Zero Trust Security model¶
Updated May 26, 2025
Abstract¶
Defines the steps for building a zero trust environment.
Zero trust is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated. A holistic view of zero trust security is further defined as the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan. Zero trust security is, therefore, not only a product or an approach--it's a web of connected policies, practices, software, and hardware that create an entire zero-trust ecosystem.
Much like other kinds of digital transformation, zero trust isn't a plug-and-play solution to the shortcomings of current cybersecurity practices: It's a total commitment to a process that alters large swaths of an organization's structure.
Segment the network¶
Traditional perimeter security has a single boundary of trust: the edge of the enterprise network. Anything already inside that edge is trusted by default.
Zero trust is less castle, more secure government facility: users have to request access to each area they need to be in, and if there isn't an absolute need for them to be there, security keeps them out.
Network segmentation is a lot like that government facility: a segmented network has many security boundaries, and only the people and systems that absolutely need access to a segment can get it.
This is a fundamental part of zero-trust networking. It removes the assumption that an attacker who gains access to one segment can automatically move on to others: every crossing between segments is a separate access decision, which limits lateral movement and contains a compromise to the segment where it started.
Note
MobilityData currently does not occupy a space where a local area network (LAN) exists, but we are in compliance with this step since every employee works from home.
Implement access management and identity verification¶
Multi-factor authentication (MFA)(1) and passkeys(2) are a fundamental part of good security, whether it's zero trust or not. Under a zero trust system, users should be required to use at least one second authentication factor, and a passkey wherever one is supported, since it is the more secure replacement. Not all second factors are equal: a one-time code sent by SMS or shown by an authenticator app can still be captured and relayed by a phishing page, whereas a passkey cannot be.
- See Glossary > MFA (Multi-Factor Authentication) or 2FA (Two-Factor Authentication)
- See Glossary > Passkeys
Along with MFA, roles for employees need to be tightly controlled. Each role should have clearly defined responsibilities that restrict it to the network segments and resources it needs. Use the principle of least privilege (POLP) when determining who needs access to what: grant the minimum, and review it when the role changes.
Passkeys are a secure, phishing-resistant authentication method ideal for a zero-trust environment. They replace passwords with a cryptographic key pair: the private key stays on the user's device (or in a synced credential store) and only the public key is registered with the site, which binds the credential to its own relying party identifier. A look-alike site cannot obtain a signature that the real site will accept, so the credential cannot be phished, and because the server never holds a shared secret there is nothing to leak in a breach. Passkeys support strong user verification (such as biometrics or a device PIN) and align with zero-trust principles by removing reliance on shared secrets.
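Added example, written for this page rather than taken from MobilityData or from any WebAuthn library: a Go model of the ceremony behind a passkey login, reduced to the parts that make it phishing-resistant. The browser fills in the origin it actually served and refuses to sign for a relying party ID the page does not own; the authenticator signs the RP ID hash together with that client data; the server compares every field with its own expectations. The relying party `example.org`, the phishing host `example-org.net`, the user `alice` and the challenge string are assumptions, the browser's RP-ID rule is simplified (no public suffix list), and the authenticator data is reduced to the RP ID hash.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Assertion is what the relying party (RP) gets back from the browser.
type Assertion struct {
	AuthData       []byte // sha256(rpID); a real authenticator also appends flags and a counter
	ClientDataJSON []byte // written by the browser, not by the page, so its origin field is trustworthy
	Signature      []byte
}

type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type Authenticator struct{ priv *ecdsa.PrivateKey } // the private key never leaves the device

// RelyingParty is the server: its own ID and origin plus one public key per user.
type RelyingParty struct {
	ID, Origin string
	Keys       map[string]*ecdsa.PublicKey
}

// Register models credential creation: a fresh P-256 key pair for this user at this RP.
func (rp *RelyingParty) Register(user string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if rp.Keys == nil {
		rp.Keys = map[string]*ecdsa.PublicKey{}
	}
	rp.Keys[user] = &priv.PublicKey
	return &Authenticator{priv: priv}, nil
}

// rpIDAllowed is the browser's rule, simplified (real browsers also consult the
// public suffix list): the RP ID must be the page's host or a parent domain of it.
func rpIDAllowed(pageOrigin, rpID string) bool {
	host := strings.TrimPrefix(pageOrigin, "https://")
	return host == rpID || strings.HasSuffix(host, "."+rpID)
}

// signedMessage is the hash the authenticator signs: authData || sha256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// GetAssertion models navigator.credentials.get() called by a page at pageOrigin.
func GetAssertion(auth *Authenticator, pageOrigin, rpID, challenge string) (*Assertion, error) {
	if !rpIDAllowed(pageOrigin, rpID) {
		return nil, errors.New("browser: rpID is neither the page's host nor a parent of it")
	}
	cdJSON, _ := json.Marshal(clientData{Challenge: challenge, Origin: pageOrigin})
	rpHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, auth.priv, signedMessage(rpHash[:], cdJSON))
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: rpHash[:], ClientDataJSON: cdJSON, Signature: sig}, nil
}

// Verify is the server-side check: every field is compared with what this RP expects,
// so an assertion minted on a look-alike origin fails even if the challenge was relayed live.
func (rp *RelyingParty) Verify(user, challenge string, a *Assertion) error {
	pub, ok := rp.Keys[user]
	want := sha256.Sum256([]byte(rp.ID))
	var cd clientData
	switch {
	case !ok:
		return errors.New("unknown user")
	case a == nil || json.Unmarshal(a.ClientDataJSON, &cd) != nil:
		return errors.New("missing or malformed assertion")
	case cd.Challenge != challenge:
		return errors.New("challenge mismatch: replay or wrong session")
	case cd.Origin != rp.Origin:
		return fmt.Errorf("origin mismatch: signed on %s, expected %s", cd.Origin, rp.Origin)
	case string(a.AuthData) != string(want[:]):
		return errors.New("RP ID hash mismatch")
	case !ecdsa.VerifyASN1(pub, signedMessage(a.AuthData, a.ClientDataJSON), a.Signature):
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	rp := &RelyingParty{ID: "example.org", Origin: "https://example.org"}
	auth, _ := rp.Register("alice")
	challenge := "fresh-random-value-per-login" // the RP issues a new one for every ceremony
	legit, _ := GetAssertion(auth, "https://example.org", "example.org", challenge)
	fmt.Println("legitimate login:", rp.Verify("alice", challenge, legit))
	phish, _ := GetAssertion(auth, "https://example-org.net", "example-org.net", challenge) // relayed challenge, phishing origin
	fmt.Println("phished assertion:", rp.Verify("alice", challenge, phish))
}
```

The second run is the adversary-in-the-middle case: the phishing page relays the genuine challenge in real time, the user's authenticator does sign, and the RP still rejects because the signed client data names the attacker's origin and the RP ID hash is for the wrong domain. Contrast that with a one-time code, which carries no notion of where it was typed.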
Note
MobilityData is in compliance with those principles, as established in the Password construction policy section of its security policies.
Extend the principle of least privilege to the firewall¶
Zero trust isn't concerned only with users and the devices they use to connect to a network: it's also concerned with the network traffic they generate. POLP, likewise, should be applied to network traffic, both traffic entering the network from outside and traffic moving between segments inside it.
Establish firewall rules that restrict traffic between segments to only the flows absolutely needed to accomplish tasks, with a default-deny rule for everything else. It's better to have to unblock a port later than to leave it open from the start and hand an attacker a ready-made path.
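Added example, not part of the original page or of MobilityData's configuration: a small Go program that expresses the inter-segment policy as data, renders it as an nftables ruleset with a default drop on the forward hook, and answers whether a given flow would be permitted so a rule change can be checked before it is loaded. It assumes a Linux gateway running nftables sits between the segments; the segment names, address ranges and allowed flows (`workstations` to `web` on 443, `web` to `db` on 5432) are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Segment is a named IPv4 range. Rules speak about segments, never about hosts.
type Segment struct {
	Name   string
	Prefix netip.Prefix
}

// Rule is one permitted flow between two segments. Anything not listed is dropped.
type Rule struct {
	From, To string // segment names
	Proto    string // "tcp" or "udp"
	Port     uint16
}

type Policy struct {
	Segments []Segment
	Allow    []Rule
}

func (p Policy) segmentOf(a netip.Addr) string {
	for _, s := range p.Segments {
		if s.Prefix.Contains(a) {
			return s.Name
		}
	}
	return "" // unknown addresses belong to no segment and match no rule
}

// Permits answers the same question the rendered firewall will: is this new flow
// explicitly allowed? Everything else falls through to the default drop.
func (p Policy) Permits(src, dst netip.Addr, proto string, port uint16) bool {
	from, to := p.segmentOf(src), p.segmentOf(dst)
	for _, r := range p.Allow {
		if r.From == from && r.To == to && r.Proto == proto && r.Port == port {
			return true
		}
	}
	return false
}

// Nftables renders the policy for the forward hook of the gateway between the
// segments: one named set per segment, one accept per permitted flow, a logged
// drop for everything else. Replies to accepted flows ride on conntrack state.
func (p Policy) Nftables() string {
	var b strings.Builder
	b.WriteString("table inet segments {\n")
	for _, s := range p.Segments {
		fmt.Fprintf(&b, "\tset %s { type ipv4_addr; flags interval; elements = { %s } }\n", s.Name, s.Prefix)
	}
	b.WriteString("\tchain forward {\n")
	b.WriteString("\t\ttype filter hook forward priority 0; policy drop;\n")
	b.WriteString("\t\tct state established,related accept\n")
	for _, r := range p.Allow {
		fmt.Fprintf(&b, "\t\tip saddr @%s ip daddr @%s %s dport %d accept\n", r.From, r.To, r.Proto, r.Port)
	}
	b.WriteString("\t\tlog prefix \"segment-drop \" counter drop\n")
	b.WriteString("\t}\n}\n")
	return b.String()
}

// ExamplePolicy is a constructed three-segment office: workstations reach the
// web tier on 443, the web tier reaches the database on 5432, nothing else.
func ExamplePolicy() Policy {
	return Policy{
		Segments: []Segment{
			{"workstations", netip.MustParsePrefix("10.10.0.0/24")},
			{"web", netip.MustParsePrefix("10.20.0.0/24")},
			{"db", netip.MustParsePrefix("10.30.0.0/24")},
		},
		Allow: []Rule{
			{"workstations", "web", "tcp", 443},
			{"web", "db", "tcp", 5432},
		},
	}
}

func main() {
	p := ExamplePolicy()
	fmt.Print(p.Nftables())
	ws, db := netip.MustParseAddr("10.10.0.15"), netip.MustParseAddr("10.30.0.5")
	// Lateral movement from a compromised workstation straight to the database:
	fmt.Println("workstation -> db:5432 permitted?", p.Permits(ws, db, "tcp", 5432))
}
```

The printed ruleset is loaded with `nft -f` on the gateway. Keeping the policy as data, rather than as hand-edited rules, is what makes the "unblock it later" approach workable: a request to open a port becomes one more `Rule`, reviewed with `Permits` against the flows that must stay closed, and the logged drops tell you which flows the policy is actually refusing.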
Note
MobilityData currently does not occupy a space where a local area network (LAN) is possible, but we are in compliance with this step since the built-in firewall is active on every computer.
Firewalls should be contextually aware of traffic¶
Rule-based firewall setups aren't enough on their own: what if a legitimate app is hijacked for nefarious purposes, or a DNS spoof sends a user to a malicious webpage? Both produce traffic that a plain port-and-address rule will allow.
To prevent problems like those it's essential to make sure your firewall looks at all inbound and outbound traffic to ensure it is legitimate for the app's purpose, and checks it against blocklists, DNS rules, and the other data described in Figure A above.
Note
MobilityData currently does not occupy a space where a local area network (LAN) is possible. We cannot adhere to these requirements since there is no advanced firewall installed in every person's home network.
Gather, and actually analyze, security log events¶
Zero trust, just like any other cybersecurity framework, requires constant analysis to find its weaknesses and determine where to reinforce its capabilities.
There's a lot of data generated by cybersecurity systems, and parsing it for valuable information can be difficult. It is recommended to use SIEM (security information and event management) software to do much of the analytics legwork: collecting logs from every source, correlating related events, and raising alerts. That saves time on the tedious parts so the IT team can spend it on response and on planning for future attacks.
These five steps are the basics of implementing zero trust, and they don't touch on the more detailed elements of NIST's model or other fully developed zero-trust architectures. They are somewhere to start, though, and can help organizations lay the groundwork and see how long their zero-trust journey will be.
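Added example that serves both this section and the contextually aware firewall section above; it is not MobilityData's tooling and not any SIEM product's rule language. The Go program parses constructed key=value log lines (not a real capture) and applies two rules of the kind a SIEM would run: an MFA-fatigue detection over authentication events (a burst of rejected push prompts, and the approval that follows when the user gives in), and an egress check that flags a connection to a blocklisted domain or a process talking to a domain outside its allowlist. The allowlist (`Slack` may reach `slack.com`), the blocklist entry `paste.example.net`, the five-minute window and the three-rejection threshold are assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// parseLine splits one "ts=... k=v ..." log line into its timestamp and fields.
func parseLine(line string) (time.Time, map[string]string, error) {
	f := map[string]string{}
	for _, kv := range strings.Fields(line) {
		if k, v, ok := strings.Cut(kv, "="); ok {
			f[k] = v
		}
	}
	t, err := time.Parse(time.RFC3339, f["ts"])
	return t, f, err
}

// Detector is the context the rules need: per-application destination allowlists,
// a domain blocklist, and the MFA-fatigue window and threshold.
type Detector struct {
	AppAllow  map[string][]string // process name -> permitted destination domains (suffix match)
	Blocklist map[string]bool
	MFAWindow time.Duration
	MFADenies int
}

// Run applies the rules to the lines in order and returns the alerts raised.
func (d Detector) Run(lines []string) ([]string, error) {
	var alerts []string
	denies := map[string][]time.Time{} // user -> rejected MFA pushes still inside the window
	for _, ln := range lines {
		now, f, err := parseLine(ln)
		if err != nil {
			return nil, fmt.Errorf("%q: %w", ln, err)
		}
		stamp := now.Format(time.RFC3339)
		switch f["type"] {
		case "auth": // MFA fatigue: a burst of rejected pushes, then the approval when the user gives in
			user := f["user"]
			var recent []time.Time
			for _, t := range denies[user] {
				if now.Sub(t) <= d.MFAWindow {
					recent = append(recent, t)
				}
			}
			if f["result"] == "deny" && f["reason"] == "mfa_push_rejected" {
				recent = append(recent, now)
				if len(recent) == d.MFADenies {
					alerts = append(alerts, fmt.Sprintf("%s mfa_fatigue user=%s %d push rejections within %s", stamp, user, len(recent), d.MFAWindow))
				}
			} else if f["result"] == "allow" && len(recent) >= d.MFADenies {
				alerts = append(alerts, fmt.Sprintf("%s mfa_fatigue_success user=%s approved after %d rejections src=%s", stamp, user, len(recent), f["src"]))
			}
			denies[user] = recent
		case "egress": // contextual check: known-bad destination, or a process talking where it should not
			proc, dst := f["proc"], f["dst"]
			if d.Blocklist[dst] {
				alerts = append(alerts, fmt.Sprintf("%s blocklisted_destination host=%s proc=%s dst=%s", stamp, f["host"], proc, dst))
			}
			if !domainAllowed(dst, d.AppAllow[proc]) {
				alerts = append(alerts, fmt.Sprintf("%s unexpected_egress host=%s proc=%s dst=%s", stamp, f["host"], proc, dst))
			}
		}
	}
	return alerts, nil
}

func domainAllowed(dst string, allowed []string) bool {
	for _, a := range allowed {
		if dst == a || strings.HasSuffix(dst, "."+a) {
			return true
		}
	}
	return false
}

// SampleLog is constructed for this example; it is not a real capture.
var SampleLog = []string{
	"ts=2025-05-26T09:00:01Z type=auth user=alice src=203.0.113.7 result=deny reason=mfa_push_rejected",
	"ts=2025-05-26T09:00:40Z type=auth user=alice src=203.0.113.7 result=deny reason=mfa_push_rejected",
	"ts=2025-05-26T09:01:15Z type=auth user=alice src=203.0.113.7 result=deny reason=mfa_push_rejected",
	"ts=2025-05-26T09:02:03Z type=auth user=alice src=203.0.113.7 result=allow reason=mfa_push_approved",
	"ts=2025-05-26T09:06:10Z type=egress host=laptop-12 proc=Slack dst=files.slack.com",
	"ts=2025-05-26T09:06:12Z type=egress host=laptop-12 proc=Slack dst=paste.example.net",
	"ts=2025-05-26T09:07:30Z type=egress host=laptop-12 proc=curl dst=updates.example.org",
}

// Default holds the assumed allowlist, blocklist and thresholds used with SampleLog.
var Default = Detector{
	AppAllow:  map[string][]string{"Slack": {"slack.com"}},
	Blocklist: map[string]bool{"paste.example.net": true},
	MFAWindow: 5 * time.Minute,
	MFADenies: 3,
}

func main() { fmt.Println(Default.Run(SampleLog)) }
```

On the sample, the program raises five alerts and stays quiet on the benign Slack connection: the third rejected push fires `mfa_fatigue`, the approval ninety seconds later fires `mfa_fatigue_success` (the event worth paging on), and the egress rule flags the blocklisted paste site and the unexpected `curl` destination. Both rules only work because two different sources, the identity provider and the endpoint firewall, land in the same place; that is the correlation a SIEM exists to do.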
Note
MobilityData currently reviews only Mosyle's security logs and events, due to limited resources.