Zero Trust Network Architecture
Zero Trust Network Architecture (ZTNA) is a security framework that eliminates implicit trust from network design, requiring continuous verification of every user, device, and session regardless of network location. This page covers the structural mechanics of Zero Trust, its regulatory standing under federal mandates, classification boundaries across implementation variants, and the operational tradeoffs that affect enterprise adoption. The treatment is reference-grade, structured for security architects, compliance officers, and procurement professionals evaluating Zero Trust deployments.
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps (non-advisory)
- Reference table or matrix
- References
Definition and scope
Zero Trust is an architectural philosophy codified by NIST Special Publication 800-207, published in August 2020, which defines Zero Trust as "a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services." The publication establishes that Zero Trust assumes no implicit trust is granted to assets or user accounts based solely on their physical or network location — including assets inside the traditional enterprise perimeter.
The scope of Zero Trust architecture encompasses identity verification infrastructure, device health attestation, network segmentation strategies, policy enforcement points, data classification controls, and continuous monitoring pipelines. The framework applies across on-premises environments, hybrid cloud deployments, and fully cloud-native architectures. Federal application of this framework is governed by Executive Order 14028 (May 2021), which directed federal agencies to develop plans to advance Zero Trust architecture, and by the Office of Management and Budget's Memorandum M-22-09, which established specific Zero Trust maturity targets for federal civilian executive branch agencies by fiscal year 2024.
The Cybersecurity and Infrastructure Security Agency (CISA) publishes a Zero Trust Maturity Model that organizes the architecture across 5 pillars: Identity, Devices, Networks, Applications and Workloads, and Data. Each pillar spans 4 maturity stages: Traditional, Initial, Advanced, and Optimal.
Core mechanics or structure
Zero Trust operates through 3 foundational mechanisms: continuous authentication, micro-authorization, and encrypted lateral controls.
Policy Decision Point / Policy Enforcement Point (PDP/PEP) architecture is the operational core. The Policy Decision Point evaluates access requests against a defined policy engine, ingesting signals from identity providers, device posture assessments, behavioral analytics, and threat intelligence feeds. The Policy Enforcement Point — positioned between the requester and the resource — grants, denies, or revokes session access based on PDP output. NIST SP 800-207 diagrams this as the logical architecture underlying all Zero Trust implementations.
Identity as the new perimeter means every access request is tied to a verified principal — human user, service account, or device identity. This is operationalized through multi-factor authentication (MFA), federated identity protocols (SAML 2.0, OpenID Connect), and privileged access management systems. The National Institute of Standards and Technology's SP 800-63B defines authenticator assurance levels that map directly to Zero Trust identity requirements.
Microsegmentation divides the network into isolated workload segments, limiting the blast radius of a breach. Unlike traditional VLAN-based segmentation, Zero Trust microsegmentation enforces policies at the workload level — typically through software-defined networking controls or host-based agents — preventing lateral movement between compromised segments even within the same subnet.
Continuous validation replaces the traditional one-time authentication model. Sessions are re-evaluated dynamically based on behavioral signals: access time anomalies, geolocation shifts, device posture degradation, or privilege escalation patterns. This requires integration between the policy engine and security information and event management (SIEM) systems, as covered in the SIEM for network security reference.
Causal relationships or drivers
The adoption of Zero Trust architecture is driven by 4 documented structural failures in perimeter-based security models.
Perimeter collapse is the primary driver. The proliferation of cloud workloads, remote endpoints, and SaaS applications means the traditional network boundary no longer defines the attack surface. The 2020 SolarWinds supply chain compromise — in which threat actors moved laterally across federal agency networks for months after initial access — demonstrated that perimeter controls alone cannot contain post-authentication threats. The CISA Alert AA20-352A documented the techniques used, which Zero Trust architectures are specifically designed to interrupt.
Credential-based attack prevalence is the second driver. The Verizon Data Breach Investigations Report consistently identifies stolen or misused credentials as the leading attack vector — the 2023 DBIR attributed 74% of breaches to the human element, including credential theft and social engineering. Zero Trust's continuous re-authentication and anomaly detection directly counters this attack class.
Regulatory mandate pressure accelerated enterprise adoption beyond voluntary adoption. OMB M-22-09 set a firm requirement for federal agencies, and the broader federal network security requirements landscape now treats Zero Trust as a baseline expectation rather than an advanced practice.
