Zero Trust – Explained in Simple Terms

By John King, CISSP, PMP, CISM •  Updated: 01/01/23 •  3 min read

Zero trust is a newer security model that assumes that all users and devices, whether inside or outside of an organization’s network, are untrusted and must be authenticated and authorized before they are granted access to resources. Zero trust aims to protect against cyber threats, such as data breaches and malware attacks, by eliminating the assumption that users and devices within an organization’s network are trustworthy.

One of the key principles of zero trust is the idea of “never trust, always verify.” This means that every request for access to a resource, whether it comes from a user within the organization or from an external device, must be verified before access is granted. This is in contrast to traditional security models, which often assume that users and devices within an organization’s network are trusted, and only external threats must be guarded against.

To implement a zero trust model, organizations typically use a variety of security controls, including multi-factor authentication, network segmentation, and application-level access controls. These controls are used to verify the identity of users and devices and ensure that they are authorized to access specific resources.

One of the key benefits of zero trust is that it helps to protect against insider threats, such as employees who may have malicious intentions or who may accidentally expose sensitive data. By requiring all users to be authenticated and authorized before they are granted access to resources, zero trust can prevent these types of threats from causing damage.
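
The Python example below is an added illustration, not code from the original article. It contrasts the traditional perimeter check with a “never trust, always verify” decision that checks user, device and authorization on every request, including one from an insider; all names, addresses, device IDs and grants are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# All names and values below are constructed for illustration.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
KNOWN_DEVICES = {"laptop-0042", "phone-0107"}   # enrolled device IDs
GRANTS = {                                      # user -> resources they may use
    "alice": {"payroll-db", "wiki"},
    "bob": {"wiki"},
}

@dataclass(frozen=True)
class Request:
    user: str
    password_ok: bool
    mfa_ok: bool
    device_id: str
    source_ip: str
    resource: str

def perimeter_decision(req: Request) -> tuple[bool, str]:
    """Traditional model: anything arriving from the internal network is trusted."""
    if ipaddress.ip_address(req.source_ip) in INTERNAL_NET:
        return True, "internal source address"
    return False, "external source address"

def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Zero trust: verify user, device and authorization on every request.
    Network location is deliberately not an input to the decision."""
    if not (req.password_ok and req.mfa_ok):
        return False, "user not authenticated with multi-factor authentication"
    if req.device_id not in KNOWN_DEVICES:
        return False, "device identity not verified"
    if req.resource not in GRANTS.get(req.user, set()):
        return False, "user not authorized for this resource"
    return True, "user, device and authorization verified"

# Constructed sample requests.
INSIDER = Request("bob", True, True, "laptop-0042", "10.1.2.3", "payroll-db")
REMOTE = Request("alice", True, True, "phone-0107", "203.0.113.9", "payroll-db")
NO_MFA = Request("alice", True, False, "laptop-0042", "10.1.2.4", "payroll-db")

if __name__ == "__main__":
    for name, req in [("insider", INSIDER), ("remote", REMOTE), ("no_mfa", NO_MFA)]:
        print(name, perimeter_decision(req), zero_trust_decision(req))
```

The insider request passes the perimeter check but is denied under zero trust because the user holds no grant for that resource, while the verified remote user is allowed despite the external address.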

Another benefit of zero trust is that it can help organizations to comply with regulations and industry standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA). These regulations often require organizations to implement robust security measures to protect against data breaches and other cyber threats.

There are also some challenges associated with implementing a zero trust model. One of the main challenges is the complexity of the model, which requires organizations to implement and manage a variety of security controls and processes. This can be time-consuming and resource-intensive, and may require organizations to invest in additional security infrastructure and staff.

Another challenge is the potential impact on user experience. By requiring users to authenticate and be authorized before accessing resources, zero trust can add an extra layer of complexity to the process of accessing and using these resources. This may be particularly problematic for organizations that rely on many remote or mobile users, who may be less willing to tolerate the added security measures.

Despite these challenges, many organizations are adopting zero trust as a way to better protect against cyber threats. According to a survey by Forrester, 71% of organizations that have implemented zero trust reported a significant reduction in security incidents, while 79% reported an improvement in the overall security posture of their organization.

Overall, zero trust is a security model that is well-suited to the modern threat landscape, which is characterized by a proliferation of cyber threats and an increasing reliance on remote and mobile users. While implementing zero trust can be challenging, the benefits of increased security and compliance make it a worthwhile investment for many organizations.


John King currently works in the greater Los Angeles area as an ISSO (Information Systems Security Officer). John has a passion for learning and developing his cyber security skills through education, hands-on work, and studying for IT certifications.