What Is Zero Trust Security?

Zero trust security is a cybersecurity model that requires every user, device, and application to prove its identity and authorisation before accessing any resource. There is no trusted zone. A request from the CEO’s laptop on the office network is treated with the same suspicion as a request from an unknown device in another country. The principle is often summarised as “never trust, always verify”, but the more accurate version is: verify continuously, grant minimally, assume you are already compromised.

The concept was formalised by John Kindervag at Forrester Research in 2010. It became a US federal mandate through Executive Order 14028 in 2021. By 2026, 96% of organisations say they favour a zero trust approach (CIO.com), though Gartner estimates only 10% of large enterprises have a mature, measurable programme in place. The gap between intent and execution is the central challenge.

For Swiss organisations, zero trust is not explicitly required by law. But the nFADP (new Federal Act on Data Protection), the ISA (Information Security Act), and FINMA circulars all require “appropriate technical and organisational measures” for data protection. Zero trust is increasingly what “appropriate” looks like.

How Does Zero Trust Differ from Traditional Security?

Traditional network security follows a perimeter model. A firewall separates trusted insiders from untrusted outsiders. Once you pass the perimeter (VPN, office network, firewall rules), the network trusts you. This worked when employees sat in offices, data lived on local servers, and the network boundary was clear.

That world no longer exists.

Perimeter security vs zero trust

Trust model. Perimeter security: trust anyone inside the network. Zero trust: trust no one by default.
Access control. Perimeter security: network location determines access. Zero trust: identity, device health and context determine access.
Lateral movement. Perimeter security: largely unrestricted once inside. Zero trust: blocked by microsegmentation and continuous checks.
Remote work. Perimeter security: requires a VPN tunnel to “get inside”. Zero trust: direct, verified access to individual resources.
Breach assumption. Perimeter security: the perimeter will keep attackers out. Zero trust: attackers may already be inside.
Monitoring. Perimeter security: perimeter-focused (firewall logs). Zero trust: every access request is logged and evaluated.

The Verizon 2024 DBIR found that over 80% of hacking incidents involved compromised credentials. In a perimeter model, a stolen password unlocks the entire network. In zero trust, the password alone is worthless without a verified device, a second authentication factor, and a policy that permits access to that specific resource at that specific time.

The Three Core Principles

Zero trust is built on three ideas. Everything else is implementation detail.

1. Verify Explicitly

Every access request is evaluated using all available data: user identity, device compliance, location, time of day, behavioural patterns, sensitivity of the resource. A request from a managed laptop during business hours from a known IP gets a different risk score than the same credentials used from an unmanaged phone at 3 AM in a country where the company has no operations.

This is not a one-time gate check. Verification is continuous. A session that starts normally can be terminated mid-stream if conditions change (device falls out of compliance, anomalous behaviour detected, geolocation shifts).

2. Use Least Privilege Access

Users and systems get the minimum permissions needed for the task at hand, nothing more, and only for as long as necessary. An accountant does not need access to source code. A developer does not need access to payroll. An admin should not use a privileged account to check email.

Least privilege extends beyond human users. Service accounts, APIs, machine-to-machine communications, and automated processes all operate under the same constraint. In practice, this means role-based access control (RBAC), just-in-time privilege elevation, and regular access reviews.
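The two principles above are easier to see in code than in prose. The following is an added example, not code from the original article or from any product it names: a toy policy decision point that scores each request on identity, device compliance, location and time (verify explicitly), checks the request against standing role permissions or a time-boxed just-in-time grant (least privilege), and re-runs the same policy mid-session when the device drifts out of compliance. The roles, countries, score weights and thresholds are assumptions chosen for illustration.

```python
# Added example (not from the original article): a toy policy decision point that applies
# "verify explicitly" and "least privilege" to every request and re-checks a live session
# when its context changes. Roles, countries, thresholds and weights are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed RBAC: role -> permitted (resource, action) pairs; anything unlisted is denied.
ROLE_PERMISSIONS = {
    "accountant": {("payroll", "read"), ("invoices", "write")},
    "developer": {("source-code", "read"), ("source-code", "write")},
}
OPERATING_COUNTRIES = {"CH", "DE", "AT"}   # assumed: countries the company operates in


@dataclass
class Device:
    managed: bool
    disk_encrypted: bool
    os_patched: bool

    def compliant(self):
        return self.managed and self.disk_encrypted and self.os_patched


@dataclass
class Request:
    user: str
    roles: set
    mfa_verified: bool
    device: Device
    country: str
    time: datetime
    resource: str
    action: str


class PolicyDecisionPoint:
    def __init__(self):
        self.jit_grants = []   # (user, resource, action, expires_at)

    def grant_jit(self, user, resource, action, now, ttl=timedelta(hours=1)):
        """Just-in-time elevation: a time-boxed grant instead of a standing role."""
        self.jit_grants.append((user, resource, action, now + ttl))

    def authorised(self, req):
        """Least privilege: a standing role permission or an unexpired JIT grant."""
        wanted = (req.resource, req.action)
        if any(wanted in ROLE_PERMISSIONS.get(r, set()) for r in req.roles):
            return True
        return any(u == req.user and (res, act) == wanted and exp > req.time
                   for u, res, act, exp in self.jit_grants)

    def risk_score(self, req):
        """Verify explicitly: fold every available signal into one score."""
        score = 0
        if not req.device.compliant():
            score += 50          # unmanaged, unencrypted or unpatched device
        if req.country not in OPERATING_COUNTRIES:
            score += 30          # country with no company presence
        if not 7 <= req.time.hour < 20:
            score += 10          # outside business hours (timestamps assumed local)
        return score

    def evaluate(self, req):
        """Return 'allow', 'step-up' (re-authenticate) or 'deny'."""
        if not req.mfa_verified:
            return "deny"        # a password alone unlocks nothing
        if not self.authorised(req):
            return "deny"        # right user, wrong resource
        risk = self.risk_score(req)
        if risk >= 50:
            return "deny"        # e.g. a non-compliant device, whoever is using it
        return "step-up" if risk >= 30 else "allow"

    def session_still_valid(self, req):
        """Continuous verification: re-run the policy whenever session context changes."""
        return self.evaluate(req) == "allow"


def demo():
    pdp = PolicyDecisionPoint()
    laptop = Device(managed=True, disk_encrypted=True, os_patched=True)
    phone = Device(managed=False, disk_encrypted=False, os_patched=True)
    day = datetime(2026, 3, 2, 10, 0, tzinfo=timezone.utc)

    def req(**overrides):
        base = dict(user="alice", roles={"accountant"}, mfa_verified=True, device=laptop,
                    country="CH", time=day, resource="payroll", action="read")
        base.update(overrides)
        return Request(**base)

    results = {
        "normal_access": pdp.evaluate(req()),
        "password_only": pdp.evaluate(req(mfa_verified=False)),
        "risky_context": pdp.evaluate(req(device=phone, country="BR", time=day.replace(hour=3))),
        "unusual_location": pdp.evaluate(req(country="US")),
        "out_of_role": pdp.evaluate(req(resource="source-code")),
    }
    # Developer bob needs one payroll read: a one-hour JIT grant, not a permanent role.
    pdp.grant_jit("bob", "payroll", "read", day)
    results["jit_in_window"] = pdp.evaluate(req(user="bob", roles={"developer"}))
    results["jit_expired"] = pdp.evaluate(
        req(user="bob", roles={"developer"}, time=day + timedelta(hours=2)))
    # Mid-session the laptop loses disk encryption: the open session is cut off.
    results["session_after_device_drift"] = pdp.session_still_valid(
        req(device=Device(managed=True, disk_encrypted=False, os_patched=True)))
    return results
```

A real policy engine (Entra Conditional Access, an authorisation service in front of an API) replaces the hard-coded weights with signals from the identity provider and the MDM, but the shape is the same: deny by default, decide per request, and treat every session as revocable.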

3. Assume Breach

The system is designed as if an attacker is already inside the network. This is not pessimism. It is architecture. When you assume breach, every internal communication is encrypted. Every system logs its activity. Network segments are isolated so that compromise of one segment does not cascade. Anomaly detection runs continuously because you expect anomalies to exist.

The IBM Cost of a Data Breach Report (2024) found that organisations with mature zero trust implementations saved an average of USD 1.76 million per breach compared to those without. The saving comes from faster detection (assume breach drives monitoring investments) and smaller blast radius (microsegmentation limits lateral movement).
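Blast radius is a measurable quantity, not a metaphor. The example below, added here and not part of the original article, computes it for a constructed seven-host network: first flat, then under a default-deny segment allow-list. Host names, segment names and the allow-list rules are constructed for illustration.

```python
# Added example (not from the original article): blast-radius analysis of a flat network
# versus a default-deny segmented one. Hosts, segments and the allow-list are constructed.
from collections import deque

HOSTS = {                      # constructed inventory: host -> segment
    "laptop-ceo": "corp-endpoints",
    "laptop-dev": "corp-endpoints",
    "printer-3f": "iot",
    "guest-phone": "guest",
    "web-frontend": "dmz",
    "app-server": "prod-app",
    "payroll-db": "prod-data",
}

# Constructed allow-list: (source segment, destination segment, port). Anything not
# listed is denied, including traffic between hosts inside the same segment.
SEGMENT_POLICY = {
    ("corp-endpoints", "dmz", 443),
    ("dmz", "prod-app", 8443),
    ("prod-app", "prod-data", 5432),
}


def flat_network_edges(hosts):
    """Flat network: every host can talk to every other host (no east-west control)."""
    return {h: {o for o in hosts if o != h} for h in hosts}


def segmented_edges(hosts, policy):
    """Segmented network: host A reaches host B only if an allow rule covers their segments."""
    allowed = {(src, dst) for src, dst, _port in policy}
    return {h: {o for o in hosts if o != h and (hosts[h], hosts[o]) in allowed} for h in hosts}


def pivot_path(start, target, edges):
    """Shortest chain of hops an attacker on `start` needs to reach `target`, or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for nxt in edges[cur]:
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    return None


def reachable_from(start, edges):
    """Every host an attacker on `start` can pivot to, directly or through other hosts."""
    return {h for h in edges if h != start and pivot_path(start, h, edges) is not None}


def blast_radius(start, hosts=HOSTS, policy=SEGMENT_POLICY):
    """Compare what a compromised `start` can reach with and without segmentation."""
    return {
        "flat": reachable_from(start, flat_network_edges(hosts)),
        "segmented": reachable_from(start, segmented_edges(hosts, policy)),
    }


if __name__ == "__main__":
    for victim in ("printer-3f", "laptop-ceo"):
        radius = blast_radius(victim)
        print(f"{victim}: flat={len(radius['flat'])} hosts, "
              f"segmented={sorted(radius['segmented'])}")
    print(pivot_path("laptop-ceo", "payroll-db", segmented_edges(HOSTS, SEGMENT_POLICY)))
```

Two results are worth noticing. The compromised printer reaches nothing under segmentation, where it reached every host in the flat network. The compromised laptop still reaches payroll-db, but only by pivoting through the web front end and the application server along allowed flows; segmentation has shrunk the path, not removed it, which is why the Applications pillar (each hop authenticates its caller) and the Visibility pillar (each allowed flow is logged) have to sit on top of the network policy.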

The Seven Pillars of Zero Trust Architecture

NIST SP 800-207 provides the foundational framework. It defines the logical components (a policy engine and policy administrator that make the decision, and policy enforcement points in front of each resource) rather than a pillar list; the seven pillars below are the current industry grouping (2026) that agencies and vendors use to organise the work:

Identity. The new perimeter. Every user has a verified digital identity, protected by MFA, continuously evaluated for risk. Passwordless, phishing-resistant authentication (FIDO2, passkeys) removes the password as the weakest link and, because the credential is bound to the origin, defeats the adversary-in-the-middle phishing that captures one-time codes and push approvals.

Devices. Every device is inventoried, managed, and checked for compliance before access is granted. An unpatched laptop with no disk encryption gets blocked regardless of who is using it.

Networks. Microsegmentation replaces flat networks. Each segment enforces its own access policies. East-west traffic (server to server) is as scrutinised as north-south traffic (external to internal).

Applications and Workloads. Applications authenticate to each other. APIs validate every request. Workloads run with minimal permissions in hardened environments.

Data. Data is classified, encrypted at rest and in transit, and accessed only through authorised channels. Data loss prevention (DLP) monitors for exfiltration attempts.

Infrastructure. Cloud, on-premise, and hybrid infrastructure all enforce zero trust policies. Infrastructure-as-code ensures consistent security configuration.

Visibility and Analytics. Every pillar generates telemetry. SIEM, SOAR, and XDR platforms aggregate and correlate signals. You cannot enforce zero trust if you cannot see what is happening.

Zero Trust in Switzerland: Regulatory Context

Switzerland has no zero trust mandate. But multiple regulations create obligations that zero trust directly addresses.

nFADP (new Federal Act on Data Protection). In force since September 2023. Requires “appropriate technical and organisational measures” to protect personal data. Privacy by design and by default are mandatory. Zero trust’s least-privilege and data-classification pillars map directly to these requirements.

ISA (Information Security Act). Revised version effective since April 2025. Requires critical infrastructure operators to report cyberattacks to the NCSC within 24 hours. Non-compliance carries fines up to CHF 100,000. Zero trust’s monitoring and assume-breach principles support rapid detection and reporting.

FINMA Circular 2023/1. For banks and financial institutions. Requires operational resilience and cyber-incident reporting within 24 hours. FINMA’s 2024 Risk Monitor flagged supply chain attacks as nearly one-third of reported incidents. Zero trust’s verification of every access request, including third-party and vendor access, directly addresses this vector.

NCSC SME Checklist. The Swiss National Cyber Security Centre publishes cybersecurity guidelines for SMEs. While it does not mention zero trust by name, its recommendations (access control, network segmentation, monitoring, MFA, device management) are individual zero trust controls. Implementing zero trust means implementing the NCSC checklist with architectural coherence.

Implementation: Where to Start

The most common mistake is treating zero trust as a product you buy. It is not. It is a design principle applied incrementally.

Phase 1: Identity (weeks 1-4). Enable MFA on every account. Deploy a password manager. Separate admin accounts from daily-use accounts. If you use Microsoft 365, activate Conditional Access. If Google Workspace, enforce context-aware access. Cost: typically CHF 0 to CHF 20 per user per month using existing licences.

Phase 2: Device compliance (weeks 4-8). Enrol devices in MDM (Microsoft Intune, Jamf). Block access from devices without current OS versions, disk encryption, or endpoint protection. Cost: often included in existing M365 Business Premium subscriptions.

Phase 3: Access governance (weeks 8-12). Audit all user accounts and permissions. Remove access for former employees. Implement RBAC. Review quarterly. Eliminate shared accounts. Cost: labour, not licensing.

Phase 4: Network segmentation (weeks 12-16). Separate guest WiFi, IoT devices, production systems, and corporate endpoints into VLANs. Evaluate ZTNA solutions (Cloudflare Zero Trust is free for up to 50 users) as VPN replacements. Cost: CHF 0 to CHF 7 per user per month.

Phase 5: Monitoring (ongoing). Enable audit logs across all platforms. Set up alerts for anomalous behaviour. Consider a SIEM (Microsoft Sentinel integrates natively with M365). Even weekly manual log reviews catch threats that automated systems miss.
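Phase 5 is where many programmes stop at “enable audit logs”. The following added example (not from the original article) shows what a first set of detections over sign-in logs looks like: two policy-gap rules that confirm Phases 1 and 2 actually took effect (a successful sign-in without MFA, or from a non-compliant device, means a Conditional Access or MDM exception exists somewhere) and two behavioural rules (impossible travel, password spraying from one source address). The log lines are constructed and the field names are generic; an Entra ID or Google Workspace export needs a small field-mapping step before the same logic applies.

```python
# Added example (not from the original article): the kind of alerting a Phase 5 log
# review needs, run over constructed sign-in records. Field names follow no particular
# product; real Entra ID or Workspace audit logs need a small mapping step first.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one sign-in event per line, as a SIEM export might provide.
SAMPLE_LOG = """
{"ts":"2026-03-02T08:01:10Z","user":"alice","result":"success","mfa":true,"device_compliant":true,"country":"CH","ip":"203.0.113.10"}
{"ts":"2026-03-02T08:03:45Z","user":"bob","result":"success","mfa":false,"device_compliant":true,"country":"CH","ip":"203.0.113.11"}
{"ts":"2026-03-02T08:20:00Z","user":"alice","result":"success","mfa":true,"device_compliant":true,"country":"BR","ip":"198.51.100.7"}
{"ts":"2026-03-02T08:30:00Z","user":"carol","result":"success","mfa":true,"device_compliant":false,"country":"CH","ip":"203.0.113.12"}
{"ts":"2026-03-02T09:00:01Z","user":"dave","result":"failure","mfa":false,"device_compliant":false,"country":"NL","ip":"192.0.2.50"}
{"ts":"2026-03-02T09:00:04Z","user":"erin","result":"failure","mfa":false,"device_compliant":false,"country":"NL","ip":"192.0.2.50"}
{"ts":"2026-03-02T09:00:07Z","user":"frank","result":"failure","mfa":false,"device_compliant":false,"country":"NL","ip":"192.0.2.50"}
{"ts":"2026-03-02T09:00:10Z","user":"grace","result":"failure","mfa":false,"device_compliant":false,"country":"NL","ip":"192.0.2.50"}
{"ts":"2026-03-02T17:45:00Z","user":"alice","result":"success","mfa":true,"device_compliant":true,"country":"CH","ip":"203.0.113.10"}
"""


def parse_sign_ins(text):
    """Parse JSON lines into events sorted by time (the detections assume time order)."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, travel_window=timedelta(hours=1),
           spray_window=timedelta(minutes=10), spray_users=4):
    """Return alerts for policy gaps (no MFA, non-compliant device) and for
    behaviour (impossible travel, password spraying from one source IP)."""
    alerts = []
    last_success = {}                      # user -> (ts, country)
    failures_by_ip = defaultdict(list)     # ip -> [(ts, user), ...] inside spray_window
    sprayed_ips = set()
    for ev in events:
        if ev["result"] != "success":
            window = failures_by_ip[ev["ip"]]
            window.append((ev["ts"], ev["user"]))
            window[:] = [(t, u) for t, u in window if ev["ts"] - t <= spray_window]
            users = sorted({u for _, u in window})
            if len(users) >= spray_users and ev["ip"] not in sprayed_ips:
                sprayed_ips.add(ev["ip"])      # one alert per source, not one per attempt
                alerts.append({"rule": "password_spray", "ip": ev["ip"], "users": users})
            continue
        if not ev["mfa"]:
            alerts.append({"rule": "no_mfa_success", "user": ev["user"]})
        if not ev["device_compliant"]:
            alerts.append({"rule": "noncompliant_device_success", "user": ev["user"]})
        prev = last_success.get(ev["user"])
        if prev and prev[1] != ev["country"] and ev["ts"] - prev[0] <= travel_window:
            alerts.append({"rule": "impossible_travel", "user": ev["user"],
                           "from": prev[1], "to": ev["country"]})
        last_success[ev["user"]] = (ev["ts"], ev["country"])
    return alerts


def review(text=SAMPLE_LOG):
    """Run the detections over a log export; returns the alert list."""
    return detect(parse_sign_ins(text))


if __name__ == "__main__":
    for alert in review():
        print(alert)
```

Country-level impossible travel is noisy where users sit behind corporate VPN egress or roam on mobile networks; a production rule allow-lists known egress addresses and compares distance against elapsed time rather than country codes. The spray rule keys on distinct usernames from one address, which is exactly the pattern that per-account lockout thresholds miss.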

This phased approach works for organisations with 10 employees or 10,000. The difference is scope, not principle.

The Business Case

Zero trust is an investment. Here is what the data shows.

The median enterprise implementation cost across 18 months is approximately USD 680,000 (Forrester Total Economic Impact study). However, 89% of organisations achieve positive ROI by month 20, with an average return of 340% within 24 months. The returns come from three sources:

Breach cost avoidance. Organisations with mature zero trust implementations save an average of USD 1.76 million per breach (IBM, 2024). For Swiss organisations, where the average breach cost is higher than the global average, the savings are proportionally larger.

VPN elimination. Replacing legacy VPN infrastructure with ZTNA solutions saves an average of USD 340,000 annually. VPN-related CVEs increased 82.5% between 2020 and 2024, making VPNs a growing liability.

Operational efficiency. Reduced helpdesk tickets from password resets (passwordless authentication), faster onboarding (policy-based access), and fewer access-related incidents.

For SMEs, the absolute numbers are smaller but the ratios hold. A 50-person company implementing zero trust with existing Microsoft 365 licences and Cloudflare’s free tier may spend under CHF 15,000 in the first year, primarily on labour.

Common Failures

Zero trust initiatives fail for predictable reasons.

Buying instead of designing. Vendors sell “zero trust solutions.” No single product delivers zero trust. An organisation that buys a ZTNA gateway but does not enforce MFA, does not segment its network, and does not monitor access has not implemented zero trust. It has bought a gateway.

Starting with the network instead of identity. Identity is the foundation. Deploying microsegmentation before establishing strong identity verification is building on sand. Eighty percent of breaches start with compromised identities, not network intrusions.

Ignoring the human element. Zero trust changes how people work. MFA prompts, device compliance checks, and access denials create friction. Without communication and training, employees find workarounds. Shadow IT increases. The security architecture is undermined from within.

Incomplete enforcement. Zero trust applied to 80% of systems is not zero trust. The remaining 20% become the attack surface. Legacy systems, IoT devices, and third-party integrations are common gaps. They need compensating controls even if they cannot participate in the zero trust architecture directly.

The 2026 Frontier: Identity Over Network

The zero trust conversation is shifting. Early implementations focused on network controls: microsegmentation, ZTNA, secure web gateways. The emerging consensus for 2026 and beyond is that identity, not network topology, is the true enforcement point.

The NSA’s Zero Trust Implementation Guidelines (published January 2026) and NIST’s updated NCCoE guidance (developed with 24 industry partners) both emphasise cryptographically binding identity to every request. Static credentials and long-lived tokens are legacy patterns. The direction is request-scoped, ephemeral identity with continuous risk evaluation.
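To make “request-scoped, ephemeral identity” concrete, here is an added example (not from the NSA or NIST documents, nor from the original article) of a request signed for a single use: the client computes a MAC over the method, path, body hash, timestamp and a fresh nonce, and the server rejects anything expired, tampered or replayed. The header format, key identifiers and the shared HMAC key are assumptions chosen to keep the example in the Python standard library; in production the signing key is bound to a workload identity (an mTLS client certificate, or an asymmetric key so the verifier holds no secret) and is itself short-lived.

```python
# Added example (not from the original article): request-scoped, short-lived credentials
# in place of a long-lived bearer token. Each request carries a MAC over its method, path,
# body hash, timestamp and nonce, so a captured header cannot be replayed, re-used for
# another resource, or used after it expires. The shared HMAC key, key ids and header
# format are assumptions; production systems bind the key to a workload identity.
import hashlib
import hmac
import secrets
import time

MAX_AGE_SECONDS = 60     # assumed: how long a signed request stays valid


def _canonical(method, path, body, ts, nonce):
    """Bytes that get signed: every field an attacker might want to change."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(ts), nonce]).encode()


def sign_request(key, key_id, method, path, body=b"", ts=None, nonce=None):
    """Client side: produce the Authorization header value for one request."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    mac = hmac.new(key, _canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
    return f"ZT-HMAC key_id={key_id},ts={ts},nonce={nonce},sig={mac}"


class RequestVerifier:
    """Server side: verifies each request on its own merits and remembers recent nonces."""

    def __init__(self, keys, max_age=MAX_AGE_SECONDS):
        self.keys = keys            # key_id -> secret
        self.max_age = max_age
        self.seen_nonces = {}       # nonce -> ts, pruned as requests expire

    def verify(self, header, method, path, body=b"", now=None):
        now = int(time.time()) if now is None else now
        try:
            scheme, _, params = header.partition(" ")
            if scheme != "ZT-HMAC":
                raise ValueError("unexpected scheme")
            p = dict(item.split("=", 1) for item in params.split(","))
            ts, nonce, key = int(p["ts"]), p["nonce"], self.keys[p["key_id"]]
        except (ValueError, KeyError):
            return False, "malformed or unknown key"
        if abs(now - ts) > self.max_age:
            return False, "expired"          # checked first: cheap, and bounds the nonce store
        expected = hmac.new(key, _canonical(method, path, body, ts, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, p.get("sig", "")):
            return False, "bad signature"     # tampered path or body, or wrong key
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if now - t <= self.max_age}
        if nonce in self.seen_nonces:
            return False, "replay"            # the same signed request presented twice
        self.seen_nonces[nonce] = ts
        return True, "ok"
```

Contrast this with a long-lived bearer token: a token captured once works from any host against any endpoint until somebody revokes it. A captured ZT-HMAC header proves one request, for one path and body, for sixty seconds, and the nonce store refuses the second presentation.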

A parallel development is Zero Trust AI Access (ZTAI): applying zero trust principles to AI tool usage within organisations. As employees use ChatGPT, Copilot, and similar tools, the data they share with these systems requires the same access controls as any other data flow. This is an unsolved problem for most organisations and a growing area of concern for regulators.

How Red Teaming Validates Zero Trust

A zero trust architecture is only as strong as its implementation. Conditional Access policies can be misconfigured. MFA based on one-time codes or push approvals can be bypassed through adversary-in-the-middle attacks (phishing-resistant methods such as FIDO2 and passkeys are the exception, which is why the Identity pillar favours them). Network segments can have hidden pathways. The only way to know whether your zero trust controls hold against real attackers is to test them with real attack techniques.

Red teaming simulates a full-scope attack against your organisation. Red team operators attempt to bypass MFA (using adversary-in-the-middle phishing frameworks such as Evilginx2 to capture session tokens, then hijacking the authenticated session), circumvent Conditional Access through compromised devices, move laterally despite network segmentation, and social-engineer identity processes such as password resets and MFA re-enrolment. The findings show exactly where zero trust holds and where it breaks.

Frequently Asked Questions

Is zero trust a product? No. Zero trust is a security model and design philosophy. Products like ZTNA gateways, identity providers, and SIEM platforms are components, but no single product equals zero trust.

How long does it take to implement? Full maturity takes years. Meaningful security improvements (MFA, device compliance, access reviews) can be achieved in weeks. Gartner estimates that by end of 2026, only 10% of large enterprises will have mature programmes.

Can SMEs implement zero trust? Yes. SMEs are projected to have the highest growth rate in zero trust adoption through 2030. Tools like Microsoft Entra ID (included in M365), Cloudflare Zero Trust (free for up to 50 users), and Tailscale make enterprise-grade zero trust accessible at SME budgets.

Does zero trust replace firewalls? Not entirely. Firewalls remain useful at the perimeter. But zero trust means the firewall is no longer the primary trust boundary. Access decisions are made at the identity and application layer, not the network edge.

Is zero trust required by Swiss law? Not explicitly. But the nFADP, ISA, and FINMA regulations require “appropriate” security measures. Zero trust is increasingly the standard that defines what “appropriate” means.

What is the ROI of zero trust? Average ROI of 340% within 24 months. 89% of organisations achieve positive ROI by month 20. Primary value comes from breach cost avoidance (USD 1.76 million average per breach, IBM 2024) and VPN infrastructure savings.