Hybrid work normalization created environments where the majority of enterprise traffic originates outside any controlled perimeter, rendering firewall-centric models structurally insufficient.
Classification boundaries
Zero Trust implementations are classified along 3 primary axes: deployment model, enforcement scope, and architectural maturity.
By deployment model:
- Identity-centric Zero Trust anchors enforcement on the identity provider, using conditional access policies to evaluate user and device signals before granting application access. Microsoft Azure AD Conditional Access and Okta Identity Engine are the canonical commercial implementations of this model.
- Network-centric Zero Trust focuses on controlling traffic flows through software-defined perimeters (SDP) and microsegmentation engines. This model aligns closely with the Cloud Security Alliance's Software-Defined Perimeter specification.
- Secure Access Service Edge (SASE) converges network security functions — including Zero Trust Network Access, Cloud Access Security Broker (CASB), and Secure Web Gateway — into a cloud-delivered service fabric, as defined by Gartner's 2019 SASE framework.
By enforcement scope:
- User-to-application enforcement governs human access to specific applications without granting broad network access.
- Machine-to-machine enforcement governs service account and API-level access between workloads, typically implemented through mutual TLS (mTLS) and service mesh architectures.
- Device-to-network enforcement gates network participation on device health attestation scores, requiring endpoint detection and response (EDR) agent check-ins before session establishment.
By CISA maturity stage: The CISA Zero Trust Maturity Model defines Traditional (siloed, manual controls), Initial (partial automation, some cross-pillar integration), Advanced (automated policy enforcement across pillars), and Optimal (fully dynamic, continuously self-adjusting policy enforcement).
Tradeoffs and tensions
Zero Trust introduces 4 structural tensions that affect architecture and operations decisions.
Performance overhead vs. security assurance: Continuous per-session policy evaluation introduces latency at the Policy Enforcement Point. Organizations with sub-10ms latency requirements for high-frequency trading or industrial control systems face measurable performance degradation when inline inspection is applied to every packet flow. OT and ICS network security environments frequently require modified Zero Trust implementations that balance real-time control requirements against full policy enforcement.
Complexity vs. operational manageability: Full Zero Trust deployment across a large enterprise requires integrating identity providers, device management platforms, SIEM, microsegmentation engines, and application proxies — often from different vendors with incompatible policy languages. NIST SP 800-207 explicitly notes that Zero Trust is not a single product but an architectural philosophy requiring multi-component integration.
Legacy system compatibility: Applications built on implicit trust assumptions — including Kerberos-reliant systems, legacy ERP platforms, and mainframe-connected workloads — may not support the token-based, attribute-driven access models that Zero Trust requires without substantial re-engineering.
Visibility expansion vs. privacy constraints: Zero Trust's continuous monitoring mandate requires collecting granular telemetry on user behavior, device state, and application access patterns. In jurisdictions covered by state privacy statutes — including California's CCPA or the broader network security compliance frameworks — this telemetry collection may require additional legal basis documentation and employee notification obligations.
Common misconceptions
Misconception 1: Zero Trust means zero network access.
Zero Trust does not eliminate network connectivity — it eliminates implicit trust within that connectivity. Users and devices still access applications and services; they do so with per-session, attribute-verified authorization rather than location-based assumption of trust.
Misconception 2: VPN replacement equals Zero Trust.
Replacing a VPN with a Zero Trust Network Access (ZTNA) proxy addresses only the remote access component of the architecture. NIST SP 800-207 identifies 7 core Zero Trust tenets; ZTNA proxies address portions of 2 or 3 of those tenets. Full Zero Trust requires enforcement across all 5 CISA pillars.
Misconception 3: Zero Trust is a product category.
No single product delivers Zero Trust. The framework requires integration across identity (IAM/PAM), endpoint (EDR/MDM), network (microsegmentation/SDP), application (API gateway/WAF), and data classification systems. Vendors marketing "Zero Trust solutions" are typically addressing one pillar of the architecture.
Misconception 4: Zero Trust is only relevant to large enterprises.
OMB M-22-09 applies to federal agencies of all sizes, and the CISA maturity model explicitly addresses phased adoption paths. Organizations with as few as 50 employees can implement foundational Zero Trust controls — MFA, device health checks, and least-privilege access policies — without deploying enterprise-scale microsegmentation infrastructure.
Misconception 5: Achieving perimeter security means Zero Trust is redundant.
