Skip navigation

A Zero Trust Strategy

Never trust; always verify. A zero trust model establishes trust in users and devices through authentication and continuous monitoring of each access attempt, with custom security policies that protect every application.

Watch Cisco's Webinar Register for Duo's Webinar

What is Zero Trust?

Zero Trust: A strategy that allows little room for assumptions to be made; a user must never trust that they are accessing their data securely and instead must double- or triple-verify identity at login.

Traditional security approaches assume that anything (devices, users, infrastructure, etc.) inside the corporate network can be trusted. The reality is that this assumption no longer holds true. 

Now more than ever, employees and users have more control over the applications they use. Data and applications are no longer behind the firewall, and users can connect directly to work applications over the internet using personal owned devices.

People using devices plus icons of clouds and screens, representing zero trust security.

What are the main concepts of zero trust?

  • User/Application Authentication
    Ensuring users and their devices are trustworthy at every access request, no matter where it comes from
  • Device Authentication
    Securing access across applications and networks
  • Trust
    Extending trust to support a modern enterprise across the distributed network

A core tenet of zero trust is that security is not a one-size-fits-all proposition, even within the same organization. Zero trust applies anywhere an access decision is made. When approaching security design using the zero trust model, it’s easiest to break adoption down into three pillars: 

  • Workforce
    Ensure only the right users and secure devices can access applications.
  • Workload
    Secure all connections within your apps, across multi-cloud.
  • Workplace
    Secure all user and device connections across your network, including IoT.

The massive demand to support remote work and adopt cloud environments amplifies the need for security in the workforce, so that’s where many organizations begin their adoption of a zero trust security.

How does Zero Trust Work?

Zero trust can be summed up as “never trust; always verify.” This approach treats every access attempt as if it originates from an untrusted network — so access won’t be allowed until trust is demonstrated. Once users and devices have been deemed trustworthy, zero trust ensures that they have access only to the resources they absolutely need, to prevent any unauthorized lateral movement through an environment.

Adoption of zero trust can help address common security challenges in the workforce, such as phishing, malware, credential theft, remote access, and device security (BYOD).

This is done by securing the three primary factors that make up the workforce: users, their devices, and the applications they access.

Two people looking at a screen and an illustration of a screen with checkmarks, representing zero trust users.

Users that Need Access

Users are the people, such as employees, contractors, partners and vendors, that need access to work applications and systems. 

Zero trust requires that a user be given access only to the applications they truly need to do their job — and no more. It also requires that user identities be verified using a method like strong multi-factor authentication, to establish that they are who they say they are at every single access attempt.

A person looking at a smart phone and an illustration of a smart phone authentication screen, representing zero trust devices

Secure Devices

Devices are the things that are used to gain access to resources. These could be corporate-managed or personal devices (desktops/laptops, tablets, mobile phones).

Under zero trust, devices are checked at every access request to ensure that they meet security parameters and aren’t introducing risk. Devices should also be monitored over time, to detect potential threats or anomalous behavior.

A person on a laptop and an illustration of a browser screen, representing zero trust applications.

Application Access

Applications are the tools businesses use to operate. They can be located anywhere — from the cloud, to being hosted in-house or on physical systems.  

Application access should be governed by adaptive access policies, created based on the sensitivity of the data in the application. This granularity ensures that access is provided only to users or groups of users who need it, from locations and devices that are trusted.

What are the challenges of implementing Zero Trust?

Zero trust arose to address the uniquely 21st-century security challenges that exist in the modern workplace.

Security Overload for End-Users

As apps, data and identities move to the cloud, the IT model extends past the traditional corporate perimeter. Organizations need to comprehensively secure this new model, without compromising on agility or usability.

Workforce Decentralization

Deperimeterization means that users may not be protected by traditional security measures, and may be more susceptible to phishing, malware and other threats.

