Section 06

Zero Trust Architecture

Zero Trust is a security model based on the principle "never trust, always verify." It assumes that threats exist both outside and inside the network, and every access request must be authenticated, authorized, and encrypted.

The End of Perimeter Security

Traditional security assumed everything inside the network was trusted. Zero Trust starts from the observation that attackers do breach perimeters (phished credentials, compromised endpoints, malicious insiders), so the internal network cannot be treated as safe.

Core Principles

1. Verify Explicitly

Always authenticate and authorize based on all available data points: identity, location, device health, service, data classification, anomalies.

2. Use Least Privilege Access

Limit user access with just-in-time (JIT) and just-enough-access (JEA) grants, and apply risk-based adaptive policies that respond to context rather than standing permissions.

3. Assume Breach

Minimize blast radius with segmentation. Verify end-to-end encryption. Use analytics to detect threats and improve defenses.

Zero Trust Pillars

Identities

  • Strong authentication (MFA)
  • Passwordless when possible
  • Conditional access policies
  • Identity governance

Devices

  • Device inventory
  • Compliance checking
  • Endpoint detection
  • Mobile device management

Applications

  • Shadow IT discovery
  • In-app permissions
  • Runtime monitoring
  • API security

Data

  • Data classification
  • Encryption everywhere
  • DLP policies
  • Access tracking

Infrastructure

  • JIT VM access
  • Micro-segmentation
  • Threat detection
  • Config management

Networks

  • Network segmentation
  • Encrypt all traffic
  • Real-time threat protection
  • No implicit trust zones

Zero Trust Network Access (ZTNA)

ZTNA replaces VPNs with identity-aware, context-aware access to specific applications rather than entire network segments.

❌ Traditional VPN

  • Full network access after auth
  • Implicit trust of VPN users
  • Lateral movement possible
  • Performance bottlenecks
  • Binary access model

✓ ZTNA

  • App-specific access only
  • Continuous verification
  • No lateral movement
  • Cloud-native scaling
  • Granular policies

Policy Engine Architecture

Zero Trust Policy Engine Architecture

mermaid
graph LR
    Subject["Subject (User / App)"]
    Signals["Signals: identity, device health, location, behavior, data sensitivity"]
    subgraph PDP["Policy Decision Point (PDP)"]
        IdP["Identity Provider (Entra ID / Okta)"]
        PE["Policy Engine: evaluate policy, risk score, device trust, user behavior"]
        Threat["Threat Intel Feeds"]
        DataPolicy["Data Access Policy"]
    end
    PEP["Policy Enforcement Point (PEP)"]
    Resource["Resource (Data / App)"]
    Subject --> PDP
    Signals --> PDP
    PDP -->|"Allow / Deny + Context"| PEP
    Subject --> PEP
    PEP --> Resource

In NIST SP 800-207 terms the PDP is the policy engine plus the policy administrator, fed by the identity provider, threat intelligence and data-sensitivity inputs; the PEP sits in the data path and forwards a request to the resource only after the PDP has returned an explicit allow. Every request is evaluated, not just the first one in a session.

Implementation Steps

1. Identify Protected Surfaces

Map critical data, applications, assets, and services (DAAS).

2. Map Transaction Flows

Understand how users and apps access protected surfaces.

3. Architect Zero Trust Network

Deploy micro-perimeters around each protected surface.

4. Create Zero Trust Policies

Define who/what/when/where/why/how for access (Kipling Method).

5. Monitor and Maintain

Continuous logging, analytics, and policy refinement.
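
Steps 2 to 4 above carried out in code, as an added example that is not part of the page: starting from a constructed set of observed flows to one protect surface, derive the micro-perimeter allow-list, render each rule as a Kipling-method statement, and enforce it with default deny so that the denials feed step 5. The `Flow` record, the SPIFFE-style identities, the service names and the `min_observations` threshold are all assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed transaction, keyed on workload identity rather than IP address."""
    src_identity: str   # WHO: SPIFFE-style identity (constructed for this example)
    dst_service: str    # WHERE: the service being reached
    dst_port: int       # HOW: TCP port
    hour: int           # WHEN: hour of day, 0-23 UTC


PROTECT_SURFACE = "payroll-db"   # Step 1: the DAAS element this micro-perimeter protects

# Step 2: observed flows, constructed here. In practice they come from flow logs,
# service-mesh telemetry or EDR network events.
OBSERVED = [
    Flow("spiffe://corp/payroll-api", "payroll-db", 5432, 9),
    Flow("spiffe://corp/payroll-api", "payroll-db", 5432, 14),
    Flow("spiffe://corp/backup-agent", "payroll-db", 5432, 2),
    Flow("spiffe://corp/wiki", "payroll-db", 5432, 11),      # seen once: review, do not auto-allow
    Flow("spiffe://corp/wiki", "search-index", 9200, 11),    # a different protect surface
]


def build_allowlist(flows, protect_surface, min_observations=2):
    """Steps 3 and 4: derive the micro-perimeter allow-list from repeated flows.

    Returns (allow, review). A (source identity, port) pair seen at least
    min_observations times becomes an allow rule carrying the observed hour
    window; anything rarer goes to review so one odd connection never becomes
    policy on its own. The threshold is an assumption for this example.
    """
    hours_by_key = defaultdict(list)
    for f in flows:
        if f.dst_service == protect_surface:
            hours_by_key[(f.src_identity, f.dst_port)].append(f.hour)
    allow, review = {}, {}
    for key, hours in hours_by_key.items():
        rule = {"hours": (min(hours), max(hours)), "observations": len(hours)}
        (allow if len(hours) >= min_observations else review)[key] = rule
    return allow, review


def kipling(key, rule, protect_surface):
    """Render one rule as a Kipling-method statement (who/what/when/where/why/how)."""
    identity, port = key
    lo, hi = rule["hours"]
    return (f"WHO {identity} may access WHAT {protect_surface} "
            f"WHERE at the {protect_surface} micro-perimeter "
            f"WHEN {lo:02d}:00-{hi:02d}:59 UTC "
            f"WHY {rule['observations']} observed business flows "
            f"HOW tcp/{port}")


def perimeter_decision(flow, allow, protect_surface):
    """Enforcement at the micro-perimeter: default deny on identity, port and hour.

    Returns "allow", "deny" or "out-of-scope" (another perimeter owns that flow).
    Every "deny" is an event for the step 5 monitoring pipeline.
    """
    if flow.dst_service != protect_surface:
        return "out-of-scope"
    rule = allow.get((flow.src_identity, flow.dst_port))
    if rule is None:
        return "deny"
    lo, hi = rule["hours"]
    return "allow" if lo <= flow.hour <= hi else "deny"


ALLOW, REVIEW = build_allowlist(OBSERVED, PROTECT_SURFACE)

if __name__ == "__main__":
    for key, rule in ALLOW.items():
        print("ALLOW ", kipling(key, rule, PROTECT_SURFACE))
    for key, rule in REVIEW.items():
        print("REVIEW", key, rule)
    off_hours = Flow("spiffe://corp/payroll-api", "payroll-db", 5432, 3)
    print("payroll-api at 03:00 ->", perimeter_decision(off_hours, ALLOW, PROTECT_SURFACE))
```

Only `payroll-api` becomes an allow rule; `backup-agent` and `wiki` each appeared once and land in the review set, and the same `payroll-api` identity is denied at 03:00 because the rule carries the observed business-hours window. Matching on identity rather than source IP is what makes the rule survive re-scheduling or re-addressing of the workload.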

NIST SP 800-207

NIST Special Publication 800-207 is the authoritative Zero Trust Architecture reference. It describes three approaches to building a ZTA: enhanced identity governance, micro-segmentation, and network infrastructure with software-defined perimeters (SDP). An enterprise typically combines elements of all three rather than picking one.

Practical: OPA Policy for Zero Trust Access

zero-trust-policy.rego
rego
package zerotrust.access

import rego.v1

default allow := false

# Require ALL conditions for access (never trust, always verify).
# Each rule below is fail-closed: a missing or malformed input field leaves
# the rule undefined, so allow stays at its default of false.
allow if {
    identity_verified
    device_compliant
    context_acceptable
    permission_granted
}

# Identity must be authenticated with MFA and carry an unexpired token
identity_verified if {
    input.identity.authenticated == true
    input.identity.mfa_verified == true
    time.now_ns() < input.identity.token_expiry_ns
}

# Device must meet the compliance baseline
device_compliant if {
    input.device.managed == true
    input.device.os_patched == true
    input.device.encryption_enabled == true
    input.device.edr_running == true
    input.device.risk_score < 50
}

# Context checks: location, time, behavior.
# Compare against an explicit false instead of using `not`: with
# `not input.context.impossible_travel`, a request that simply omits the
# signal would pass this check.
context_acceptable if {
    input.context.impossible_travel == false
    input.context.risk_score < 70
}

# RBAC + resource-level check: the role that data.resource_roles requires
# for this path and method must be among the caller's roles
permission_granted if {
    required_role := data.resource_roles[input.resource.path][input.method]
    required_role in input.identity.roles
}
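
The decision flow from the policy engine diagram and the checks in the Rego policy above, re-implemented as a small Python policy decision point with a policy enforcement point in front of it. This is an added example, not code from the page or from OPA; the request shape, the `RESOURCE_ROLES` table, the fixed clock `NOW_NS`, the `AUDIT_LOG` list and the scenario names are all constructed for it. It goes one step beyond the policy by recording why each denial happened (for the audit trail, never for the caller) and by exercising the failure modes one signal at a time, including the case where a signal is absent.

```python
from typing import NamedTuple

# Mirror of data.resource_roles in the Rego policy (constructed): path -> method -> role
RESOURCE_ROLES = {"/api/payroll": {"GET": "finance", "POST": "finance-admin"}}
DEVICE_RISK_MAX = 50    # device.risk_score must be strictly below this
CONTEXT_RISK_MAX = 70   # context.risk_score must be strictly below this
NOW_NS = 1_700_000_000_000_000_000   # fixed clock so the scenarios are reproducible
AUDIT_LOG = []          # denial reasons are recorded here, never returned to the caller
_MISSING = object()


class Decision(NamedTuple):
    allow: bool
    reasons: list       # empty when allowed

def _get(obj, *path):
    """Nested lookup returning None when any key is absent, so a missing signal never passes."""
    for key in path:
        obj = obj.get(key) if isinstance(obj, dict) else None
    return obj

def evaluate(req, now_ns):
    """Policy engine: every check must pass; absent or malformed signals fail closed."""
    reasons = []
    # Identity: authenticated, MFA-verified, unexpired token (re-checked on every request)
    if _get(req, "identity", "authenticated") is not True:
        reasons.append("identity: not authenticated")
    if _get(req, "identity", "mfa_verified") is not True:
        reasons.append("identity: MFA not verified")
    expiry = _get(req, "identity", "token_expiry_ns")
    if not isinstance(expiry, int) or now_ns >= expiry:
        reasons.append("identity: token expired or expiry missing")
    # Device posture: four boolean flags plus a risk score
    for flag in ("managed", "os_patched", "encryption_enabled", "edr_running"):
        if _get(req, "device", flag) is not True:
            reasons.append(f"device: {flag} is not true")
    risk = _get(req, "device", "risk_score")
    if not isinstance(risk, (int, float)) or risk >= DEVICE_RISK_MAX:
        reasons.append("device: risk_score missing or too high")
    # Context: impossible_travel must be an explicit False, so an absent signal denies
    if _get(req, "context", "impossible_travel") is not False:
        reasons.append("context: impossible_travel not cleared")
    risk = _get(req, "context", "risk_score")
    if not isinstance(risk, (int, float)) or risk >= CONTEXT_RISK_MAX:
        reasons.append("context: risk_score missing or too high")
    # RBAC: the role required for this path+method must be among the caller's roles
    required = _get(RESOURCE_ROLES, _get(req, "resource", "path"), _get(req, "method"))
    if required is None or required not in (_get(req, "identity", "roles") or []):
        reasons.append("rbac: caller lacks the required role")
    return Decision(not reasons, reasons)

def pep_handle(req, backend, now_ns):
    """Policy enforcement point: consult the PDP on every request, forward only on allow."""
    decision = evaluate(req, now_ns)
    if not decision.allow:
        AUDIT_LOG.append({"subject": _get(req, "identity", "subject"),
                          "resource": _get(req, "resource", "path"),
                          "reasons": decision.reasons})
        return 403, "forbidden"   # one opaque answer for every kind of denial
    return 200, backend(req)

def compliant_request():
    """A request that passes every check (constructed sample input)."""
    return {
        "method": "GET",
        "resource": {"path": "/api/payroll"},
        "identity": {"subject": "alice", "authenticated": True, "mfa_verified": True,
                     "token_expiry_ns": NOW_NS + 60 * 10**9, "roles": ["finance"]},
        "device": {"managed": True, "os_patched": True, "encryption_enabled": True,
                   "edr_running": True, "risk_score": 10},
        "context": {"impossible_travel": False, "risk_score": 5},
    }

def variant(path, value=_MISSING):
    """Fresh compliant request with one dotted-path field changed or removed."""
    req = node = compliant_request()
    *parents, leaf = path.split(".")
    for p in parents:
        node = node[p]
    if value is _MISSING:
        del node[leaf]
    else:
        node[leaf] = value
    return req

def run_scenarios():
    """Baseline plus one-signal failures; returns {scenario name: allowed?}."""
    scenarios = {
        "compliant": compliant_request(),
        "no_mfa": variant("identity.mfa_verified", False),
        "expired_token": variant("identity.token_expiry_ns", NOW_NS - 1),
        "unmanaged_device": variant("device.managed", False),
        "missing_travel_signal": variant("context.impossible_travel"),
        "post_as_finance": variant("method", "POST"),
    }
    return {name: evaluate(req, NOW_NS).allow for name, req in scenarios.items()}
```

Only the fully compliant request is allowed; every other scenario flips exactly one signal and is denied, and the `missing_travel_signal` case is the one that a `not`-style check would have let through. The PEP returns the same `403` for every denial so that an attacker probing the endpoint cannot learn which check failed; the detail lives in `AUDIT_LOG` for the SOC.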

CISA Zero Trust Maturity Model

Pillar | Traditional | Advanced | Optimal
Identity | Passwords, basic MFA | Phishing-resistant MFA | Continuous validation, passwordless
Devices | Inventory exists | Compliance enforced | Real-time risk scoring, auto-remediation
Networks | Macro-segmentation | Micro-segmentation | Encrypted everywhere, no implicit trust
Applications | Some cloud integration | SSO + context-aware access | Per-request authz, runtime monitoring
Data | Basic classification | Auto-classification, DLP | Granular controls per datum, full lineage

(CISA ZTMM v2.0 defines four stages, Traditional, Initial, Advanced and Optimal; the Initial stage is not shown in this table.)

Migration Strategy: VPN to Zero Trust

Phase 1: Foundation (Months 1-3)

  • Inventory all users, devices, and applications
  • Deploy centralized identity provider with MFA
  • Map application access patterns and dependencies
  • Start with low-risk applications (e.g., SaaS apps)

Phase 2: Expand (Months 4-8)

  • Deploy ZTNA proxy for internal web apps
  • Implement device compliance checking
  • Add conditional access policies (location, risk)
  • Run VPN and ZTNA in parallel; migrate app by app

Phase 3: Optimize (Months 9-12)

  • Decommission VPN for migrated apps
  • Enable micro-segmentation in production
  • Deploy continuous verification and adaptive policies
  • Measure: mean time to detect (MTTD), mean time to contain (MTTC)

Zero Trust Tools & Platforms

Identity Providers

Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace, Ping Identity

ZTNA Solutions

Zscaler Private Access, Cloudflare Access, Palo Alto Prisma Access, Akamai Enterprise Application Access (EAA)

Micro-Segmentation

Illumio, VMware NSX, Akamai Guardicore, Cisco Secure Workload (formerly Tetration)

Policy Engines

Open Policy Agent (OPA), Cedar (the policy language behind Amazon Verified Permissions), Styra DAS

Framework Alignment

NIST SP 800-207: Zero Trust Architecture reference standard
NIST CSF 2.0: PR.AA (Identity Management, Authentication, and Access Control; replaces the CSF 1.1 PR.AC category), PR.DS (Data Security), DE.CM (Continuous Monitoring)
CISA: Zero Trust Maturity Model v2.0 (5 pillars: Identity, Devices, Networks, Applications, Data)
CIS Controls v8.1: 6 (Access Control), 12 (Network), 13 (Monitoring)