Zero Trust is a cybersecurity model that assumes no user or device should be inherently trusted, even if it is inside the network perimeter. Every access request must be verified, and trust is never assumed based on network location or device ownership. In traditional “castle-and-moat” security, anything inside the corporate LAN was considered trustworthy; Zero Trust, by contrast, treats every network interaction as if it originates from an untrusted environment. As NIST describes, Zero Trust shifts defenses from static, network-based perimeters to focus on users, assets, and resources, with authentication and authorization required before any session to a resource is established. In essence, the Zero Trust model follows the mantra “never trust, always verify,” operating under the expectation of breach rather than an assumption of safety.
Core Principles of Zero Trust
1. Never Trust, Always Verify
No implicit trust is granted to any user, device, or system. Every access request is authenticated, authorized, and encrypted every single time, using all available signals (user identity, device health, location, etc.). Even if a user has connected before, each new request is treated as untrusted by default and must be verified explicitly.
2. Least Privilege Access
Users and systems are given the minimum level of access needed to perform their tasks and no more. Account privileges are limited with just-in-time (JIT) and just-enough-access methodologies to reduce exposure. This containment ensures that even if an account is compromised, the potential damage is restricted because the account cannot access anything beyond its minimal scope.
3. Micro-Segmentation
The IT environment is divided into many small network segments or micro-perimeters so that even once authenticated, a user or device only reaches a narrow slice of the network. Access to resources is segmented on a granular level (such as by application, data type, or workload) to minimize the “blast radius” of any breach. If an attacker gains a foothold in one segment, micro-segmentation prevents them from freely moving laterally to other servers or data. This goes hand-in-hand with an “assume breach” mindset: designing the network as if an attacker is already inside, and limiting the damage they can do.
4. Continuous Verification and Monitoring
Zero Trust is not a one-time check at login – it requires ongoing verification of trust. Sessions are often short-lived and re-validated frequently. User behaviors, device posture, and other contexts are continuously monitored to detect anomalies. Analytics and threat intelligence are used to adapt trust decisions in real time. The system assumes breach, meaning it operates as though any component might already be compromised, and thus it constantly looks for signs of malicious activity and enforces re-authentication when risk changes.
By adhering to these principles, Zero Trust ensures that being inside an organization’s network offers no inherent trust advantage. Every user, device, and application is treated as a potential threat until proven otherwise on a per-request basis. This philosophy helps organizations protect assets in modern environments – including cloud services, mobile devices, and remote work setups – where the traditional network perimeter is no longer a reliable boundary.
Architecture & Key Components
The NIST SP 800-207 reference architecture illustrates core components of a Zero Trust system, including a Policy Engine, Policy Administrator, and Policy Enforcement Point (PEP), that make up a control plane governing access decisions. In this model, whenever a subject (user or device) attempts to access an enterprise resource, it must be authenticated and authorized by the policy engine (often via an identity system) and have its request approved by the policy administrator before the PEP permits access to the resource. The policy engine evaluates trust based on dynamic inputs like device posture, user identity, behavior analytics, threat intelligence feeds, and compliance requirements. Access is granted on a per-session basis – meaning each request is evaluated in isolation, with no blanket trust from previous authentications. Even after a session is established, continuous monitoring is in place: activity logs, security telemetry, and system state are collected and fed back into the policy engine, allowing it to revoke or adjust access in real time if risk levels change. This architecture ensures that Zero Trust principles are enforced uniformly across the enterprise, in what NIST calls a “zero trust architecture (ZTA).”
In Practical Terms: Implementing Zero Trust
Implementing Zero Trust involves multiple security layers working together:
Strong Identity Verification
Robust Identity and Access Management (IAM) is the cornerstone of Zero Trust. Every user (human or machine) must be positively identified and authenticated using multiple factors (MFA) before accessing resources. Identity providers (IdPs) and directory services (like Azure AD, Okta, etc.) play the role of verifying credentials, device certificates, and attributes. Access decisions also consider user roles, permissions, and context (for example, time of request or geolocation) each time. Authentication and authorization are continuous processes – having logged in once does not guarantee unlimited access. If a session becomes high-risk (e.g., user behavior deviates or device posture deteriorates), the system may require re-authentication or block access.
Device Security & Posture Checking
Zero Trust also verifies the security posture of devices (endpoints) that request access. This means ensuring the device is known, managed, and meets security requirements (up-to-date patches, not jailbroken, running an endpoint protection agent, etc.). Access can be conditioned on device health; for example, only devices that are compliant with security policy are allowed to connect. Endpoint security tools (EDR/XDR) and mobile device management (MDM) solutions feed posture data into the Zero Trust policy engine. This prevents compromised or non-compliant devices from becoming stepping stones into the network.
Network Segmentation and Software-Defined Perimeters
Zero Trust architecture uses logical network segmentation to isolate resources. Instead of a flat network where an insider can reach many systems, Zero Trust creates micro-perimeters around individual applications or services. Technologies like software-defined perimeters (SDP) and micro-segmentation enforce that a user with access to one application cannot automatically reach others without separate authorization. For example, an authenticated user might get access to a specific database but nothing else on that same server or network segment. This limits lateral movement, containing any potential intruder to a very small segment of the environment. In cloud and modern data center environments, micro-segmentation is often implemented via virtual network policies or host-based firewalls, ensuring that even within the same subnet or VM cluster, each service trusts no other service by default.
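As an added example (not code from the page or from any vendor), the Python below models a small environment once as a flat network and once under a default-deny micro-segmentation policy, then computes which hosts an attacker could reach from one compromised machine, both in a single hop and by chaining hops. Hosts, segments and the allowed flows are constructed for illustration.

```python
from collections import deque

# Constructed inventory: host -> segment (micro-perimeter) it belongs to.
HOSTS = {
    "laptop-42": "users",
    "web-01": "dmz", "web-02": "dmz",
    "app-01": "app", "app-02": "app",
    "db-01": "data",
    "hr-db-01": "hr",
}
SEGMENTS = set(HOSTS.values())

# Castle-and-moat: anything inside may talk to anything, including peers in its own segment.
FLAT_POLICY = {(s, t) for s in SEGMENTS for t in SEGMENTS}

# Zero Trust: default deny. Only the flows an application actually needs are listed.
# There is no entry for peers within the same segment, and nothing may reach "hr".
SEGMENTED_POLICY = {
    ("users", "dmz"),   # user devices reach the web front end only
    ("dmz", "app"),     # web tier calls the application tier
    ("app", "data"),    # application tier talks to its own database
}


def allowed(policy: set, src: str, dst: str) -> bool:
    """Would the enforcement point (host firewall / network policy) permit src -> dst?"""
    return src != dst and (HOSTS[src], HOSTS[dst]) in policy


def direct_reach(policy: set, src: str) -> set:
    """Hosts reachable in one hop from src."""
    return {h for h in HOSTS if allowed(policy, src, h)}


def blast_radius(policy: set, compromised: str) -> set:
    """Hosts reachable by chaining hops (lateral movement) from one foothold.
    Every hop is assumed to succeed, so this is the worst case the policy permits."""
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        cur = queue.popleft()
        for nxt in direct_reach(policy, cur):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {compromised}


def compare(compromised: str) -> dict:
    """Direct and transitive reach of one foothold under both policies."""
    return {
        name: {
            "direct": len(direct_reach(pol, compromised)),
            "transitive": len(blast_radius(pol, compromised)),
        }
        for name, pol in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY))
    }


if __name__ == "__main__":
    for host in ("laptop-42", "app-01"):
        print(host, "direct:", sorted(direct_reach(SEGMENTED_POLICY, host)),
              "transitive:", sorted(blast_radius(SEGMENTED_POLICY, host)),
              "counts:", compare(host))
```

Under the segmented policy the HR database is unreachable from every foothold, and a compromised application server can reach only its own database rather than its peers.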
Policy Engine and Enforcement Points
At the heart of Zero Trust architecture is a policy decision engine (sometimes called a controller or trust evaluator) that decides who or what can access which resource under what conditions. It uses a combination of context and rules — for instance, allowing access to a finance application only if the user is in the finance group, using a company-issued device with a certain patch level, and coming from an approved location. The policy engine’s decisions are carried out by policy enforcement points (which could be gateways, proxies, or agents on applications) that actually allow or block the traffic. NIST’s framework formalizes this as a Policy Engine (PE) that makes decisions, a Policy Administrator that communicates decisions to enforcement mechanisms, and the PEP that intercepts and controls data flow. These components work in concert so that no request bypasses evaluation. Many Zero Trust systems also calculate a dynamic “trust score” for each session or entity based on observed behavior and context, adjusting access in real time; this concept of a dynamic trust algorithm ensures security decisions adapt continuously rather than relying on static rules.
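As an added illustration (not code from the page, from NIST, or from any product), the following Python sketch implements the decision logic described above for a hypothetical finance application: static rules for group membership, managed device, patch baseline and location, followed by a dynamic trust score built from behavioural context that yields allow, step-up or deny. Field names, weights and thresholds are all assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # continue only after a fresh MFA challenge
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    """Signals the policy engine sees for one request (all fields are assumed)."""
    user: str
    groups: frozenset
    device_managed: bool       # company-issued and enrolled in device management
    device_patch_level: int    # patch baseline as YYMM, e.g. 2404
    location: str              # coarse location label supplied by the enforcement point
    mfa_age_minutes: int       # minutes since the last strong authentication
    new_device_for_user: bool  # device never seen with this identity before
    behavior_risk: float       # 0.0 (normal) .. 1.0 (highly anomalous), from UEBA
    resource: str


@dataclass(frozen=True)
class ResourcePolicy:
    """Per-resource rules; the thresholds below are illustrative."""
    required_group: str
    min_patch_level: int
    approved_locations: frozenset
    managed_device_required: bool = True
    max_mfa_age_minutes: int = 60
    step_up_below: float = 0.8   # trust score below this -> re-authenticate
    deny_below: float = 0.5      # trust score below this -> deny outright


def trust_score(req: AccessRequest, pol: ResourcePolicy) -> float:
    """Dynamic trust score: starts at 1.0 and is reduced by each weak signal."""
    score = 1.0 - 0.5 * req.behavior_risk
    if req.new_device_for_user:
        score -= 0.2
    if req.mfa_age_minutes > pol.max_mfa_age_minutes:
        score -= 0.3
    return max(0.0, round(score, 2))


def decide(req: AccessRequest, pol: ResourcePolicy) -> tuple:
    """Policy Engine logic: static rules first, then the dynamic trust score.
    Returns (Decision, reason); every request is evaluated from scratch."""
    if pol.required_group not in req.groups:
        return Decision.DENY, "user not in required group"
    if pol.managed_device_required and not req.device_managed:
        return Decision.DENY, "unmanaged device"
    if req.device_patch_level < pol.min_patch_level:
        return Decision.DENY, "device below patch baseline"
    if req.location not in pol.approved_locations:
        return Decision.DENY, "location not approved"
    score = trust_score(req, pol)
    if score < pol.deny_below:
        return Decision.DENY, f"trust score {score} too low"
    if score < pol.step_up_below:
        return Decision.STEP_UP, f"trust score {score}: re-authentication required"
    return Decision.ALLOW, f"trust score {score}"


# Hypothetical policy for the finance application.
FINANCE_APP = ResourcePolicy(
    required_group="finance",
    min_patch_level=2403,
    approved_locations=frozenset({"office-hq", "office-london"}),
)


def baseline_request(**overrides) -> AccessRequest:
    """A fully compliant constructed request; callers override single signals."""
    fields = dict(
        user="alice", groups=frozenset({"finance", "staff"}), device_managed=True,
        device_patch_level=2404, location="office-hq", mfa_age_minutes=10,
        new_device_for_user=False, behavior_risk=0.0, resource="finance-app",
    )
    fields.update(overrides)
    return AccessRequest(**fields)


if __name__ == "__main__":
    cases = [
        ("compliant", baseline_request()),
        ("stale MFA", baseline_request(mfa_age_minutes=240)),
        ("new device, mild anomaly", baseline_request(new_device_for_user=True, behavior_risk=0.2)),
        ("wrong group", baseline_request(groups=frozenset({"staff"}))),
        ("high risk", baseline_request(new_device_for_user=True, behavior_risk=0.9)),
    ]
    for label, req in cases:
        decision, reason = decide(req, FINANCE_APP)
        print(f"{label:26} -> {decision.value:8} ({reason})")
```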
Continuous Monitoring and Threat Detection
Zero Trust is an active model – it requires constant visibility into network traffic, user behavior, and system logs. Security analytics systems (like a SIEM or UEBA platform) gather data on all access requests and resource usage. By analyzing this data, the system can detect anomalies (such as a user account suddenly accessing an unusual resource or large data downloads at 3 AM) and respond quickly. Continuous diagnostics and monitoring (often referenced in government contexts) feed into the Zero Trust control plane. If something looks suspicious, the policy engine can revoke access or step up authentication requirements (e.g., require MFA again). The enterprise also continually assesses the security posture of its assets – patching vulnerabilities and updating configurations – because all these factors influence trust decisions. Essentially, Zero Trust demands real-time risk assessment: each interaction is logged and evaluated so that defenses can adapt on the fly.
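As an added example (not code from the page), here is a small Python detector run over a few constructed access-log lines. It flags the two anomalies the paragraph mentions (a user touching a resource outside their usual baseline, and a large transfer in the small hours) and turns findings into feedback for the policy engine: step-up for medium findings, session revocation for high ones. It goes one step beyond the paragraph by also blocking a source address found in a constructed threat-intelligence set. The log format, baseline, thresholds and addresses are all assumptions.

```python
import re
from datetime import datetime

# Constructed sample telemetry (not from the original page): one access event per line.
SAMPLE_LOG = """\
2024-05-02T09:15:02Z user=alice action=read resource=finance-ledger bytes=12000 src_ip=198.51.100.10
2024-05-02T09:20:17Z user=bob action=read resource=code-repo bytes=40000 src_ip=198.51.100.11
2024-05-02T03:07:44Z user=bob action=download resource=hr-payroll-db bytes=850000000 src_ip=198.51.100.11
2024-05-02T11:02:09Z user=carol action=read resource=wiki bytes=3000 src_ip=203.0.113.7
2024-05-02T14:31:40Z user=alice action=read resource=code-repo bytes=20000 src_ip=198.51.100.10
2024-05-02T16:40:51Z user=alice action=read resource=finance-ledger bytes=9000 src_ip=198.51.100.10
"""

# Constructed baseline: resources each user normally accessed over the previous 30 days.
BASELINE = {
    "alice": {"finance-ledger", "wiki"},
    "bob": {"code-repo", "wiki"},
    "carol": {"wiki"},
}

# Constructed threat-intelligence feed: source addresses recently seen in malicious activity.
BAD_IPS = {"203.0.113.7"}

LARGE_TRANSFER_BYTES = 100_000_000   # 100 MB in a single event
OFF_HOURS = range(0, 6)              # 00:00-05:59 UTC

LINE_RE = re.compile(
    r"^(\S+) user=(\S+) action=(\S+) resource=(\S+) bytes=(\d+) src_ip=(\S+)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, action, resource, nbytes, ip = m.groups()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "user": user, "action": action, "resource": resource,
        "bytes": int(nbytes), "src_ip": ip,
    }


def detect(event: dict, baseline: dict, bad_ips: set) -> list:
    """Return (finding, severity) pairs for a single event."""
    findings = []
    if event["resource"] not in baseline.get(event["user"], set()):
        findings.append(("unusual_resource", "medium"))
    if event["bytes"] >= LARGE_TRANSFER_BYTES and event["ts"].hour in OFF_HOURS:
        findings.append(("large_offhours_transfer", "high"))
    if event["src_ip"] in bad_ips:
        findings.append(("known_bad_ip", "high"))
    return findings


def analyze(log_text: str, baseline: dict = BASELINE, bad_ips: set = BAD_IPS) -> dict:
    """Run the detectors over the log and build feedback for the policy engine:
    the strongest action per user (step_up < revoke) and addresses to block temporarily."""
    rank = {"step_up": 1, "revoke": 2}
    alerts, user_action, block_ips = [], {}, set()
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue   # malformed telemetry is skipped rather than guessed at
        for name, severity in detect(event, baseline, bad_ips):
            alerts.append({"user": event["user"], "resource": event["resource"],
                           "finding": name, "severity": severity})
            action = "revoke" if severity == "high" else "step_up"
            if rank[action] > rank.get(user_action.get(event["user"]), 0):
                user_action[event["user"]] = action
            if name == "known_bad_ip":
                block_ips.add(event["src_ip"])
    return {"alerts": alerts, "user_action": user_action, "block_ips": block_ips}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for a in result["alerts"]:
        print(f"{a['severity']:6} {a['finding']:24} user={a['user']} resource={a['resource']}")
    print("feedback:", result["user_action"], "block:", sorted(result["block_ips"]))
```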
In summary, a Zero Trust architecture integrates identity management, endpoint security, network controls, and security monitoring into a unified, continuously functioning system. No single component is sufficient on its own; the value comes from combining these elements to enforce the “verify everything” approach at all layers. By doing so, Zero Trust significantly hardens an environment against both external attacks and insider threats, since every action is scrutinized and limited.
Benefits of Zero Trust & Challenges in Adoption
Benefits
- Improved Security & Breach Prevention: Because every access is verified and minimal access is granted, the risk of a security breach is greatly reduced. Continuous authentication and monitoring make it much harder for an attacker to slip through undetected. Even if credentials are stolen or a device is compromised, Zero Trust limits what the attacker can do with them. This “never trust” approach has been shown to mitigate insider threats and prevent attackers from exploiting the implicit trust of internal networks. Organizations that implement Zero Trust experience enhanced protection for sensitive data and critical systems regardless of location (on-premise or cloud).
- Reduced Attack Surface: Micro-segmentation and least privilege together shrink the attack surface available to adversaries. By enforcing strict identity checks and fine-grained access controls, Zero Trust ensures that each user or system can only access a narrow slice of resources. This containment dramatically limits an attacker’s ability to move laterally across the network. In effect, a successful compromise of one application or account does not automatically open doors to the rest of the environment.
- Minimized Blast Radius: In the event that a breach does occur, Zero Trust strategies minimize its impact. Since access is segmented and compartmentalized, the potential damage (or “blast radius”) from any single compromised account or device is limited. For example, a hacked developer’s account might have access to a specific code repository but not to customer data or financial systems. This granular containment helps businesses limit losses and quickly isolate incidents before they escalate.
- Better Visibility and Analytics: Zero Trust implementations typically involve comprehensive logging of every access request, authentication event, and system change. This wealth of telemetry gives security teams much better visibility into who is doing what in the network at all times. Real-time analytics can flag suspicious behavior (e.g., impossible travel logins, unusual data access patterns), enabling faster detection of attacks. Over time, these insights also help in fine-tuning security policies and understanding usage patterns. In contrast to the old model where internal traffic might be lightly monitored, Zero Trust’s pervasive monitoring means fewer blind spots.
- Supports Modern Work Environments: Zero Trust is well-suited to cloud-first and remote work environments. It doesn’t matter if resources or users are on the corporate LAN, at home, or in a data center across the world – every connection is treated the same way. This uniform security approach enables organizations to confidently adopt cloud services, enable BYOD (bring your own device), and support mobile workforces without increasing risk. Instead of trying to extend a network perimeter to cover cloud and remote users, Zero Trust brings security controls to each user and device. Many organizations also find that Zero Trust architectures align with compliance requirements by enforcing consistent access controls and providing audit trails (helpful for demonstrating controls for regulations like GDPR, HIPAA, etc.).
Challenges
- Complexity and Integration: Moving from a traditional perimeter-based security model to a Zero Trust model is a significant architectural change. It typically requires deploying new technologies (like IAM platforms, MFA, micro-segmentation tools, and advanced monitoring solutions) and integrating them with legacy systems. Tying together identity management, endpoint management, network controls, and analytics into a seamless system can be complex. Many organizations have a mix of old and new systems, and not all may easily support Zero Trust principles (for example, legacy applications that don’t support modern authentication methods). Integrating Zero Trust solutions with such legacy infrastructure can be challenging.
- Initial Cost and Effort: Zero Trust is an approach, not a single product, which means adoption often involves multiple tools and significant reconfiguration of networks and systems. The upfront investment in new security tools (and possibly cloud services) can be high. Additionally, mapping out all enterprise assets and their access policies – a prerequisite for Zero Trust – requires substantial effort. Smaller organizations might find it daunting to dedicate resources to this transformation, and larger enterprises may find the project spans multiple years. Strong executive sponsorship and budgeting are needed to sustain a Zero Trust program.
- Cultural and Organizational Change: Beyond technology, Zero Trust requires a shift in mindset for IT and security staff, as well as end-users. Culturally, teams must move away from the idea of a “trusted internal network.” There can be resistance to change – system administrators and users who are accustomed to unfettered internal access may push back on new restrictions or frequent authentication prompts. Successful Zero Trust adoption often requires user education so employees understand why these changes (like more MFA prompts or losing direct network access to some systems) are necessary. Clear communication about the security benefits can help overcome this resistance.
- User Experience and Productivity: If not implemented thoughtfully, Zero Trust measures can frustrate users or impede workflows. For instance, if users have to constantly re-authenticate or if legitimate activities are blocked by overzealous policies, it can hurt productivity. Striking the right balance is a challenge – the goal is to be invisible to users when everything is normal but relentless when something is suspicious. Techniques like single sign-on (SSO), adaptive authentication (where low-risk actions don’t prompt MFA every time), and intelligent policy design are important to maintain usability. Achieving security without excessive friction is an ongoing challenge that requires fine-tuning.
- Continuous Management Overhead: Zero Trust isn’t “set and forget.” It demands continuous monitoring, tuning of policies, and responding to alerts. Organizations need mature security operations to handle the flood of telemetry and to react to incidents in real time. This can be resource-intensive – requiring skilled analysts and possibly investments in automation or AI to cope with the data. Smaller security teams might find it challenging to keep up unless they use managed services or simplify their approach. Furthermore, maintaining an accurate inventory of all users, devices, and resources (and their trust posture) is an ongoing task. Ensuring that every new application or device is brought under Zero Trust policies (and de-provisioning access when something is retired) calls for strong IT governance.
Despite these challenges, many organizations find that the security gains far outweigh the hurdles. With careful planning and phased implementation, the transition to Zero Trust can be managed in a way that minimizes disruption. Many vendors and frameworks now exist to guide this journey, helping to address technical and cultural challenges.
Implementation Strategies for Adopting Zero Trust
Adopting Zero Trust is a strategic process that should be approached in phases. There is no one-size-fits-all roadmap, but there are best practices and frameworks that can guide organizations through the transition. A successful Zero Trust implementation often involves the following steps and strategies:
- Assess and Identify Critical Assets: Begin with a thorough assessment of your current security posture and infrastructure. Identify your “crown jewels” – the critical data, applications, and systems that need the highest level of protection. Map out the network architecture and data flows: understand which users access which resources, and how those interactions occur. This stage may involve auditing existing access controls, pinpointing weaknesses (like overly broad network access or lack of MFA), and identifying gaps between current state and Zero Trust principles. The output of this assessment is a clear picture of what needs to be protected and potential risk areas, which will inform your Zero Trust architecture plan.
- Define Segmentation and Micro-Perimeters: Using the insights from the assessment, design a segmentation strategy for your network and cloud environments. Group resources into segments or micro-perimeters based on sensitivity and function (for example, separate segments for HR systems, finance databases, production environments, etc.). Implement network segmentation gradually – this could be done with virtual networks, VLANs, cloud security groups, or micro-segmentation tools that create host-level firewalls. The goal is to enforce effective access control boundaries so that compromise of one segment does not easily grant access to others. Start with high-value asset areas: for instance, you might first isolate your critical servers or customer data environments from the rest of the corporate network. Over time, refine the segmentation to smaller units as needed.
- Strengthen Identity and Access Management: Invest in robust identity management and authentication mechanisms. Ensure every user (and service account) is tied to an identity provider and subject to strong authentication. Implement multi-factor authentication (MFA) everywhere feasible, especially for access to important resources. Integrate single sign-on (SSO) solutions to centralize authentication and improve user convenience. Apply the principle of least privilege by reviewing user and admin access roles – remove excessive privileges and set up role-based access control (RBAC) or attribute-based access control (ABAC) policies that only grant what is necessary. Modern IAM solutions also allow policies based on device compliance and risk factors (often called conditional access policies).
- Implement Device Trust and Endpoint Security: In parallel with user identity, establish device identity and trust. Deploy endpoint security solutions and/or device management agents that can attest to a device’s security posture. Maintain an inventory of authorized devices. You might choose to only allow corporate-managed devices to access certain sensitive resources, or use solutions that give unmanaged BYOD devices limited access with browser-isolation or VDI techniques. Ensuring every device meets minimum security hygiene (patched OS, encryption enabled, running antivirus/EDR, etc.) before it’s allowed on the network is key. This step closes a common gap where an otherwise authenticated user could be using an insecure device.
- Establish Centralized Policy Enforcement and Security Monitoring: Set up the technical infrastructure that will enforce Zero Trust decisions. This may involve deploying Zero Trust Network Access (ZTNA) solutions or gateways that act as the policy enforcement points for application access (replacing or supplementing traditional VPNs). These solutions ensure that when users request access to an application, they are brokered through a controller that verifies their identity and context before connecting them. Simultaneously, deploy or enhance monitoring and logging systems. Ensure all authentication attempts, network connections, and data access events are logged in a SIEM or analytics platform. Implement continuous monitoring tools (for example, an IDS/IPS, UEBA for user behavior analytics, and endpoint monitoring). The aim is to have a feedback loop: use the logs and alerts to adjust policies. If certain patterns indicate risk (say, an IP address showing malicious activity), the policy engine can adapt by temporarily blocking that IP or requiring additional verification for requests from that context.
- Start Small with Phased Implementation: Rather than attempting a big-bang rollout, it’s usually wise to implement Zero Trust in phases. You might start with one domain or project – for example, protect a particular sensitive application with Zero Trust principles first. Early wins could include implementing MFA enterprise-wide, migrating VPN access to a ZTNA solution for remote users, or micro-segmenting a critical data center environment. Learn from these pilots and expand gradually. This phased approach helps iron out kinks and demonstrate value, which in turn can build support across the organization.
- Educate and Enforce Policy Changes: Update security policies and educate users and IT staff on the new model. Zero Trust may require changes in how people request access to resources (perhaps using new tools or portals), how administrators grant permissions, and how exceptions are handled. Provide training sessions and clear documentation. Make sure executives and employees understand that Zero Trust isn’t about restricting productivity – it’s about enabling the business to operate securely in a hostile cyber environment. Additionally, put in place governance to periodically review and update access policies.
- Leverage Frameworks and Maturity Models: Utilize industry frameworks to guide the implementation. NIST SP 800-207 is a widely respected guideline that provides an overall reference architecture and tenets for Zero Trust. It doesn’t prescribe specific products but helps set a baseline for what a complete Zero Trust architecture should consider. Additionally, maturity models like the CISA Zero Trust Maturity Model can help organizations gauge their progress across different pillars (identity, devices, network, applications, data, etc.) and plan next steps. Aligning to a known framework also helps communicate your strategy to auditors, leadership, and vendors in a common language.
Throughout the implementation, it’s important to continuously measure and adjust. Metrics such as the number of incidents, time to detect/respond, or percentage of assets covered by Zero Trust controls can indicate how security is improving. Adopting Zero Trust is a journey – organizations should be prepared to iterate and improve the controls as threats evolve and as the IT environment changes. Over time, a successfully implemented Zero Trust architecture becomes ingrained in the organization’s IT DNA: security is “built-in” to every access decision, rather than an afterthought.
Case Studies & Real-World Examples
Google (BeyondCorp Initiative)
One of the earliest and most famous Zero Trust case studies is Google’s internal BeyondCorp program. After experiencing sophisticated cyber attacks about a decade ago, Google moved away from the traditional VPN-based perimeter model and embraced Zero Trust for employee access. The result was BeyondCorp, Google’s internal Zero Trust architecture that shifts access control from the network perimeter to individual users and devices. In practice, Google’s employees can securely work from any location without a VPN – they authenticate to applications directly through a Zero Trust proxy that verifies their identity and device each time. This initiative dramatically improved Google’s security: it eliminated implicit trust for on-campus networks, reducing the risk that a compromised machine or malicious insider could pivot across the environment. Over several years, Google refined BeyondCorp into a robust, scalable system and eventually turned it into a commercial product (BeyondCorp Enterprise) for Google Cloud customers. The BeyondCorp case study demonstrated that a large global enterprise could successfully implement Zero Trust at scale, yielding benefits in both security and agility. It inspired many other companies to pursue similar “perimeter-less” security models.
Financial Institutions (JPMorgan Chase & Goldman Sachs)
The financial sector has been among the leaders in Zero Trust adoption due to the high stakes of banking security. For example, JPMorgan Chase and Goldman Sachs – two of the world’s largest financial institutions – were early adopters of Zero Trust frameworks to safeguard their operations. These organizations implemented continuous verification of user identities and strict access controls across their vast networks, which significantly strengthened their cybersecurity defenses. By enforcing principles like least privilege and micro-segmentation, they reduced the likelihood that a single compromised account could lead to a large-scale breach of sensitive financial data. The impact has been a more resilient infrastructure: even as these banks embrace cloud services and remote work, Zero Trust has helped protect customer information and critical systems from modern threats.
U.S. Federal Government Agencies
Government agencies are adopting Zero Trust at an accelerating pace, spurred by federal directives. In May 2021, a U.S. Executive Order on cybersecurity (EO 14028) mandated that federal agencies develop plans to implement Zero Trust architectures, leading to a government-wide Zero Trust strategy. By early 2022, the Office of Management and Budget (OMB) issued a detailed memo requiring agencies to meet specific Zero Trust goals by 2024, such as enabling MFA, encrypting data, and segmenting networks. This push was a response to major breaches that revealed weaknesses in perimeter-based defenses. Agencies ranging from the Department of Defense to civilian departments are now following frameworks (based on NIST SP 800-207 and CISA guidelines) to rebuild their security around Zero Trust principles. The impact is already evident in a stronger federal security posture: for instance, phishing-resistant MFA is being deployed to millions of government accounts, drastically reducing successful phishing attacks, and agencies report much greater visibility into network traffic and anomalies. The Department of Defense has even published a Zero Trust Reference Architecture and set a goal to achieve an enterprise-wide Zero Trust environment by 2027.
Technology and Security Companies
It’s worth noting that many tech firms, including those that build security products, also practice Zero Trust internally. Cloud security companies and large technology vendors (like Microsoft and Google) have reported using a Zero Trust approach internally, which not only improves their own security but also provides a testing ground for their products and best practices. These internal deployments often serve as showcases: for example, Microsoft and Google frequently share lessons from their Zero Trust journeys to help customers. The common theme across these cases is that organizations see a marked improvement in their security posture – fewer incidents, better detection of anomalies, and more confidence in accommodating business changes securely.
Vendor Solutions & Tools Supporting Zero Trust
Because Zero Trust is a strategy rather than a single product, organizations often leverage a combination of tools and services. In recent years, major cybersecurity vendors have developed solutions explicitly to help implement Zero Trust principles. Below are some of the key vendors and their Zero Trust offerings:
- Microsoft: Microsoft’s approach to Zero Trust spans identity, devices, applications, infrastructure, and networking. A centerpiece is Microsoft Entra ID (formerly Azure Active Directory), which provides cloud-based identity and access management with capabilities like single sign-on, conditional access policies, and multi-factor authentication. Beyond identity, Microsoft integrates Zero Trust into its broader ecosystem: Windows 10/11 and Microsoft Endpoint Manager support device health attestation; Microsoft Defender for Endpoint provides risk-based device scoring; and Azure cloud offers micro-segmentation through network security groups and Azure Firewall.
- Google: Google offers Zero Trust capabilities primarily through its BeyondCorp Enterprise product, which is the commercial incarnation of Google’s own Zero Trust model. BeyondCorp Enterprise allows organizations to enable context-aware, identity-centric access to applications without relying on a traditional VPN. It uses the principles Google tested internally: granular access control based on attributes like user identity, group, device security status, and location. Google’s platform is cloud-native and leverages their global network for low-latency secure access.
- Palo Alto Networks: Palo Alto Networks has been a vocal proponent of Zero Trust, and its product portfolio supports Zero Trust implementations across network, cloud, and endpoint. Palo Alto’s Zero Trust framework often leverages its Prisma Access (a cloud-delivered security platform), Prisma Cloud (for cloud and workload security), and Next-Generation Firewalls (NGFWs) for segmentation. Together, these provide a unified management and policy layer to enforce Zero Trust policies. For example, Prisma Access can serve as a ZTNA solution, ensuring users only connect to applications after authenticating and meeting posture checks.
- Zscaler: Zscaler is a cloud-security provider whose platform was built from the ground up with Zero Trust in mind. The Zscaler Zero Trust Exchange is a cloud-based proxy architecture that sits between users and applications to broker secure connections. It encompasses multiple security functions: secure web gateway, Zero Trust Network Access (ZTNA), data loss prevention (DLP), and cloud access security broker (CASB) features. All user traffic is routed through Zscaler’s cloud where policies are applied based on user identity, device, content, etc. This solution is delivered as a service, often speeding up Zero Trust adoption.
- Other Notable Vendors: Okta (and other IAM providers like Ping Identity) is widely used for centralizing identity and enabling MFA/SSO, a foundational element of Zero Trust. Cisco offers a Zero Trust portfolio including Duo Security (MFA and device trust) and software-defined segmentation solutions. VMware provides endpoint and network micro-segmentation capabilities geared toward Zero Trust in data centers and virtualized environments. Cloudflare offers a cloud-based Zero Trust network access service. Many startups and niche players are also innovating in areas like identity analytics, micro-segmentation, and continuous authentication.
When choosing vendor solutions, organizations typically mix and match based on their requirements. What’s crucial is that the tools integrate well to share signals (identity info, device posture, threat intel) so that the Zero Trust policy engine has a complete picture. Many leading vendors collaborate on integration – for instance, tying Azure AD conditional access with Zscaler’s platform. Organizations should reference architectures like NIST’s and consider vendor-neutral frameworks when planning, then evaluate which vendor’s tools can implement the necessary capabilities in their environment. Today’s cybersecurity market provides a rich ecosystem of Zero Trust solutions, making it possible for organizations of all sizes to embrace the Zero Trust model and significantly enhance their security.