Environmental Complexity

Environments are now a hybrid mix of legacy on-premises services and multi-cloud infrastructure and software as a service (SaaS) apps. 

Attackers that make it past one verification point (such as a firewall or a user login) can exploit inherent trust and move laterally within a network, application or environment to target sensitive data.

What are the Benefits of Zero Trust?

Streamline User Experiences 

Adding security doesn’t need to add friction to a user's experience. By implementing solutions that verify users and devices at the point of access you can provide a balance between security and productivity. 

Adaptive policies and device monitoring practices inherent to zero trust help you catch and mitigate security risks before they become problematic. 

Protect a Diverse Workforce

Zero trust requires that companies have visibility into users and their devices as they access applications. Enforce user, device or application-specific policies to meet your organization's security requirements for access. Flag risky users’ devices, then block or notify users to update any out-of-date software on their own devices before granting access to applications.

Secure Remote Work

By applying the same trust-based reasoning to every access point, users get a consistent and productive security experience regardless of location, device or whether their applications are on-premises or in the cloud.

Make it harder for attackers to access and move laterally within your environment by segmenting resources, using strong authentication factors, adding encryption, and marking known and trusted devices.

The History of Zero Trust

The term “zero trust” entered the security lexicon relatively recently, but the concept itself has been around for nearly two decades. 

Today, zero trust is a leading security model poised to evolve further in the years to come.

Hands using laptops & a security token, & wooden blocks with bullseye and gear icons, reflecting the evolution of zero trust.
2004: The Need for Trust Arises

In the early 2000s, the Jericho Forum was created to tackle “de-perimeterization,” which was becoming more and more common in the workplace. Hybrid infrastructures meant the traditional castle and moat approach to security became antiquated and the threat surface broadened.

2009: Zero Trust Is Born

In 2009, John Kindervag, then a Vice President and Principal Analyst on the Security and Risk Team at Forrester Research, introduced the concept of a “zero trust model,” in response to these security challenges. He defined the approach as one that assumes traffic within an enterprise’s network is no more trustworthy by default than traffic coming from the outside​.

2014: Google Implements BeyondCorp

This model served as the building blocks for Google's BeyondCorp, introduced in 2014. BeyondCorp is Google’s particular implementation of the zero trust architecture. It includes securely identifying users and devices, separating trust from the network, externalizing apps and workflow, and implementing inventory-based access controls.​

2017: Continuous Adaptive Risk & Trust Assessment

Gartner's CARTA model - continuous adaptive risk and trust assessment - calls for a shift away from one-time, binary access decisions toward contextual, risk and trust-based decisions. This model is about giving just enough trust to users, even after authentication, to complete the action requested.​

2018: Forrester Extends Zero Trust

Forrester evolved to the zero trust extended framework and introduced seven pillars for the model’s implementation. The research giant started the publication of a Wave report, evaluating leading vendors offering zero trust solutions.​

2019: Zero Trust Goes Mainstream

2019 saw zero trust enter the mainstream with NIST’s SP-800-207 zero trust guidance and UK NCSC guidance. These recommendations align important core tenets of security that every organization should be paying attention to when designing their own zero trust journey

How to Implement Zero Trust

There are five phases for implementing Zero Trust for the Workforce, which comprises an organization’s users and their devices, and how they access applications. The approach is iterative. 

Begin with a specific set of people, expand coverage for their applications, and expand coverage for their devices. Once we are always verifying trust within this well-defined scope, apply a set of reasonable policies to enforce trust and protect the organization. Finally, integrate this scope with the broader organization’s IT and security functions and shift to continuous improvement.

1. A hummingbird eating out of a person's hand, representing user trust.

Establish User Trust

Ensure only authorized users are accessing your resources. This can be done a number of ways — multi-factor authentication (MFA) is the most prevalent method, but passwordless authentication is also becoming an attractive option.

  • Duo’s Cloud-Based SSO
    Enable single sign-on (SSO) for any SAML2-enabled app, to consolidate users’ login workflows under a single set of credentials, protected by strong MFA.

