Zero-trust cloud security explained

Traditional corporate networks were built like castles: secure walls (firewalls and VPNs) kept threats out, and anyone inside was trusted. This castle-and-moat approach served enterprises well for decades, with corporate VPNs playing an essential role in securing remote access for employees.
As organizations shift to cloud environments, however, applications and data often live outside the traditional perimeter. This doesn’t make corporate VPNs less important; it simply means new models like zero trust are needed to strengthen those protections.
In this guide, you’ll learn why zero trust matters for corporate cloud security, how to implement it effectively, common challenges to avoid, and practical steps to get started.
What is zero trust, and why it matters in the cloud
Zero trust is an IT security model that removes the traditional assumption of trust. Instead of believing that entities inside the network are safe and outsiders are threats, it treats all users, devices, and applications as untrusted until verified.
Core principles include:
- Least-privilege access: Users get only the minimum permissions needed.
- Strict access control: Authentication and authorization at every step.
- Continuous inspection and logging: Monitoring all traffic for anomalies.
These principles address a critical gap in cloud security: perimeter-based defenses aren’t designed for distributed, cloud-native environments. Zero trust steps in to complement them with identity- and context-based controls.
You’ve probably seen zero trust principles at work outside the office. Multi-factor authentication (MFA) on your email account and fraud checks on your credit card both follow the “never trust, always verify” rule. Zero trust in the cloud uses the same idea, just applied continuously across users, devices, and data.
How zero trust applies to cloud infrastructure
Cloud adoption is nearly universal: 96% of companies use public cloud services, with roughly 50% of workloads running there. According to Flexera’s 2024 State of the Cloud report, 65% of organizations use the cloud for data warehousing, and 41% leverage AI/ML (machine learning) capabilities from cloud providers.
While the cloud enables remote work and scalability, it also introduces:
- Loss of direct control, especially in public clouds.
- Fragmented security, as multiple tools (corporate VPNs, CASB proxies, virtual firewalls) are used for different environments.
- Reduced visibility: it's harder to track who’s accessing what, from which devices, and how data is being used.
Zero trust strengthens existing tools here. For example, where a corporate VPN secures the tunnel, zero trust ensures every request inside the tunnel is checked against identity, context, and policy.
Key differences between perimeter-based security and zero trust
The biggest difference between perimeter-based security and zero trust comes down to how each one handles trust and access.
Perimeter-based security follows the classic “castle-and-moat” approach. Everyone outside the castle walls (your network) is treated as a potential threat, while everyone inside is assumed to be safe. Once you’re inside, you can roam freely, straight into the palace, treasury, gold mines, or warehouses.
The problem? If a spy (cybercriminal) sneaks past the moat or a rogue insider turns against you, they get the same open access as everyone else.
Zero trust adds another layer: it assumes that attackers could already be inside, and it continuously verifies identities and enforces least-privilege access. Using the same castle analogy, zero trust means:
- Constant identity checks: Even if you’re inside the castle, you have to keep proving you are who you say you are.
- Least privilege access: Everyone only gets the access they truly need. Farmers can enter the fields, but not the treasury.
- Always on guard: The castle is run as if there’s a threat lurking at all times, even when things seem calm.
Both approaches have value. Perimeter-based security remains crucial for secure connections, while zero trust modernizes internal controls.
Shared-responsibility model and zero trust
Shared responsibility in the cloud environment defines how the cloud service provider (CSP) and you, the cloud service customer (CSC), have agreed to handle security tasks related to using and managing the cloud service.
The shared responsibility model may change based on the cloud service type: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
There isn’t a one-size-fits-all approach to how CSPs divide responsibility with their users. With a provider like Microsoft Azure, for example, you’re expected to handle security for devices, data and information, and accounts and identities.
Overall, knowing what responsibility falls to you helps fashion your zero-trust strategy to account for the right resources.
Core components of a zero-trust cloud architecture
A comprehensive zero-trust architecture was outlined in guidance developed by the National Security Agency (NSA) to help federal agencies such as the Department of Defense strengthen their cybersecurity defenses. This guidance proposed several pillars of zero-trust security, such as:
Identity and access management (IAM)
Zero-trust security enforces identity verification and authentication before granting users access to an organization’s resources in the cloud. This identity verification can be done with a combination of the following:
- Usernames and passwords
- Multi-factor authentication
- Biometric authentication
- Behavioral analytics
Furthermore, zero-trust security still doesn’t allow verified users access to all cloud resources, only granting every user the least access they need to complete their tasks. This means that someone from the accounting department can access financial spreadsheets but won’t see customer data or intellectual property being worked on by the engineering department.
This way, even if a cybercriminal gains access to the network via breached credentials, their movement (and therefore, the damage they can do) is limited.
In practice, many organizations deploy zero trust network access (ZTNA) solutions that can work alongside corporate VPNs. While a corporate VPN encrypts the channel, ZTNA verifies and limits what a user can do inside.
Device and workload verification
In addition to verifying user identity, devices and the workloads (applications) running on them are continuously checked and monitored, so that no device on the network poses a security risk and no application behaves maliciously.
Some of the ways zero-trust systems implement this include:
- Vulnerability management: Checking the device’s operating system, application version, and other relevant data helps determine if there’s a potential backdoor or other vulnerabilities.
- Endpoint detection: Device behavior is monitored to ensure it stays consistent with defined network access control policies. For instance, data exfiltration to third-party devices may be blocked by default.
- Intrusion detection: Monitors for instances where malicious devices connect to the network, shutting them down before they infect your organization’s system.
Network segmentation and micro-segmentation
Zero-trust networks further expand on the least privilege access model by defining more access policies within the network:
- Macro-segmentation: Defines zones separating major departments in the organization from one another. For instance, the network resources allocated to the IT department are segmented from those of your finance department.
- Micro-segmentation: More granular zone definition within the same department. As an example, an intern in the finance department may have access to the petty balance sheets but not payroll and company budget forecast sheets.
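The least-privilege and segmentation rules above (the accounting-versus-engineering case and the finance intern who can read petty cash but not payroll), worked through as an added example rather than code from the article: a small policy decision point that evaluates every request against identity, device posture and role grants, with default deny. The roles, resource paths, segment names and device attributes are constructed.

```python
"""Zero-trust policy decision point for the least-privilege and segmentation
scenarios in the text. Added illustration, not the article's code: roles,
resource paths, segment names and device attributes are constructed."""
from dataclasses import dataclass

# Macro-segmentation puts each resource in a department zone;
# micro-segmentation splits a zone into sensitivity tiers.
RESOURCE_SEGMENTS = {
    "finance/petty-cash.xlsx": ("finance", "routine"),
    "finance/payroll.xlsx": ("finance", "restricted"),
    "finance/budget-forecast.xlsx": ("finance", "restricted"),
    "crm/customers.db": ("sales", "restricted"),
    "eng/repo": ("engineering", "routine"),
}

# Least privilege: a role may read only the (zone, tier) pairs listed here.
# Anything unlisted is denied; being "inside" the network grants nothing.
ROLE_GRANTS = {
    "finance-intern": {("finance", "routine")},
    "accountant": {("finance", "routine"), ("finance", "restricted")},
    "engineer": {("engineering", "routine")},
}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    mfa_passed: bool      # MFA satisfied for this request, not a one-time login
    device_managed: bool  # device enrolled in endpoint management
    device_patched: bool  # OS and application versions meet posture policy

def evaluate(req: AccessRequest, log: list) -> str:
    """Decide one request on identity, device posture and policy, in that
    order, so stolen credentials on a non-compliant device never reach the
    resource rules. Every decision is appended to the audit log."""
    segment = RESOURCE_SEGMENTS.get(req.resource)
    if segment is None:
        decision = "deny: unknown resource"      # default deny
    elif not req.mfa_passed:
        decision = "deny: MFA required"
    elif not (req.device_managed and req.device_patched):
        decision = "deny: device posture"
    elif segment not in ROLE_GRANTS.get(req.role, set()):
        decision = "deny: not in role grants"    # least privilege
    else:
        decision = "allow"
    log.append(f"user={req.user} role={req.role} resource={req.resource} "
               f"segment={segment} decision={decision}")
    return decision

def demo() -> dict:
    """Run the article's scenarios; returns the decisions and the audit log."""
    log: list = []

    def ask(user, role, resource, patched=True):
        return evaluate(AccessRequest(user, role, resource, True, True, patched), log)

    decisions = {
        # Accounting reads financial spreadsheets but not customer data (another zone).
        "acct_payroll": ask("ana", "accountant", "finance/payroll.xlsx"),
        "acct_crm": ask("ana", "accountant", "crm/customers.db"),
        # Micro-segmentation: the intern sees petty cash, not payroll.
        "intern_petty": ask("ivy", "finance-intern", "finance/petty-cash.xlsx"),
        "intern_payroll": ask("ivy", "finance-intern", "finance/payroll.xlsx"),
        # Same user and resource later on: the device fell out of compliance,
        # so the earlier allow does not carry over (verification is ongoing).
        "acct_unpatched": ask("ana", "accountant", "finance/payroll.xlsx", patched=False),
    }
    return {"decisions": decisions, "log": log}
```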
Data encryption and management
With 71% of large companies and SMBs (small and medium-sized businesses) now using the cloud heavily, protecting cloud data from cybercriminals is essential. Zero-trust network architecture calls for robust data protection mechanisms, including encryption for data in motion and at rest:
- Data governance: Clear policies outlining how data is to be handled, stored, migrated, and exported.
- Data encryption: Encryption ensures that even if attackers steal your data, it’s unreadable without the decryption keys. Looking ahead, consider post-quantum encryption to guard against “harvest now, decrypt later” attacks, where criminals collect encrypted data today hoping to break it with quantum computing in the future.
- Data inspection: Continuous monitoring to ensure data confidentiality and protection against corruption.
In addition, least privilege access also ensures data security, as users and devices only have access to the data they need, not everything on the network.
Continuous monitoring and threat response
Usage data is collected and logged from all devices, users, containers, workloads, applications, and other resources present on your network. That way, you can monitor your network’s security health profile, see user activity, and identify anomalous behavior from centralized dashboards.
It’s also easier to implement automated threat responses based on defined security policies. On top of that, predictive analytics can help spot threat-like behavior on the network. This way, you combat potential breaches before they become a serious concern.
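The centralized log analysis and automated response described above, as an added example rather than the article's own tooling: a per-user baseline is learned from allowed accesses, and new activity is scored for unknown devices, first-time resources, unusual hours and bursts of denials, the last of which triggers an automated response recommendation. The log format, users and device IDs are constructed.

```python
"""Baseline-and-deviation detection over the centralized zero-trust access log
described in the text. Added example, not the article's code; the log format,
sample lines, user and device names are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed learning-window log: timestamp, user, device, resource, decision.
BASELINE_LOG = """\
2025-03-03T09:12:00 ana LT-0481 finance/payroll.xlsx allow
2025-03-04T09:30:00 ana LT-0481 finance/payroll.xlsx allow
2025-03-05T14:10:00 ana LT-0481 finance/petty-cash.xlsx allow
2025-03-03T11:00:00 bo LT-0932 eng/repo allow
"""

# Constructed new activity: ana's credentials show up at 02:41 on an unknown
# device, reaching for resources outside her role and collecting denials.
NEW_LOG = """\
2025-03-10T09:20:00 ana LT-0481 finance/payroll.xlsx allow
2025-03-10T02:41:00 ana LT-7711 crm/customers.db deny
2025-03-10T02:41:20 ana LT-7711 crm/customers.db deny
2025-03-10T02:41:45 ana LT-7711 eng/repo deny
2025-03-10T11:15:00 bo LT-0932 eng/repo allow
"""

EMPTY = {"devices": set(), "resources": set(), "hours": set()}

def parse(text: str) -> list:
    events = []
    for line in text.splitlines():
        ts, user, device, resource, decision = line.split()
        events.append((datetime.fromisoformat(ts), user, device, resource, decision))
    return events

def build_baseline(events: list) -> dict:
    """Per-user profile of devices, resources and hours seen on allowed access."""
    profile = defaultdict(lambda: {k: set() for k in EMPTY})
    for ts, user, device, resource, decision in events:
        if decision == "allow":
            profile[user]["devices"].add(device)
            profile[user]["resources"].add(resource)
            profile[user]["hours"].add(ts.hour)
    return dict(profile)

def detect(events: list, profile: dict, deny_burst: int = 3, window_s: int = 300) -> list:
    """Return (user, finding) pairs, each reported once per user. A burst of
    denials inside the window adds an automated-response finding."""
    alerts: list = []
    recent_denies: dict = defaultdict(list)

    def report(user, finding):
        if (user, finding) not in alerts:
            alerts.append((user, finding))

    for ts, user, device, resource, decision in events:
        p = profile.get(user, EMPTY)          # unknown user: everything is new
        if device not in p["devices"]:
            report(user, f"new device {device}")
        if resource not in p["resources"]:
            report(user, f"first access to {resource}")
        if ts.hour not in p["hours"]:
            report(user, f"unusual hour {ts.hour:02d}:00")
        if decision == "deny":
            denies = recent_denies[user]
            denies.append(ts)
            denies[:] = [t for t in denies if (ts - t).total_seconds() <= window_s]
            if len(denies) >= deny_burst:
                report(user, "deny burst: revoke session, require re-authentication")
    return alerts

def run() -> list:
    """Learn from the baseline window, then score the new activity."""
    return detect(parse(NEW_LOG), build_baseline(parse(BASELINE_LOG)))
```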
Zero trust vs. corporate VPN: What’s the difference?
A corporate VPN encrypts and secures the connection between employees and company systems. This remains a cornerstone of enterprise security, especially for distributed workforces.
However, corporate VPNs are tied to perimeter models, which often grant broad access once connected. Zero trust complements corporate VPNs by narrowing that access and verifying every request continuously.
Reminder: This discussion is about corporate VPNs, which are built for businesses to securely connect employees to internal company systems. Commercial VPNs like ExpressVPN, on the other hand, are made for individual users. They don’t connect you to a workplace network; instead, they focus on privacy, anonymity, and internet freedom by encrypting your traffic and hiding your IP address when you go online.
While a corporate VPN encrypts traffic, it primarily secures the path into the network. Network administrators can confirm who has logged in, but VPNs are not designed to provide detailed visibility into which resources are accessed once inside. That’s where zero trust adds value, by verifying identity continuously and enforcing least-privilege access across the network.
The table below summarizes these key differences:
| | Corporate VPN | Zero trust |
| --- | --- | --- |
| User location | Relevant | Not relevant |
| Trust | Implicit | Not implicit |
| Identity verification | One-time | Ongoing |
| Network access | Full (lateral) | Least privilege |
| Visibility | Connection-level (who is logged in) | Resource-level (who accesses what, when, how) |
| Authentication type | Traditional and advanced (certificates, keys, etc.) | Traditional and advanced (certificates, keys, etc.) |
| Security | Secure connection tunnel | Total network, user, device, and application security |
| Architecture | Verified users are trusted | Every access request verified |
| Device security | Managed through other enterprise tools | Important |
| User behavior | Outside scope | Monitored continuously |
| Cost | Lower | Higher |
| Scalability | Lower | Higher |
The two models aren’t mutually exclusive. Corporate VPNs secure the communication channel, while zero trust governs access and enforces least-privilege policies.
Strengthening corporate VPNs with zero trust
Zero trust isn’t about eliminating corporate VPNs but about building on them to modernize enterprise security. In fact, many enterprises run both:
- During migration: Corporate VPNs handle access while zero trust policies are phased in.
- For specific teams: Some groups still benefit from corporate VPN-based workflows.
- For redundancy: Corporate VPNs provide continuity if zero trust enforcement causes hiccups.
In practice, corporate VPNs remain valuable, while zero trust provides the future-proof model for modern, cloud-first environments.
Best practices and tips for zero trust in the cloud
Here are some practical zero trust implementation steps, best practices, and challenges:
Align zero trust with business goals
Zero-trust systems shouldn’t just be adopted into your network but strategically aligned to help meet your business goals.
For example, your zero-trust system may be defined to accommodate secure access for remote workers globally, to meet local and global data compliance requirements, or to simplify complex IT environments with a lot of non-connected moving parts.
Automate asset discovery and monitoring
Auditing and identifying all resources (user, device, application, workloads, containers, etc.) on your network is a crucial first step to actual implementation, especially to avoid security gaps.
That said, it’ll be challenging for large organizations and SMBs with many distributed properties to manually track all network resources. Instead, you can automate the process by scanning your network to discover every device and workload that connects to it.
This gives you a very good overview of your network assets and allows you to automatically find new network assets with minimal effort.
Embed zero trust into DevOps and CI/CD pipelines
Your DevOps environment is highly sensitive because it’s closely tied to the continuous integration (CI) and continuous deployment (CD) cycle for testing and rolling out code. These environments often contain source code, configuration files, credentials, and other sensitive assets, making them a prime target for cybercriminals.
Thankfully, zero trust helps solve potential breaches and data leaks from a DevOps environment with its several pillars:
- User identity verification: The user identity is verified before and after access is granted into the DevOps environment. Least privilege access is also enabled.
- Device verification: Zero trust checks the device posture (operating system, known vulnerabilities, etc.) to decide whether or not it’s safe for the DevOps environment.
- Network segmentation: The network environment is segregated into bits to prevent lateral movement. For instance, the development cycle can be segmented from implementation and testing, ensuring critical DevOps data is never in one place.
- Data protection: Checks at multiple endpoints can prevent data egress and corruption, disrupting the work of cybercriminals and malicious insiders. ZT also prioritizes data encryption, ensuring any copied data remains unusable (as long as the security keys aren’t known to the attacker).
Scale policies as your cloud environment evolves
As your cloud environment grows, whether you’re adding resources, onboarding more users, or adjusting privileges, zero trust makes it easier to scale securely and efficiently.
Even in mature setups that use AI and ML within ZTNA, well-defined policies ensure automation runs smoothly and keep security controls effective. This way, your defenses stay flexible and adaptive, ready to respond to an ever-changing threat landscape.
Common challenges when adopting zero trust in the cloud
Zero trust is an excellent security model, but its implementation may pose some unique challenges, which you should anticipate and prepare against.
Legacy systems and integration issues
Not all systems (hardware, software, applications, etc.) have been developed with the zero-trust model in mind, making their adaptation to the new network more challenging.
As an example, consider older computers or network servers that can’t handle the extra processing load from zero-trust systems.
In this case, you can start by securing your high-level assets with a zero-trust model. Then, maintain a hybrid system approach that combines zero trust with traditional security while you migrate the rest of the system.
User resistance and training gaps
Network users and defenders (employees, IT staff, C-suite executives, etc.) must be willing to adopt the zero-trust model. Otherwise, there may be pushback and pressure to revert to your traditional security approaches for convenience rather than security.
Here’s what you can do:
- Migrate slowly: Migrating your entire cloud infrastructure at once could lead to bugs (such as from wrong configurations or compatibility issues), which impacts the user experience. So, start by implementing ZT on a small part of the network first, testing and learning from it, before deploying it network-wide for other users.
- Adopt single sign-on (SSO): Manually verifying each access request puts an extra time and effort burden on the verifier (IT staff) and the requester (employee). This can be solved by using SSO to make the experience feel more natural.
- Invest in training: Network analysts may not want to change their analysis habits, and employees may find authenticating every request cumbersome. This is why you should invest in training to bridge the knowledge and user resistance gap.
Cloud visibility and shadow IT
You need the full picture of everything running on your cloud environment to evaluate possible threats and vulnerabilities. One of the biggest issues impacting cloud visibility is shadow IT, where employees use unsanctioned apps.
For instance, your company has authorized Gmail for email interactions, but an employee uses Apple Mail for convenience. Since your systems aren’t configured to work with Apple Mail, your IT department doesn’t get visibility into the data exchanges or security issues that the new email suite may pose.
You can address this issue in the following ways:
- Be intentional: Get a cloud architect to map out and build a cloud visibility profile that aligns with your company’s goals.
- Employee training: Train employees on how to use the cloud, best practices to follow, common mistakes to avoid, and the dangers of shadow IT.
- Enforce policies: Review every deployment of non-approved apps so they’re not allowed to linger on the network. This can be automated after a while.
- Ongoing monitoring: This is also built into the zero-trust system, allowing you to quickly note and react to changes in cloud application behavior.
Budget and ROI constraints
Migrating to zero trust isn’t cheap, especially if you’re coming from a predominantly perimeter-based security. Just for starters, you might have to contend with:
- Hardware and software changes.
- Training investment for employees and IT staff.
- Network server upgrade to handle zero trust performance loads.
- Investment in AI and ML infrastructure.
These may make it challenging to sell the idea to stakeholders and other decision makers. However, third-party research suggests that a zero-trust approach can deliver measurable returns. For instance, a Forrester Total Economic Impact study commissioned by Microsoft reported a 92% ROI, alongside a 50% reduction in breach risk.
With that in mind, consider the following potential cost offsets:
- Regulatory compliance: Uber was fined approximately $332 million in 2024, under the GDPR, for merely transferring user data unsafely between its European and U.S. branches.
- Financial cost of data breaches: A 2025 IBM report estimates that breached data costs companies around $4.4 million. Interestingly, companies that used AI and automation security (included in zero trust) saved $1.9 million yearly in cybersecurity issues, compared to those who didn’t.
- Operational cost of data breaches: In 2020, Travelex estimated a £25 million hit to its first-quarter core earnings following a ransomware attack. The disruption came on top of the coronavirus slump in travel demand and contributed to the company’s later restructuring and job cuts.
FAQ: Common questions about zero trust
What is zero trust in the cloud?
Zero trust in the cloud protects your organization’s data, network, users, and resources not covered by on-premise perimeter solutions. It works on the principles of always verifying user identity, granting least-privilege access to data (which is kept encrypted), and using behavioral analysis to speed up threat responses.
What’s the difference between corporate VPNs and ZTNA?
A corporate VPN encrypts the connection between an employee and the company network, making it possible to safely access internal systems from outside the office. This has been (and still is) a critical layer of enterprise security.
ZTNA doesn’t replace that secure tunnel but adds a new layer on top of it. Instead of granting broad access once a user connects through the corporate VPN, ZTNA continuously verifies identity and enforces least-privilege policies. In other words, a corporate VPN protects the path into the network, while zero trust governs what happens inside. Many organizations run both in parallel, using corporate VPNs for connectivity and ZTNA for fine-grained control.
How does zero trust handle multi-cloud deployments?
Multi-cloud environments can be tricky because each provider has its own security framework. Zero trust addresses this by creating a consistent set of rules across clouds. With the right setup, a central data source, or “main cloud,” can govern access policies that extend to other environments. Tools from providers, like Microsoft Defender for Cloud or Google BeyondCorp, help unify security controls so zero trust policies remain consistent, even across multiple clouds.
Do I still need a firewall with zero-trust cloud security?
Firewalls can be adapted to a zero-trust cloud security network to enforce security policies, including the continuous authentication of network entities, enforcing least privilege access, maintaining network segmentation, etc. The firewall also provides another data point for the ZTNA, since it’s the first point of contact between the network and users requesting access.
Is zero trust expensive to run in the cloud?
Zero trust can be expensive to run in the cloud. An organization can save costs by auditing its network resources and data to identify the most critical and highest-risk, then starting those resources on zero trust. This hybrid model should continually move towards the full zero-trust cloud security architecture to ensure a more holistic view of the network and policy enforcement in the long term.