{"slug":"zero-trust-networking-definition","title":"'Zero Trust Networking' definition","tags":["tailscale","networking"],"agent_summary":"Last validated: Jan 5, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# \"Zero Trust Networking\" definition\r\n\r\nLast validated: Jan 5, 2026\r\n\r\nZero Trust Networking (ZTN) is an architecture descended from Google's\r\n[BeyondCorp](https://research.google/pubs/pub43231) design.\r\n\r\nAlthough many products now advertise \"zero trust,\" it is not always clear\r\nexactly what it means. We summarize it this way: zero trust means that you\r\ncan't trust the physical network anymore.\r\n\r\n## [History](https://tailscale.com/docs/concepts/zero-trust\\#history)\r\n\r\nTraditional network security has a \"hard crunchy outside, soft chewy\r\ninside.\" In that design, you put a corporate firewall at the edge between\r\nyour \"private\" network and \"the internet.\" But inside the firewall, security\r\nis usually much more lax. If an attacker gets access to the private network, it's\r\ngame over.\r\n\r\nThat old architecture had been known to be problematic for many years, but\r\nthe Snowden revelations about how they infiltrated Google's and Yahoo's\r\nprivate networks—the famous [SSL added and removed here :)](https://www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html)\r\npost-it note—brought the problem into focus.\r\n\r\nGovernments and persistent attackers were actively breaching the physical\r\nnetworks of major corporations. To say nothing of unencrypted DNS, and\r\nwide-open public Wi-Fi in your neighborhood cafe.\r\n\r\n## [Solution: end-to-end encryption](https://tailscale.com/docs/concepts/zero-trust\\#solution-end-to-end-encryption)\r\n\r\nConceptually, the solution is simple: instead of \"adding and removing\"\r\nencryption at the firewall, put a firewall around every device and every\r\nservice, and ensure that sessions are always encrypted between every pair of\r\nendpoints. Then if an attacker has physical access to the network, all they\r\ncan get is meaningless encrypted packets.\r\n\r\nFurthermore, even if they get access to one insecure device, that still only\r\ngives visibility into the traffic directly to and from that device. By\r\ncarefully restricting which encryption keys are accepted by each service on\r\nthe network, a zero trust network prevents or dramatically slows down\r\n\"lateral motion\" from one compromised device to the next.\r\n\r\n## [Incremental Zero Trust](https://tailscale.com/docs/concepts/zero-trust\\#incremental-zero-trust)\r\n\r\nEvery security team nowadays would like to migrate to a Zero Trust\r\narchitecture, but it's daunting. Encryption is easy—everything supports\r\nHTTPS nowadays—but deploying certificates and encryption keys is hard.\r\nEven though we call it \"zero trust,\" rolling out a real zero trust network\r\nrequires a lot of trusted components: certificate authorities, identity\r\nproviders, authorization and policy engines, and so on.\r\n\r\nTo make rollouts simpler, we recommend proceeding in several steps:\r\n\r\n1. First, secure individual user devices. Rather than connecting physical\r\noffice networks to your server networks (which may be in data centers or\r\nin the cloud), use an encrypted connection like WireGuard® or\r\nTailscale to connect from each end-user device to a\r\n[subnet router](https://tailscale.com/docs/features/subnet-routers)\r\non each of your various server\r\nnetworks. This eliminates your vulnerability to physical network attacks\r\nat the head office or branch offices.\r\n\r\nAt this step, you aren't quite at \"zero trust\": you don't have to trust\r\nthe physical networks in your offices, but you still trust the \"physical\"\r\n(or sometimes virtual) network in your data centers or cloud VPCs.\r\n\r\n2. Next, add end-to-end encryption to your most valuable servers, one by\r\none. User devices will be able to make encrypted links directly to the\r\nnewly configured servers, eliminating the \"SSL added and removed here\"\r\nproblem for those links.\r\n\r\nOnce end-to-end encryption is activated on a server, and you've migrated\r\nall traffic to the encrypted link, you'll want to lock down each server\r\nby disabling non-encrypted traffic to that server entirely.\r\n\r\n3. Finally, after migrating all the servers on a particular subnet entirely\r\nto the end-to-end encrypted zero trust model, disable the subnet routers for\r\nthat subnet completely.\r\n\r\n4. Repeat these steps as necessary for each subnet in each location.\r\n\r\n\r\n## [Shameless plug](https://tailscale.com/docs/concepts/zero-trust\\#shameless-plug)\r\n\r\nNaturally, we recommend gradually deploying Tailscale as part of each step.\r\n\r\n- Tailscale is available as a native client app for your users' devices\r\nrunning Windows, macOS, iOS, Android, and Linux.\r\n\r\n- Tailscale supports a mesh of [subnet routers](https://tailscale.com/docs/features/subnet-routers) using any\r\ncombination of IPv4 and [IPv6](https://tailscale.com/docs/concepts/ipv6). It minimizes latency by\r\nforming a mesh between all subnets, rather than routing through a central\r\nchoke point.\r\n\r\n- Tailscale supports a hybrid configuration of Zero Trust and subnet routes,\r\nmaking it easier to migrate huge networks cautiously and incrementally.\r\n\r\n- Tailscale integrates with your [corporate SSO](https://tailscale.com/docs/integrations/identity) and\r\nhandles all issues with login, key distribution, [key rotation](https://tailscale.com/blog/rotate-ssh-keys), packet\r\nfiltering, and [access control](https://tailscale.com/docs/features/access-control).\r\n\r\n\r\nYou can read more in [How Tailscale Works](https://tailscale.com/blog/how-tailscale-works).