In the age of widespread remote work, digital collaboration and cloud adoption, cybersecurity threat perimeters are growing. This reality, coupled with ever-evolving attack vectors, is leading many organizations to adopt zero-trust security models. Zero-trust models are intended to ensure no entity—either human or machine—is inherently trusted, thus reducing the risk of breaches and insider threats.
Zero trust entails a significant paradigm shift, and implementing it effectively requires a clear strategy and a deep understanding of its foundational principles. Below, members of Forbes Technology Council share essential elements of a robust zero-trust environment and explain the role they play in a well-rounded strategy.
1. Continuous Verification
In a zero-trust model, continuous verification occurs—there is no default trust, and real-time checks are conducted. As modern cybersecurity requires it, zero trust combats complex threats by valuing the assumption that attackers can penetrate the network from any point. Continuous verification provides strong controls to protect remote workers from possible security threats. – Daniel Keller, InFlux Technologies Limited (FLUX)
2. Least-Privilege Access
The principle of least privilege is essential for reducing attack surfaces by limiting user and device access to only what is necessary, thereby decreasing breach impacts. It curtails insider threats, enhances security measures by enforcing stringent access controls, aids in compliance with regulations, and simplifies the auditing process by clearly tracking access. – Anvesh Gunuganti, Optum
3. Simplified Management
Zero trust is just one piece of the puzzle; we must avoid creating a complex environment. Throwing an array of point products at the problem isn’t the answer. To make zero trust meaningful, simplify management by converging it with SD-WAN, a cloud access security broker, data loss prevention and a secure Web gateway, connecting over a private backbone with multiple points of presence (sounds like SASE to me). – Etay Maor, Cato Networks
4. An Understanding Of Your Most Sensitive Data
Zero trust isn’t just about “verify everything”; it’s about knowing exactly what to protect and who or what has access to it. Know thy data. If you don’t know where your most valuable and sensitive data is or how it’s being used, all the authentication in the world won’t save you. Visibility and control over valuable and sensitive data is step No. 1 in any zero-trust strategy—because you can’t protect what you don’t see. – Ravi Ithal, Proofpoint
5. Clear Definitions Of Roles
Zero-trust deployments are most effective when an organization has a clear understanding of the roles that exist and the access that each role requires. If this isn’t understood before embarking on the change, there can be too much trial and error, resulting in a poor user experience. Better planning in advance, along with capturing this data in an identity management platform, makes a huge difference. – Ciaran Roche, Coevolve
6. Asset Discovery And Validation
Asset discovery and validation through continuous monitoring and real-time inventory tracking is crucial in zero-trust environments. By maintaining a dynamic catalog of all network assets and their security states, organizations can quickly identify and respond to unauthorized devices or compromised resources, ensuring no security gaps exist. – Nick Damoulakis, Orases
7. Management Of Machine And Non-Human Entities
One key principle of an effective zero-trust environment is managing machine and non-human identities. Devices, applications, workloads, service accounts and APIs require certificates to enable trust, authentication and encryption. By automating certificate life cycle management, you can ensure continuous trust, promote strong authentication and prevent unauthorized access to critical systems. – Gregory Webb, AppViewX
8. An ‘Assume Breach’ Mindset
One core tenet of zero trust is “assume breach,” meaning we operate as if attackers are already inside. This is crucial because it shifts our focus from perimeter defense to protecting data and resources directly. By assuming a breach, we proactively limit an attacker’s lateral movement and potential damage, even if they manage to gain initial access. – Neil Lampton, TIAG
9. Microsegmentation
A key zero-trust principle is microsegmentation, which divides networks into small, isolated segments with strict access controls for each. This is crucial because it prevents attackers from moving laterally once they breach one segment, drastically reducing the potential damage and limiting the scope of a successful attack. – Praveen Thopalle, Dell Technologies
10. Shadow IT Visibility
Shadow IT visibility is critical in zero-trust environments, which hinge on controlling and monitoring resource access. SaaS offerings, including AI, are often adopted outside of central identity and access management systems, and organizations cannot see or monitor the interactions, permissions or even the data that is transferred into these hidden services, thwarting zero-trust controls. – Douglas Murray, Auvik
11. Dynamic, Daily Identity Governance
Dynamic, daily identity governance is key to effective zero trust. Static role-based access is outdated—organizations must continuously assess identity risk using knowledge graphs and digital twins to adapt permissions based on context, behavior and anomalies. This ensures just-in-time access, minimizing attack surfaces while enabling secure, frictionless operations in hybrid and AI-driven environments. – Craig Davies, Gathid
12. A ‘Never Trust, Always Verify’ Approach
A key principle of zero trust is “never trust, always verify”—every access request must be authenticated, authorized and continuously validated. This minimizes risks like unauthorized access and insider threats. For example, the U.S. Space Systems Command applies zero trust to secure satellite communications and ground systems, protecting critical space infrastructure from cyberthreats. – Shelli Brunswick, SB Global LLC
13. AI-Powered Threat Detection And Response
One key feature of an effective zero-trust environment is AI-driven threat detection and response. By leveraging machine learning, systems can continuously analyze user behavior, network patterns and access requests to detect anomalies in real time. This proactive approach is crucial as it identifies potential threats faster than traditional methods, enabling dynamic, risk-based access controls. – Deepak Gupta, Cars24 Financial Services
14. Dynamic Access Controls
As employees’ roles change within a company, their access controls might not be updated promptly, leading to excessive permissions that violate zero-trust principles and increase cyberthreat exposure. Dynamic access controls mitigate this risk by leveraging real-time data to make adaptive, automatic decisions about granting or revoking access based on risk factors. – Piyush Pandey, Pathlock
15. Time-Bound Access
Time-bound access is crucial for security. Accounts or sessions should automatically expire after their set duration. If users need access again, they must request and revalidate it. This prevents dormant accounts with unlimited access from becoming potential security risks over a period of time, ensuring tighter control over permissions. – Koushik Sundar, Citibank
16. Securing The Weakest Link
A key principle of zero trust is securing the weakest link—end users—through strict identity verification and access controls. In my experience, many zero-trust models fail when they’re focused only on network segmentation or devices. Without robust user authentication and behavior monitoring, attackers bypass defenses through compromised credentials. Protecting users is critical in zero-trust security. – Tim Bates, Oppos
17. Three-Factor Security
Verification is required in an effective zero-trust environment; access should never be granted by default. While multifactor authentication is key, it’s not enough. Strong security combines three factors: something you know (like a password), something you have (like a smart card), and something you are (biometric data). Adding device trust technologies can strengthen access control. – Metin Kortak, Rhymetec
18. Verifiable Identities For All Devices
Zero trust isn’t about trusting nothing—it’s about earning trust. Traditional networks grant access just because a device is on the network, which is a terrible idea. Instead, every device should have a verifiable identity, backed by certificates, and get only the minimum access needed. Attackers will get in—your job is making sure they can’t do anything useful once they’re there. – Avery Pennarun, Tailscale