Adaptive network security using zero trust microsegmentation

US2024356979A1 · US · A1

Patent metadata
Publication number: US-2024356979-A1
Application number: US-202418620699-A
Country: US
Kind code: A1
Filing date: Mar 28, 2024
Priority date: Apr 24, 2023
Publication date: Oct 24, 2024
Grant date: (none listed)

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Zero trust and micro-segmentation techniques may be collectively used to enhance network security. To establish, refine, and enforce a zero-trust least-privileged policy, the network may be segmented to put each device of the network into a respective network of one, which forces all network traffic to pass through a zero-trust gatekeeper. The gatekeeper may then monitor and analyze the traffic to establish, refine, and enforce the zero-trust least-privileged policy, which reduces network access to only a limited set of network actions and/or paths. Using the gatekeeper, network traffic may be monitored to progressively establish the policy as well as to continually refine the policy. Recommended actions may be determined based on the analysis of the monitored network traffic and provided to the user to allow user feedback on the communication rules of zero-trust policy.

First claim

Opening claim text (preview).

We claim:

1. A zero-trust microsegmentation method comprising: collecting information associated with devices of a network; determining, based on the collected information, a plurality of network microsegments; determining an initial zero-trust security policy in which communication permissions for the devices of the network are denied by default unless otherwise allowed, the communication permissions including one or more communication dimensions; analyzing network traffic under the initial zero-trust security policy; and adapting the initial zero-trust security policy, based on the analysis of the network traffic, to adjust the communication permissions for the one or more communication dimensions to generate an adapted zero-trust security policy including one or more modifications to the one or more communication dimensions.

2. The method of claim 1, further comprising: analyzing network traffic under the adapted zero-trust security policy; and adapting the adapted zero-trust security policy, based on the analysis of the network traffic under the adapted zero-trust security policy, to adjust the communication permissions for another of the one or more communication dimensions to generate a further adapted zero-trust security policy including one or more modifications to the other of the one or more communication dimensions; and implementing the further adapted zero-trust security policy.

3. The method of claim 2, further comprising iteratively performing: the analyzing network traffic under the adapted zero-trust security policy, the adapting the adapted zero-trust security policy, and the implementing the further adapted zero-trust security policy.

4. The method of claim 1, wherein the one or more communication dimensions include an internet-intranet dimension defining a restrictiveness distinction between internet traffic and intranet traffic.

5. The method of claim 4, wherein the internet traffic is subject to more restrictions than intranet traffic.

6. The method of claim 1, wherein the one or more communication dimensions include an input-output dimension defining a restrictiveness distinction between input traffic and output traffic.

7. The method of claim 1, wherein the one or more communication dimensions include a segment dimension defining a restrictiveness distinction between inter-segment traffic and intra-segment traffic.

8. The method of claim 1, wherein the one or more communication dimensions include a port dimension defining a port-based traffic restrictiveness distinction.

9. The method of claim 1, wherein the one or more communication dimensions include a path dimension defining a communication path-based traffic restrictiveness distinction.

10. The method of claim 1, wherein the one or more communication dimensions include a user dimension defining a user-based traffic restrictiveness distinction and/or a user group-based traffic restrictiveness distinction.

11. The method of claim 1, wherein the one or more communication dimensions include an inter-group dimension defining an inter-group traffic restrictiveness distinction.

12. The method of claim 1, wherein the one or more communication dimensions include an intra-group dimension defining an intra-group traffic restrictiveness distinction.

13. The method of claim 1, wherein the one or more communication dimensions include an application dimension defining an application-based traffic restrictiveness distinction.

14. The method of claim 1, wherein adapting the initial zero-trust security policy comprises progressively increasing a restrictiveness of the one or more communication dimensions for the initial zero-trust security policy to generate the adapted zero-trust security policy, wherein between each progressive increase in restrictiveness, an incremental zero-trust security policy is implemented for a current progression, network traffic under the incremental zero-trust security policy is analyzed, and a next progression with increased restrictiveness is based on the analysis of the network traffic under the incremental zero-trust security policy.

15. The method of claim 1, wherein adapting the initial zero-trust security policy comprises adjusting a degree of enforcement of the communication permissions.

16. The method of claim 1, further comprising continually observing denied network traffic and providing a notification of the denied network traffic to a user, wherein feedback is receivable in response to the notification.

17. The method of claim 1, further comprising establishing the network, wherein each device of the network is in its own network of one.

18. The method of claim 17, wherein the networks of one are configured to cause all device traffic to traverse a gatekeeper configured as a default gateway for the devices.

19. The method of claim 1, wherein one or more of the devices of the network comprise a respective local zero-trust agent configured to provide zero-trust least-privilege network management.

20. An apparatus comprising: one or more processors; and a memory for storing computer readable instructions that, when executed by the one or more processors, cause the apparatus to: collect information associated with devices of a network; determine, based on the collected information, a plurality of network microsegments; determine an initial zero-trust security policy in which communication permissions for the devices of the network are denied by default unless otherwise allowed, the communication permissions including one or more communication dimensions; analyze network traffic under the initial zero-trust security policy; and adapt the initial zero-trust security policy, based on the analysis of the network traffic, to adjust the communication permissions for the one or more communication dimensions to generate an adapted zero-trust security policy including one or more modifications to the one or more communication dimensions.
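As an added illustration of the gatekeeper loop the abstract and claims 1, 14, 15 and 16 describe (example code written for this page, not code from the patent or from the assignee), the following Python models deny-by-default allow rules keyed on the claimed communication dimensions, tightens them one progression at a time, learns the next level's rules only from traffic the gatekeeper actually forwarded, and reports denied traffic with hit counts so a user can accept or reject it. The device addresses, segment labels, the three restrictiveness levels and every flow are constructed assumptions, not values from the patent.

```python
"""Toy adaptive zero-trust microsegmentation engine (added example).

Every flow is visible to the gatekeeper because each device sits in a
network of one; the initial policy denies everything and only observes.
All addresses, segments and flows below are constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory (hypothetical): managed device -> microsegment label.
SEGMENTS = {
    "10.0.1.10": "web",
    "10.0.1.11": "web",
    "10.0.2.20": "db",
    "10.0.3.30": "workstation",
}
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Progressive restrictiveness (claim 14): each level keys allow rules on more
# communication dimensions, so the same observed traffic yields a narrower policy.
LEVELS = [
    ("segment",),                  # level 0: segment pair only
    ("segment", "scope", "port"),  # level 1: + internet/intranet + destination port
    ("path", "port"),              # level 2: exact src->dst path + destination port
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def describe(flow):
    """Map one flow onto the communication dimensions named in the claims."""
    def seg(ip):
        return SEGMENTS.get(ip, "external")

    def private(ip):
        return any(ip_address(ip) in net for net in PRIVATE_NETS)

    return {
        "segment": (seg(flow.src), seg(flow.dst)),
        "scope": "intranet" if private(flow.src) and private(flow.dst) else "internet",
        "direction": "output" if flow.src in SEGMENTS else "input",
        "port": flow.dport,
        "path": (flow.src, flow.dst),
    }


def rule_key(flow, dims):
    """The allow rule a flow would need at a given level of restrictiveness."""
    d = describe(flow)
    return tuple((name, d[name]) for name in dims)


@dataclass(frozen=True)
class Policy:
    level: int = -1              # -1: initial deny-all policy, observe only
    rules: frozenset = frozenset()
    enforce: bool = False        # degree of enforcement (claim 15): log vs block

    def allows(self, flow):
        """Deny by default; allow only when a rule at this level matches."""
        return self.level >= 0 and rule_key(flow, LEVELS[self.level]) in self.rules

    def forwards(self, flow):
        """Gatekeeper behaviour: traffic is blocked only when denied AND enforcing."""
        return self.allows(flow) or not self.enforce


def denied_report(policy, flows):
    """Recommended actions (claim 16): denied traffic grouped by the rule it
    would need, with hit counts, for the user to accept or reject."""
    dims = LEVELS[max(policy.level, 0)]
    return Counter(rule_key(f, dims) for f in flows if not policy.allows(f))


def adapt(policy, flows, accepted=(), min_count=1):
    """One progression step: learn rules at the next level from traffic the
    gatekeeper actually forwarded, plus denied flows the user accepted.
    A min_count above 1 drops one-off flows from the learned rule set."""
    nxt = min(policy.level + 1, len(LEVELS) - 1)
    dims = LEVELS[nxt]
    seen = Counter(rule_key(f, dims) for f in flows if policy.forwards(f))
    rules = {k for k, n in seen.items() if n >= min_count}
    rules |= {rule_key(f, dims) for f in accepted}
    return Policy(nxt, frozenset(rules), enforce=True)


def run_demo():
    """Two constructed observation windows driven through three progressions."""
    web_db = [Flow("10.0.1.10", "10.0.2.20", 5432)] * 3 + [Flow("10.0.1.11", "10.0.2.20", 5432)] * 2
    inbound = [Flow("198.51.100.7", "10.0.1.10", 443)] * 4
    ws = [Flow("10.0.3.30", "10.0.1.10", 443)] + [Flow("10.0.3.30", "203.0.113.9", 443)] * 2
    window1 = web_db + inbound + ws
    lateral = Flow("10.0.3.30", "10.0.2.20", 5432)   # workstation -> db, first seen in window 2
    window2 = window1 + [lateral]
    ssh = Flow("10.0.1.10", "10.0.2.20", 22)         # same segment pair as allowed traffic, new port

    p0 = adapt(Policy(), window1)   # observe-only -> segment-level rules
    p1 = adapt(p0, window2)         # + scope and port; lateral was denied, so not learned
    p2 = adapt(p1, window2)         # exact paths
    return {
        "p0_rules": len(p0.rules), "p1_rules": len(p1.rules), "p2_rules": len(p2.rules),
        "lateral_p0": p0.allows(lateral),
        "lateral_report": denied_report(p0, window2)[rule_key(lateral, LEVELS[0])],
        "ssh_p0": p0.allows(ssh), "ssh_p2": p2.allows(ssh),
        "lateral_after_feedback": adapt(p1, window2, accepted=[lateral]).allows(lateral),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point the progression makes: a segment-only policy (level 0) still forwards the web-to-db SSH flow because it matches the web/db segment pair, while the path-plus-port policy (level 2) denies it; the new workstation-to-db flow is denied from level 0 onward and surfaces in the report with its count, and it becomes an allow rule only when passed in as accepted user feedback.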

Assignees

Colortokens Inc

Inventors

Classifications

  • Filtering policies (mail message filtering H04L51/212) · CPC title

  • involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved (negotiation of communication capabilities H04L69/24) · CPC title

  • Filtering by address, protocol, port number or service, e.g. IP-address or URL · CPC title

  • Grouping of entities · CPC title

  • Traffic logging, e.g. anomaly detection · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2024356979A1 cover?
Zero trust and micro-segmentation techniques may be collectively used to enhance network security. To establish, refine, and enforce a zero-trust least-privileged policy, the network may be segmented to put each device of the network into a respective network of one, which forces all network traffic to pass through a zero-trust gatekeeper. The gatekeeper may then monitor and analyze the traffic…
Who is the assignee on this patent?
Colortokens Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/20. Mapped technology areas include Electricity.
When was this patent published?
Publication date: Oct 24, 2024 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).