What is zero trust architecture?
According to IBM's 2024 Cost of a Data Breach report, an average breach costs an organization $4.88 million, a number that climbs even higher based on the number of records exposed. These hard facts mean that the days of trusting anything inside your network perimeter are over. After all, it doesn’t matter whether it was an IT failure or a human error that led to a breach. Your financial and reputational hit will be the same either way.
The solution here? Zero trust architecture, which fundamentally challenges the traditional security model by operating on a simple but powerful premise: Never trust, always verify. This approach, defined in NIST’s zero trust maturity model, treats every access request as potentially hostile, regardless of where it originates from or who makes it.
Interestingly, the move to zero trust isn't just about technology, though that's certainly part of it. It also comes down to how modern enterprises operate. Remote workforces, cloud-native applications, IoT devices, and hybrid infrastructures have dissolved traditional network boundaries. What we're left with is a landscape where the old “castle-and-moat” approach to security offers little more than a false sense of protection.
Federal initiatives have also accelerated zero trust adoption rates. Executive Order 14028 required federal agencies to develop zero trust strategies, while OMB M-22-09 (Federal Zero Trust Strategy) and the DoD Zero Trust Strategy (2022) have provided detailed implementation roadmaps alongside CISA guidance. These mandates haven't just influenced government organizations; they've created market momentum that drives private sector adoption.
Core principles of zero trust architecture
Zero trust is built on three foundational principles that work in concert: verify explicitly, use least-privilege access, and assume breaches will happen. Let’s take a closer look at each:
Verify explicitly
Unlike traditional perimeter-based security models that establish trusted zones within corporate networks, zero trust architecture operates without implicit trust. This means your CFO accessing financial systems from the corporate office undergoes the same verification process as a contractor logging in from a coffee shop.
“Verify explicitly” means abandoning assumptions about user or device trustworthiness based on network location. Instead, every access decision should incorporate multiple data points, including user identity, device health, location intelligence, and behavioral analytics. The zero trust architecture you have in place should correlate identity context with network exposure, configuration drift, and vulnerability data to drive risk-based access decisions and automated remediation actions.
Modern implementations might verify a user's identity through multi-factor authentication while simultaneously checking their device for compliance with security policies. Factoring in each user’s typical access patterns and the sensitivity of requested resources can provide extra protection.
Use least-privilege access
Traditional VPNs grant network-level access to entire zones, which violates zero trust principles. Instead, pair VPNs with context-aware, least-privilege access controls and device posture checks—or better yet, adopt zero trust network access (ZTNA) solutions that verify identity and context before granting application-level access.
In practice, this might mean implementing just-in-time (JIT) access for administrative accounts, where privileged access gets granted temporarily and only for specific tasks. Session controls can automatically revoke access when risk levels change or when tasks are completed.
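As an added illustration of the two principles just described (example code, not from the article or from any vendor product), the Python sketch below evaluates every request on identity proof, device health and a behavioral risk score, derives no trust from network location, and issues grants that are scoped to a single action, time-boxed, and revoked as soon as session risk rises. The resource names, sensitivity classes, risk thresholds and grant lifetimes are constructed assumptions.

```python
"""Risk-based access decisions with just-in-time, time-boxed grants.

Added example for the "verify explicitly" and "least privilege" principles;
not code from the article or any vendor product. Resource names, sensitivity
classes, thresholds and grant lifetimes are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional


@dataclass
class AccessRequest:
    user: str
    resource: str
    action: str
    mfa_passed: bool        # identity proof from the identity provider
    device_compliant: bool  # posture result from MDM/EDR
    network: str            # "corp", "home", "public": recorded, never trusted
    risk_score: int         # 0 (benign) to 100 (hostile) from behavioral analytics


@dataclass
class Grant:
    user: str
    resource: str
    actions: FrozenSet[str]
    expires_at: datetime
    max_risk: int           # grant is revoked once session risk exceeds this


# Constructed classification: sensitivity drives how strict the policy is.
SENSITIVITY = {"finance-ledger": "high", "prod-db": "high", "wiki": "low"}
RISK_LIMIT = {"high": 30, "low": 70}     # highest risk score still allowed
TTL_MINUTES = {"high": 15, "low": 480}   # JIT grant lifetime


def decide(req: AccessRequest, now: datetime) -> Optional[Grant]:
    """Return a scoped, time-boxed grant, or None to deny.

    Every request takes the same path: MFA, device health and the risk score
    must all pass. The network field is deliberately not consulted, so a CFO
    in the office and a contractor in a coffee shop are verified identically.
    """
    level = SENSITIVITY.get(req.resource, "high")  # unknown resource: treat as sensitive
    if not (req.mfa_passed and req.device_compliant):
        return None
    if req.risk_score > RISK_LIMIT[level]:
        return None
    return Grant(
        user=req.user,
        resource=req.resource,
        actions=frozenset({req.action}),  # only the action that was asked for
        expires_at=now + timedelta(minutes=TTL_MINUTES[level]),
        max_risk=RISK_LIMIT[level],
    )


def is_valid(grant: Grant, action: str, now: datetime, current_risk: int) -> bool:
    """Continuous verification on each use: the grant must be unexpired, cover
    the action, and the session's current risk must still be within bounds."""
    return (
        now < grant.expires_at
        and action in grant.actions
        and current_risk <= grant.max_risk
    )


if __name__ == "__main__":
    t0 = datetime.now(timezone.utc)
    cfo = AccessRequest("cfo", "finance-ledger", "read", True, True, "corp", 5)
    grant = decide(cfo, t0)
    print("granted:", grant)
    print("valid after 5 min at risk 10:", is_valid(grant, "read", t0 + timedelta(minutes=5), 10))
    print("valid once risk jumps to 50:", is_valid(grant, "read", t0 + timedelta(minutes=5), 50))
```

The point of keeping `network` in the request but never reading it in `decide` is that location is still useful telemetry for the risk engine and for audit logs; it just never shortcuts verification.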
Assume a breach will happen
The final foundational principle says you should operate with the understanding that, sooner or later, attackers will gain some level of access to your environment. This principle focuses on minimizing blast radius through encryption in transit and at rest (for example, mutual TLS between services), microsegmentation that isolates workloads, and continuous monitoring that detects anomalous behavior.
Concrete cloud implementations might include microsegmentation that isolates workloads from each other, even within the same network zone, combined with continuous telemetry that detects lateral movement attempts. Container environments benefit from pod-level security policies, while function-level access controls protect serverless functions.
The five pillars of zero trust architecture
According to CISA, every zero trust system rests on five key pillars, each of which handles a distinct area of security. Together, these pillars are meant to safeguard every asset an organization owns.
Identity
What it is:
Central pillar that checks users and service accounts with extra security steps like multi-factor authentication, behavioral analysis, and privileged access management.
Extends beyond traditional user accounts to include service principals, managed identities, and cross-account roles that drive cloud-native applications.
How to implement it:
Continuously verify both human and machine identities with policies that adapt based on risk signals.
Start here for immediate visibility into access patterns and potential threats.
Foundational controls:
Multi-factor authentication (MFA)
Single sign-on (SSO)
Identity provider integration (Okta, Azure AD, Auth0)
Basic role-based access control (RBAC)
Advanced controls:
Just-in-time (JIT) access provisioning with temporary permissions
Adaptive authentication with real-time risk scoring based on location, device, and behavior
Cloud infrastructure entitlement management (CIEM) for permission rightsizing
Device
What it is:
Covers asset inventory, compliance checking, health monitoring, and trusted device policies.
In cloud environments, includes virtual machines, containers, and serverless execution contexts.
Managing devices can become complex in hybrid environments with corporate devices, personal devices, and cloud-native compute resources requiring consistent security controls.
How to implement it:
Inventory all devices and apply uniform policies across hybrid setups to maintain compliance and health checks.
Foundational controls:
Endpoint detection and response (EDR)
Mobile device management (MDM)
Automated patch management
OS-level encryption
Device inventory and asset tracking
Basic device compliance policies
Advanced controls:
Runtime integrity monitoring for virtual machines and containers
Continuous device posture attestation with health checks
Cloud workload protection platforms (CWPPs) with behavior-based threat detection
Device control policies for peripheral management
eBPF-based sensors for container runtime security
Automated response and remote wipe capabilities
Hardware virtualization security for complete isolation
Network/Environment
What it is:
Implements microsegmentation, encrypted communications, traffic inspection, and software-defined perimeters.
Cloud environments benefit from adaptive network policies.
Harder in older systems because separating network segments often requires major architecture changes, though cloud-native apps can apply network rules immediately.
How to implement it:
Deploy adaptive policies for segmentation and encryption, starting with cloud-native tools for quicker wins.
Foundational controls:
Network firewalls
Virtual private cloud (VPC) segmentation
Security groups and network access control lists (NACLs)
TLS/SSL encryption for data in transit
Basic traffic inspection
VPN gateways
Advanced controls:
Identity-aware microsegmentation with granular policy enforcement
Software-defined perimeters (SDPs)
Service mesh integration with automatic mTLS (Istio, Linkerd)
Cloud network firewalls with deep packet inspection
Egress filtering and monitoring
Zero trust network access (ZTNA) solutions
Why traditional perimeter-based security fails in modern environments
When applications span multiple cloud providers, data moves between numerous services, and users access resources from anywhere, the concept of a security perimeter becomes meaningless.
Here’s a closer look at why traditional perimeter-based security falls short in the cloud:
Lateral movement: The assumption that internal network traffic is trustworthy proves dangerous when attackers gain initial access and start to move laterally through "trusted" network zones. Segmentation raises the bar by forcing attackers to breach multiple security boundaries, but without identity-aware controls and continuous verification at each boundary, attackers can still pivot within allowed network paths and escalate privileges.
Remote work: People using their own devices, working from home networks, or accessing things on the go offer many ways around usual security measures. VPNs create secure connections, but they don't solve the core problem: People working remotely (and their devices) still require access to internal resources.
Multi-cloud deployments: Applications that span AWS, Azure, and Google Cloud produce network designs that no single perimeter can enclose. On top of that, each provider has its own security model, which makes it tough to enforce consistent policies if you're only securing the perimeter.
Legacy environments: Old environments frequently make the problems we’ve discussed worse because they operate programs that weren’t built to be secure from the start. When systems use the same account for many tasks, allow wide access on networks, or fail to record enough activity, intruders who get inside a system can easily spread around.
Business and security benefits of zero trust architecture
Now that we’ve seen what’s at stake, let’s look at what ZTA has to offer:
Enhanced security posture
Zero trust systems constantly watch for trouble in every access attempt, collecting data to show how attacks happen and alerting you when things seem off.
Another huge benefit to your security posture? Microsegmentation. Breaking down security into smaller parts keeps threats contained. If someone breaks into a system, they often find themselves stuck in a limited area, unable to move to other parts of the network.
For hard data on the benefits of zero trust, organizations track measurable KPIs like…
Percentage of identities with just-in-time access
Percentage of workloads protected with mutual TLS
Time required to rightsize excessive privileges
Mean time to contain lateral movement attempts
Percentage of sensitive data stores with least-privilege access controls
Operational efficiency gains
Remember: Zero trust strategies aren’t just about security; they make employees’ day-to-day work smoother, too:
Single sign-on: When one login handles all accounts, access control isn’t frustrating, and managing security groups gets easier too.
Policy engines: Leveraging policy engines to automatically apply appropriate controls based on resource characteristics frees up security teams from doing the same tasks over and over again. Setting up security by hand for every new item doesn't work well, and with ZTA, there’s no need.
Cost optimization and ROI
You might be surprised by the potential savings. A Forrester Total Economic Impact study commissioned by Microsoft reported a 92% return over three years for organizations implementing Microsoft Zero Trust solutions, with payback periods under six months. That same study found an average cost savings exceeding $7 million from retired legacy systems.
That makes sense: Companies frequently find that building a zero trust system lets them combine similar security tools, which lowers expenses (no more tool sprawl!), simplifies technology management, and results in better overall coverage.
Compliance and business agility
Security systems with automatic checks make following rules easier, and they also improve how accurate the checks themselves are. Here’s how zero trust strategies boost compliance and business agility:
Logging and monitoring: Keeping logs of who accesses what makes creating reports for compliance rules easy. You simply query the information you already have, instead of trying to piece things together later.
Multi-cloud adoption: Zero trust helps businesses adopt new cloud services quickly by offering the same security rules for all your different cloud setups. Companies innovate faster when they can onboard online services knowing that their existing security features will keep everything safe.
M&A integration: Just like with multi-cloud adoption, mergers and acquisitions benefit from zero trust too. Zero trust architectures let you extend security policies to acquired organizations without requiring extensive infrastructure changes. The result? Fast integration timelines without any compromises on security standards.
Adaptability: Companies frequently discover greater adaptability when they put zero trust into practice. Protecting information by focusing on the data itself, not just the network, lets departments use new tech and try different ways of working, without waiting a long time for security checks.
Zero trust implementation challenges
Legacy system integration can be one of the most significant hurdles for zero trust adoption. Quite a few businesses still rely on vital apps that were built before today’s login methods existed, so fitting them into a zero trust setup can be tricky and also costly.
Modernization requirements often involve updating applications that don’t support APIs, implementing authentication capabilities in systems that assume network-based security, and bridging implicit trust architectures with explicit verification requirements. This work takes real effort—both building it and moving over without breaking anything. Graph-based platforms help by connecting these scattered challenges into a unified security context, showing how legacy gaps relate to broader risk across your environment. Teams can then prioritize modernization work based on actual exposure rather than treating every system as equally urgent.
But there are additional challenges. Many companies struggle to truly embrace zero trust because they lack the necessary funding or expertise. Finding experts to plan, build, and then maintain a zero trust system is tough because those skills aren’t readily available. Remember: Costs go beyond simply buying software; expect expenses for learning, outside help, plus daily upkeep.
Finally, getting people on board is usually tougher than fixing tech issues. When zero trust shifts how folks work—introducing fresh logins or altering teamwork—managing that shift in company culture matters a lot. If users foresee hassles or things feeling clunky, leaders might lose faith unless those worries are tackled head-on.
In the next section, we'll go over some of the best practices that can help ease your zero trust implementation journey so that there’s nothing holding you back.
Zero trust architecture in cloud-native environments
Cloud setups readily adjust resources, let services talk directly to each other, and automatically apply security rules, making them a great fit for zero trust. Here are our top zero trust tips and considerations for different aspects of cloud environments.
Containers
To lock down containers within Kubernetes, use Pod Security Admission or policy engines (for example, Gatekeeper or Kyverno), service meshes like Istio or Linkerd, NetworkPolicies for traffic control, and least-privilege role-based access control (RBAC) to create tight workload isolation. Tools such as Istio can automatically encrypt connections between workloads and provide visibility into how they interact.
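To make the "assume a breach" principle and the NetworkPolicy advice above concrete, here is an added example (not code from the article, from Kubernetes, or from any vendor) that audits a segmentation design by answering the defender's question: if one pod is compromised, which other workloads and ports can it still reach? It models the ingress semantics of Kubernetes NetworkPolicy, where a pod selected by no policy accepts all traffic and a selected pod accepts only the listed peers and ports, over a constructed inventory; every pod, label, namespace and port is an assumption.

```python
"""Microsegmentation audit: what can a compromised pod still reach?

Added example for the "assume a breach" principle and the Kubernetes
NetworkPolicy guidance; not code from the article, Kubernetes, or any vendor.
It models the ingress semantics of Kubernetes NetworkPolicy (a pod selected by
no policy accepts all traffic; once selected, only listed peers and ports are
allowed) over a constructed inventory, so every pod, label and port below is an
assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Pod:
    name: str
    namespace: str
    labels: Dict[str, str]
    ports: Set[int]  # ports the pod listens on


@dataclass
class Peer:
    """A 'from' entry. ns_labels=None means "the policy's own namespace";
    ns_labels={} means "every namespace" (mirrors podSelector/namespaceSelector)."""
    pod_labels: Dict[str, str] = field(default_factory=dict)
    ns_labels: Optional[Dict[str, str]] = None


@dataclass
class IngressRule:
    peers: List[Peer]
    ports: Optional[Set[int]] = None  # None means all ports


@dataclass
class NetworkPolicy:
    namespace: str
    pod_selector: Dict[str, str]  # {} selects every pod in the namespace
    ingress: List[IngressRule]    # [] means default-deny ingress for selected pods


def matches(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    return all(labels.get(k) == v for k, v in selector.items())


def ingress_allowed(src: Pod, dst: Pod, port: int, policies: List[NetworkPolicy],
                    ns_labels: Dict[str, Dict[str, str]]) -> bool:
    selecting = [p for p in policies
                 if p.namespace == dst.namespace and matches(p.pod_selector, dst.labels)]
    if not selecting:
        return True  # non-isolated pod: all ingress is accepted
    for pol in selecting:  # policies are additive: any matching rule allows
        for rule in pol.ingress:
            if rule.ports is not None and port not in rule.ports:
                continue
            for peer in rule.peers:
                if peer.ns_labels is None:
                    ns_ok = src.namespace == pol.namespace
                else:
                    ns_ok = matches(peer.ns_labels, ns_labels.get(src.namespace, {}))
                if ns_ok and matches(peer.pod_labels, src.labels):
                    return True
    return False


def blast_radius(src_name: str, pods: Dict[str, Pod], policies: List[NetworkPolicy],
                 ns_labels: Dict[str, Dict[str, str]]) -> List[str]:
    """Every 'pod:port' the source pod could connect to under the policies."""
    src = pods[src_name]
    return sorted(f"{p.name}:{port}" for p in pods.values() if p.name != src_name
                  for port in p.ports if ingress_allowed(src, p, port, policies, ns_labels))


# Constructed inventory: a three-tier shop plus a metrics scraper in another namespace.
PODS = {
    "frontend": Pod("frontend", "shop", {"app": "frontend"}, {80, 9100}),
    "api": Pod("api", "shop", {"app": "api"}, {8080, 9100}),
    "db": Pod("db", "shop", {"app": "db"}, {5432, 9100}),
    "prometheus": Pod("prometheus", "monitoring", {"app": "prometheus"}, {9090}),
}
NS_LABELS = {"shop": {"team": "shop"}, "monitoring": {"team": "observability"}}
POLICIES = [
    NetworkPolicy("shop", {}, []),                                   # default deny
    NetworkPolicy("shop", {"app": "api"},
                  [IngressRule([Peer({"app": "frontend"})], {8080})]),
    NetworkPolicy("shop", {"app": "db"},
                  [IngressRule([Peer({"app": "api"})], {5432})]),
    NetworkPolicy("shop", {},                                        # metrics scraping
                  [IngressRule([Peer({}, {"team": "observability"})], {9100})]),
]

if __name__ == "__main__":
    for name in PODS:
        print(f"{name:>10} can reach: {blast_radius(name, PODS, POLICIES, NS_LABELS)}")
    print("frontend with no policies:", blast_radius("frontend", PODS, [], NS_LABELS))
```

Running the audit shows the containment the policies buy (a compromised frontend reaches only the API port, not the database) and also a gap the inventory makes visible: the monitoring namespace has no policy at all, so every shop pod can still reach it. That kind of finding is what a default-deny baseline per namespace is meant to close.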
Microservices
Microservices lend themselves to a zero trust approach since they check each other constantly. They secure connections via encrypted communication, gatekeepers for APIs, and verification between services, alongside tracking activity across the system.
Serverless systems
To keep serverless systems safe:
Limit what each function can do.
Shield them while running.
Build security around events.
Use cloud-native identity with short-lived credentials (for example, AWS IAM roles, Azure Managed Identities, GCP service accounts) and least-privilege execution roles scoped to each function's specific needs.
Every invocation of a serverless function is a fresh access request, so defaulting to no trust is the natural choice.
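The per-function least-privilege roles recommended above, and the CIEM-style permission rightsizing mentioned in the identity pillar, both come down to the same exercise: compare what a role grants with what the function actually does, then shrink the grant. The following Python example (added here; not code from the article or from any cloud provider) performs that comparison for one function. The IAM policy document, the ARNs and the list of observed API calls are constructed for the example; in practice the usage records would come from the provider's audit log (CloudTrail on AWS).

```python
"""Rightsizing a serverless function's IAM policy from observed usage.

Added example for the serverless least-privilege and CIEM guidance above; not
code from the article or any cloud provider. The policy document, the ARNs and
the function's observed API calls are constructed; in practice the usage
records would come from the provider's audit log (CloudTrail on AWS).
"""
import json
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List, Set, Tuple

# Constructed "before": the broad role a function often ships with.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["dynamodb:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "logs:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "sns:Publish", "Resource": "*"},
    ],
})

# Constructed usage: (action, resource) pairs the function actually performed.
OBSERVED_CALLS = [
    ("s3:GetObject", "arn:aws:s3:::orders-bucket/incoming/1.json"),
    ("s3:GetObject", "arn:aws:s3:::orders-bucket/incoming/2.json"),
    ("dynamodb:PutItem", "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"),
    ("logs:PutLogEvents",
     "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/order-intake:*"),
]


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def find_wildcards(policy_json: str) -> List[str]:
    """Flag wildcard actions and the catch-all '*' resource, statement by statement."""
    findings = []
    for i, st in enumerate(json.loads(policy_json)["Statement"]):
        for action in _as_list(st["Action"]):
            if "*" in action:
                findings.append(f"statement {i}: Action '{action}' is a wildcard")
        for resource in _as_list(st["Resource"]):
            if resource == "*":
                findings.append(f"statement {i}: Resource '*' is a wildcard")
    return findings


def unused_grants(policy_json: str, observed: Iterable[Tuple[str, str]]) -> List[str]:
    """Action patterns in the policy that no observed call ever exercised."""
    used = {action for action, _ in observed}
    return [pat for st in json.loads(policy_json)["Statement"]
            for pat in _as_list(st["Action"])
            if not any(fnmatchcase(a, pat) for a in used)]


def _generalize(arn: str) -> str:
    """Collapse an S3 object ARN to its key prefix so new objects under the same
    prefix still work; a deliberate design choice for this example."""
    if arn.startswith("arn:aws:s3:::") and "/" in arn:
        prefix = arn[len("arn:aws:s3:::"):].rsplit("/", 1)[0]
        return f"arn:aws:s3:::{prefix}/*"
    return arn


def rightsize(policy_json: str, observed: Iterable[Tuple[str, str]]) -> Dict:
    """Build a policy that allows only the observed actions on the observed
    resources (one statement per service). Calls the original policy never
    allowed are ignored: they were denied, so they are not evidence of need."""
    doc = json.loads(policy_json)
    allowed = [pat for st in doc["Statement"] if st["Effect"] == "Allow"
               for pat in _as_list(st["Action"])]
    grants: Dict[str, Dict[str, Set[str]]] = {}
    for action, resource in observed:
        if not any(fnmatchcase(action, pat) for pat in allowed):
            continue
        g = grants.setdefault(action.split(":")[0], {"actions": set(), "resources": set()})
        g["actions"].add(action)
        g["resources"].add(_generalize(resource))
    return {"Version": doc["Version"], "Statement": [
        {"Effect": "Allow", "Action": sorted(g["actions"]), "Resource": sorted(g["resources"])}
        for _, g in sorted(grants.items())]}


if __name__ == "__main__":
    print("\n".join(find_wildcards(BROAD_POLICY)))
    print("unused:", unused_grants(BROAD_POLICY, OBSERVED_CALLS))
    print(json.dumps(rightsize(BROAD_POLICY, OBSERVED_CALLS), indent=2))
```

Two caveats are built into the design. Usage-based rightsizing only sees what the function did during the observation window, so a rarely used code path needs a long enough window (or a deliberate exception) before the grant is removed. And the prefix generalization for S3 keys is a judgment call: it keeps the policy usable for new objects, but a key prefix that is too broad gives back some of the privilege you set out to remove.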
Multi-cloud environments
Multi-cloud consistency requires unified policy management across AWS, Azure, and GCP environments and hybrid deployments. Organizations benefit from microservices security practices that work consistently across different cloud platforms while respecting platform-specific security capabilities.
How Wiz enables zero trust principles across multi-cloud environments
The picture we now have in front of us is compelling. Organizations struggle with increasingly sophisticated attacks that bypass traditional defenses, and breach containment times continue to extend. Luckily, zero trust offers a path forward that acknowledges the reality of modern threat landscapes.
Want a partner in your zero trust journey? Look no further than Wiz.
Wiz provides comprehensive capabilities that support zero trust implementation across complex cloud environments:
Agentless deep scanning provides coverage across cloud service providers and Kubernetes environments. Our agentless approach aligns perfectly with zero trust's "assume a breach" mindset by providing visibility without introducing an additional attack surface through agent software.
The Wiz Security Graph connects misconfigurations, vulnerabilities, identities, data exposure, and public access to reveal actual attack paths rather than isolated security findings.
CIEM capabilities identify excessive permissions and enable rightsizing for least-privilege access, while Wiz DSPM discovers and classifies sensitive data with automated protection that follows information across environments.
Unified policy automation integrates zero trust principles directly into CI/CD pipelines so security is built in during development rather than retrofitted later.
Runtime detection through lightweight eBPF sensors provides continuous monitoring of processes and network activity, delivering the “always verify” capabilities zero trust requires without traditional performance overhead.
Wiz brings agentless, code-to-cloud visibility together with a unified security graph and a single policy engine. That means fewer blind spots across your entire cloud estate, a prioritized risk queue based on real attack paths (not isolated findings), and automated guardrails that enforce zero trust policies from code to runtime. Instead of stitching together point solutions for each pillar, you get comprehensive zero trust coverage through one platform. Ready to see zero trust in action? Schedule a demo today!