What is zero trust security?
The U.S. National Institute of Standards and Technology (NIST) defines zero trust as a security model “designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”
Zero trust is based on the principle of "never trust, always verify." It treats all users, devices, and network traffic as possibly hostile. This is different from traditional security models, which are perimeter-based (think of a castle and moat).
Because it’s based on these principles, zero trust is a strategic approach, not a single product or technology. Tools that support zero trust will simplify your organization’s path to cybersecurity maturity.
Zero trust vs. traditional security models
Traditional perimeter-based security relies on tools like firewalls and VPNs. Once a user is admitted "inside" the zone of trust these tools define, they typically keep broad access for the rest of the session, with little or no re-verification.
But this model fails when it comes to some of today’s networking challenges:
With remote work, users and devices are outside the traditional perimeter.
Unmanaged, insecure IoT devices lack central visibility and control.
Cloud applications are reachable over the public internet, and the workloads behind them are dynamic and ephemeral.
Traditional controls often can’t detect insider threats or lateral movement and may not monitor or restrict users’ access to sensitive resources, increasing the risk of privilege escalation.
On the other hand, zero trust security models can provide dynamic, risk-based access controls based on the principle of least privilege.
Why does zero trust matter for cloud security?
According to an MIT poll of security leaders, 55% said their biggest challenge was securing hybrid or remote workforces. Next-biggest was securing decentralized applications and data in the cloud.
Zero trust is most urgently needed in hybrid and multi-cloud environments, where traditional tools can't see new attack surfaces such as ephemeral workloads, containers, and serverless functions.
To address this issue, zero trust…
Helps secure "east-west" traffic between cloud services (for example, an online store's web server talking to its database server), which never crosses the perimeter and so bypasses traditional security controls
Fills in security gaps created by the shared responsibility model, under which identity and access configuration is your responsibility (for example, on a PaaS AI platform the provider secures the underlying platform, while you secure your own data, application code, and the identities that can reach them)
Secures new attack paths in cloud-native architectures, like dynamic connections between APIs and microservices, as well as publicly exposed resources
What are the five pillars of zero trust in the cloud?
The CISA Zero Trust Maturity Model defines five pillars. Here’s how each maps to cloud-native controls:
| Pillar | AWS | Azure | GCP |
|---|---|---|---|
| Identity | IAM Identity Center, IAM | Microsoft Entra ID, Azure RBAC | Cloud Identity, Cloud IAM |
| Devices | WorkSpaces, AppStream 2.0 | Microsoft Intune (formerly Endpoint Manager) | Endpoint Verification, Chrome Enterprise |
| Networks | Security Groups, Network Firewall | NSGs, Azure Firewall | VPC firewall rules, Cloud Armor |
| Applications & Workloads | ECS/EKS with IAM roles | AKS with managed identities | GKE with Workload Identity |
| Data | KMS, Macie | Key Vault, Purview | Cloud KMS, DLP API |
Identity: Use just-in-time (JIT) access and privileged identity management (PIM), with SCIM provisioning from your identity provider, such as AWS IAM Identity Center (with SCIM/SSO).
Devices: Enforce device posture using EDR/MDM signals (e.g., disk encryption, OS version, EDR status), such as Google Endpoint Verification.
Networks: Apply microsegmentation (e.g., AWS Security Groups scoped to individual workloads) and enforce mutual TLS between services through a service mesh.
Applications & Workloads: Replace static secrets with workload identity and short-lived credentials, such as SPIFFE/SPIRE-issued SVIDs.
Data: Protect with KMS-backed envelope encryption (e.g., AWS KMS), tokenization, and data security posture management (DSPM).
How does zero trust work in cloud environments?
NIST SP 800-207 defines three logical components at the core of a zero trust architecture: the policy engine (PE), the policy administrator (PA), and the policy enforcement point (PEP). The PE and PA together form the policy decision point; the PEP sits in the data path between the requester and the resource.
They work together to evaluate every access request, not just the first one in a session, against predefined policy and the request's current context. Here's how a typical user request for access to a cloud resource is handled:
The policy enforcement point (PEP) receives the request and forwards it, with context such as identity, device posture, and risk signals, to the policy administrator (PA) →
The PA asks the policy engine (PE) whether access should be granted →
The PE returns its decision to the PA, which relays it to the PEP (and, on an allow, establishes the session credential) →
The PEP then enforces that decision, granting or denying access to the user; a later change in context can trigger re-evaluation and revocation of the session
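To make the PE/PA/PEP flow concrete, here is an added example (not code from the article or from NIST) that models the three components in Python and pushes a few requests through them. The entitlement table, the device-posture checks, the 0-100 risk score, the sensitivity labels and the 15-minute/1-hour session lifetimes are assumptions; a real PA would mint a signed token and the PEP would be a proxy or gateway in the data path.

```python
"""Toy zero trust control plane with the three NIST SP 800-207 logical components.

Added example; not code from the original article or from NIST. The policy rules,
the 0-100 risk_score scale, the JIT entitlement table and the session TTLs are
assumptions chosen to show per-request, least-privilege decisions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """What the PEP forwards to the PA: the request plus the context it was made in."""
    subject: str            # federated user or workload identity
    resource: str
    action: str
    requested_at: datetime
    mfa_verified: bool
    device_managed: bool    # enrolled in MDM and reporting EDR status
    disk_encrypted: bool
    os_patched: bool
    risk_score: int         # 0 (benign) .. 100 (hostile), fed by continuous monitoring


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    session_ttl: Optional[timedelta] = None   # how long before the PEP must ask again


class PolicyEngine:
    """PE: the component that decides. Network location is never an input."""

    def __init__(self, entitlements, sensitivity):
        self.entitlements = entitlements   # (subject, resource, action) -> JIT grant expiry
        self.sensitivity = sensitivity     # resource -> "low" | "high"

    def decide(self, req: AccessRequest) -> Decision:
        expiry = self.entitlements.get((req.subject, req.resource, req.action))
        if expiry is None:
            return Decision(False, "no entitlement for this subject/resource/action")
        if req.requested_at >= expiry:
            return Decision(False, "just-in-time grant has expired")
        if not req.mfa_verified:
            return Decision(False, "MFA not satisfied for this session")
        posture_ok = req.device_managed and req.disk_encrypted and req.os_patched
        if self.sensitivity.get(req.resource, "high") == "high":
            # Sensitive resources: healthy managed device, low risk, short session.
            if not posture_ok:
                return Decision(False, "device posture insufficient for sensitive resource")
            if req.risk_score >= 50:
                return Decision(False, "risk score too high for sensitive resource")
            return Decision(True, "policy satisfied", timedelta(minutes=15))
        if req.risk_score >= 80:
            return Decision(False, "risk score too high")
        return Decision(True, "policy satisfied", timedelta(hours=1))


class PolicyAdministrator:
    """PA: carries PEP requests to the PE and, on allow, issues the session credential."""

    def __init__(self, engine: PolicyEngine):
        self.engine = engine

    def authorize(self, req: AccessRequest) -> Tuple[Decision, Optional[str]]:
        decision = self.engine.decide(req)
        if not decision.allow:
            return decision, None
        expires = req.requested_at + decision.session_ttl
        # A real PA would mint a signed, short-lived token here; this string is a placeholder.
        return decision, f"session:{req.subject}:{req.resource}:{int(expires.timestamp())}"


class PolicyEnforcementPoint:
    """PEP: sits in the data path, asks the PA on every request and enforces the answer."""

    def __init__(self, admin: PolicyAdministrator):
        self.admin = admin
        self.audit = []   # (subject, resource, action, allowed, reason) for monitoring

    def handle(self, req: AccessRequest) -> Decision:
        decision, token = self.admin.authorize(req)
        self.audit.append((req.subject, req.resource, req.action, decision.allow, decision.reason))
        # Only an allow that came with a session token opens the connection.
        return decision if token else Decision(False, decision.reason)


def build_pep(now: datetime) -> PolicyEnforcementPoint:
    """Assumed entitlement table: alice holds an active JIT grant, bob's has lapsed."""
    engine = PolicyEngine(
        entitlements={("alice", "prod-db", "read"): now + timedelta(hours=2),
                      ("alice", "wiki", "read"): now + timedelta(days=30),
                      ("bob", "prod-db", "read"): now - timedelta(minutes=5)},
        sensitivity={"prod-db": "high", "wiki": "low"},
    )
    return PolicyEnforcementPoint(PolicyAdministrator(engine))


def evaluate(subject, resource, risk_score, mfa=True, patched=True) -> Decision:
    """Run one read request through PEP -> PA -> PE and return the enforced decision."""
    now = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    req = AccessRequest(subject, resource, "read", now, mfa, True, True, patched, risk_score)
    return build_pep(now).handle(req)
```

Call `evaluate("alice", "prod-db", 10)` for an allow with a 15-minute session, `evaluate("alice", "prod-db", 10, patched=False)` to see the same identity refused on an unpatched device, and `evaluate("bob", "prod-db", 0)` for a lapsed JIT grant. The point of the structure is that the PEP never decides on its own and the PE never sees "inside the network" as a signal; every request carries its own identity, device and risk context.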
What do you need to know when it comes to zero trust?
While the core idea is simple to state, three essential building blocks make zero trust work in the cloud.
Identity and access management in zero trust
Implementing zero trust requires just-in-time access and privileged access management, along with federation and single sign-on across multi-cloud environments.
Cloud-native IAM tools enforce cloud identity security through strong authentication, including multifactor authentication and risk-based access controls. They integrate with cloud identity providers like Microsoft Entra ID, AWS IAM (and IAM Identity Center), and Google Cloud Identity for consistent access management. A security platform layered on top can then map identity-related detections to resource owners so remediation work lands with the right team and SLAs.
Network segmentation and microsegmentation
Traditional perimeter-based security fails in the cloud because it creates one big, hard shell around everything, trusting anything inside the perimeter.
Instead, zero trust relies on a network microsegmentation approach. Rather than a network “edge,” boundaries are dynamic and policy-driven. These software-enforced, just-in-time boundaries protect every single resource: users, devices, applications, databases, and more.
Once your networks are appropriately segmented, zero trust network access (ZTNA) brokers granular, application-level access to resources. Inspection of east-west traffic is handled by complementary controls such as cloud firewalls or intrusion detection/prevention systems (IDS/IPS).
Continuous monitoring and risk assessment
Zero trust relies on real-time threat detection and behavioral analytics in cloud environments, drawing on signals from diverse cloud logs, metrics, and security events to instantly spot anomalous activities.
Attack path analysis that correlates misconfigurations, vulnerabilities, identities, and data exposure helps teams prioritize remediation where zero trust controls reduce the most risk.
Based on this dynamic risk assessment, you’ll set up automated responses that can continuously adjust access policies to mitigate threats in real time.
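As an added example (not from the original article), the following Python scores a handful of constructed CloudTrail-style events per principal and maps each score to an automated access adjustment of the kind described above. The known-IP baseline, the scoring weights, the 10-minute burst window and the response thresholds are assumptions; the records are constructed and carry only the fields the code reads.

```python
"""Risk scoring over CloudTrail events, with an automated response that adjusts access.

Added example; not code from the original article. The events are constructed to
resemble CloudTrail records (only the fields used here are modelled). The known-IP
baseline, the scoring weights, the 10-minute burst window and the response
thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ALICE = "arn:aws:iam::111122223333:user/alice"
BOB = "arn:aws:iam::111122223333:user/bob"
CAROL = "arn:aws:iam::111122223333:user/carol"

# Assumed baseline: source IPs each principal has used before (from prior telemetry).
KNOWN_IPS = {ALICE: {"203.0.113.10"}, BOB: {"198.51.100.7"}, CAROL: {"203.0.113.25"}}


def ev(time, name, source, arn, ip, **extra):
    """Build a constructed CloudTrail-shaped record."""
    rec = {"eventTime": time, "eventName": name, "eventSource": source,
           "userIdentity": {"arn": arn}, "sourceIPAddress": ip}
    rec.update(extra)
    return rec


# Constructed sample events: alice behaves normally, carol logs in from a new address,
# bob logs in without MFA from a new address and then probes for privilege escalation.
EVENTS = [
    ev("2024-05-01T10:00:00Z", "ConsoleLogin", "signin.amazonaws.com", ALICE, "203.0.113.10",
       additionalEventData={"MFAUsed": "Yes"}),
    ev("2024-05-01T10:01:00Z", "ListBuckets", "s3.amazonaws.com", ALICE, "203.0.113.10"),
    ev("2024-05-01T10:03:00Z", "ConsoleLogin", "signin.amazonaws.com", CAROL, "198.51.100.200",
       additionalEventData={"MFAUsed": "Yes"}),
    ev("2024-05-01T10:05:00Z", "ConsoleLogin", "signin.amazonaws.com", BOB, "192.0.2.44",
       additionalEventData={"MFAUsed": "No"}),
    ev("2024-05-01T10:06:00Z", "AttachUserPolicy", "iam.amazonaws.com", BOB, "192.0.2.44",
       errorCode="AccessDenied"),
    ev("2024-05-01T10:07:00Z", "AttachUserPolicy", "iam.amazonaws.com", BOB, "192.0.2.44",
       errorCode="AccessDenied"),
    ev("2024-05-01T10:08:00Z", "CreateAccessKey", "iam.amazonaws.com", BOB, "192.0.2.44",
       errorCode="AccessDenied"),
]

WEIGHTS = {"new_source_ip": 40, "console_login_without_mfa": 40, "access_denied_burst": 40}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def score_principals(events, window=timedelta(minutes=10), burst=3):
    """Return {arn: {"score": 0..100, "findings": [...]}} for every principal seen."""
    findings = defaultdict(list)
    denied = defaultdict(list)   # recent AccessDenied timestamps per principal
    for rec in sorted(events, key=lambda r: r["eventTime"]):
        arn = rec["userIdentity"]["arn"]
        findings.setdefault(arn, [])   # principals with no findings still get a score of 0
        t = parse_time(rec["eventTime"])
        if rec["sourceIPAddress"] not in KNOWN_IPS.get(arn, set()) and "new_source_ip" not in findings[arn]:
            findings[arn].append("new_source_ip")
        if rec["eventName"] == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings[arn].append("console_login_without_mfa")
        if rec.get("errorCode") == "AccessDenied":
            # Sliding window: keep only denials inside the window, then add this one.
            denied[arn] = [d for d in denied[arn] if t - d <= window] + [t]
            if len(denied[arn]) == burst:   # fire once, when the threshold is crossed
                findings[arn].append("access_denied_burst")
    return {arn: {"score": min(100, sum(WEIGHTS[f] for f in fs)), "findings": fs}
            for arn, fs in findings.items()}


def respond(score):
    """Map a risk score to the access adjustment the policy engine should apply."""
    if score >= 70:
        return "revoke_sessions_and_require_reauth"
    if score >= 40:
        return "step_up_mfa_and_restrict_to_low_sensitivity"
    return "allow"


def triage(events=EVENTS):
    """Score every principal and attach the automated response."""
    return {arn: {"score": r["score"], "findings": r["findings"], "response": respond(r["score"])}
            for arn, r in score_principals(events).items()}
```

Run `triage()` on the constructed events: alice stays at "allow", carol's unfamiliar source address earns a step-up MFA challenge, and bob's combination of no MFA, a new address and a burst of AccessDenied errors drives the score to 100 and a session revocation. In production the score would be written back into the policy engine's context so the next request from that principal is decided with it, which is what "continuously adjust access policies" means in practice.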
What are the stages of zero trust implementation in a multi-cloud environment?
Like roughly one-third of organizations out there, you’re probably working with multiple cloud providers in your move towards zero trust.
As you phase in zero trust network architecture across multi-cloud environments, you should focus on your most critical applications first to build confidence and establish best practices.
Here are some top tips for every stage of your zero trust rollout:
1. Assessment and planning phase
Gap analysis: Perform a comprehensive gap analysis comparing your current security posture to zero trust requirements.
Agentless discovery at scale: Use an agentless, API-based platform to auto-build a security graph of resources, identities, data, and exposure paths across AWS, Azure, and GCP. Agentless scanning provides complete visibility into ephemeral workloads (containers, serverless functions) without agents to install, maintain, or scale—critical for zero trust in dynamic cloud environments.
2. Gradual rollout and policy enforcement
Focus on the high-risk users, applications, or data sets that were revealed during the assessment and planning phase.
Begin with “monitoring-only” phases to observe behavior and refine policies with minimal disruption or performance impact before starting to enforce blocking actions.
Tweak and refine policies based on observation and user feedback, ensuring a smooth and successful transition to a zero trust maturity model.
3. Scaling across cloud platforms
When expanding zero trust across your entire cloud footprint and other platforms, standardize policies and controls by defining common security frameworks. You can simplify this process with policy-as-code templates.
Unified policy engine and normalization: Prefer platforms that normalize resource models and risks across AWS, Azure, and GCP and enforce policy as code consistently (e.g., OPA/Rego) to prevent drift and maintain uniform controls.
Use federated identity management to create a single source of truth so that entitlements map consistently across cloud environments, minimizing local account sprawl and reducing the risk of inconsistent access policies.
Aggregate cloud logs (CloudTrail, Azure Activity Logs, Cloud Audit Logs) and runtime telemetry (process execution, network connections, file access) into a central platform for consistent threat detection and rapid response across hybrid environments.
Choose vendor-agnostic platforms to avoid lock-in and maintain flexibility.
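Added example (not from the article or from any provider's SDK) of the log normalization step that the aggregation above depends on: four constructed records in the shapes of CloudTrail, Azure Activity Log and GCP Cloud Audit Log are mapped to one schema, after which a single query finds denied privilege-changing operations and groups them by source IP across all three clouds. The per-cloud lists of privileged operations and the sample values are assumptions; the field names follow each provider's documented log schema, but only the fields the code reads are modelled.

```python
"""One schema for AWS CloudTrail, Azure Activity Log and GCP Cloud Audit Log events.

Added example; not code from the original article or from any provider's SDK. The
records below are constructed; their field names follow each provider's documented
log schema, but only the fields used here are modelled. The per-cloud lists of
privileged IAM operations are an assumption that lets one query run across clouds.
"""
from datetime import datetime

# Constructed sample records. alice's AssumeRole succeeds; bob is denied a
# privilege change in each cloud from the same source address.
CLOUDTRAIL = [
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/ReadOnly"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}, "sourceIPAddress": "192.0.2.44",
     "errorCode": "AccessDenied", "requestParameters": {"userName": "bob"}},
]
AZURE_ACTIVITY = [
    {"time": "2024-05-01T10:07:12Z", "operationName": "Microsoft.Authorization/roleAssignments/write",
     "caller": "bob@example.com", "callerIpAddress": "192.0.2.44", "resultType": "Failure",
     "resourceId": "/subscriptions/11111111-2222-3333-4444-555555555555/providers/Microsoft.Authorization/roleAssignments/66666666-7777-8888-9999-000000000000"},
]
GCP_AUDIT = [
    {"timestamp": "2024-05-01T10:08:30Z",
     "protoPayload": {"serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy",
                      "resourceName": "projects/example-prod",
                      "authenticationInfo": {"principalEmail": "bob@example.com"},
                      "requestMetadata": {"callerIp": "192.0.2.44"},
                      "status": {"code": 7, "message": "PERMISSION_DENIED"}}},
]

# Assumed: operations that change who can do what, per cloud.
PRIVILEGED = {
    "aws": {"AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy", "CreateAccessKey"},
    "azure": {"Microsoft.Authorization/roleAssignments/write"},
    "gcp": {"SetIamPolicy"},
}


def _ts(s):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def normalize_cloudtrail(rec):
    params = rec.get("requestParameters", {})
    return {"ts": _ts(rec["eventTime"]), "cloud": "aws", "principal": rec["userIdentity"]["arn"],
            "action": rec["eventName"], "resource": ", ".join(f"{k}={v}" for k, v in params.items()),
            "source_ip": rec["sourceIPAddress"],
            "success": "errorCode" not in rec}   # CloudTrail sets errorCode only on failure


def normalize_azure_activity(rec):
    return {"ts": _ts(rec["time"]), "cloud": "azure", "principal": rec["caller"],
            "action": rec["operationName"], "resource": rec["resourceId"],
            "source_ip": rec["callerIpAddress"],
            "success": rec.get("resultType") == "Success"}


def normalize_gcp_audit(rec):
    p = rec["protoPayload"]
    return {"ts": _ts(rec["timestamp"]), "cloud": "gcp", "principal": p["authenticationInfo"]["principalEmail"],
            "action": p["methodName"], "resource": p["resourceName"],
            "source_ip": p["requestMetadata"]["callerIp"],
            "success": p.get("status", {}).get("code", 0) == 0}   # absent or zero status means success


def normalize_all(aws=CLOUDTRAIL, azure=AZURE_ACTIVITY, gcp=GCP_AUDIT):
    """Merge the three feeds into one time-ordered list of common-schema events."""
    events = ([normalize_cloudtrail(r) for r in aws]
              + [normalize_azure_activity(r) for r in azure]
              + [normalize_gcp_audit(r) for r in gcp])
    return sorted(events, key=lambda e: e["ts"])


def failed_privileged_by_ip(events):
    """Group denied privilege-changing operations by source IP, regardless of cloud."""
    out = {}
    for e in events:
        if not e["success"] and e["action"] in PRIVILEGED[e["cloud"]]:
            out.setdefault(e["source_ip"], []).append((e["cloud"], e["principal"], e["action"]))
    return out
```

`failed_privileged_by_ip(normalize_all())` returns a single entry for 192.0.2.44 listing the AWS, Azure and GCP denials in time order, a correlation that is invisible when each provider's log is queried in its own console. The same normalized schema is what a detection rule should be written against, so that one rule covers all three clouds instead of three provider-specific ones.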
What are some expert tips to simplify zero trust adoption?
These tips will help you anticipate and overcome the most common challenges of zero trust adoption:
| Challenge | Solution |
|---|---|
| Visibility gaps in cloud and hybrid environments | Start with cloud visibility and automate asset, user, and data flow inventory. |
| Difficulty integrating with legacy systems | Plan for phased transitions or use proxy services to bridge the gap. |
| Security measures slowing down performance and user experience | Test policies in "monitoring-only" mode and optimize policy engines. |
| Lack of specialized zero trust skills within security teams | Invest in upskilling team members on cloud identity and microsegmentation. |
| Ongoing maintenance and policy refinement | Adopt vendor-agnostic platforms for continuous monitoring and simplified policy orchestration. |
Here are a few final tips for simplifying zero trust (and compliance audits):
Create consistent identity and access policies for all users and resources, spanning AWS, Azure, and Google Cloud to ensure uniform security.
Adopt a unified management platform to simplify policy enforcement and management across your heterogeneous cloud environments, reducing complexity.
Regularly monitor and audit all configurations for continuous compliance and centralized visibility throughout your rollout.
Enable zero trust security with Wiz
A cloud native application protection platform (CNAPP) like Wiz provides the automation, visibility, and context you need for a smoother, simpler transition to zero trust.
Wiz powers up zero trust with comprehensive visibility across all your cloud environments, laying a foundation for effective policy enforcement with…
Agentless scanning and API-based discovery for an up-to-date picture of your entire cloud footprint, including ephemeral resources, with near-zero performance impact
Attack path mapping and risk prioritization to pinpoint exactly where zero trust will have the most impact
Code-to-cloud enforcement: Integrate policy guardrails directly into your CI/CD pipelines to prevent risky configurations from ever reaching production and automatically remediate drift in your cloud environments
Essential insights into all your cloud assets and data through integration with cloud identity providers and policy engines to automate enforcement of zero trust principles at scale across code, infrastructure, and runtime
Ready to see Wiz in action? Get a free demo to learn how agentless visibility, attack-path prioritization, and unified policy make zero trust practical at cloud speed.