Zero trust security explained

Never trusting, always verifying

What is zero trust?

Zero trust is a modern cybersecurity paradigm that shifts the focus of perimeter defense from broader network-based perimeters to individual assets and resources. 

Unlike traditional security models, zero trust assumes that no user is inherently trusted on the basis of their physical or network location, or of the device they are using. Instead, micro perimeters are established that continuously monitor and authenticate any user attempting to access a resource, including assets, services, workflows and network accounts.

Users are authenticated based on strict access policies that can be as granular as needed. Common attributes include the user’s identity, location, device, time and date of request, and previous usage patterns.

Once a user is verified, a secure connection is established between the user and the requested resource. This prevents public discovery or lateral movement to other applications on the network, significantly reducing the risk of cyberattacks. 

Most of the world’s ICT infrastructures today have implemented some form of zero trust security model or are in the process of doing so. This includes corporate networks that support enterprise and industrial workflows including Wireless WAN, as well as 5G cellular networks including mission-critical and private network deployments.

Figure: Zero trust shifts the focus of cybersecurity from traditional network-based perimeters to individual assets and resources. It is founded on the key principles of assumed breach, least privilege access, defense in depth and never trust, always verify.

Zero trust in simple terms: the elevator analogy

Imagine you check in to a hotel. In return you get a key card that gives you access to your room and the hotel elevator.

Traditional perimeter-based security models are like traditional hotel elevators. Once in the elevator, you can access any floor regardless of where your room is located as trust is assumed within the perimeters of the hotel. In the same way, users can move largely unrestricted between any node, function, or app within the walls of the network based on a single authentication.

Zero trust models can be likened to modern hotel elevators. Access is granted only to the floor where your room is located and all other floors become inaccessible without authorization. In the same way, zero trust models can set up multiple micro perimeters around each network node or function, as well as any resource or app hosted outside the network. Access is continually monitored and any potential lateral movement by unauthorized users is restricted.

Key benefits

Enhances the security posture

Zero trust significantly enhances the security posture of today’s multi-cloud, multi-location organizations. Through a robust, multi-layered defense that narrows the attack surface, minimizes risk of breach and restricts the lateral movement of any potential threat, zero trust is capable of combating an evolving threat landscape.

Improves threat visibility

Through closed loop, continuous real-time monitoring of network data and incident detection, zero trust enables enterprises to quickly identify and respond to potential threats in real time. Anomalies can also be configured to trigger an immediate response, such as facilitating quick adjustments to access controls or security protocols based on real-time data.

Serves all clouds, devices and locations

Increasingly complex networks depend on multiple cloud-based applications, remote workforces, and widespread IoT. Traditional perimeter-based security, such as VPNs, makes it difficult to maintain a high security baseline in this new reality. By enabling more adaptive and dynamic security mechanisms, zero trust makes it possible for organizations to expand into today’s hybrid cloud and heterogeneous computing environments without increasing risk.

Basic principles of zero trust

Zero trust is based on four key design principles that ensure strict access control at every point of the network, end to end.

Assume breach

Starting from the assumption that an attacker may already be inside the network, the zero trust model enhances security by requiring that any interaction between resources takes place only after secure authorization. This is enforced through continuous monitoring and incident detection.

Never trust, always verify

Zero trust rests on the notion that all entities both inside and outside the network cannot be implicitly trusted, even if they were previously verified. Every access attempt is authenticated and authorized through a series of dynamic access controls.

Least privilege access

Based on the premise of granting the minimum access necessary for an entity to perform its task, zero trust ensures that most network nodes, functions, and apps remain undiscoverable even to authenticated entities.

Defense in depth

Zero trust advocates a multi-layered security approach that is both far-reaching and multi-faceted. This means that, even if one layer is breached, the overall integrity of the network can remain intact. Common defense layers include micro perimeters, continuous monitoring and verification, and data protection mechanisms. 

What’s driving zero trust?

Network perimeters are expanding. The rise of cloud computing, virtualization, and container-based products across both enterprise ICT and 5G networks means that more resources than ever now exist outside traditional boundaries. For enterprises and service providers, this makes it increasingly difficult to integrate, configure, and protect network resources with conventional perimeter-based approaches.

Zero trust introduces a common security management function that bridges the security view across heterogeneous elements. By automating the monitoring of robust security configuration, it plays a vital role in ensuring a solid security posture across the entire network end to end.

Wider digitalization of enterprise, industry, and critical infrastructures creates larger attack surfaces and increased risk — risk that can no longer be mitigated with traditional security models alone. Increasingly complex heterogeneous networks with multiple distributed end points also mean that sensitive enterprise data is now more exposed than ever. 

Zero trust provides a robust and dynamic solution that makes it easier to integrate, configure, and manage access policies across diverse platforms, technologies, and vendors – future-proofing the network as it evolves into new platforms and paradigms.

The number of cybersecurity attacks across enterprises, industries, and society has grown dramatically in recent years. Threats are constantly evolving. Different types of malware and attack toolkits are now sold as-a-service, lowering the technological barrier for a successful attack. The development of AI-based toolkits is also increasing the sophistication and frequency of attacks. This poses a serious threat to the integrity, availability, and confidentiality of today’s network infrastructures.

By establishing micro perimeters, least privilege access, and robust defense in depth strategies, a zero trust security model prevents lateral movement within the network. This means that even if an attacker breaches the outer network perimeter, the rest of the network remains undiscoverable. Multi-factor authentication and real-time anomaly detection mean that anomalies, such as failed access requests, can be picked up and acted upon in real time.
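The detection side of the paragraph above, as an added example that is not part of the original page or of any Ericsson product: a small monitor that reads access-decision records written by a policy enforcement point, keeps a sliding window of denied requests per identity, and raises an alert when one identity is denied repeatedly against several resources in a short time (the pattern of an authenticated but unauthorized entity probing for reachable assets). The log format, the thresholds and the log lines are all constructed for illustration; a real deployment would feed this from its own audit stream and tune the window to its traffic.

```python
"""Added example (not from the original page): near-real-time detection of
bursts of failed access requests in policy enforcement point audit logs.
Log format, thresholds and sample records are constructed for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log: "<UTC timestamp> <user> <resource> <decision>".
# bob is denied four times against four resources within 10 seconds (probing);
# carol's two denials are 7 minutes apart and should not trigger an alert.
SAMPLE_LOG = """\
2024-01-15T10:00:01Z alice payroll-app ALLOW
2024-01-15T10:00:05Z bob cctv-mgmt DENY
2024-01-15T10:00:09Z bob hr-db DENY
2024-01-15T10:00:12Z bob payroll-app DENY
2024-01-15T10:00:15Z bob git-server DENY
2024-01-15T10:00:20Z alice payroll-app ALLOW
2024-01-15T10:02:00Z carol wiki DENY
2024-01-15T10:09:00Z carol wiki DENY
"""


def parse_line(line):
    """Split one audit record into (timestamp, user, resource, decision)."""
    ts, user, resource, decision = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, resource, decision


def detect_probing(log_text, window=timedelta(seconds=60), max_denies=3):
    """Return one alert per identity whose DENY count inside a sliding time
    window reaches max_denies. Each alert lists the distinct resources the
    identity was denied on, which is what distinguishes a mistyped URL from
    lateral probing, and the response a zero trust control plane would take."""
    recent = defaultdict(deque)   # user -> deque of (timestamp, resource) denials
    alerted = set()               # alert once per identity per burst
    alerts = []
    for line in log_text.strip().splitlines():
        ts, user, resource, decision = parse_line(line)
        if decision != "DENY":
            continue
        denials = recent[user]
        denials.append((ts, resource))
        # Drop denials that have aged out of the window.
        while denials and ts - denials[0][0] > window:
            denials.popleft()
        if len(denials) >= max_denies and user not in alerted:
            alerted.add(user)
            alerts.append({
                "user": user,
                "first": denials[0][0].isoformat(),
                "last": ts.isoformat(),
                "denied_resources": sorted({r for _, r in denials}),
                "action": "revoke active sessions and require step-up authentication",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_probing(SAMPLE_LOG):
        print(alert)
```

The alert carries the response action rather than taking it, so the same logic can drive either an automated adjustment of access controls or an analyst notification, as the page describes for anomaly-triggered responses.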

There are numerous regional- and industry-based efforts driving the development and deployment of zero trust. This has been spurred by growing network value, increasing complexities of security management and the ongoing rise of advanced cyber threats. 

Today’s key zero trust documents include:

  • US National Institute of Standards and Technology (NIST) 800-207
  • US Executive Order on improving the nation’s cybersecurity
  • EU Cyber Resiliency Act

NIST 800-207 provides the foundational framework for implementing a zero trust architecture, with a focus on key principles, components, and implementation considerations. The US and EU regional guidelines provide a similar framework in their respective markets. While the EU Cyber Resiliency Act focuses on market-wide compliance for all digital products in the EU, the US Executive Order focuses on compliance of federal supply chains.

Zero trust solutions

Ericsson Security Manager for mobile networks and Ericsson NetCloud Secure Connect deliver a robust zero trust defense at every step of the network end to end. 

Suited for standalone or combined deployment scenarios, our end-to-end zero trust solutions are engineered to ensure uninterrupted and high-performance enterprise ICT operations, mobile network operations, or a combination of both.

Zero trust solutions for enterprises

As employee locations become increasingly remote and workforces expand to include contractors and part-time or temporary workers, the security, flexibility, and scalability of cloud-delivered zero trust networks become an essential part of any enterprise network. When delivered as part of a complete Secure Access Service Edge (SASE) solution, zero trust provides:   

  • Increased network visibility through a cloud-based platform 
  • Controls and adaptive policies to mitigate risks 
  • Direct-to-app connections to create a better user experience  
  • Ability to scale rapidly without sacrificing security 
How a zero trust network protects enterprises

IT teams face two significant challenges in today’s increasingly remote and diverse work environment. They must ensure that users maintain proper authentication to access assets needed to do their job and have a consistent experience regardless of where or how they access the network. Zero trust addresses these challenges from a single management platform. 

Secure access for third parties

A zero trust network eliminates default access by giving users and devices access only to the resources they need to do their jobs. Zero Trust Network Access (ZTNA) extends secure, isolated user-to-resource connections to third-party contractors, suppliers, and other remote network users. It allows companies to enable remote access from a router or client while using identity principles and continuous monitoring to limit access to trusted users and devices.

IoT protection

Enterprise IoT devices such as cameras, sensors, and digital signs are vulnerable because of their simple hardware and communication protocols. Without proper policies and security measures, malicious users can exploit network blind spots in these devices and move laterally within the network, increasing risk and complicating activity monitoring. A zero trust network ensures users are connected only to the resources they need to do their job — nothing else.

Web and email security

Using remote browser isolation (RBI), email and web content are isolated to neutralize threats before they reach user devices. Website code, including sites from email links, runs in a virtual browser in the cloud, and only safely rendered data is streamed to user browsers. Policy-based controls regulate access to sites or categories based on permissions. For untrusted sites, “read-only” mode prevents theft by blocking users from entering credentials. 

Application access for unmanaged devices

Giving third-party contractors and “bring your own device” (BYOD) employees access to an enterprise network can create new threat vectors, which is why it’s crucial to utilize zero trust web application isolation (WAI), especially for unmanaged devices. WAI renders applications in a secure cloud environment, granting access to authorized users while preventing hackers from attacking and breaching corporate web or cloud applications. No intricate device configurations or clients are needed.  

Generative data and AI protection

Sensitive data entered into generative AI (GenAI) apps can be incorporated into datasets, risking exposure to other parties through future responses. Using zero trust GenAI isolation, users can engage with GenAI websites in a protected virtual browser environment. Here, stringent controls over data loss protection, data sharing, and access policies can be enforced to reduce the likelihood of exposure and potential data breaches while the user experience remains normal.

FAQs: zero trust for enterprises

Traditional VPNs are perimeter-based, meaning that once a user has been verified, they have free rein to move throughout the company’s secure applications without much resistance. Zero trust does not consider any part of the enterprise network an implicit trust zone. Instead, it applies microsegmentation and prescriptive security policies to the network architecture to create tunnels through which users reach specific applications and nothing else. At most, a user can access only what exists behind the single microsegment to which they have been granted access.

Zero Trust Network Access (ZTNA) protects against malicious actors who may use a third-party application to penetrate the network. ZTNA extends secure, isolated user-to-resource access to contractors and IT users accessing the network from anywhere through a client. It also allows remote users to access the network securely through a router. 

To determine the scope and attributes of a zero trust network, consider your business’s future, including network expansion or the addition of IoT and mobile devices. Here are some questions for potential buyers to explore when implementing a zero trust strategy:

  1. What are your zero trust use cases? 
    Regarding WAN edge security, most organizational zero trust needs will fall into three primary use cases: extended workforce remote access and “bring your own device” (BYOD), privileged remote access, and on-premises access.
  2. How will resources connect to the network?
    A ZTNA solution can be agent-based or agentless when considering the location and connectivity options for users and endpoints.
  3. Is SD-WAN a critical component to your enterprise network?
    By implementing zero trust to eliminate default network access, you create a secure network foundation that can scale more efficiently by adding 5G and SD-WAN capabilities as part of a 5G SASE solution. 

Dive deeper into zero trust for enterprise

Find solutions to combat cyberattacks

5G SASE with a zero trust foundation can optimize performance, improve resiliency, and equip networks against malware and other threats.  

Replace complex VPNs with a scalable zero trust network

Zero trust enables simpler setup and management while eliminating east-west default access in the case of a breach. 

Fortify your Wireless WAN security architecture

Learn how a zero trust model provides greater security, easier management, and improved scalability compared to traditional VPNs.

Zero trust solutions for service providers

Mobile networks have been aligned with zero trust principles since the 4G standard, which introduced cryptographic separation of control-plane and user-plane transport, as well as authentication through strong identities.

As the value of networks has grown with 5G, so too has the importance of zero trust. Many parts of today’s networks are secured through zero trust architecture, including the 5G Core. As a result, zero trust is not only integral to the security of today’s networks, but also many high-value and mission-critical applications and workflows that run on top of them. 

3GPP standards provide a standardized and well-defined way to deploy zero trust functions in the network. However, the complexity, scale and performance of 5G networks also require fully automated security management, such as the industry-leading Ericsson Security Manager. As part of this, unified security analytics, enforcement, and visibility across the 5G network are also key drivers of zero trust network deployments.

Zero trust in mobile networks: key features

Secure digital identities

As the primary factor that determines access, unique and secure digital identities serve as the new micro perimeters in 5G zero trust. Common examples include the digital identity in SIM cards used to authenticate subscribers and network access control, digital identities based on X.509 certificates used for mutual authentication of network devices and network functions, and management user identities for management access control. Robust provisioning, storage, and revocation processes are required to mitigate the dynamic and exposed nature of virtual 5G deployments.

Secure transport

Industry-standard security mechanisms are used in 5G networks to secure data communication across 3GPP interfaces. This includes the use of cryptographic algorithms that provide confidentiality and integrity protection between devices and network nodes, the introduction of Subscription Concealed Identifier (SUCI) to enhance subscriber privacy, and the implementation of industry-standard security protocols to support mutual authentication between transport networks, network functions, and interconnect networks. 

Policy frameworks

Access to network resources is managed through a policy framework using policy decision points (PDP) and policy enforcement points (PEP). The PEP controls connections between the subject and the resource based on access control decisions made by the PDP. These decisions are predefined according to the organization’s processes and its acceptable level of risk.
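A worked version of the PDP/PEP split described here, using the access-policy attributes listed earlier on the page (identity, location, device, time of request) and the default-deny, per-resource micro perimeters of the elevator analogy. This is an added example, not code from the original page or from any Ericsson product: the subject attributes, rules, resource names and users are constructed, and the policy language is a plain Python rule table rather than any standard policy format.

```python
"""Added example (not from the original page): a minimal policy decision point
(PDP) and policy enforcement point (PEP) implementing default-deny,
attribute-based access with per-request re-verification. All subjects,
rules and resources below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Subject:
    """Attributes the PEP collects for each access attempt (constructed)."""
    user: str
    device_compliant: bool      # e.g. managed, patched, disk encrypted
    location: str               # network location reported for the client
    mfa_age_minutes: int        # minutes since the last MFA challenge


@dataclass(frozen=True)
class Rule:
    """One micro perimeter: who may reach one resource, and under what conditions."""
    resource: str
    users: frozenset
    locations: frozenset
    max_mfa_age_minutes: int = 60
    hours_utc: tuple = (0, 24)  # permitted window [start, end) in UTC hours


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


class PolicyDecisionPoint:
    """Evaluates every request against policy; anything not explicitly allowed is denied."""

    def __init__(self, rules):
        self.rules = {r.resource: r for r in rules}

    def decide(self, subject, resource, now):
        rule = self.rules.get(resource)
        if rule is None:
            return Decision(False, "no policy for resource (default deny)")
        if subject.user not in rule.users:
            return Decision(False, "identity not entitled")
        if subject.location not in rule.locations:
            return Decision(False, "location not permitted")
        if not subject.device_compliant:
            return Decision(False, "device not compliant")
        if subject.mfa_age_minutes > rule.max_mfa_age_minutes:
            return Decision(False, "re-authentication required")
        start, end = rule.hours_utc
        if not start <= now.hour < end:
            return Decision(False, "outside permitted hours")
        return Decision(True, "all policy attributes satisfied")


class PolicyEnforcementPoint:
    """Brokers each connection. There is no session-wide trust: every request
    is decided afresh, and every decision is recorded for security monitoring."""

    def __init__(self, pdp):
        self.pdp = pdp
        self.audit = []

    def request(self, subject, resource, now):
        decision = self.pdp.decide(subject, resource, now)
        self.audit.append((now.isoformat(), subject.user, resource,
                           decision.allow, decision.reason))
        return decision


# Constructed policy: two resources, each reachable only by its own entitled identity.
RULES = [
    Rule("payroll-app", frozenset({"alice"}), frozenset({"corp-office", "home"}),
         hours_utc=(6, 20)),
    Rule("cctv-mgmt", frozenset({"bob"}), frozenset({"corp-office"}),
         max_mfa_age_minutes=15),
]


def demo():
    """Run a set of constructed access attempts and return (allow, reason) per case."""
    pep = PolicyEnforcementPoint(PolicyDecisionPoint(RULES))
    t0 = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
    alice = Subject("alice", True, "home", 5)
    bob = Subject("bob", True, "corp-office", 5)
    bob_stale = Subject("bob", True, "corp-office", 30)
    cases = {
        "alice_payroll": pep.request(alice, "payroll-app", t0),
        "alice_cctv": pep.request(alice, "cctv-mgmt", t0),          # not her "floor"
        "bob_cctv": pep.request(bob, "cctv-mgmt", t0),
        "bob_cctv_stale_mfa": pep.request(bob_stale, "cctv-mgmt", t0),
        "alice_unknown_resource": pep.request(alice, "hr-db", t0),  # no rule at all
        "alice_night": pep.request(alice, "payroll-app", t0.replace(hour=23)),
    }
    return {name: (d.allow, d.reason) for name, d in cases.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Two design points matter more than the rule details: a resource with no rule is unreachable even to a fully authenticated subject, which is what keeps the rest of the network undiscoverable, and the PEP asks the PDP on every request rather than once per session, so a change in device posture or an expired MFA window takes effect immediately.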

Security monitoring

Security monitoring in 5G networks supports the detection of threats. It also continuously measures the security posture of the network assets, as well as compliance with dynamic access control policies. This includes devices accessing the network, RAN network functions, core network functions, and management functions.

Zero trust and 5G

Learn more about the tenets of zero trust in today’s 5G networks

Deployment insights for CSPs

Enhance operational resilience with ZTA

Explore why a Zero Trust Architecture (ZTA) approach is the most effective way to ensure full visibility and control over network security in today’s interconnected world.

ESM as a zero trust enabler

Securing your business from telecom-specific threats will help you stay up and running while meeting the growing need to provide relevant security information to regulatory stakeholders and enterprise customers.

ENM leads the way to a secure and scalable network

Learn how the Ericsson Network Manager (ENM) supports today’s CSPs to manage open and multi-vendor networks at scale with low TCO and a zero trust level of security. 