    Duo SSO is available in all Duo editions.
2. A cat watching a fish in a fishbowl, representing device and activity visibility.

Device and Activity Visibility

Which endpoint or device is being used with every access request? What is its current security state, and from where is the request originating? Tracking device activity is key in detecting account takeover attempts and other risks.

  • Duo’s Device Visibility
    See every endpoint that’s logging in to your apps, so that you can spot risky devices before they compromise your resources.

    Device Visibility is available in all Duo editions.
  • Duo’s Device Health
    Monitor laptop and desktop devices to ensure they have the right security protocols in place.

    Device Health is available in Duo Advantage and Duo Premier.
  • User Self-Remediation
    Allow users to easily correct security issues on their devices without help desk involvement.

    User Self-Remediation is available in all Duo editions.
3. A person uses handholds to climb, representing device trust.

Device Trust

Define the characteristics of a “trusted” device within your organization. Identify known devices, both corporate-managed and personal, that meet those criteria, so that unexpected devices can be easily flagged.

  • Device Access Policies
    Manage access permissions based on operating system, encryption status, software version and more.

    Device Access Policies are available in all Duo editions, with advanced options in Duo Advantage and Duo Premier.
  • Duo’s Trusted Endpoints
    Identify corporate-owned vs. personal laptops, desktops, and mobile devices, to reduce friction in user workflows.

    Duo’s Trusted Endpoints is available in Duo Premier edition.

4. A chameleon on a tree limb representing adaptive policies.

Adaptive Policies

Set requirements for access based on the sensitivity and security state of your resources. These policies can range from allowing only corporate-managed devices to requiring certain versions of software, encryption or step-up authentication based on user behavior.

  • Application Access Policies
    Enforce security policies for any and every application, block Tor and anonymous networks, detect anomalous access, and more.

    Application Access Policies are available in all Duo editions, with advanced options in Duo Advantage and Duo Premier.
5. Two bees on a flower, representing workforce zero trust.

Zero Trust for the Workforce

You’ve achieved zero trust for the workforce! All applications and systems within scope are protected; monitoring and response to threat scenarios are ongoing. Now, it’s time to optimize user workflows and management of your zero trust ecosystem.

  • Modern Remote Access with the Duo Network Gateway
    Provide clientless remote access to any application, including internal servers via SSH. Employees will experience a streamlined, friction-free login flow, whether they’re on the corporate network or not.

    The Duo Network Gateway is available in Duo Premier edition.
  • Logging and Reporting
    Set up reports to consistently monitor activity specific to your organization. Export logs for compliance purposes, see the impact of your security policies, identify whether a third-party agent is enabled on a user’s device and more.

    Logging and reporting features are available in all Duo editions, with advanced options available in Duo Advantage and Duo Premier.
  • Duo Trust Monitor
    Capture what baseline access activity looks like for your users and devices, so that you can easily spot anomalous behavior.

    Duo Trust Monitor is available in Duo Advantage and Duo Premier editions.

Related Topics

Multi-Factor Authentication

User trust is the foundation upon which a zero trust strategy is built — and strong multi-factor authentication is a tested and proven way to establish that trust.

Device Trust 

Under zero trust, devices should be checked and monitored based on unique, situation-based policies. Duo’s Device Trust helps you do exactly that.


Credential theft continues to be a thorn in the side of even the most diligent zero trust adherent. A passwordless approach could change that.

Cover of Cover of the From MFA to Zero Trust white paper: a collage of a phone, laptop, lock & woman holding a portrait over her face. eBook

From MFA to Zero Trust: A Five-Phase Journey to Securing the Workforce

Achieving zero trust for the workforce is a journey. In this white paper, we'll take you through a five-phase iterative transformation which ensures users and devices can be trusted as they access systems, regardless of location.

Get the Free Guide