What Is Zero Trust Data Security? Definition, Principles & How It Works

Summary

Definition: Zero trust data security is a cybersecurity model that assumes no user, device, network, or application should be trusted by default — even inside the organisation's own perimeter. Every access request must be explicitly authenticated, authorised, and continuously verified before data access is granted.

Core principle: "Never trust, always verify" — coined by John Kindervag of Forrester. Zero trust eliminates implicit trust in networks and applies least-privilege access, continuous verification, and assume-breach posture across all users and systems.

3 pillars: 1) Never Trust, Always Verify — authenticate every request regardless of origin. 2) Least-Privilege Access — grant only the minimum permissions required. 3) Assume Breach — operate as if an attacker is already inside.

Cohesity: Cohesity implements Zero Trust across data protection and management via DataLock immutable snapshots, RBAC, MFA, Quorum authorisation, AI anomaly detection, DSPM, and FortKnox cyber vaulting — applied to backup, recovery, and unstructured data environments.

What is Zero Trust data security?

Quick Answer: Zero trust data security is a cybersecurity model that treats every access request — regardless of whether it originates inside or outside the organisation's network — as untrusted until explicitly verified. It is built on the principle of "never trust, always verify" and requires continuous authentication, least-privilege access, and an assume-breach posture across all users, devices, and applications.

Zero trust data security is a cybersecurity model that assumes no actor, system, network, or service operating near a security perimeter should be trusted by default. Everything attempting to establish access to users, assets, and resources must validate its identity and authenticity before access is granted — every time, without exception.

The model represents a fundamental departure from traditional perimeter-based security, which assumed that anything inside the corporate network could be trusted. Zero trust data security eliminates that assumption. All traffic — internal and external — must be encrypted and authenticated, with access limited strictly to what each identity requires to perform its function.

This shift is driven by the reality of modern enterprise environments: users work from anywhere, data lives across multiple clouds and edge locations, and attackers routinely bypass perimeter defences by compromising trusted credentials. Zero trust data security closes these gaps by making verification continuous rather than one-time.

Why is Zero Trust data security important?

The traditional perimeter security model is no longer sufficient. Attackers today routinely operate inside enterprise networks using stolen credentials, compromised insiders, and supply chain vulnerabilities — all of which bypass perimeter defences entirely.

The scale of the threat makes this urgent. Cybersecurity Ventures projects a ransomware attack on a business every two seconds by 2031. Cybercriminals steal data for fraud, identity theft, and extortion — and a single compromised credential or errant user click can give attackers access to an entire network.

Zero trust data security addresses this by removing the implicit trust that makes credential theft and insider threats so damaging. Even if an attacker obtains valid credentials, least-privilege access and continuous verification limit how far they can move and what data they can reach.

The consequences of ignoring this shift are severe: data loss, operational disruption, ransom payments, regulatory penalties, and lasting reputational damage. Zero trust data security is increasingly a baseline expectation for cyber-resilient organisations — not an advanced capability.

Zero trust vs perimeter security: key differences

Traditional perimeter security operates on the assumption that the network boundary can be defended and that everything inside it is safe. Zero trust rejects both assumptions:

|                       | Perimeter Security                                        | Zero Trust                                               |
|-----------------------|-----------------------------------------------------------|----------------------------------------------------------|
| Trust model           | Implicit trust for users inside the perimeter             | No implicit trust — verify every request, every time     |
| Insider threats       | Poorly addressed — insiders are already "trusted"         | Treated as equivalent risk to external threats           |
| Credential compromise | Single stolen credential can traverse the network freely  | Least-privilege + MFA limits lateral movement            |
| Backup protection     | Backups accessible to anyone with network access          | Immutable, WORM-locked — cannot be altered by any user   |
| Attack blast radius   | Wide — attackers can move laterally unchecked             | Contained — each segment requires separate verification  |
| Compliance posture    | Reactive; hard to prove access controls                   | Proactive; continuous audit logs and access records      |

The shift from perimeter to zero trust is not simply a technology upgrade — it is a change in architectural philosophy. Where perimeter security asks "are you inside the wall?", zero trust asks "can you prove who you are and why you need this access, right now?"

What is meant by Zero Trust Security?

Zero Trust Security means that all network traffic must follow the tenet of "never trust, always verify" coined by John Kindervag of Forrester, even if the devices or users in question belong to the organization's network or have been previously verified.

This approach to cybersecurity creates a defensible architecture for organizations working to simultaneously:

  • Protect against cyberattacks
  • Keep data secure
  • Ensure organizational objectives are achieved

The three core principles of Zero Trust Security

| Principle                   | What It Means                                                                                                                                        | Why It Matters                                                                                                                              |
|-----------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------|
| Never Trust, Always Verify  | Every access request — regardless of whether it comes from inside or outside the network — must be authenticated and authorised before access is granted. | Eliminates the "trusted network" assumption. A compromised insider or credential is just as dangerous as an external attacker.              |
| Least-Privilege Access      | Users, applications, and services receive only the minimum permissions required to perform their specific function. Access is time-limited where possible. | Dramatically reduces the blast radius of a compromised account — attackers can only reach what that identity was permitted to touch.        |
| Assume Breach               | The model operates as though a breach has already occurred or is imminent. Every access request is treated as potentially hostile.                   | Shifts posture from perimeter defence to continuous verification — detecting and containing attackers who are already inside.              |

Together, these three principles create a security posture where no single point of failure — whether a compromised password, a rogue admin, or a misconfigured network segment — can result in unrestricted access to data.

What is an example of Zero Trust data security?

Example 1: Multi-Factor Authentication (MFA)

Multi-factor authentication is one of the most widely deployed zero trust controls. It requires users to prove both that they know something (a password) and that they have something (a mobile device or hardware token) before access is granted. This prevents attackers who have stolen a username and password from logging in — because they cannot also provide the second factor.

In practice, MFA is applied to all user-facing interfaces: cloud consoles, VPN access, backup management portals, and administrative tools. Time-based one-time passwords (TOTP) and push-notification approvals are common implementations.

Example 2: Immutable Backup with Quorum Authorisation

A more advanced zero trust example is the combination of immutable backup storage with quorum-based authorisation. In this model, backup data is written in a WORM-locked state — no single user, including an administrator, can delete or modify it. Any attempt to change retention policies or delete snapshots requires approval from a defined quorum of authorised individuals.

This directly implements the zero trust principle of 'never trust' applied to privileged users: even legitimate administrators are not implicitly trusted to make unilateral changes to backup data.

What are the Zero Trust principles?

Zero Trust principles follow the tenet of "never trust, always verify" that John Kindervag of Forrester introduced. They require an organization to explicitly verify anyone attempting to access or modify any of its data, services, or networks. They also apply least-privilege access, which limits employees' access strictly to what they need to do their jobs in the organization. Finally, they assume the worst-case scenario, a breach, which is why every access request is verified as though it originated from an open network. Together, these principles deliver significant Zero Trust security benefits that improve cyber resilience.

What technologies does Zero Trust require?

Zero trust data security is not a single product — it is an architecture implemented through a combination of layered technologies. Each addresses a different attack surface:

| Technology                                  | How It Works                                                                                                                                          | Zero Trust Role                                                                                                                   |
|---------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|
| Multi-Factor Authentication (MFA)           | Requires users to prove both knowledge (password) and possession (phone prompt, TOTP) before access is granted.                                       | Blocks brute-force attacks and credential theft — the most common initial access vector in ransomware incidents.                  |
| Role-Based Access Control (RBAC)            | Grants permissions based on job function, not individual identity. Access is limited strictly to what each role requires.                             | Enforces least-privilege at scale across large user populations and complex environments.                                         |
| Quorum / Multi-Person Authorisation         | Sensitive operations — such as deleting backup data or changing security policies — require approval from multiple authorised individuals.             | Prevents a single compromised or rogue administrator from causing catastrophic damage unilaterally.                               |
| Immutable Data Storage                      | Backup data is written in a WORM (write-once, read-many) state and cannot be modified or deleted during the retention period.                          | Eliminates the ability of ransomware or insiders to destroy backup copies, ensuring recovery is always possible.                   |
| Continuous Monitoring & Anomaly Detection   | AI/ML models analyse data access patterns in real time, flagging unusual behaviour that may indicate an active attack or insider threat.               | Provides early warning before the full impact of an attack is realised — compressing response time and blast radius.              |
| Auditing & Immutable Logs                   | Every action on the platform is logged in a tamper-evident audit trail that can be produced for forensic investigation or compliance.                 | Creates accountability and provides the evidence chain needed for incident response and regulatory reporting.                     |

The three stages of the Zero Trust data security model

Stage 1: Data Resiliency

Data resiliency requires that all data be encrypted and that immutable copies exist — ensuring data is protected at rest and recoverable in the event of an attack or disaster. In practice, this means storing backups in a WORM-locked state that no user, administrator, or external application can modify or delete during the retention period.

Data resiliency is the foundation of zero trust data security: if backups can be destroyed, every other control layer can be defeated by simply targeting the recovery infrastructure.

Stage 2: Data Access

The data access stage enforces precise control over who can access or modify data through multifactor authentication (MFA) and granular role-based access controls (RBAC). Access is granted on a least-privilege basis — users and applications receive only the permissions required for their specific role, for the minimum time necessary.

Quorum-based authorisation adds a further control layer for high-impact operations: actions such as deleting backup data or changing security policies require approval from multiple authorised individuals, eliminating single points of administrative compromise.
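The checks described in Example 2 above and in this stage, as an added Python example that is not Cohesity's code: a snapshot-deletion request must pass an RBAC permission check, then a WORM retention check that no identity or quorum can override, then a two-person quorum of distinct, authorised, recent approvers other than the requester. The role table, quorum size, approval window and sample timestamps are constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
QUORUM_REQUIRED = 2                 # constructed policy value, not Cohesity's configuration
QUORUM_WINDOW = timedelta(hours=4)  # approvals older than this no longer count (assumed)
ROLE_PERMISSIONS = {                # hypothetical RBAC table: role -> permissions
    "backup-admin": {"snapshot.read", "snapshot.delete"},
    "security-admin": {"snapshot.read", "snapshot.delete", "policy.change"},
    "operator": {"snapshot.read"},
}

@dataclass
class Snapshot:
    written_at: datetime
    retention: timedelta  # WORM retention: no identity can shorten or bypass it

@dataclass
class DeleteRequest:
    snapshot: Snapshot
    requester: str
    requester_role: str
    approvals: list = field(default_factory=list)  # (approver, role, approved_at)

def evaluate_delete(req: DeleteRequest, now: datetime) -> tuple:
    # Returns (allowed, reason). No check is skipped for administrators.
    # 1. Least privilege: the requester's role must hold the permission at all.
    if "snapshot.delete" not in ROLE_PERMISSIONS.get(req.requester_role, set()):
        return False, "denied: role lacks snapshot.delete"
    # 2. Immutability: the WORM lock holds regardless of who asks or who approves.
    if now < req.snapshot.written_at + req.snapshot.retention:
        return False, "denied: snapshot is under WORM retention"
    # 3. Quorum: distinct, authorised, recent approvers other than the requester.
    approvers = {
        who for who, role, at in req.approvals
        if who != req.requester
        and "snapshot.delete" in ROLE_PERMISSIONS.get(role, set())
        and timedelta(0) <= now - at <= QUORUM_WINDOW
    }
    if len(approvers) < QUORUM_REQUIRED:
        return False, f"denied: quorum {len(approvers)}/{QUORUM_REQUIRED}"
    return True, "allowed: retention expired and quorum satisfied"

def run_demo() -> dict:
    # Constructed requests against an expired snapshot and one still under retention.
    now = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    expired = Snapshot(now - timedelta(days=60), timedelta(days=30))
    locked = Snapshot(now - timedelta(days=2), timedelta(days=30))
    fresh = now - timedelta(minutes=30)
    ok = [("bob", "backup-admin", fresh), ("carol", "security-admin", fresh)]
    bad = [("alice", "backup-admin", fresh), ("bob", "operator", fresh)]  # self-approval, no rights
    return {
        "quorum_met": evaluate_delete(DeleteRequest(expired, "alice", "backup-admin", ok), now),
        "self_or_unauthorised": evaluate_delete(DeleteRequest(expired, "alice", "backup-admin", bad), now),
        "worm_locked": evaluate_delete(DeleteRequest(locked, "alice", "backup-admin", ok), now),
        "no_permission": evaluate_delete(DeleteRequest(expired, "dave", "operator", ok), now),
    }
```

The order of the checks matters: a retention lock is refused before any approvals are counted, so a full quorum of administrators still cannot shorten the WORM window.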

Stage 3: Detection and Analytics

The detection and analytics stage ensures that data environments are continuously monitored for signs of active attack, anomalous behaviour, or insider threats. AI and ML models analyse access patterns, file entropy changes, and system behaviour in real time — flagging suspicious activity before an attack achieves its full impact.

This stage transforms security from a reactive posture (detecting attacks after damage is done) to a proactive one (detecting and containing attacks while they are still in progress).
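The signals this stage describes, as an added Python example that is not Cohesity's detection logic: each backup run is reduced to the share of files whose byte entropy looks like encrypted content and the number of files missing since the previous run, and the current run is flagged when either signal exceeds the baseline of earlier runs by more than three standard deviations. The 7.2 bits-per-byte threshold, the three-sigma rule and the sample runs are constructed assumptions.

```python
import math
import random
from collections import Counter
from statistics import mean, pstdev

HIGH_ENTROPY = 7.2  # bits/byte; encrypted or compressed content sits near 8.0 (assumed threshold)
SIGMA = 3.0         # distance above the baseline at which a run is flagged (assumed)

def shannon_entropy(data: bytes) -> float:
    # Bits per byte: 0.0 for empty or constant input, 8.0 for uniformly random bytes.
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def run_metrics(files: dict, previous: dict) -> dict:
    # Two per-run signals: share of encryption-like files, files missing since the last run.
    high = sum(1 for blob in files.values() if shannon_entropy(blob) >= HIGH_ENTROPY)
    deleted = len(set(previous) - set(files))
    return {"high_entropy_ratio": high / max(len(files), 1), "deleted": deleted}

def flag_anomalies(history: list, current: dict) -> list:
    # Flag any signal that exceeds the baseline mean of earlier runs by more than SIGMA stdevs.
    findings = []
    for key, value in current.items():
        base = [h[key] for h in history]
        threshold = mean(base) + SIGMA * pstdev(base)
        if value > 0 and value > threshold:
            findings.append(f"{key}: {value:.2f} exceeds baseline {threshold:.2f}")
    return findings

def build_sample_runs() -> tuple:
    # Constructed data: four normal runs of text-like documents plus one or two legitimate
    # archives, then a run in which most documents are random bytes and several are gone.
    rng = random.Random(7)
    text = ("quarterly report " * 60).encode()  # about 3.3 bits/byte
    def blob(): return rng.randbytes(1024)       # about 7.8 bits/byte
    history = []
    for run in range(4):
        files = {f"doc{i}.txt": text for i in range(20)}
        for j in range(1 + run % 2):
            files[f"archive{j}.zip"] = blob()
        history.append(files)
    attacked = {f"doc{i}.txt": blob() for i in range(14)}  # 6 documents deleted, rest encrypted
    return history, attacked

def detect() -> list:
    history, attacked = build_sample_runs()
    baseline = [run_metrics(files, prev) for prev, files in zip([{}] + history, history)]
    return flag_anomalies(baseline, run_metrics(attacked, history[-1]))
```

The normal runs each contain a legitimate high-entropy archive and one of them drops a file, so the baseline tolerates routine churn; only the run where entropy and deletions jump together is reported.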

Cohesity and Zero Trust data security

Cohesity aligns with and enhances the principles of Zero Trust Security by providing users with multiple points of protection through the Cohesity Data Cloud. The platform couples data security and management with highly secure data mobilization and configuration to detect anomalies and safeguard data across multi-cloud, on-premises, and edge computing environments. Cohesity Threat Defense merges active threat intelligence and data backups with immutable capacity and isolation capabilities to deliver a proactive approach to cybersecurity that strengthens cyber resilience.

Specifically, Cohesity Zero Trust Security empowers organizations to preserve brands and keep businesses running:

  • Reduce attack surfaces — Consolidate vulnerable infrastructure silos onto one secure, scalable platform.
  • Rapidly recover from ransomware — Benefit from immutable snapshots. Detect suspicious activity with AI/ML, and in the worst-case scenario, rapidly restore in minutes.
  • Speed security ecosystem integrations — Take advantage of pre-built integrations and apps from leading third-party security partners that help keep the bad actors at bay.

Every major component of the platform maps to one or more zero trust controls:

Never Trust, Always Verify

  • Multi-Factor Authentication (MFA): All access to Cohesity management interfaces requires MFA, preventing credential theft from enabling unauthorised access.
  • Role-Based Access Control (RBAC): Granular, role-scoped permissions ensure every user and service has only the access required for their specific function.
  • Quorum-Based Authorisation: High-impact operations — including deletion of backup data and security policy changes — require multi-person approval, eliminating single-administrator risk.
  • API-Only Trusted Access: Writes to backup data views are restricted to authenticated internal services. No external application or user has direct write access to backup storage.

Least-Privilege Access

  • Granular RBAC: Cohesity's RBAC model supports fine-grained permission scoping down to individual data sources, backup policies, and management operations.
  • DataLock (WORM Immutability): Once backup data is written, DataLock prevents modification or deletion for the defined retention period — enforcing least-privilege at the storage layer, not just the identity layer.
  • Zero-Cost Cloning: Any attempt to modify a backup snapshot automatically creates a clone — the original is never altered, regardless of the user's permission level.

Assume Breach

  • AI-Powered Anomaly Detection: Cohesity's ML models continuously monitor backup data patterns, flagging unusual encryption rates, deletion spikes, and access anomalies that indicate an active attack.
  • Data Security Posture Management (DSPM): Cohesity DSPM continuously assesses sensitive data exposure and security posture across backup environments — identifying risk before attackers exploit it.
  • FortKnox Cyber Vaulting: An air-gapped, Cohesity-managed cloud vault ensures a clean, immutable recovery point survives even if on-premises infrastructure is fully compromised.
  • AES-256 Encryption: All backup data is encrypted at rest and in transit, ensuring confidentiality alongside integrity.
  • Threat Defence Integrations: Cohesity integrates with leading SIEM, SOAR, and threat intelligence platforms — sharing indicators of compromise bidirectionally to accelerate incident detection and response.

Frequently asked questions: Zero Trust data security

Is zero trust a product or an architecture?

Zero trust is an architectural approach, not a single product. It is implemented through a combination of technologies — MFA, RBAC, immutable storage, continuous monitoring, and audit logging — applied consistently across an organisation's data, users, and systems. No single vendor or product delivers zero trust in isolation.

What is the difference between zero trust and zero trust data security?

Zero trust is the broader security philosophy — applied to networks, identities, endpoints, and applications. Zero trust data security applies zero trust principles specifically to data: how data is stored, who can access it, how it is protected at rest and in transit, and how it can be recovered. In a data context, this means immutable backups, encrypted storage, least-privilege access to data stores, and continuous monitoring of data access patterns.

Does zero trust prevent ransomware?

Zero trust significantly reduces ransomware risk but does not eliminate it entirely. Least-privilege access limits lateral movement; MFA blocks credential-based attacks; immutable backups ensure recovery is always possible even if ransomware executes. Zero trust applied to backup infrastructure specifically — preventing attackers from destroying recovery points — is one of the most effective ransomware mitigations available.

What is NIST's definition of zero trust?

NIST Special Publication 800-207 defines zero trust as a set of evolving cybersecurity paradigms that move defences from static, network-based perimeters to focus on users, assets, and resources. NIST identifies seven tenets of zero trust, including treating all data sources as resources, securing all communication regardless of network location, granting least-privilege access, and continuously monitoring and validating security posture.

How is zero trust applied to backup and recovery?

Applying zero trust to backup and recovery means: storing backups in an immutable, WORM-locked state; restricting backup management access via RBAC and MFA; requiring quorum authorisation for sensitive operations; encrypting backup data at rest and in transit; continuously monitoring backup environments for anomalies; and storing isolated copies in an air-gapped cyber vault. These controls ensure that backup data remains a reliable recovery option even after a full network compromise.
