Zero Trust security: what it is and why it matters

This guide explains Zero Trust, a cybersecurity strategy built on the principle of “never trust, always verify”.

It covers:

  • Definition & principles – Zero Trust is a strategy that is business-driven, focused on data, access control and continuous monitoring.
  • Why it matters – Zero Trust reduces data breach risk, prioritizes critical assets, and offers a future-proof alternative to perimeter security.
  • Who it’s for – the Zero Trust strategy is relevant for any organization; this guide highlights finance, healthcare, manufacturing, and government.
  • Implementation – the four design principles and the five-step framework (protect surfaces, map flows, design architecture, define policy, monitor/maintain) make the strategy practical and actionable.
  • Expert insight – ON2IT, having worked closely together with Zero Trust creator John Kindervag since 2009, provides strategy, managed services, and readiness assessments.

What is Zero Trust?

Zero Trust is a strategic approach to cybersecurity, focused on preventing data breaches. Trust is a human emotion – not a security principle. That’s why Zero Trust follows the core philosophy: “Never trust, always verify.”

This strategy is decoupled from technology. While tools and solutions will evolve, the Zero Trust strategy remains constant. It’s a future-proof approach that resonates at the executive level and is easy to deploy with off-the-shelf technologies.

Why choose Zero Trust?

Zero Trust is the only cybersecurity approach that is a strategy. Instead of engaging in an endless arms race with hackers across your entire, ever-growing attack surface, Zero Trust shifts the focus to what matters most: your most valuable data, applications, assets, and services.

Zero Trust offers a practical way to reduce both the likelihood and impact of a data breach. By emphasizing prevention and detection, this strategy makes it easier to protect critical assets and mitigate risks effectively.

Who is it for?

Zero Trust is relevant for any organization that handles sensitive data, runs critical operations, or wants to strengthen its cybersecurity posture. Whether you’re in finance, healthcare, manufacturing, or government, the strategy can be adapted to your business context and compliance requirements.

How organizations in your industry apply Zero Trust

  • Health care: A regional hospital replaced its costly in-house SIEM with ON2IT’s managed SOC. By embracing Zero Trust, they cut expenses, freed up IT staff, and gained continuous compliance and threat prevention — ensuring sensitive patient data stays secure.
  • Manufacturing: A global manufacturer unified its fragmented security after rapid growth. With ON2IT’s Zero Trust architecture and managed services, they now run a future-proof, incident-free environment that lets IT focus on business innovation.
  • Local government: A municipality modernized its outdated, in-house IT setup with ON2IT’s Zero Trust-based virtual network and SOC-as-a-Service. The result: secure connectivity for staff anywhere, scalable infrastructure, and peace of mind for the city’s operations.

The four principles of Zero Trust

There are four design principles of Zero Trust:

Define business outcomes – Align security objectives

Zero Trust is a business-driven strategy. This means that it emphasizes the need to involve business owners. They’re the ones who can tell you what parts of the organization are the most important and therefore need a higher level of protection.

If you don’t include the business owners, then defining the business outcomes becomes a very complex task and you’ll never know what exactly needs to be protected.

Design from the inside out – Zero Trust network segmentation

With everything interconnected or remotely accessible, the idea of a friendly ‘trusted’ internal network and a hostile outside internet is obsolete.

Designing your security from the inside out means that you take the data as a starting point as data represents business value – which is ultimately what you want to protect.

Determine who or what needs access – Identity and device mapping

These days, more and more systems communicate with each other, via the cloud, APIs, or IoT devices. As the number of these systems and devices grows, it has become all the more important to specify not only ‘who’ but also ‘what’ has access.

Access from one system to another must be explicitly granted, on a need-to-know basis. Access must never be taken for granted.

Inspect and log all traffic – Continuous monitoring and analysis

Every flow of data must be inspected to see if there is any possible suspicious behavior. We cannot ‘trust’ that the traffic is good, even if it’s internal traffic.

How to implement Zero Trust

John Kindervag, the founder of Zero Trust and former SVP Cybersecurity at ON2IT, has defined five steps for a successful Zero Trust implementation. Below, we walk you through these five steps. Each step helps you build a stronger, more resilient cybersecurity posture – one practical milestone at a time.

Step 1. Define your protect surfaces

In this first step of Zero Trust, we identify the so-called DAAS elements: Data, Applications, Assets and Services. These are the elements that you want to protect.

Step 2. Map the transaction flows

Mapping the transaction flows to and from the protect surface shows how the various DAAS components interact with other resources on your network and, therefore, where to place the proper controls. The way traffic moves across the network, specific to the data in the protect surface, determines the design.

Step 3. Build a Zero Trust architecture

Part of the magic of the five-step model is that the first two steps will illuminate the best way to design the Zero Trust architecture. Each Zero Trust environment is tailor-made for each protect surface. A good rule-of-thumb in design is to place the controls as close as possible to the protect surface.

Step 4. Create Zero Trust policy

Ultimately, we need to instantiate Zero Trust as a Layer 7 policy statement. Therefore, it requires Layer 7 controls. Use the Kipling Method of Zero Trust policy writing to determine who or what can access your protect surface.

Step 5. Monitor and maintain

One of the design principles of Zero Trust is to inspect and log all traffic, all the way through Layer 7. The telemetry provided by this process will not just help prevent data breaches and other significant cybersecurity events, but will provide valuable security improvement insights.
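The five steps above can be made concrete in code. The following is an added example, written for this guide and not ON2IT's or John Kindervag's own tooling: a small policy engine that models one protect surface (Step 1), the transaction flows observed around it (Step 2), Kipling-method policy statements answering who, what, when, where, why and how (Step 4), and a log of every allow/deny decision (Step 5). The protect surface, segment names, identities and flows are constructed sample data; the six Kipling questions follow Kindervag's published method, but the rule layout is this example's own. The engine is default deny: a flow is allowed only when a rule answers all six questions, and any observed flow that no rule explains is reported back as something the business owner must either justify or the architecture (Step 3) must block close to the protect surface.

```python
from dataclasses import dataclass
from datetime import time
from typing import Iterable, List


@dataclass(frozen=True)
class ProtectSurface:
    """Step 1: one DAAS element (Data, Application, Asset or Service) to protect."""
    name: str
    daas_type: str
    element: str


@dataclass(frozen=True)
class Flow:
    """Step 2: one observed transaction to a protect surface (constructed sample data)."""
    who: str        # asserted identity of the user or workload
    what: str       # application or API used to reach the surface
    where: str      # source network segment or device class
    how: str        # Layer 7 action (HTTP method + path, SQL verb, ...)
    surface: str    # name of the protect surface being accessed


@dataclass(frozen=True)
class KiplingRule:
    """Step 4: one policy statement answering who/what/when/where/why/how."""
    who: frozenset
    what: frozenset
    when: tuple          # (start, end) time of day, inclusive, as "HH:MM" strings
    where: frozenset
    why: str             # business justification supplied by the business owner
    how: frozenset
    surface: str

    def matches(self, flow: Flow, at: str) -> bool:
        start, end = (time.fromisoformat(t) for t in self.when)
        return (flow.surface == self.surface
                and flow.who in self.who
                and flow.what in self.what
                and flow.where in self.where
                and flow.how in self.how
                and start <= time.fromisoformat(at) <= end)


def evaluate(rules: Iterable[KiplingRule], flow: Flow, at: str, log: list) -> bool:
    """Default deny: allow only if some rule answers all six Kipling questions.
    Step 5: every decision, allowed or denied, is appended to the log with its 'why'."""
    for rule in rules:
        if rule.matches(flow, at):
            log.append({"decision": "allow", "why": rule.why, "flow": flow, "at": at})
            return True
    log.append({"decision": "deny", "why": "no matching rule", "flow": flow, "at": at})
    return False


def run_audit(rules: Iterable[KiplingRule], flows: Iterable[Flow], at: str) -> List[dict]:
    """Replay a set of observed flows against the policy and return the decision log."""
    log: List[dict] = []
    for flow in flows:
        evaluate(rules, flow, at, log)
    return log


def unmapped_flows(rules: Iterable[KiplingRule], flows: Iterable[Flow], at: str) -> List[Flow]:
    """Step 2 -> Step 4 feedback: observed flows that no rule explains. Each one needs
    either a justified rule or a control placed close to the protect surface (Step 3)."""
    rules = list(rules)
    return [f for f in flows if not any(r.matches(f, at) for r in rules)]


# Constructed sample data: a hospital's patient-record database as the protect surface.
PATIENT_RECORDS = ProtectSurface("patient-records", "Data", "EHR database")

POLICY = [
    KiplingRule(who=frozenset({"svc-ehr-app"}), what=frozenset({"ehr-api"}),
                when=("00:00", "23:59"), where=frozenset({"seg-clinical-app"}),
                why="clinicians view and update charts through the EHR application",
                how=frozenset({"GET /records", "PUT /records"}), surface=PATIENT_RECORDS.name),
    KiplingRule(who=frozenset({"svc-backup"}), what=frozenset({"ehr-db"}),
                when=("01:00", "03:00"), where=frozenset({"seg-backup"}),
                why="nightly backup window agreed with the data owner",
                how=frozenset({"SELECT"}), surface=PATIENT_RECORDS.name),
]

OBSERVED_FLOWS = [
    Flow("svc-ehr-app", "ehr-api", "seg-clinical-app", "GET /records", "patient-records"),
    Flow("svc-backup", "ehr-db", "seg-backup", "SELECT", "patient-records"),
    # Nobody has justified this flow yet: it shows up as unmapped and is denied.
    Flow("svc-reporting", "ehr-db", "seg-analytics", "SELECT", "patient-records"),
]

if __name__ == "__main__":
    for entry in run_audit(POLICY, OBSERVED_FLOWS, "02:00"):
        print(entry["decision"], entry["flow"].who, "->", entry["flow"].surface, "|", entry["why"])
    print("flows still to justify:", [f.who for f in unmapped_flows(POLICY, OBSERVED_FLOWS, "02:00")])
```

Two design choices carry the Zero Trust principles: the rule match is a conjunction of all six questions, so leaving any of them unanswered cannot widen access, and the `when` window means the backup identity is denied outside its agreed hours even though everything else about the flow is correct. The unmapped-flow report is what Step 2 feeds into Step 4: it tells you which observed transactions still lack a business justification before you tighten the controls.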

Zero Trust and the Dutch Waterworks

At ON2IT, we have been leading the Zero Trust journey since 2009, working alongside its creator John Kindervag. We help organizations turn strategy into practice with tailored architectures, managed services, and proven expertise.

Like the Dutch waterworks that protect what matters most, Zero Trust applies precise, layered defenses where they are needed most. ON2IT brings this mindset to cybersecurity, ensuring resilience by design.

Ready to implement Zero Trust, but not sure where to start?

Request our Zero Trust Readiness Assessment