
What is zero trust?

Key takeaways:

Zero trust is built on the principle of never trusting anyone implicitly. The term originated in a 2010 Forrester report by John Kindervag and has since become a widely adopted security model, replacing the traditional perimeter‑based approach. Zero trust requires continuous verification of users and devices at every stage, helping organizations counter breaches and adapt to a boundaryless enterprise environment.

Zero trust explained

Zero trust is a security mindset built on the phrase "trust no one implicitly". It aims to verify the safety of everything that accesses your information assets and, in doing so, to prevent threats to those assets.
Security measures are crucial to protecting a company's critical information, including the applications, endpoints, networks, and similar assets it needs to stay safe and relevant in today's IT environment. The "zero trust" security model can be indispensable for companies looking to increase their cyber resilience.

In addition to data, zero trust security can be applied to applications, endpoints, networks, and similar assets.

Today’s IT environment has evolved. Cloud service adoption is much more common, virtually everyone has at least one mobile device on them at all times, and the internet of things (IoT) ensures that everyone is connected. How users access information assets is also diversifying, and it’s virtually impossible to protect our endpoint devices, network, data, and applications while leveraging yesterday’s conventional security measures.

Zero trust discards the concept of "boundaries and perimeters" used in traditional security measures and instead verifies the safety of every access, enabling optimal security measures in a perpetually changing IT environment.

Techopedia notes that "because untrusted threat actors exist both internally and external to a network, zero trust supports the following principles:

  • Never trust
  • Always verify
  • Enforce Principle of Least Privilege (PoLP)

An important goal of the zero trust model is to prevent malicious actors from using a compromised account to move laterally across a target network".

How is zero trust different from traditional cybersecurity?

Traditional security models rely on a network perimeter, assuming everything inside is safe. But in today’s cloud-driven world, that trust is risky. Cybercriminals exploit phishing, stolen credentials and lateral movement to bypass these defences. As attacks grow more sophisticated, the old approach simply isn’t enough.

Zero trust flips the script. It assumes breaches can happen at any time and enforces continuous verification for every access request. Instead of trusting location, it focuses on identity, device health and real-time risk.

As NIST SP 800-207 explains, zero trust isn't a product, but a strategy. It combines integrity checks, network segmentation and ongoing monitoring to shrink the attack surface. Organizations adopting zero trust report stronger resilience and faster incident response.

How to adopt a zero trust framework?

Two widely recognized standards, NIST SP 800-207 and CISA's Zero Trust Maturity Model, form the backbone of zero trust implementation.

A practical, outcome-driven approach connects these standards to help organizations implement zero trust. It starts by identifying critical assets such as sensitive data, applications, endpoints and services, and applying zero trust controls around them.

The framework combines NIST’s logical components (policy enforcement, decision points and continuous diagnostics) with CISA’s five pillars: identity, device, network, application workload and data. This alignment ensures practitioners follow industry best practices.

Adopting zero trust typically involves four steps:

  • Assessment: Review your current security posture and identify gaps against NIST and CISA benchmarks.
  • Design: Define architecture and policies tailored to your organization.
  • Implementation: Deploy controls like identity verification, micro-segmentation and encryption.
  • Continuous improvement: Monitor, measure and optimize using maturity scorecards.

By integrating governance, automation and interoperability with existing systems, this structured approach accelerates adoption, reduces complexity and ensures compliance. The result? Measurable security outcomes and greater resilience in an evolving threat landscape.  

Core tenets of zero trust

NIST outlines seven core principles that form the foundation of zero trust:

  1. Treat everything as a resource: Every interaction, whether with data or services, requires validation.
  2. Secure all communication: Internal traffic is no longer trusted by default; every connection must be protected.
  3. Grant access per session: This limits persistent privileges that attackers often exploit.
  4. Apply dynamic policies: Decisions consider identity, device health and behavioural context.
  5. Authenticate before access: Verification happens upfront, not after entry.
  6. Monitor continuously: Real-time checks maintain asset integrity and detect anomalies.
  7. Log and analyze everything: Visibility supports trust evaluation and rapid incident response.

Together, these tenets create an adaptive security posture that meets evolving threats and aligns with compliance frameworks like GDPR and HIPAA.

How can zero trust help organizations adapt to dynamic threat landscapes?

Zero trust integrates with several security practices to deliver comprehensive protection, including:

  • Microsegmentation isolates workloads, reducing the attack surface.
  • Continuous monitoring uses telemetry and behavioral analytics to detect anomalies in early stages.
  • IAM enhancements such as passwordless authentication and identity federation improve user experience while maintaining security.
  • Policy-as-Code automates enforcement across hybrid environments, ensuring consistency and scalability.
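The seven NIST tenets above and the policy-as-code bullet describe the same mechanism from two sides: a policy decision point evaluates every request against rules that live as versioned data, grants access for one session only, scores behavioural context, and records each decision. The following Python program is an added illustration of that mechanism, not code from Kyndryl, NIST or CISA; the rule fields, the risk weights, the KNOWN_LOCATIONS table and the sample requests are all constructed for the example.

```python
"""Toy zero trust policy decision point (PDP).

Added example, not Kyndryl's or NIST's code. The rule format, field names,
risk weights and sample requests below are constructed for illustration.
"""
from dataclasses import dataclass, asdict
from typing import Dict, List, Set
import json

# Policy-as-code: rules are plain data that can be reviewed, diffed and
# versioned. A request with no matching rule is denied (default deny).
POLICY: List[Dict] = [
    {"resource": "payroll-db", "action": "read",
     "require_roles": ["finance"], "require_mfa": True,
     "require_compliant_device": True, "max_risk": 40, "session_ttl_s": 900},
    {"resource": "wiki", "action": "read",
     "require_roles": [], "require_mfa": False,
     "require_compliant_device": False, "max_risk": 70, "session_ttl_s": 3600},
]

# Locations previously seen for each subject (constructed sample data).
KNOWN_LOCATIONS: Dict[str, Set[str]] = {"alice": {"DE"}, "bob": {"US"}}

AUDIT_LOG: List[Dict] = []   # tenet 7: every decision is recorded


@dataclass
class AccessRequest:
    subject: str
    roles: Set[str]
    mfa: bool                 # did the subject complete MFA for this session?
    device_compliant: bool    # device health as reported by endpoint management
    resource: str
    action: str
    location: str
    failed_logins_last_hour: int = 0


def risk_score(req: AccessRequest) -> int:
    """Behavioural context that feeds the dynamic policy (tenet 4)."""
    score = 0
    if req.location not in KNOWN_LOCATIONS.get(req.subject, set()):
        score += 30                                        # unfamiliar location
    score += min(req.failed_logins_last_hour, 5) * 10      # brute-force signal, capped
    if not req.device_compliant:
        score += 20
    return score


def decide(req: AccessRequest, policy: List[Dict] = POLICY) -> Dict:
    """Authenticate and authorize before access (tenet 5); grant per session (tenet 3)."""
    rule = next((r for r in policy
                 if r["resource"] == req.resource and r["action"] == req.action), None)
    reasons: List[str] = []
    if rule is None:
        reasons.append("no matching rule (default deny)")
    else:
        if rule["require_roles"] and not set(rule["require_roles"]) & req.roles:
            reasons.append("required role missing")
        if rule["require_mfa"] and not req.mfa:
            reasons.append("MFA required")
        if rule["require_compliant_device"] and not req.device_compliant:
            reasons.append("device not compliant")
        score = risk_score(req)
        if score > rule["max_risk"]:
            reasons.append(f"risk score {score} exceeds {rule['max_risk']}")
    allowed = not reasons
    decision = {
        "subject": req.subject, "resource": req.resource, "action": req.action,
        "allowed": allowed, "reasons": reasons,
        # The grant is scoped to one session and expires; nothing persists.
        "session_ttl_s": rule["session_ttl_s"] if allowed else 0,
    }
    AUDIT_LOG.append({"request": {**asdict(req), "roles": sorted(req.roles)},
                      "decision": decision})
    return decision


if __name__ == "__main__":
    # Constructed requests: same user and resource, different context.
    usual = AccessRequest("alice", {"finance"}, True, True, "payroll-db", "read", "DE")
    unusual = AccessRequest("alice", {"finance"}, True, True, "payroll-db", "read", "BR",
                            failed_logins_last_hour=2)
    for r in (usual, unusual):
        print(json.dumps(decide(r)))
    print(json.dumps(AUDIT_LOG, indent=2))
```

Running it shows the point of tenets 3 and 4: the same user with the same role and a compliant device is granted a 900-second session from a familiar location but denied from an unfamiliar one with recent failed logins, and the audit log keeps both requests and both decisions for later analysis.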

Zero trust in hybrid and cloud environments

Hybrid IT brings complexity as data and workloads span on-premises systems and multiple clouds. Zero trust addresses this by enforcing identity-based controls, encrypting traffic and applying microsegmentation across environments.

Cloud-native services often include built-in zero trust features such as conditional access and workload isolation. Compliance frameworks like PCI DSS and HIPAA increasingly align with these principles, making adoption a regulatory advantage. To strengthen security, organizations should focus on securing SaaS applications, implementing unified identity management and monitoring cross-cloud traffic for anomalies.

As businesses expand across hybrid and multi-cloud environments, strategic partnerships, such as those between Kyndryl and Cloudflare, play a vital role in enabling secure connectivity and robust network protection.

What are the benefits of zero trust?

Several key advantages of adopting a zero trust security mindset include:

  • Enhanced perimeter-less security with strengthened identity and access management
  • Protection of enterprise assets including end-points, applications, and data
  • Secured cloud and edge services
  • Secured remote working and working on the go

Remote work and modern cloud-oriented environments can hinder conventional perimeter security and the ability to draw boundaries between what is inside and outside the company network. Zero trust security measures help to verify the resilience of all assets and communications regardless of where a company’s employees are working.

Adopting a zero trust security approach in today's diversifying hybrid IT environment helps strengthen your enterprise’s security and firmly protect your information assets.

Challenges in implementing zero trust

Rolling out zero trust isn't without hurdles. Legacy systems often lack modern identity controls, forcing integration workarounds. Stricter access policies can also spark cultural resistance when they affect user experience. Another common pitfall is overengineering. Trying to apply zero trust everywhere at once can create unnecessary complexity and even delays.

The best approach? Start with high-value assets, adopt a phased rollout and secure leadership support. Clear communication and user education are essential to overcome resistance and ensure successful adoption.

What should I consider when implementing zero trust?

When adopting zero trust security measures, consider the following factors:

  • Cost
  • Convenience
  • Business goals
  • Strategy, framework, and architecture
  • Competency center

Before you implement any zero trust security measures, consider establishing a zero trust-specific framework, architecture, and competency center.

To implement zero trust security measures, an IT department often must do the following:

  • Create an integrated team with the right specialized skills
  • Create a management system and a mechanism for identifying the most critical assets to be protected and the key use cases, and manage common governance and visibility capabilities across the five pillars of zero trust:
    • Identity
    • Data
    • Applications
    • Network
    • Endpoints

The governance and management system helps introduce dedicated solutions for sharing intelligence and managing operations optimally. While this process has obvious benefits, there is an initial cost to implement it and a continual cost to maintain it.

Zero trust security measures can include VPNs, more frequent password prompts, multi-factor authentication, and identity verification apps. Although these tools can increase cyber security and resilience, they can also increase employee frustration and decrease productivity. For example, say an employee has to run code that takes several hours to process, but their security software is configured to log them off the VPN once the computer senses 10 minutes of cursor inactivity. The employee must then remain at their desk while the code runs and periodically move the cursor to avoid being booted from the VPN and having to restart the job.

Today's diversified environment necessitates going beyond yesterday's conventional security measures. Organizations today are looking at combining cyber security with recovery capabilities to increase cyber resilience. Zero trust security is important to protecting today's enterprises and complements other essential aspects of the cyber resilience framework, including the ability to anticipate, respond to and recover from cyber incidents.


FAQs

Think of microsegmentation as smart barriers inside your network. If attackers break in, they can’t move freely. Kyndryl partners with Illumio and Akamai to make microsegmentation simple to deploy and manage. Together, our certified teams help isolate workloads, contain breaches and keep your business running smoothly.

Kyndryl works with Cloudflare, Cisco and others to deliver secure, seamless connectivity and strong network protection across multi-cloud and hybrid environments. These partnerships help organizations modernize infrastructure, boost agility and achieve comprehensive zero trust security.

Kyndryl offers hands-on support, training and managed services to help your team adopt zero trust solutions. Our experts work with you to build confidence, streamline processes and ensure your security strategy is sustainable. That way, you can focus on your business, not just your tech.