What is Zero-Trust Architecture2023-05-16T16:04:37-04:00

What is Zero-Trust Architecture?

Zero-trust architecture (ZTA)—or zero-trust security—is a security approach designed to prevent unauthorized access to data and computing services by enforcing fine-grained access controls between users, systems, applications, and data.

Demystifying zero-trust

The term "zero-trust" has become a bit of a buzzword in the world of cybersecurity. It's become the most recent “solution to all of our security problems." And, like all buzzwords, it can be hard to understand what it all means, how it works, if it’s even real, or what to do with it. Let's demystify some of this.

Unfortunately, there is no simple checklist or set of requirements for zero-trust compliance. Instead, zero-trust requires IT professionals to rethink their approach to infrastructure and network security by assuming that all users are malicious actors and that all networks, systems, and applications are compromised. Instead, it’s up to each entity to verify that it’s trustworthy.

The implications of this paradigm shift are not always obvious.

The traditional security model approach

The traditional approach to security is perimeter-based. Organizations would secure their network perimeter and, once inside a datacenter, users, devices, workloads, and apps would be trusted by default. However, this approach has become outdated as organizations move away from centralization to distributed services in the cloud, and adopt mobile / remote working. This opens up a host of potential vulnerabilities.

Zero-trust is a significant departure from traditional security models, which rely on perimeter-based defenses. In these models, security is focused on protecting the network perimeter, with the assumption that everything inside the perimeter is trusted. However, with the rise of cloud computing, mobile devices, and remote work, the traditional perimeter-based approach is no longer sufficient. Zero-trust architecture is designed to provide a more comprehensive approach to security that addresses the challenges of modern computing environments.

At its core, zero-trust security is about creating a security model based on the principle of: never trust, always verify. All users and devices, whether inside or outside of your network, are considered potentially hostile and must be authenticated and authorized before they are allowed to access any resources.

Gartner® Report

The 6 Principles of Successful Network Segmentation Strategies

Common zero-trust principles

Implementing zero-trust security requires a shift in mindset. It's not just about implementing new technology but also about changing the way you think about security.

Least privilege access

The first principle of a zero-trust security model is to limit access to resources to the minimum necessary to perform a specific task. This is known as least privilege access and is part of a zero-trust approach often called zero-trust network access (ZTNA). By limiting access, you reduce the attack surface and the potential for damage if a user, device or application is compromised.

Continuous authentication

Users, devices, and applications authenticate and authorize every resource or endpoint access attempt. Authentication and authorization are not one-time events, but part of ongoing processes.

Network segmentation

By segmenting your network, you can limit the potential impact of a security breach. If an attacker manages to compromise one segment of your network, they will be unable to access other segments. This is often accomplished through the use of firewalls, ACLs (Access Control Lists), and VLANs (Virtual Local Area Networks).

Learn more about network segmentation >


Microsegmentation goes beyond network segmentation and breaks down your network into even smaller segments. This means you can limit access to resources even further and reduce the potential impact of a security breach, containing the issue to an even smaller zone.


To further protect resources, sensitive data is encrypted in-transit and at rest. Encryption is especially useful when resource access occurs across potentially insecure networks within an organization, or via the internet.

Continuous monitoring

By monitoring all network activity, you can detect potential threats and respond to them quickly. This allows you to identify and contain threats before they can cause significant damage. This is where monitoring tools like OpenNMS Meridian are especially helpful.

Identity and access management

Identity and access management (IAM) is a critical component of zero-trust, as it’s used to manage user and device identities and access to resources. IAM solutions can help to enforce least privilege policies by limiting access to resources based on a user's role or job function.

Multi-factor authentication

Multi-factor authentication (MFA) is another critical component of zero-trust security, as it requires users to provide multiple forms of authentication before they are granted access to resources. This can include something the user knows (such as a password), something they have (such as a smart card or token), or something they are (such as biometric data).

Zero-trust & OpenNMS products

Many legacy network monitoring protocols were design in the era when perimeter-based security was sufficient to protect sensitive resources. Of course, OpenNMS products understand and can use these legacy protocols in environments that still rely on traditional SNMP, ICMP, and other protocols.

However, OpenNMS has also evolved over the years to support newer protocols that use SNMPv3, TLS, HTTPS, and NTPv4 (with NTS) to enforce authentication and network encryption. The OpenNMS support team can provide guidance on how to harden an OpenNMS Horizon or Meridian installation to take advantage of these secure options.

OpenNMS Appliance mini network data collector
OpenNMS Appliance mini network data collector

OpenNMS Appliance comes preconfigured with these zero-trust features:

  • Network Time Protocol v4 with Security (NTPv4/NTS) to protect against time synchronization tampering
  • Encrypted transport using TLS 1.2/1.3 for all back-end communications
  • Disk encryption to protect against software tampering
  • OpenNMS and Linux software is digitally signed and automatically updated from cloud-based servers that use strong authentication to ensure software integrity
  • Secure boot using TPM features to access an encrypted disk
  • Certificate, token, and password-based multi-factor authentication where possible
  • Authorization used to validate access to message queues and back-end OpenNMS servers

These allow the OpenNMS Appliance to communicate from a remote network to a core OpenNMS Meridian installation without requiring a VPN.

OpenNMS in the cloud

The OpenNMS Appliance service is one component of the overall OpenNMS cloud environment.

All OpenNMS cloud services are built following similar zero-trust principles:

  • Encrypted transport using TLS 1.2/1.3 for all customer communications
  • Multi-factor authentication for customers and their self-hosted OpenNMS components that communicate to OpenNMS Cloud
  • Mutual authentication using TLS 1.2/1.3 for gRPC application-to-application communications
  • Encrypted data storage in our cloud environment

How to get started with zero-trust

  • 1

    Start with a pilot project. Implementing zero-trust security can be a daunting task. Start with a small pilot project to test the waters and gain some experience.

  • 2

    Develop a zero-trust security strategy. Develop a strategy for implementing zero-trust architecture in your organization. This should include a roadmap for implementation, a list of resources required, a cybersecurity response plan, and a timeline for completion.

  • 3

    Work with a trusted partner.Working with a trusted partner, like OpenNMS, can help you navigate the complex world of zero-trust security as you implement network monitoring solutions. We can provide consulting, guidance, and support as you implement your strategy.

  • 4

    Educate your employees. The human factor in security is the most difficult hurdle—and where many security policies fail. Educating your employees about zero-trust security is essential. They need to understand the principles behind it and how it affects their day-to-day work.


Keep reading


Want to learn more about OpenNMS, our products, and how they fit into your environment?

Get in touch—we're here for you.

Read the documentation

Learn how to deploy, configure, and operate OpenNMS—from first time log-ins to deep dives for technical users.

Go to Top