What is Zero Trust architecture?

Zero Trust architecture protects each of an organization’s resources with authentication, instead of just protecting access to the corporate network.

How does Zero Trust architecture work?

To understand Zero Trust architecture, first think about traditional security architecture: after someone signs in at work, they can access the entire corporate network. This only protects an organization’s perimeter and is tied to the physical office premises. This model doesn’t support remote work and exposes the organization to risk, because if someone steals a password, they can access everything.

Instead of only guarding an organization’s perimeter, Zero Trust architecture protects each file, email, and network by authenticating every identity and device. (That’s why it’s also called “perimeterless security.”) Rather than just securing one network, Zero Trust architecture also helps secure remote access, personal devices, and third-party apps.

The principles of Zero Trust are:

Verify explicitly

Consider every data point before authenticating someone’s access, including their identity, location, and device, as well as how the resource is classified and if there’s anything unusual that might be a red flag.

Use least privileged access

Limit the amount of information and length of time people can access something, instead of providing access to all company resources indefinitely.

Assume breach

Segment networks so if someone does get unauthorized access, the damage is contained. Require end-to-end encryption.

Benefits of using Zero Trust security

Businesses that implement Zero Trust architecture enjoy stronger security, support for remote and hybrid work, lower risk, and more time for people to focus on high-priority work instead of tedious tasks.

  • Support remote and hybrid work

    Help people work securely anytime, anywhere, using any device.

  • Minimize risk

    Limit damage by preventing attacks, spotting threats faster, and taking action sooner than with traditional security.

  • Migrate to the cloud

    Shift from on-premises to the cloud smoothly and reduce vulnerabilities during the process.

  • Save time

    Let security teams focus on incident response instead of password resets and maintenance by eliminating false positive alerts, extra workflow steps, and redundant security tools.

  • Improve the employee experience

    Simplify access to resources by using single sign-on (SSO) or biometrics instead of multiple passwords. Provide more flexibility and freedom by supporting a bring-your-own-device (BYOD) model.

Zero Trust capabilities and use cases

Key features of Zero Trust architecture include:


End-to-end governance

Siloed systems introduce risk. Instead, Zero Trust authenticates access to an organization’s whole digital estate with comprehensive encryption and strong identity management.



Discover shadow IT systems and all devices trying to access your network. Find out if users and devices are in compliance and restrict access if not.



Analyze data automatically and get real-time alerts about unusual behavior for faster threat detection and response.



Use AI to block attacks, reduce false alarms, and prioritize which alerts to respond to.


Zero Trust use cases include:

• Supporting hybrid and remote work or multiple cloud environments.
• Responding to phishing, stolen credentials, or ransomware.
• Giving secure, limited-time access to temporary employees.
• Protecting and monitoring access to third-party apps.
• Supporting frontline workers using a variety of devices.
• Staying in compliance with regulatory requirements.

How to implement and use a Zero Trust model

Here’s how to deploy and use Zero Trust for your organization’s identities, devices, networks, apps, data, and infrastructure.


1. Create strong identity verification

Start authenticating access to every app, service, and resource that your organization uses, starting with the most sensitive. Give admins tools to assess risk and respond in real time if an identity has warning signs, like too many failed login attempts.


2. Manage access to devices and networks

Make sure all endpoints, whether personal or corporate, are in compliance with your organization’s security requirements. Encrypt networks and ensure all connections are secure, including remote and on-site. Segment networks to limit unauthorized access.


3. Improve visibility into apps

“Shadow IT” is any unauthorized application or system that employees use, and it can introduce threats. Investigate which apps people have installed so you can make sure they’re in compliance, set permissions, and monitor them for any warning signs.


4. Set data permissions

Assign classification levels to your organization’s data, from documents to emails. Encrypt sensitive data and provide least-privileged access.


5. Monitor your infrastructure

Assess, update, and configure every piece of infrastructure, like servers and virtual machines, to limit unnecessary access. Track metrics so it’s easy to identify suspicious behavior.


Zero Trust solutions

Zero Trust solutions vary from tools anyone can use to complex, large-scale approaches for enterprises. Here are a few examples:

Individuals can turn on multifactor authentication (MFA) to get a one-time code before getting access to an app or website. You can also start signing in using biometrics like your fingerprint or face.

Schools and communities can go passwordless, since passwords are easy to lose. They can also improve endpoint security to support remote work and school, as well as segment access in case a device is lost or stolen.

Organizations can adopt Zero Trust architecture by identifying all access points and implementing policies for more secure access. Because Zero Trust is a long-term approach, organizations should commit to ongoing monitoring to detect new threats.

The role of Zero Trust for businesses

Zero Trust is a comprehensive security model, not a single product or step to take. Businesses need to reevaluate their entire security approach to meet today’s challenges and cyberthreats. Zero Trust provides a roadmap for security, and when implemented, can not only make organizations more secure but also help them scale safely and be prepared for the next evolution of cyberthreats.

Businesses interested in adopting Zero Trust architecture should look for solutions that:


• Authenticate each access point, verify every identity, and limit access.
• Encrypt data end-to-end, including emails and documents.
• Provide visibility and real-time analytics to monitor and detect threats.
• Automate threat responses to save time.

Learn more about Microsoft Security

Frequently asked questions


Zero Trust is widely accepted and has been praised by cybersecurity authorities for over a decade. Large enterprises and industry leaders use Zero Trust and adoption is growing as more organizations adopt remote and hybrid work.

Zero Trust is important because organizations need threat protection against the latest cyberattacks and a way to support secure remote work. Due to the rapid increase in threats and high cost of responding to a data breach, Zero Trust has become even more important in recent years.

Zero Trust network security means not trusting an identity just because it has gained access to a network. Instead, implementing Zero Trust network access means continuously authenticating every device, app, and user trying to access the network, encrypting everything on the network, segmenting the network to contain any attacks, establishing policies to limit network access, and identifying threats in real time.

The main concepts of Zero Trust are to continuously authenticate users and devices (instead of just once), encrypt everything, provide the minimum access needed and limit access duration, and use segmentation to limit the damage of any breaches.

Zero Trust in the cloud means applying Zero Trust principles and strategies to an organization’s cloud security so that cloud resources are secure and in compliance and an organization has more visibility. Zero Trust in the cloud encrypts anything stored in the cloud, manages access, helps identify any breaches to cloud infrastructure, and speeds up remediation.