those who provided the right credentials were assumed to be trustworthy and allowed through firewalls to access many of the network’s systems and data, without necessarily having to re-authorize themselves at each access attempt. 

But many of today’s organizations rely on workforces that are no longer on premise and on assets stored in the cloud — meaning there’s no longer a castle to wrap the moat around. Remote employees connect to the network from a variety of locations, through personal Internet networks and, sometimes, on personal devices outside of an organization’s control. Cloud-based data also remains outside of the defense of the organization’s perimeter firewalls.

Malicious actors can attempt to pass themselves off as employees using new devices or may seize control of employees’ accounts or devices that are already familiar to the organization, then move within the network.

Organizations need to avoid locking out legitimate employees, but enabling the wrong device or allowing the wrong level of access privileges creates significant cyber risks.

To thread the needle, organizations that adopt the zero-trust approach require devices and users to verify themselves repeatedly and monitor continually. Reducing each account’s privileges to only what is essential also minimizes the damage that a bad actor or malicious insider would be able to achieve.

The federal government has thrown its support behind the idea, with Biden’s executive order asking federal agencies to transition to zero trust.


Organizations adopting zero-trust architecture — that is, a cybersecurity plan informed by zero-trust thinking — must address several core principles.

The National Institute of Standards and Technology (NIST) outlines seven tenets in a 2021 draft white paper and 2020 publication:

1. Network identity governance: Organizations need policies and tools to ensure that only authorized users who have gone through a sufficient level of authentication are granted access to enterprise data and services, and that they are only able to perform authorized actions.

2. Secure end devices: Zero-trust plans need to address end devices such as mobile devices, remote sensors and compute resources.

3. Monitor, defend and defend against owned and associated assets: Organizations should attend closely to their data and services’ defenses — including understanding how they are configured and maintained — as well as continually monitor for signs of compromise and respond quickly to events like new patches or indicators of vulnerabilities. They may also need to block connections or restrict access to those devices over which they have less control.

4. Secure all communication: Organizations must safeguard the integrity and privacy of all data in transit — even for communications within the network. Otherwise, an attacker hiding on the network could view or tamper with the communications.

5. Users should only be given access to individual enterprise resources on a “per-session basis”: Organizations should try to tightly control access to data, services and devices. To the extent possible, organizations should require users to clear authentication and authorization checks each time they seek to perform “unique operation[s].” Users also should only be given the minimum access privileges required to complete their objectives. Adopting logging, backups and versioning tools can also help recovery if unauthorized activity does occur.

6. Thoroughly — and “dynamically” — vet access requests: Limit access to enterprise resources only to members of an allow-list who also both prove their identities and their genuine need to access the particular asset in question. Identities should be verified in robust ways. Organizations may continually monitor accounts and devices for suspicious behaviors and characteristics as well as require MFA to access some systems or data and require reauthentication at various points.

7. Gather information to understand and improve security posture: Organizations should collect and analyze as much data as they can about the status of their assets, network infrastructure and communications to help them identify ways to improve policies.
Jule Pattison-Gordon is a senior staff writer for Government Technology. She previously wrote for PYMNTS and The Bay State Banner, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.