\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>\"Zero Trust Networking\" definition</h1>\n<p>Last validated: Jan 5, 2026</p>\n<p>Zero Trust Networking (ZTN) is an architecture descended from Google's\r\n<a href=\"https://research.google/pubs/pub43231\">BeyondCorp</a> design.</p>\n<p>Although many products now advertise \"zero trust,\" it is not always clear\r\nexactly what it means. We summarize it this way: zero trust means that you\r\ncan't trust the physical network anymore.</p>\n<h2><a href=\"https://tailscale.com/docs/concepts/zero-trust#history\">History</a></h2>\n<p>Traditional network security has a \"hard crunchy outside, soft chewy\r\ninside.\" In that design, you put a corporate firewall at the edge between\r\nyour \"private\" network and \"the internet.\" But inside the firewall, security\r\nis usually much more lax. If an attacker gets access to the private network, it's\r\ngame over.</p>\n<p>That old architecture had been known to be problematic for many years, but\r\nthe Snowden revelations about how they infiltrated Google's and Yahoo's\r\nprivate networks—the famous <a href=\"https://www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html\">SSL added and removed here :)</a>\r\npost-it note—brought the problem into focus.</p>\n<p>Governments and persistent attackers were actively breaching the physical\r\nnetworks of major corporations. To say nothing of unencrypted DNS, and\r\nwide-open public Wi-Fi in your neighborhood cafe.</p>\n<h2><a href=\"https://tailscale.com/docs/concepts/zero-trust#solution-end-to-end-encryption\">Solution: end-to-end encryption</a></h2>\n<p>Conceptually, the solution is simple: instead of \"adding and removing\"\r\nencryption at the firewall, put a firewall around every device and every\r\nservice, and ensure that sessions are always encrypted between every pair of\r\nendpoints. Then if an attacker has physical access to the network, all they\r\ncan get is meaningless encrypted packets.</p>\n<p>Furthermore, even if they get access to one insecure device, that still only\r\ngives visibility into the traffic directly to and from that device. By\r\ncarefully restricting which encryption keys are accepted by each service on\r\nthe network, a zero trust network prevents or dramatically slows down\r\n\"lateral motion\" from one compromised device to the next.</p>\n<h2><a href=\"https://tailscale.com/docs/concepts/zero-trust#incremental-zero-trust\">Incremental Zero Trust</a></h2>\n<p>Every security team nowadays would like to migrate to a Zero Trust\r\narchitecture, but it's daunting. Encryption is easy—everything supports\r\nHTTPS nowadays—but deploying certificates and encryption keys is hard.\r\nEven though we call it \"zero trust,\" rolling out a real zero trust network\r\nrequires a lot of trusted components: certificate authorities, identity\r\nproviders, authorization and policy engines, and so on.</p>\n<p>To make rollouts simpler, we recommend proceeding in several steps:</p>\n<ol>\n<li>First, secure individual user devices. Rather than connecting physical\r\noffice networks to your server networks (which may be in data centers or\r\nin the cloud), use an encrypted connection like WireGuard® or\r\nTailscale to connect from each end-user device to a\r\n<a href=\"https://tailscale.com/docs/features/subnet-routers\">subnet router</a>\r\non each of your various server\r\nnetworks. This eliminates your vulnerability to physical network attacks\r\nat the head office or branch offices.</li>\n</ol>\n<p>At this step, you aren't quite at \"zero trust\": you don't have to trust\r\nthe physical networks in your offices, but you still trust the \"physical\"\r\n(or sometimes virtual) network in your data centers or cloud VPCs.</p>\n<ol start=\"2\">\n<li>Next, add end-to-end encryption to your most valuable servers, one by\r\none. User devices will be able to make encrypted links directly to the\r\nnewly configured servers, eliminating the \"SSL added and removed here\"\r\nproblem for those links.</li>\n</ol>\n<p>Once end-to-end encryption is activated on a server, and you've migrated\r\nall traffic to the encrypted link, you'll want to lock down each server\r\nby disabling non-encrypted traffic to that server entirely.</p>\n<ol start=\"3\">\n<li>\n<p>Finally, after migrating all the servers on a particular subnet entirely\r\nto the end-to-end encrypted zero trust model, disable the subnet routers for\r\nthat subnet completely.</p>\n</li>\n<li>\n<p>Repeat these steps as necessary for each subnet in each location.</p>\n</li>\n</ol>\n<h2><a href=\"https://tailscale.com/docs/concepts/zero-trust#shameless-plug\">Shameless plug</a></h2>\n<p>Naturally, we recommend gradually deploying Tailscale as part of each step.</p>\n<ul>\n<li>\n<p>Tailscale is available as a native client app for your users' devices\r\nrunning Windows, macOS, iOS, Android, and Linux.</p>\n</li>\n<li>\n<p>Tailscale supports a mesh of <a href=\"https://tailscale.com/docs/features/subnet-routers\">subnet routers</a> using any\r\ncombination of IPv4 and <a href=\"https://tailscale.com/docs/concepts/ipv6\">IPv6</a>. It minimizes latency by\r\nforming a mesh between all subnets, rather than routing through a central\r\nchoke point.</p>\n</li>\n<li>\n<p>Tailscale supports a hybrid configuration of Zero Trust and subnet routes,\r\nmaking it easier to migrate huge networks cautiously and incrementally.</p>\n</li>\n<li>\n<p>Tailscale integrates with your <a href=\"https://tailscale.com/docs/integrations/identity\">corporate SSO</a> and\r\nhandles all issues with login, key distribution, <a href=\"https://tailscale.com/blog/rotate-ssh-keys\">key rotation</a>, packet\r\nfiltering, and <a href=\"https://tailscale.com/docs/features/access-control\">access control</a>.</p>\n</li>\n</ul>\n<p>You can read more in <a href=\"https://tailscale.com/blog/how-tailscale-works\">How Tailscale Works</a>.</p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}