What is Zero Trust?

Zero Trust is a security strategy. It is not a product or a service, but an approach in designing and implementing the following set of security principles.

Principle Description
Verify explicitly Always authenticate and authorize based on all available data points.
Use least privilege access Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection.
Assume breach Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.

This is the core of Zero Trust. Instead of believing everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originated from an uncontrolled network. Regardless of where the request originates or what resource it accesses, the Zero Trust model teaches us to "never trust, always verify."

Zero Trust is designed to adapt to the complexities of the modern environment that embraces the mobile workforce and protects user accounts, devices, applications, and data wherever they are located.

A Zero Trust approach should extend throughout the entire digital estate and serve as an integrated security philosophy and end-to-end strategy.

Different organizational requirements, existing technology implementations, and security stages all affect how a Zero Trust security model implementation is planned and executed. Using our experience in helping customers to secure their organizations, as well as in implementing our own Zero Trust model, Microsoft has developed guidance to assess your readiness and help you build a plan to get to Zero Trust.

With Zero Trust, you move away from a trust-by-default perspective to a trust-by-exception one. An integrated capability to automatically manage those exceptions and alerts is important so you can more easily find and detect threats, respond to them, and prevent or block undesired events across your organization.

Zero Trust and the US Executive Order 14028 on Cybersecurity

US executive order 14028, Improving the Nation's Cyber Security, directs federal agencies on advancing security measures that drastically reduce the risk of successful cyberattacks against the federal government's digital infrastructure. On January 26, 2022, the Office of Management and Budget (OMB) released the federal Zero Trust strategy in memorandum 22-09, in support of EO 14028.

Training Introduction to Zero Trust
Use this module to understand the Zero Trust approach and how it strengthens the security infrastructure within your organization.
Training Introduction to Zero Trust and best practice frameworks
Use this module to learn about best practices that cybersecurity architects use and some key best practice frameworks for Microsoft cybersecurity capabilities. You also learn about the concept of Zero Trust, and how to get started with Zero Trust in your organization.

Next steps

Use additional Zero Trust content based on a documentation set or the roles in your organization.

Documentation set

Follow this table for the best Zero Trust documentation sets for your needs.

Documentation set Helps you... Roles
Adoption framework for phase and step guidance for key business solutions and outcomes Apply Zero Trust protections from the C-suite to the IT implementation. Security architects, IT teams, and project managers
Deployment for technology pillars for conceptual information and deployment objectives Apply Zero Trust protections aligned with typical IT technology areas. IT teams and security staff
Zero Trust for small businesses Apply Zero Trust principles to small business customers. Customers and partners working with Microsoft 365 for business
Zero Trust Rapid Modernization Plan (RaMP) for project management guidance and checklists for easy wins Quickly implement key layers of Zero Trust protection. Security architects and IT implementers
Zero Trust deployment plan with Microsoft 365 for stepped and detailed design and deployment guidance Apply Zero Trust protections to your Microsoft 365 tenant. IT teams and security staff
Zero Trust for Copilot for Microsoft 365 for stepped and detailed design and deployment guidance Apply Zero Trust protections to Copilot for Microsoft 365. IT teams and security staff
Zero Trust for Azure services for stepped and detailed design and deployment guidance Apply Zero Trust protections to Azure workloads and services. IT teams and security staff
Partner integration with Zero Trust for design guidance for technology areas and specializations Apply Zero Trust protections to partner Microsoft cloud solutions. Partner developers, IT teams, and security staff
Develop using Zero Trust principles for application development design guidance and best practices Apply Zero Trust protections to your application. Application developers

Your role

Follow this table for the best documentation sets for the roles in your organization.

Role Documentation set Helps you...
Security architect

IT project manager

IT implementer
Adoption framework for phase and step guidance for key business solutions and outcomes Apply Zero Trust protections from the C-suite to the IT implementation.
Member of an IT or security team Deployment for technology pillars for conceptual information and deployment objectives Apply Zero Trust protections aligned with typical IT technology areas.
Customer or partner for Microsoft 365 for business Zero Trust for small businesses Apply Zero Trust principles to small business customers.
Security architect

IT implementer
Zero Trust Rapid Modernization Plan (RaMP) for project management guidance and checklists for easy wins Quickly implement key layers of Zero Trust protection.
Member of an IT or security team for Microsoft 365 Zero Trust deployment plan with Microsoft 365 for stepped and detailed design and deployment guidance for Microsoft 365 Apply Zero Trust protections to your Microsoft 365 tenant.
Member of an IT or security team for Microsoft Copilots Zero Trust for Copilot for Microsoft 365 for stepped and detailed design and deployment guidance Apply Zero Trust protections to Copilot for Microsoft 365.
Member of an IT or security team for Azure services Zero Trust for Azure services for stepped and detailed design and deployment guidance Apply Zero Trust protections to Azure workloads and services.
Partner developer or member of an IT or security team Partner integration with Zero Trust for design guidance for technology areas and specializations Apply Zero Trust protections to partner Microsoft cloud solutions.
Application developer Develop using Zero Trust principles for application development design guidance and best practices Apply Zero Trust protections to your application.
  • Zero Trust Overview-This video provides information about:

    • Zero Trust definition
    • Zero Trust principles
    • Zero Trust core concepts
    • Rapid modernization plan (RaMP) quick wins
  • Zero Trust - The Open Group-This video provides a perspective on Zero Trust from a standards organization.