Zero trust is a strategic security concept and framework built on the principle that no implicit trust is granted to entities, assets, user accounts, or connections based solely on simple factors. Depending on the policy configuration, these factors include physical or network location, such as local area networks vs. the internet, or asset ownership, such as enterprise-owned or personally owned.
Zero trust policies require that all entities, whether inside or outside the organization's network, be authenticated, authorized, and continuously validated for security configuration and posture before gaining or maintaining access to applications and data. They further require that those entities be placed in isolated and managed segments within an infrastructure and that their access to assets or network enclaves be session-based and dependent on policy controls.
Zero trust platforms include broad features like identity and access management (IAM), device security, network security, data security, application security, visibility and analytics, automation and orchestration capabilities, integration and interoperability, and compliance and policy management.
To qualify for inclusion in the Zero Trust Platforms category, a product must:
Follow the principle of "never trust, always verify" by enabling granular permissions based on user roles, content, and policies
Enforce identity-based controls with strong authentication, such as single sign-on (SSO) and multi-factor authentication (MFA), before access is granted to workloads
Continuously evaluate trust by monitoring behavior and security posture in real time
Offer zero-trust network access to ensure users can only reach authorized applications or resources