Zero Trust
Zero Trust
Zero Trust Architecture (ZTA)
1. Overview: Never Trust, Always Verify — Zero Trust
flowchart LR
A["Perimeter-centric security"] -- "Transition to never-trusting<br/>and continuous verification" --> B["Zero Trust"]
Definition: A security model built on the principle of “Never Trust, Always Verify,” which applies least privilege and continuous authentication to every access request, regardless of whether it originates inside or outside the network.
Characteristics: (Dissolving the perimeter) Overcomes the limits of perimeter security through the Never Trust, Always Verify principle, which does not even trust the internal network. (Least privilege) The Principle of Least Privilege (PoLP) grants only the minimum access needed to a resource, limiting the blast radius of a breach. (Contextual authentication) Dynamically analyzes user, device, location, and behavioral context to re-verify trust on every request.
2. Zero Trust Architecture and Key Guidelines
A. The Zero Trust Logical Model (NIST SP 800-207)
flowchart LR
subgraph REQUEST["Access request subject"]
USER["User / device / app"]
end
subgraph CP["Control Plane"]
PE["Policy Engine<br/>(decision)"]
PA["Policy Administrator<br/>(execution directive)"]
end
subgraph DP["Data Plane"]
PEP["Policy Enforcement Point<br/>(access gateway)"]
end
RESOURCES["Enterprise resources / data / SaaS"]
USER --> PEP
PEP <--> CP
PEP --> RESOURCES
style CP fill:#E3F2FD,stroke:#1976D2
style PEP fill:#1E3A5F,color:#fff
| Component | Role | Related Technology |
|---|---|---|
| Policy Engine | Makes the final decision on whether to allow access | IAM, risk-analysis AI |
| Policy Admin | Opens/closes the communication channel based on the decision | Token issuance, authentication control |
| PEP | Acts as the gateway for actual data traffic | SDP, next-gen firewall, proxy |
B. Perimeter Security vs. Zero Trust (an Evolutionary View)
flowchart LR
subgraph A["Traditional perimeter security"]
A1["Trust-based access<br/>(VPN/firewall)"]
end
subgraph TRANS["Evolution"]
direction TB
T1["Continuous verification"]
T2["Micro-segmentation"]
end
subgraph B["Zero Trust"]
B1["Identity-based access control<br/>(Never Trust)"]
end
A -- "Block insider threats/lateral movement" --> TRANS
TRANS --> B
| Comparison Item | Traditional Perimeter Security | Zero Trust |
|---|---|---|
| Basic principle | Castle-and-moat (trust-but-verify) | Zero Trust (never trust) |
| Access control | Network perimeter (IP/VLAN) | Identity- and context-based |
| Security scope | Trusts the internal network | Protects every resource (micro-segmentation) |
3. Expected Benefits and Implementation Strategy for Zero Trust
| Category | Key Expected Benefit | Application & Practical Use |
|---|---|---|
| Remote work security | Secure access with no location constraints | Compensates for VPN security gaps and strengthens cloud-native security |
| Insider threat prevention | Blocks lateral movement | Prevents internal spread by attackers through network segmentation |
| Visibility | Unified management of access history across enterprise resources | Strengthens threat-detection capability by gaining visibility into all traffic |
| Flexible infrastructure | Optimized for cloud/hybrid environments | Adapts to environment changes with identity-based, rather than IP-based, security policy |