The SolarWinds and Kaseya incidents both demonstrated that sophisticated threat actors routinely bypass perimeter controls through trusted software update mechanisms. Perimeter security addresses external ingress; Zero Trust addresses post-compromise lateral movement — these are complementary, not substitutable, control layers.
Checklist or steps (non-advisory)
The following sequence reflects the phased implementation structure described in NIST SP 800-207 and the CISA Zero Trust Maturity Model. Steps are presented as an operational reference, not as a prescribed implementation mandate.
- Define the protect surface — Identify the 4–6 most critical data assets, applications, and services that require Zero Trust controls first. The protect surface is narrower than the traditional attack surface.
- Map transaction flows — Document how authorized users, devices, and services interact with the protect surface, including all protocols, ports, and dependency chains.
- Architect the PDP/PEP structure — Place Policy Enforcement Points between all users/devices and the protect surface. Document the policy engine data sources (IdP, MDM, SIEM, threat feeds).
- Implement identity baseline — Deploy MFA meeting NIST SP 800-63B Authenticator Assurance Level 2 (AAL2) for all human access to protected resources. Establish service account inventory.
- Establish device posture requirements — Define minimum device health criteria (OS patch level, EDR agent presence, disk encryption state) required for session authorization.
- Deploy microsegmentation — Isolate workload segments at Layer 3 or Layer 7 based on application dependency maps. Deny east-west traffic by default except where explicitly permitted.
- Implement continuous monitoring — Integrate policy engine telemetry with SIEM and behavioral analytics. Define alert thresholds for session anomalies, privilege escalation, and policy violations.
- Conduct tabletop validation — Test Zero Trust controls against the attack techniques documented in the MITRE ATT&CK framework, particularly lateral movement (TA0008) and credential access (TA0006) tactics.
- Document compliance mapping — Map implemented controls to applicable frameworks: NIST SP 800-207, CISA Zero Trust Maturity Model, and any sector-specific requirements (FedRAMP, CMMC, HIPAA Security Rule).
- Establish iterative maturity progression — Assign current maturity stage to each CISA pillar and define target maturity with measurable milestones and review cadence.
Reference table or matrix
Zero Trust Pillar Comparison Matrix (based on CISA Zero Trust Maturity Model)
| Pillar | Primary Control Mechanism | Key Standards/Frameworks | Federal Mandate Reference |
|---|---|---|---|
| Identity | MFA, conditional access, PAM | NIST SP 800-63B, SP 800-207 | OMB M-22-09, EO 14028 |
| Devices | Device posture attestation, MDM, EDR | NIST SP 800-124, SP 800-207 | OMB M-22-09 |
| Networks | Microsegmentation, SDP, ZTNA proxy | NIST SP 800-207, CSA SDP Spec | OMB M-22-09, CISA ZTMM |
| Applications & Workloads | API gateway, WAF, mTLS service mesh | NIST SP 800-207, FedRAMP | OMB M-22-09 |
| Data | Data classification, DLP, encryption at rest/transit | NIST SP 800-53 SC controls, FIPS 140-3 | OMB M-22-09, FISMA |
Zero Trust vs. Traditional Perimeter Model
| Attribute | Traditional Perimeter | Zero Trust Architecture |
|---|---|---|
| Trust basis | Network location (inside = trusted) | Continuous per-session verification |
| Authentication frequency | Once at network entry | Per-session, with ongoing re-evaluation |
| Lateral movement control | Limited (flat internal network) | Blocked by microsegmentation by default |
| Remote access model | VPN grants broad network access | ZTNA grants per-application access |
| Visibility scope | Perimeter traffic | All internal and external session telemetry |
| Failure mode | Perimeter breach = full network exposure | Breach = isolated segment exposure |
| Regulatory alignment | Pre-EO 14028 baseline | OMB M-22-09, CISA ZTMM mandated |
References
- NIST Special Publication 800-207: Zero Trust Architecture — National Institute of Standards and Technology
- NIST SP 800-63B: Digital Identity Guidelines — Authentication and Lifecycle Management — National Institute of Standards and Technology
- NIST SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations — National Institute of Standards and Technology
- CISA Zero Trust Maturity Model — Cybersecurity and Infrastructure Security Agency
- OMB Memorandum M-22-09: Moving the U.S. Government Toward Zero Trust Cybersecurity Principles — Office of Management and Budget
- Executive Order 14028: Improving the Nation's Cybersecurity — The White House / Federal Register
- [CISA Advisory AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations](https://www.cisa.gov/