Zero trust: the security paradigm for the digital age
In our changing world, organisations have no choice but to continuously refine their security strategy. The zero-trust approach challenges the assumption of inherent trust within IT infrastructures and requires authentication of every access request. Organisations that adopt such a model can both increase their security and drive digital transformation. But what’s at the core of this approach?
February 2025, text Andreas Heer 6 min.
The protective wall is breached and the attacker storms the interior of the facility. This is not a scene from a movie, but the starting point for a company’s cybersecurity strategy. Security loopholes including exploited 0-days in firewalls of different manufacturers have opened a backdoor for attackers. The cloud and remote working have also undermined on-premises security models. With the ‘assume breach’ approach, organisations presume that cybercriminals have long been looking around their infrastructure.
The security paradigm that takes this scenario into account is called zero trust. ‘This is a paradigm and an architecture concept that removes implicit trust within the IT landscape,’ says Stephan Andreas Weber, a cybersecurity specialist at Swisscom, explaining the idea behind it. While traditional security architectures protect the perimeter and trust devices and people within the corporate network, all access requests from both humans and machines are authenticated in a zero-trust approach. Ensuring attacks can be detected at an early stage.
Zero trust as an enabler of digitalisation
But zero trust is not just another form of security – it is a digital transformation enabler. ‘This approach enables the secure deployment and use of cloud services, helping organisations to meet legal and compliance requirements during the transition to the digital age,’ emphasises Weber. At the same time, zero trust provides a secure foundation for hybrid models that allow employees to work securely and flexibly while away from the office, for example when on the go or at home. Policies covering aspects such as access to the organisation’s cloud resources can then be enforced regardless of location.
Furthermore, zero trust increases cyber resilience(opens in new tab) by providing dynamic and adaptive security policies. This helps organisations to react quickly to new threat scenarios and to be agile in adapting their cybersecurity to changing business conditions.
The five principles of zero trust
Zero trust is a comprehensive security strategy that covers all levels of the IT infrastructure. These include:
- Controlling people’s access to services (user-to-service)
- Monitoring activities within these services (user-in-service)
- Securing communication between different services via API (service-to-service)
With this holistic approach, every interaction is continuously verified and validated to ensure the security and integrity of the IT environment. The zero-trust model comprises five principles for identifying, authenticating and authorising employees and services:
- Continuous verification
Every access to resources, whether by employees, devices or services, is constantly verified and validated. - Principle of least privilege
Access rights are granted only to the extent necessary for the respective task. The fine-grained assignment of rights minimises potential areas of attack. - Centralised information collection and analysis
All relevant security information (such as identity data, device statuses and login processes) is monitored centrally in order to create a comprehensive overview of the situation and dynamically control access. - Comprehensive security controls
Security measures are implemented across all infrastructure levels and components, from personal identity to devices, networks, services and data. - Dynamic access controls
Access control is based on real-time data such as user context, device status and location (geolocation). This control is often carried out by policy engines that apply adaptive policies.
Strategic alignment with Agile values
In terms of implementation, there are parallels between zero trust and the Agile Manifesto(opens in new tab), which defines the values and principles of Agile (software) development. Both emphasise continual adaptation, a shift away from rigid assumptions and the promotion of collaboration. While Agile refines software development with iterative feedback loops, the zero-trust model uses continuous monitoring and real-time validation of security policies. Organisations can iteratively adapt and expand their architecture in order to progress their zero-trust maturity. ‘This contributes to better results because adjustments are made gradually, based on current conditions,’ summarises Weber.
With zero trust, the focus is on protecting the interaction and needs of the individual actors in the organisation. Priority is given to the most important and critical business processes. The focus does not have to be exclusively on security measures, emphasises Weber: ‘We recommend that usability be taken into account in a zero-trust implementation and that business processes be simplified for use.’ For example, companies can remove barriers for users while still increasing security by automatically authenticating devices using certificates as an additional factor.
Using maturity models to plan and measure zero-trust approaches
When implementing a zero-trust approach, organisations should establish targets that are as measurable as possible, such as a shorter MTTD (mean time to detect) or the achievement of a particular degree of maturity. Weber says that support is available: ‘Maturity models are important tools for assessing the current status of implementation, setting milestones and measuring progress.’
These models also offer a common language for communicating progress to non-technical stakeholders. Popular maturity models include NIST SP 800-207(opens in new tab) for multi-cloud environments and CISA Zero Trust(opens in new tab). The Swisscom Zero Trust Journey(opens in new tab) advisory approach is also based on these and facilitates gradual implementation.
Implementing zero trust
Introducing a zero-trust approach is a major undertaking. After all, this paradigm needs to be implemented across different local and cloud infrastructures and platforms, and any legacy systems also have to be taken into account. Weber therefore recommends a strategic approach that begins with these three steps:
- Create the mindset for this security transformation and confirm the will to implement it, for example with appropriate governance.
- Secure identities (users, devices, services, etc.), for example with a company-wide Identity & Access Management (IAM) system. Ideally, the trust assessment process should begin with user accounts.
- Even if the aim is to secure business-critical processes, it’s worth going after the low-hanging fruit first and starting with the areas where maturity can be most easily increased.
In zero-trust architectures, identities are the new security perimeter to some extent. Protecting them is therefore a priority. After that, organisations can apply zero-trust mechanisms to their ‘crown jewels’ – processes, data and services. Focusing on the core areas ensures that a basic level of security is quickly achieved and there are visible results that build stakeholder trust.
The zero-trust journey continues
Implementing zero-trust approaches is a continuous process, not a one-off initiative. It requires constant support, training and adaptation to new situations. Technologies such as AI-driven security analyses and automated measures can be used to further refine zero-trust approaches.
And while in the movies the invaders are repelled after a heroic battle, in reality the happy ending is a bit less dramatic, but all the more successful: for organisations, zero trust serves as an enabler of business agility and improved cyber resilience.
Glossary: the most important components of a zero-trust architecture
The key components of a zero-trust infrastructure comprise a variety of technologies and approaches that together ensure a comprehensive security strategy. Here are some of the most important components:
Identity & Access Management (IAM) system
This core element of a zero-trust architecture allows for centralised management of identities and access rights. IAMs ensure that users can only access the resources they need, integrating features such as single sign-on (SSO) and role-based access control (RBAC).