What Is Zero Trust?

Written by Coursera Staff • Updated on

It’s more important than ever to have a robust security process that addresses ever-evolving hacking technology. Learn more about zero trust, including what it is, how it uses authentication to protect sensitive data, and its role in cybersecurity.


As organizations increasingly rely on the internet and cloud storage options to conduct business, they must implement security systems to reduce the risk of cyberattacks or sensitive data breaches. To address these potential issues, IT teams choose different types of security frameworks to build around their business’s users. One popular framework is zero-trust security. Read on to learn more about zero trust, including what it is, how it uses authentication to protect sensitive data, and the role it plays within cybersecurity.


What is zero trust?

Zero trust is a security framework that always assumes a computer network is at risk of both internal and external threats. With zero trust, the system denies all access requests by default. Users only gain access to each network through continuous verification processes, a method called least-privileged access. The zero-trust security system treats every request to access resources as an untrusted source until the system authenticates and confirms the requester’s identity.


3 core principles of zero trust by Forrester

John Kindervag, a former Forrester analyst, created the original concept of zero-trust security. He established three core principles that are the foundation of every successful zero-trust security framework today. These core principles are:

  • By default, zero trust trusts no entity.

  • Zero trust enforces least-privileged access.

  • Zero trust implements comprehensive security monitoring.

6 pillars of zero-trust framework by NIST

The National Institute of Standards and Technology (NIST) put forth six pillars of a zero-trust architecture. These pillars are:

  1. Resources include all data sources and services. 

  2. Network location does not imply trust.

  3. Requesters can access individual resources on a per-connection basis.

  4. Set policy determines access to resources.

  5. The organization ensures all associated systems are in the most secure state possible.

  6. User authentication is dynamic and strictly enforced.

Why is zero trust important?

Zero trust is important because it addresses the risks of internal threats in a way that traditional security frameworks tend to miss. The classic “castle-and-moat” security structure’s goal is to protect a business from outside threats while giving users unlimited access to the different applications within the network. However, if an external threat happens to make it across the “moat,” then it has the ability to destroy everything in the “castle.” Zero trust addresses this weakness by requiring authentication for every entry point in the network—not only the “moat” but also every “door” within the castle.

Zero-trust security is particularly important because many businesses have shifted their workforces to remote or global positions. Instead of having everyone accessing a network housed in the same building, businesses now have to contend with hundreds, if not thousands, of remote access points, which increase the risk of a potential threat making its way through. Zero-trust security helps to address the increase in access points with a robust authentication response.

Who can implement zero trust?

Any business working with digital access to networks can implement zero trust. IT and security teams primarily establish this security framework.

How does zero trust work?

Zero trust works by making data and resources inaccessible by default and treating every access point as a potential threat. The system continually monitors, authenticates, and logs every user and access point to track any potential threats. For example, if an employee tries to log in from a location that’s different from usual, the zero-trust system might trigger an additional authentication step to ensure secure access.
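The following sketch is an added example, not code from Coursera or from any product, showing the behavior described above: access is denied by default, every request is evaluated and logged, and a sign-in from an unusual location triggers an additional authentication step. The policy table, user names, locations, and the `decide` function are all hypothetical.

```python
from dataclasses import dataclass

# Constructed sample policy: (role, resource) pairs that are explicitly allowed.
# Anything not listed is denied, which is the default-deny rule described above.
POLICY = {("finance", "payroll-db"), ("engineer", "build-server")}

# Constructed sample of the locations each user normally signs in from.
USUAL_LOCATIONS = {"alice": {"Berlin"}, "bob": {"Austin"}}


@dataclass
class Request:
    user: str
    role: str
    resource: str
    location: str
    authenticated: bool       # identity verified for this request
    device_compliant: bool    # device meets the organization's security baseline
    mfa_passed: bool = False  # result of an additional authentication step
    on_corporate_network: bool = False  # recorded, but never used to grant access


audit_log = []  # every decision is logged, whether access was granted or not


def decide(req: Request) -> str:
    """Evaluate one request; returns 'allow', 'step_up' or 'deny'."""
    decision = "deny"  # default: no access
    if (req.authenticated and req.device_compliant
            and (req.role, req.resource) in POLICY):
        usual = USUAL_LOCATIONS.get(req.user, set())
        if req.location in usual or req.mfa_passed:
            decision = "allow"
        else:
            decision = "step_up"  # unusual location: require extra authentication
    audit_log.append((req.user, req.resource, req.location, decision))
    return decision
```

Because `decide` runs on every request and ignores `on_corporate_network`, being inside the network never substitutes for authentication, device state, and policy.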

Pros and cons of using zero-trust security solutions

Zero-trust security solutions have several advantages and some limitations. The pros of this type of security system include reducing the risk of hacks, breaches, or data exposure. If a breach does occur, the zero-trust framework minimizes the affected areas and protects the rest of the system. Zero trust also allows businesses to track their assets more accurately since each part of the computing network must be transparent.

One challenge of zero-trust security is that it requires significant buy-in from a business’s leadership since it usually entails overhauling an existing security system and consistent oversight. Also, the multiple authentication steps required might become cumbersome, which can limit productivity. As a result, users might try to find ways around the system.

How to implement zero-trust security

Successful implementation of a zero-trust security system typically involves adding authentication and security measures to an existing framework. Here are some steps to take to enforce zero-trust security.

  • Step 1: You’ll want to first assess your established security system for weaknesses and potential exposure points.

  • Step 2: You’ll add a monitoring framework to watch for suspicious or unauthorized access attempts.

  • Step 3: The final step of a zero-trust security system is to implement automated monitoring that prevents access to data and requires authentication.

Because of the complexity of the change, it’s important to keep your workforce updated and introduce the zero-trust security system one step at a time. To gradually integrate this security system, allow your employees to adjust before progressing to the next step.

Prerequisites for establishing a zero-trust security strategy

The main prerequisite for successfully establishing a zero-trust security strategy is to have a workplace that commits to the process. Cooperation and buy-in will make the system easier to implement. You’ll also want to make sure that everyone has a general awareness and understanding of security basics to simplify participation.

CISA’s Zero Trust Maturity Model

The Cybersecurity & Infrastructure Security Agency (CISA) offers its free Zero Trust Maturity Model, which is a guide that provides different examples of zero-trust framework structures and recommends how to best implement these protocols for your business. You can download the current version of the model to help implement a zero-trust security strategy in your workplace.


Learn more with Coursera.

Sharpen your security skills and learn more about implementing a zero-trust security system with courses and Professional Certificates on Coursera. With options such as the Google Cybersecurity Professional Certificate, you’ll have the opportunity to learn about how to create an effective and successful cybersecurity system. The courses cover topics such as security models, tools that are used to access and address threats, networks, and more.
