# Zero Trust Architecture
Zero Trust Architecture (ZTA) is a security model built on the premise that no user, device, or network segment should be trusted by default, regardless of physical or logical location. The model emerged as a direct response to the failure of perimeter-based security, which assumed that anything inside the corporate firewall was inherently safe. As workforces became distributed, cloud adoption accelerated, and attackers demonstrated the ability to move laterally inside "trusted" networks for months without detection, the perimeter model collapsed under its own assumptions. Zero Trust replaces location-based trust with identity-based, context-aware, continuously verified access controls applied to every resource request, every session, and every data transaction.
---
Zero Trust Architecture is a set of design principles, policies, and technologies that remove implicit trust from all components of a computing environment and replace it with continuous, explicit verification. The term was coined by John Kindervag at Forrester Research in 2010 and later formalized by the National Institute of Standards and Technology in Special Publication 800-207, published in 2020. NIST defines Zero Trust as "a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services."
Zero Trust exists because perimeter-based security models became obsolete. Traditional network architectures assumed that anything inside the corporate firewall was trusted, while everything outside was untrusted. This worked when employees sat at desks connected to corporate LANs and applications ran on servers in controlled data centers. It fails catastrophically when users work from coffee shops, applications run in public clouds, and data lives in SaaS platforms managed by third parties.
Zero Trust is not a single product, a vendor checkbox, or a firewall configuration. It is not the same as multi-factor authentication alone, nor is it equivalent to micro-segmentation by itself. Those are components that can support a Zero Trust model, but neither one, in isolation, constitutes ZTA. Zero Trust is also not an endpoint detection tool or a SIEM deployment. It is an architectural philosophy that must be embedded into identity systems, network controls, application access layers, and data governance simultaneously.
The model fits within the broader evolution of security architectures from castle-and-moat to defense-in-depth to assume-breach models. Zero Trust assumes the breach has already occurred and designs controls to limit the blast radius and speed of lateral movement. This assumption aligns with the reality that determined attackers will eventually find a way inside the perimeter through phishing, credential theft, supply chain compromise, or insider threats.
---
Zero Trust operates through a control plane and data plane separation, where policy decisions are made centrally and enforced at distributed points throughout the infrastructure. The NIST SP 800-207 model identifies three core logical components: the Policy Engine (PE), the Policy Administrator (PA), and the Policy Enforcement Point (PEP).
Policy Engine: The PE is the decision-making component. When a subject (a user, device, or service) requests access to a resource, the PE evaluates the request against a set of enterprise policies. Those policies incorporate inputs from multiple data sources: identity provider attributes, device compliance status, behavioral analytics, threat intelligence feeds, and contextual signals such as time of day, geographic location, and request frequency. The PE outputs a grant, deny, or conditional access decision.
Policy Administrator: The PA receives the PE's decision and translates it into session-specific tokens or credentials. If access is granted, the PA instructs the PEP to open a communication path between the subject and the resource. If access is denied or revoked mid-session, the PA instructs the PEP to terminate that path immediately.
Policy Enforcement Point: The PEP is the component that actually controls the flow of traffic. It sits between the subject and the resource, enforcing the PA's instructions in real time. The PEP monitors the session for anomalies and can trigger re-evaluation of the access decision at any point during the session, not just at initial authentication.
Supporting Components: The system is fed by Continuous Diagnostics and Mitigation (CDM) systems that report device health, patch status, and configuration posture. Security Information and Event Management (SIEM) platforms provide behavioral context. Threat intelligence platforms supply indicators of compromise and risk scores. Identity Governance and Administration (IGA) systems manage attribute accuracy for the identity store.
Step-by-Step Access Flow:
Implementation Variants:
Zero Trust Network Access (ZTNA) applies Zero Trust principles specifically to remote access scenarios as a replacement for traditional VPNs. Instead of granting network-level access based on successful VPN authentication, ZTNA creates application-specific tunnels after verifying user identity, device posture, and access policy for each individual application. Software-Defined Perimeter (SDP) is a related model that creates dynamic, identity-verified micro-perimeters around individual resources. Identity-Aware Proxy (IAP) is a Google-developed implementation that enforces access decisions at the application layer rather than the network layer.
Concrete Implementation Requirements:
Micro-segmentation is a prerequisite for meaningful Zero Trust implementation. If the internal network allows east-west traffic to flow freely between workloads, a compromised account or device can move laterally even after the initial access decision is made correctly. Micro-segmentation divides the network into small zones with explicit allow-lists between them, ensuring that a breach in one zone does not automatically grant access to adjacent systems.
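A default-deny east-west allow-list between zones, as an added example written for this page (not from the page or any product); the zone ranges, the rules, and the compromised web-tier host are all constructed:

```python
import ipaddress

# Constructed zone map: each workload tier is its own small zone.
ZONES = {
    "web":    ipaddress.ip_network("10.1.0.0/24"),
    "app":    ipaddress.ip_network("10.2.0.0/24"),
    "db":     ipaddress.ip_network("10.3.0.0/24"),
    "backup": ipaddress.ip_network("10.4.0.0/24"),
}
# Explicit allow-list of (source zone, destination zone, destination port);
# any crossing not listed here is denied, so the default is deny.
ALLOW = {
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("db", "backup", 22),
}

def zone_of(ip):
    """Map an address to its zone, or None if it belongs to no defined zone."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def decide(src_ip, dst_ip, dst_port):
    """Return 'allow' or 'deny:<reason>' for one east-west flow."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny:unknown_zone"
    if src == dst:
        return "allow"          # intra-zone traffic; the allow-list governs zone crossings
    return "allow" if (src, dst, dst_port) in ALLOW else "deny:no_rule"

def reachable_from(src_ip, attempts):
    """Blast-radius check: of the (dst_ip, port) flows a compromised host could try,
    return only those the segmentation policy would let through."""
    return [(dst, port) for dst, port in attempts if decide(src_ip, dst, port) == "allow"]

# Constructed scenario: a web-tier host is compromised and tries to reach every tier.
ATTEMPTS = [("10.2.0.10", 8443), ("10.3.0.10", 5432), ("10.4.0.10", 22), ("10.1.0.11", 443)]
```

With this policy the compromised web host can reach only the app tier on its published port and its own zone; the database and backup zones stay out of reach regardless of which credentials it holds.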
Identity is the new control plane in Zero Trust. Directory health, attribute accuracy, and privileged access management are foundational. Organizations that have not cleaned up stale accounts, excessive group memberships, and service account sprawl will find that Zero Trust policies are only as accurate as the identity data they consume.
Just-in-time (JIT) access provisioning removes standing privileges from privileged accounts. Instead of an administrator having permanent access to a production database, access is requested for a specific task, approved through an automated workflow, granted for a defined time window, and automatically revoked when the window closes. This eliminates the attack surface created by dormant privileged credentials.
Continuous monitoring and adaptive response are what differentiate Zero Trust from static access control lists. The system must be capable of revoking access mid-session based on changed circumstances. This requires integration between the policy engine and security monitoring tools, with automated workflows that can terminate sessions without human intervention.
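The PE/PA/PEP flow, JIT grants and mid-session revocation described above, as an added illustration written for this page (not from NIST SP 800-207 or any product); the signal names, the risk threshold of 70 and the (user, resource, expires_at) grant tuples are assumptions:

```python
import secrets
from dataclasses import dataclass

@dataclass
class Subject:                  # signals the PE consumes (all constructed for this example)
    user: str
    device_id: str
    mfa_verified: bool          # from the identity provider
    device_compliant: bool      # endpoint posture reported by a CDM system
    risk_score: int             # 0-100 from behavioral analytics / threat intelligence

class PolicyEngine:
    """Per-request decision; grants are (user, resource, expires_at) tuples from JIT approvals."""
    def __init__(self, grants, risk_threshold=70):
        self.grants, self.risk_threshold = grants, risk_threshold
    def evaluate(self, s, resource, now):
        checks = [("mfa", s.mfa_verified), ("device_posture", s.device_compliant),
                  ("risk_score", s.risk_score < self.risk_threshold),
                  ("jit_grant", any(u == s.user and r == resource and now < exp
                                    for u, r, exp in self.grants))]
        failed = [name for name, ok in checks if not ok]
        return "grant" if not failed else "deny:" + failed[0]

class PolicyEnforcementPoint:   # data-plane gate: forwards only for sessions the PA opened
    def __init__(self):
        self.sessions = {}      # token -> (user, device_id, resource)

class PolicyAdministrator:
    """Converts PE grants into ephemeral bound tokens and opens or tears down PEP paths."""
    def __init__(self, pe, pep):
        self.pe, self.pep = pe, pep
    def open_session(self, s, resource, now):
        decision = self.pe.evaluate(s, resource, now)
        if decision != "grant":
            return None, decision
        token = secrets.token_hex(16)
        self.pep.sessions[token] = (s.user, s.device_id, resource)
        return token, decision
    def check_flow(self, token, s, now):
        """Run by the PEP on every flow, not only at login: re-evaluates current signals."""
        bound = self.pep.sessions.get(token)
        if bound is None:
            return "deny:unknown_session"
        if (s.user, s.device_id) != bound[:2]:
            decision = "deny:binding_mismatch"   # token presented from another device
        else:
            decision = self.pe.evaluate(s, bound[2], now)
        if decision != "grant":
            self.pep.sessions.pop(token)         # mid-session revocation, no human needed
        return decision
```

A session opened inside a JIT window is torn down on the first flow after the window closes, after the device drops out of compliance, or when the token shows up from a device it was not bound to.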
---
The business and security case for Zero Trust is grounded in the documented failure of perimeter-based controls against modern attack patterns. Attackers who gain an initial foothold through phishing, credential theft, or supply chain compromise routinely spend weeks or months moving laterally through flat networks, escalating privileges, and staging data exfiltration without triggering perimeter defenses, because they are already inside the trusted zone.
The 2020 SolarWinds supply chain attack illustrates this failure directly. Attackers compromised the SolarWinds Orion build pipeline and distributed malicious updates to approximately 18,000 organizations, including multiple U.S. federal agencies. Once inside, the attacker moved laterally using legitimate credentials and trusted software processes for months. Perimeter controls were irrelevant because the attacker was operating as a trusted insider. A mature Zero Trust implementation, with micro-segmentation, continuous behavioral monitoring, and JIT privilege access, would have significantly constrained lateral movement and reduced the blast radius of the intrusion, even if the initial compromise could not have been prevented entirely.
Without Zero Trust, the consequences of a single compromised credential are severe. Flat network architectures allow a threat actor to pivot from a single endpoint to domain controllers, backup systems, and sensitive data stores within hours. The 2021 Colonial Pipeline ransomware incident, attributed in part to an exposed VPN account with no MFA, demonstrated how a single set of credentials could become the entry point for an attack that disrupted fuel supplies across the eastern United States.
The shift to hybrid work models and cloud infrastructure makes perimeter-based security impossible to maintain. When applications run in public clouds, data lives in SaaS platforms, and users connect from home networks, coffee shops, and hotel Wi-Fi, there is no meaningful network perimeter to defend. Organizations that attempt to force all remote traffic through a centralized VPN concentrator create performance bottlenecks and single points of failure while providing minimal security benefit.
Common Misconceptions:
Zero Trust does not mean zero usability. A well-implemented ZTA uses risk-based adaptive authentication, which means low-risk access requests from recognized devices and locations complete with minimal friction, while high-risk or anomalous requests trigger additional verification steps. The friction is proportional to risk.
Zero Trust is not only for large enterprises. The principles scale down to small organizations through cloud-native identity providers, ZTNA-as-a-service products, and application-layer proxy controls. The architectural principles are universally applicable even if the specific technology stack differs.
Zero Trust is not a project with a completion date. It is an ongoing operational discipline. Trust decisions depend on the accuracy of continuously updated data: device posture, user behavior baselines, threat intelligence, and access policy. Organizations that treat ZTA as a one-time deployment rather than a continuous operational practice will find their trust decisions degrading in accuracy over time.
---
The Cyber Defense Alliance approaches Zero Trust through its Planetary Defense Model (PDM) under the Identity and Access Trust (IAT) domain. CDA's operational methodology, called Zero Possession Architecture (ZPA), extends Zero Trust principles to their logical conclusion: "Trust nothing. Possess nothing. Verify everything."
Where conventional Zero Trust implementations focus on controlling access to resources that organizations own and operate, ZPA addresses the reality that defenders operating in contested environments often cannot own the infrastructure they depend on. CDA's ZPA methodology treats every component of the operational stack as potentially adversary-influenced and designs access and data flows accordingly. Verification is not performed once at session initiation; it is continuous, automated, and tied to behavioral baselines that are updated in near-real time.
In practice, CDA applies ZPA through several specific operational controls. First, no persistent credentials are issued to human operators or automated systems. All access tokens are ephemeral, cryptographically bound to the requesting identity and device, and scoped to the minimum required operation. Second, data in transit and at rest is treated as if the transport and storage layers are compromised. Encryption keys are managed outside the systems that hold the data, and key access follows the same JIT provisioning model applied to privileged accounts. Third, all access decisions are logged immutably and reviewed through automated behavioral analysis. Anomalies trigger automated session termination and alert queuing, not just logging.
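Ephemeral tokens bound to identity and device and scoped to a single operation, as an added illustration of the first ZPA control above (example code written for this page, not CDA's implementation); the HMAC construction, the claim names, the 300-second TTL and the in-memory signing key are assumptions:

```python
import hashlib, hmac, json, base64, time, secrets

# Assumed: in a real deployment the signing key lives in a key service outside the
# system that holds the data; here it is constructed in memory for the example.
SIGNING_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 300      # ephemeral: minutes, not days

def _b64(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(user, device_fingerprint, scope, now=None):
    """Issue a short-lived token bound to identity and device and scoped to one operation."""
    now = int(now if now is not None else time.time())
    claims = {"sub": user, "dev": hashlib.sha256(device_fingerprint.encode()).hexdigest(),
              "scope": scope, "iat": now, "exp": now + TOKEN_TTL_SECONDS, "jti": secrets.token_hex(8)}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)

def verify_token(token, user, device_fingerprint, scope, now=None):
    """Return 'ok' or 'deny:<reason>'; every binding is re-checked on every use."""
    now = int(now if now is not None else time.time())
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64 + "=" * (-len(body_b64) % 4))
        tag = base64.urlsafe_b64decode(tag_b64 + "=" * (-len(tag_b64) % 4))
    except ValueError:
        return "deny:malformed"
    if not hmac.compare_digest(hmac.new(SIGNING_KEY, body, hashlib.sha256).digest(), tag):
        return "deny:bad_signature"        # tampered claims or wrong key
    c = json.loads(body)
    if now >= c["exp"]:
        return "deny:expired"
    if c["sub"] != user:
        return "deny:identity_mismatch"
    if c["dev"] != hashlib.sha256(device_fingerprint.encode()).hexdigest():
        return "deny:device_mismatch"      # presented from a device it was not bound to
    if c["scope"] != scope:
        return "deny:scope_mismatch"       # minted for one operation only
    return "ok"
```

The `jti` claim gives each token a unique id so an enforcement point can log every use immutably and correlate it with the behavioral analysis the third control describes.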
CDA's IAT domain incorporates threat intelligence directly into the policy engine, meaning that indicators of compromise from active campaigns are translated into access policy adjustments within minutes of ingestion. This creates a dynamic trust model that responds to the threat environment rather than waiting for scheduled policy reviews.
The distinction between CDA's ZPA and standard ZTA implementations is operational tempo and scope. Standard ZTA frameworks establish the architecture for trust decisions. ZPA operationalizes those decisions at the speed of the threat, integrating intelligence, identity, and enforcement into a continuous feedback loop across every layer of the defended environment.