Self learning firewall policy enforcer
US-2024179158-A1 · May 30, 2024 · US
US12556586B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12556586-B2 |
| Application number | US-202418620699-A |
| Country | US |
| Kind code | B2 |
| Filing date | Mar 28, 2024 |
| Priority date | Apr 24, 2023 |
| Publication date | Feb 17, 2026 |
| Grant date | Feb 17, 2026 |
Official abstract text for this publication.
Zero trust and micro-segmentation techniques may be collectively used to enhance network security. To establish, refine, and enforce a zero-trust least-privileged policy, the network may be segmented to put each device of the network into a respective network of one, which forces all network traffic to pass through a zero-trust gatekeeper. The gatekeeper may then monitor and analyze the traffic to establish, refine, and enforce the zero-trust least-privileged policy, which reduces network access to only a limited set of network actions and/or paths. Using the gatekeeper, network traffic may be monitored to progressively establish the policy as well as to continually refine it. Recommended actions may be determined based on the analysis of the monitored network traffic and provided to the user to allow user feedback on the communication rules of the zero-trust policy.
Opening claim text (preview).
We claim:

1. A zero-trust microsegmentation method comprising: determining, based on information associated with devices of a network, a zero-trust security policy in which communication permissions for the devices of the network are denied by default unless otherwise allowed, each device of the network being a respective network-of-one causing all device traffic to traverse a gatekeeper configured as a default gateway for the devices; and iteratively performing: analyzing network traffic under the zero-trust security policy; adapting the zero-trust security policy, based on the analysis of the network traffic, to adjust the communication permissions by modifying a communication dimension to provide the zero-trust security policy including one or more modifications to the communication permissions; and implementing the zero-trust security policy including the one or more modifications to the communication permissions.
2. The method of claim 1, wherein the one or more communication dimensions includes an internet-intranet dimension defining a restrictiveness distinction between internet traffic and intranet traffic.
3. The method of claim 1, wherein the one or more communication dimensions includes an input-output dimension defining a restrictiveness distinction between input traffic and output traffic.
4. The method of claim 1, wherein the one or more communication dimensions includes a segment dimension defining a restrictiveness distinction between inter-segment traffic and intra-segment traffic.
5. The method of claim 1, wherein the one or more communication dimensions includes a port dimension defining a port-based traffic restrictiveness distinction.
6. The method of claim 1, wherein the one or more communication dimensions includes a path dimension defining a communication path-based traffic restrictiveness distinction.
7. The method of claim 1, wherein the one or more communication dimensions includes a user dimension defining a user-based traffic restrictiveness distinction and/or a user group-based traffic restrictiveness distinction.
8. The method of claim 1, wherein the one or more communication dimensions includes: an inter-group dimension defining an inter-group traffic restrictiveness distinction, and/or an intra-group dimension defining an intra-group traffic restrictiveness distinction.
9. The method of claim 1, wherein the one or more communication dimensions includes an application dimension defining an application-based traffic restrictiveness distinction.
10. The method of claim 1, wherein adapting the zero-trust security policy comprises progressively increasing a restrictiveness of one or more of the communication permissions for the zero-trust security policy to provide the zero-trust security policy including the one or more modifications to the communication permissions.
11. The method of claim 1, wherein adapting the zero-trust security policy comprises adjusting a degree of enforcement of the communication permissions.
12. The method of claim 1, further comprising continually observing denied network traffic and providing a notification of the denied network traffic to a user, wherein feedback is receivable in response to the notification.
13. The method of claim 1, wherein one or more of the devices of the network comprise a respective local zero-trust agent configured to provide zero-trust least-privilege network management.
14. The method of claim 2, wherein the internet traffic is subject to more restrictions than intranet traffic.
15. An apparatus comprising: one or more processors; and a memory for storing computer readable instructions that, when executed by the one or more processors, cause the apparatus to: determine, based on information associated with devices of a network, a zero-trust security policy in which communication permissions for the devices of the network are denied by default unless otherwise allowed, each device of the network being a respective network-of-one configured to cause all device traffic to traverse a gatekeeper configured as a default gateway for the devices; and iteratively: analyze network traffic under the zero-trust security policy; and adapt the zero-trust security policy, based on the analysis of the network traffic, to adjust the communication permissions by modifying a communication dimension to provide the zero-trust security policy including one or more modifications to the communication permissions, wherein the gatekeeper is configured to apply the zero-trust security policy to the device traffic traversing the gatekeeper.
16. The method of claim 1, further comprising determining, based on the information associated with one or more devices of the network, a plurality of network microsegments, wherein one or more of the plurality of network microsegments comprises at least one of the devices within the respective network-of-one.
17. The method of claim 1, further comprising analyzing, by the gatekeeper, the device traffic traversing the gatekeeper to determine the information associated with the devices.
18. The method of claim 1, further comprising applying, by the gatekeeper, the zero-trust security policy to the device traffic traversing the gatekeeper.
19. The method of claim 1, wherein establishing each device as a respective network-of-one comprises: assigning an individualized subnet to each device, wherein the individualized subnets cause all of the device traffic to traverse the gatekeeper.
20. The method of claim 19, wherein assigning the individualized subnet comprises assigning a /32 subnet or a 255.255.255.255 subnet mask to each device.
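The monitor-adapt-enforce loop of claims 1, 10 and 12, as an added Python sketch that is not the patent's or any vendor's code: each device sits in its own /32 (claim 20) so every flow reaches the gatekeeper, which starts from deny-by-default, learns allow rules from observed traffic, then re-keys those rules along progressively finer communication dimensions (claims 2, 5, 6) and queues denials for user feedback. The 10.0.0.0/8 intranet range, the `Flow` fields and the three dimensions chosen are assumptions.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network
INTRANET = ip_network("10.0.0.0/8")  # constructed: the site's internal address space
# src is the device address; with a /32 mask per device (claim 20) it names the device.
Flow = namedtuple("Flow", "src dst dport")

def zone(ip):
    return "intranet" if ip_address(ip) in INTRANET else "internet"
# Communication dimensions (claims 2, 5, 6), ordered coarse -> fine.
DIMENSIONS = [
    ("internet-intranet", lambda f: (f.src, zone(f.dst))),
    ("port",              lambda f: (f.src, zone(f.dst), f.dport)),
    ("path",              lambda f: (f.src, f.dst, f.dport)),
]

class Gatekeeper:
    def __init__(self):
        self.level = 0        # index into DIMENSIONS; higher = more restrictive
        self.seen = []        # traffic observed while monitoring
        self.allowed = set()  # allow rules keyed at the current dimension
        self.denied = []      # denials queued for user notification (claim 12)

    def _key(self, flow):
        return DIMENSIONS[self.level][1](flow)

    def learn(self, flows):
        """Monitoring phase: observed traffic becomes allow rules; all else stays denied."""
        self.seen.extend(flows)
        self.allowed = {self._key(f) for f in self.seen}

    def tighten(self):
        """Claim 10: re-key the learned rules along the next, finer dimension."""
        if self.level + 1 < len(DIMENSIONS):
            self.level += 1
            self.allowed = {self._key(f) for f in self.seen}
        return DIMENSIONS[self.level][0]

    def permit(self, flow):
        """Enforcement: deny by default and queue each denial for the user."""
        ok = self._key(flow) in self.allowed
        if not ok:
            self.denied.append(flow)
        return ok

    def accept(self, flow):
        """User feedback on a denial: the flow becomes a learned rule."""
        self.seen.append(flow)
        self.allowed.add(self._key(flow))
```

A flow that was permitted under the coarse internet-intranet rule is denied once the policy is tightened to the port or path dimension unless it was actually observed at that granularity, which is the progressive narrowing the claims describe.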
CPC classification titles:

- Rule management
- Traffic logging, e.g. anomaly detection
- Filtering policies (mail message filtering H04L51/212)
- involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved (negotiation of communication capabilities H04L69/24)
- Filtering by address, protocol, port number or service, e.g. IP-address or URL