Skip to content

Zero Trust

Zero Trust

Zero Trust Architecture (ZTA)

1. Overview: Never Trust, Always Verify — Zero Trust

    flowchart LR
    A["Perimeter-centric security"] -- "Transition to never-trusting<br/>and continuous verification" --> B["Zero Trust"]
  

Definition: A security model built on the principle of “Never Trust, Always Verify,” which applies least privilege and continuous authentication to every access request, regardless of whether it originates inside or outside the network.

Characteristics: (Dissolving the perimeter) Overcomes the limits of perimeter security through the Never Trust, Always Verify principle, which does not even trust the internal network. (Least privilege) The Principle of Least Privilege (PoLP) grants only the minimum access needed to a resource, limiting the blast radius of a breach. (Contextual authentication) Dynamically analyzes user, device, location, and behavioral context to re-verify trust on every request.


2. Zero Trust Architecture and Key Guidelines

A. The Zero Trust Logical Model (NIST SP 800-207)

    flowchart LR
    subgraph REQUEST["Access request subject"]
        USER["User / device / app"]
    end

    subgraph CP["Control Plane"]
        PE["Policy Engine<br/>(decision)"]
        PA["Policy Administrator<br/>(execution directive)"]
    end

    subgraph DP["Data Plane"]
        PEP["Policy Enforcement Point<br/>(access gateway)"]
    end

    RESOURCES["Enterprise resources / data / SaaS"]

    USER --> PEP
    PEP <--> CP
    PEP --> RESOURCES

    style CP fill:#E3F2FD,stroke:#1976D2
    style PEP fill:#1E3A5F,color:#fff
  
ComponentRoleRelated Technology
Policy EngineMakes the final decision on whether to allow accessIAM, risk-analysis AI
Policy AdminOpens/closes the communication channel based on the decisionToken issuance, authentication control
PEPActs as the gateway for actual data trafficSDP, next-gen firewall, proxy

B. Perimeter Security vs. Zero Trust (an Evolutionary View)

    flowchart LR
    subgraph A["Traditional perimeter security"]
        A1["Trust-based access<br/>(VPN/firewall)"]
    end

    subgraph TRANS["Evolution"]
        direction TB
        T1["Continuous verification"]
        T2["Micro-segmentation"]
    end

    subgraph B["Zero Trust"]
        B1["Identity-based access control<br/>(Never Trust)"]
    end

    A -- "Block insider threats/lateral movement" --> TRANS
    TRANS --> B
  
Comparison ItemTraditional Perimeter SecurityZero Trust
Basic principleCastle-and-moat (trust-but-verify)Zero Trust (never trust)
Access controlNetwork perimeter (IP/VLAN)Identity- and context-based
Security scopeTrusts the internal networkProtects every resource (micro-segmentation)

3. Expected Benefits and Implementation Strategy for Zero Trust

CategoryKey Expected BenefitApplication & Practical Use
Remote work securitySecure access with no location constraintsCompensates for VPN security gaps and strengthens cloud-native security
Insider threat preventionBlocks lateral movementPrevents internal spread by attackers through network segmentation
VisibilityUnified management of access history across enterprise resourcesStrengthens threat-detection capability by gaining visibility into all traffic
Flexible infrastructureOptimized for cloud/hybrid environmentsAdapts to environment changes with identity-based, rather than IP-based, security policy