Zero Trust 101
Getting started with cybersecurity’s transformational shift
Introduction
Zero Trust is transforming cybersecurity — but its language can be dense and difficult to understand.
This guide defines the essential terms, principles, and components that bring Zero Trust to life.
Whether you’re building a strategy or aligning teams, use this dictionary to cut through jargon and drive clarity at every stage of your Zero Trust journey.
Zero Trust foundations
The following foundational concepts describe the strategy, structure, and principles at the heart of every Zero Trust implementation.
Zero Trust
Zero Trust is a strategic initiative that helps contain cyber breaches by eliminating digital trust from your organization.
Rooted in the principle of “never trust, always verify,” Zero Trust is designed as a strategy that will resonate with the highest levels of any organization. Yet, it can be tactically deployed using off-the-shelf technology.
As a strategy, Zero Trust doesn’t rely on any specific technology. While technologies will improve and change over time, the strategy remains the same.
Zero Trust environment
A Zero Trust environment designates the location of your Zero Trust architecture, consisting of a single protect surface containing a single DAAS element.
Zero Trust environments are places where Zero Trust controls and policies are deployed. These environments include traditional on-premises networks such as data centers, public clouds, private clouds, endpoints, and SD-WANs.
Zero Trust architecture
Your Zero Trust architecture is the compilation of the tools and technologies used to deploy and build your Zero Trust environment. This technology is fully dependent upon the protect surface you are protecting.
Zero Trust is designed from the inside out, starting at the protect surface and moving outwards from there. Typically, the protect surface will be protected by a Layer-7 segmentation gateway that creates a microperimeter which enforces Layer-7 controls with Kipling Method policy.
Every Zero Trust architecture is tailor-made for an individual protect surface.
Zero Trust design principles
Zero Trust includes four key principles:
- Define business outcomes. Ask the question “What is the business trying to achieve?” This aligns Zero Trust to the grand strategic outcomes of the organization. It makes cybersecurity a business enabler instead of the business inhibitor that it’s often seen as today.
- Design from the inside out. Start with the DAAS elements and the protect surfaces that need protection. Design outward from there.
- Determine who or what needs access. Determine who needs access to a resource to get their job done, and grant only that access. This is known as least-privilege access; it’s very common to give too many users too much access to sensitive data for no business reason.
- Inspect and log all traffic. All traffic going to and from a protect surface must be inspected and logged for malicious content and unauthorized activity up through Layer-7.
Implementing Zero Trust
- Define the protect surface. Identify the DAAS elements, including data, applications, assets, and services, that you want to protect.
- Map the transaction flows. Zero Trust is a system. To secure the system and have a successful Zero Trust deployment, it’s crucial to understand how the network works. Mapping transaction flows to and from the protect surface shows how various DAAS elements interact with other resources on your network and, in turn, where to place the proper controls. The way traffic moves across the network, specific to the data in the protect surface, determines the design.
- Build a Zero Trust architecture. Part of the magic of the five-step model to Zero Trust is that the first two steps will illuminate the best way to design your Zero Trust architecture. The architectural elements cannot be predetermined. Each Zero Trust environment is tailor-made for each protect surface. A good rule-of-thumb in design is to place the controls as close as possible to the protect surface.
- Create a Zero Trust policy. Ultimately, Zero Trust policies are Layer-7 policy statements. This means it requires Layer-7 controls. Use the Kipling Method of Zero Trust policy writing to determine who or what can access your protect surface.
- Monitor and maintain the environment. One of the design principles of Zero Trust is to inspect and log all traffic, all the way through Layer-7. The telemetry provided by this process won’t just help prevent data breaches and other significant cybersecurity events. It will also provide valuable security improvement insights. This means that each protect surface can become more robust and better protected over time. Security teams can analyze telemetry from cloud, network, and endpoint controls using advances in behavioral analytics, machine learning, and artificial intelligence to stop attacks in real-time and improve security posture over the long term.
Key terminology
With the foundations in place, the next sections define the key terminology and core architectural elements that are essential for understanding, designing, and implementing Zero Trust environments.
DAAS
DAAS is an acronym that stands for data, applications, assets, and services. These define the sensitive resources that should go into individual protect surfaces. DAAS elements include:
- Data: This is sensitive data that can get an organization in trouble if it’s exfiltrated or misused. Examples of sensitive data include payment card information (PCI), protected health information (PHI), personally identifiable information (PII), and intellectual property (IP).
- Applications: Typically, these are applications that use sensitive data or control critical assets.
- Assets: Assets could include IT (information technology), OT (operational technology), or IoT (Internet of Things) devices such as point-of-sale terminals, SCADA controls, manufacturing systems, and networked medical devices.
- Services: These are fragile, sensitive services that your business depends on. The most common services that should be protected in a Zero Trust manner include DNS, DHCP, Active Directory®, and NTP.
Protect surface
The protect surface is the inversion of the attack surface, which is massive and includes the entire internet. Using a Zero Trust strategy, the overall attack surface can be significantly reduced to something very small and easily known.
Each protect surface contains a single DAAS element. Each Zero Trust environment will have multiple protect surfaces.
Asserted identity
Identity is always an assertion of the abstraction of a user on a network.
The identity system “asserts” that a device is generating packets under the control of the asserted identity. The asserted identity is the validated and authenticated “who” statement that is part of the Kipling Method Policy assertion: “Who” should have access to a resource?
Least-privileged access
Least-privileged access asks the question, “Does a user need to have access to a specific resource to get their job done?”
We give too much access to most users based upon the broken Trust model. By mandating a least-privilege, or need-to-know, policy, you can severely limit a user’s ability to perform malicious actions on a resource. This reduces both stolen credential and insider attacks.
Granular access control
Granular access control is the outcome of an explicitly defined Zero Trust Kipling Method policy statement.
Multiple access control criteria provide fine-grained policy for access to a protect surface. This makes it substantially more difficult for attackers to perform a successful attack against that protect surface.
Trust levels
The existing cybersecurity paradigm is based upon a broken Trust model where all systems external to the corporate network are considered “Untrusted” and those inside the corporate networks are known as “Trusted.”
It’s this flaw that undergirds Zero Trust. Trust is a human emotion injected into digital systems for no technical reason. It’s not measurable. Trust is binary. All successful cyberattacks exploit Trust in some way, making Trust a dangerous vulnerability that must be mitigated.
In Zero Trust, all packets are Untrusted and treated exactly the same as every other packet flowing across the system. The Trust level is defined as zero, hence the term Zero Trust.
Data toxicity
Data toxicity is the doctrine that sensitive data becomes “toxic” to your organization if it has been stolen or exfiltrated from your networks or systems into the control of malicious actors. This exfiltration leads to a negative impact on the business.
The data has become toxic as its theft leads to lawsuits or regulatory action on the organization. Every organization has both non-toxic and toxic data.
An easy way to recognize toxic data types is to remember the 4 Ps of toxic data:
- PCI: credit card data
- PII: personally identifiable information
- PHI: patient health information
- IP: intellectual property
Most toxic data falls into this simple framework.
Architectural elements
Microsegmentation
Microsegmentation is the act of creating small segments in a network so that attackers have difficulty moving around and accessing internal resources.
Many networks are “flat,” meaning that there are no internal segments. If an attacker gets a foothold in the network, they can move around unnoticed to attack resources and steal data.
A microperimeter is a type of microsegment. The microperimeter defines a Layer-7 boundary for protecting a DAAS element. Some organizations may choose to use Layer-3 microsegmentation technology inside of a microperimeter.
Segmentation gateway
A segmentation gateway (SG) is a Layer-7 gateway designed to segment networks based on users, applications, and data.
SGs are the primary technology used to enforce Layer-7 policy in Zero Trust environments. SGs can be physical (PSG) when used in traditional on-premises networks or virtual (VSG) when used in public or private clouds.
Next-generation firewalls (NGFWs) traditionally function as SGs when they’re deployed in Zero Trust environments.
Microperimeter
When a Segmentation Gateway connects to a protect surface and a Layer-7 Kipling Method Policy is deployed, then a microperimeter is placed around the protect surface.
The microperimeter ensures only known, approved, and validated traffic have access to the protect surface, based on policy.
One architectural principle of Zero Trust is to move your SGs as close as possible to the protect surface for the most effective preventative controls enforced by the microperimeter.
Zero Trust Kipling Method Policy (KMP)
Zero Trust policy is known as The Kipling Method, named after the writer Rudyard Kipling who gave the world the idea of Who, What, When, Where, Why, and How in a poem in 1902.
Since the idea of WWWWWH is well known worldwide, it crosses languages and cultures and allows easily created, easily understood, and easily auditable Zero Trust policy statements across various technologies.
A KMP determines what traffic can transit the microperimeter at any point in time. This prevents unauthorized access to your protect surface, while preventing the exfiltration of sensitive data into the hands of malicious actors.
True Zero Trust requires Layer-7 technology to be fully effective. The Kipling Method describes a Layer-7 Zero Trust granular policy.
Using the Kipling Method, you can create Zero Trust policy effortlessly by answering the following questions:
- Who should be allowed to access a resource? The validated “asserted identity” will be defined in the Who statement. This replaces the source IP Address in a traditional firewall rule.
- What application is the asserted identity allowed to use to access the resource? In almost all cases, protect surfaces are accessed via an application. The application traffic should be validated at Layer 7 to keep attackers from impersonating the application at the port and protocol level and using the rule maliciously. The What statement replaces port and protocol designations in traditional firewall rules.
- When is the asserted identity allowed to access the resource? The When statement defines a timeframe. It’s common for rules to exist 24/7, but many rules should be time limited and turned off when authorized users aren’t typically using the rule. Attackers take advantage of these always-on rules and attack when approved users are away from the system. This makes their attacks more difficult to discover.
- Where is the resource located? The location of the protect surface could be anywhere data is stored or assets are deployed. The Where statement replaces the destination IP Address in a traditional firewall rule.
- Why is the user allowed to access the resource? In most instances, the reason for putting data or an asset into a protect surface is because of its sensitivity. The sensitivity may be defined by a compliance mandate or by a business driver. There are often ways of tagging a packet to identify those sensitive data or systems. This tagging creates metadata that various controls can use to inform or automate policy statements and defines the policy’s Why statement.
- How should the traffic be processed as it accesses a resource? These criteria often apply additional controls or inspection on the packet as it accesses the resource. Controls that once were separate products deployed individually are now delivered as a service. These advanced services can be applied to individual rules as needed. These advanced controls include IPS (intrusion prevention system), DLP (data loss prevention), sandboxing, decryption, and other features that are available on an individual control.
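The following is an added illustration, not code from the original guide or from any vendor product: a minimal, default-deny evaluator that models a Kipling Method Policy rule as the six statements above and checks a request against each of them, including the time-limited When window. The rule, protect-surface name, identity group, application ID and tags are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class KiplingRule:
    """One Zero Trust policy statement; each field answers a Kipling question."""
    who: frozenset    # asserted identities (replaces source IP)
    what: frozenset   # Layer-7 application IDs (replaces port/protocol)
    when: tuple       # (start, end) clock times the rule is active
    where: str        # protect surface being accessed (replaces destination IP)
    why: frozenset    # sensitivity tags the protect surface must carry
    how: frozenset    # extra inspection applied to matching traffic

@dataclass(frozen=True)
class Request:
    identity: str
    app: str
    at: datetime
    destination: str
    tags: frozenset   # metadata tags on the destination resource

def within_window(rule, at):  # When statement; handles windows that wrap midnight
    (start, end), t = rule.when, at.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def evaluate(rules, req):
    """Default deny: allow only when one rule answers all six questions."""
    for r in rules:
        if (req.identity in r.who and req.app in r.what
                and within_window(r, req.at) and req.destination == r.where
                and r.why <= req.tags):
            return ("allow", r.how)
    return ("deny", frozenset())

EHR_RULE = KiplingRule(  # constructed rule for a hypothetical EHR database protect surface
    who=frozenset({"clinicians"}),
    what=frozenset({"ehr-web"}),
    when=(time(7, 0), time(19, 0)),
    where="ps-ehr-db",
    why=frozenset({"PHI"}),
    how=frozenset({"decrypt", "ips", "dlp"}),
)

def decide(identity, app, hour, destination, tags=("PHI",), rules=(EHR_RULE,)):
    """Evaluate a constructed request at the given hour on a fixed date."""
    req = Request(identity, app, datetime(2024, 5, 6, hour, 0), destination, frozenset(tags))
    return evaluate(rules, req)
```

Only a request that matches the Who, What, When, Where and Why statements together is allowed, and the How statement then names the inspection to apply; a correct identity using the wrong application, or the right application outside the window, is denied.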
Zero Trust Maturity Model
Because Zero Trust is a strategic initiative, it's important to benchmark your Zero Trust journey and measure your maturity over time. The maturity model documents improvements made to your individual Zero Trust environments.
Designed using a standard Capability Maturity Model, the Zero Trust Maturity Model uses the five-step methodology for implementing Zero Trust. It should be used to measure the maturity of an individual protect surface containing a single DAAS element.