Skip to main content
Application Security Standards
Category: Threat Modeling

Zero Trust Architecture

Also known as: ZTA, Zero Trust Network, Zero Trust Security Model, Zero Trust
Simply put

Zero Trust Architecture is a security approach that treats no user, device, or system as trustworthy by default, regardless of whether they are inside or outside the network. Every access request must be verified before access is granted. It is designed to reduce the risk of breaches by eliminating the assumption that anything inside a network perimeter can be trusted.

Formal definition

Zero Trust Architecture (ZTA) is a security framework and design strategy for enterprise infrastructure and workflows that applies zero trust principles: continuous verification of identity and device posture for every access request, least-privilege access enforcement, and the assumption that no implicit trust is granted based on network location or prior authentication state. ZTA replaces perimeter-based trust models by requiring explicit authentication and authorization for all subjects and resources, typically enforced through policy decision points and policy enforcement points across users, devices, applications, and data flows. As defined in NIST SP 800-207, ZTA uses these principles to plan industrial and enterprise infrastructure such that trust is never assumed and must be continuously evaluated.

Why it matters

Traditional perimeter-based security models operate on the assumption that entities inside a corporate network can be trusted by default. This assumption has proven repeatedly problematic as organizations adopt cloud services, remote work, and third-party integrations that dissolve clear network boundaries. When an attacker or malicious insider gains access to the internal network, perimeter-focused defenses typically offer little resistance to lateral movement across systems and data stores.

Who it's relevant to

Enterprise Security Architects
Security architects are responsible for designing the infrastructure and workflows that implement Zero Trust principles. This includes defining trust boundaries, selecting and configuring policy decision points and enforcement points, and ensuring that identity, device, and data flow controls are integrated across the environment. Adopting ZTA typically requires significant architectural changes to how applications, networks, and identity systems are structured and interconnected.
Application Security Engineers
Application security engineers must account for ZTA principles when designing and reviewing applications, particularly around authentication, authorization, and service-to-service communication. In a Zero Trust model, applications cannot rely on network location as a trust signal, which means every API call, microservice interaction, and data access must carry verifiable credentials and be subject to policy enforcement. This has direct implications for how secrets are managed, how service identities are issued, and how access controls are implemented within the application layer.
DevOps and Platform Engineers
DevOps and platform engineers who build and operate CI/CD pipelines, cloud infrastructure, and deployment environments are affected by ZTA because these systems frequently access sensitive resources and credentials. Applying Zero Trust to the software supply chain means that pipeline components, build agents, and deployment tools must authenticate and be authorized explicitly rather than inheriting broad trust from their network position or a shared service account.
Identity and Access Management (IAM) Teams
IAM teams play a central role in Zero Trust implementations because identity verification is the primary mechanism through which trust is established for any access request. ZTA requires robust identity infrastructure including strong authentication, continuous session validation, and fine-grained authorization policies. IAM teams must ensure that user identities, device identities, and workload identities are consistently managed and that access decisions reflect current posture rather than historical authentication state.
Compliance and Risk Officers
Zero Trust Architecture aligns closely with regulatory and compliance requirements that mandate least-privilege access, auditability of access decisions, and controls against unauthorized data access. Compliance and risk officers benefit from ZTA's emphasis on continuous verification and logging, which supports demonstrating control effectiveness to auditors. They are typically involved in defining the risk thresholds and access policies that inform how policy decision points are configured across the organization.

Inside ZTA

Identity Verification
Continuous authentication and authorization of every user, device, and service attempting to access resources, regardless of network location. Identity becomes the primary security perimeter in place of network boundaries.
Least Privilege Access
Granting subjects only the minimum permissions required to perform their intended function, scoped to the specific resource and time window needed, reducing the blast radius of compromised credentials or accounts.
Micro-Segmentation
Dividing networks and application environments into small, isolated zones so that lateral movement by an attacker who has gained initial access is limited and contained rather than able to traverse the broader environment freely.
Continuous Validation
Ongoing re-evaluation of trust signals at runtime rather than a one-time check at the point of initial access. Trust is never assumed to persist and is reassessed based on context such as device posture, behavior, and risk signals.
Device Health and Posture Assessment
Evaluation of the security state of endpoints and devices before and during access, including patch level, configuration compliance, and the presence of endpoint detection controls, used as an input to access decisions.
Policy Enforcement Points
Inline components that intercept access requests and apply access control decisions made by a policy engine. These enforce the outcome of trust evaluation before allowing or denying access to protected resources.
Explicit Access Control for Applications
Treating internal applications with the same access control rigor applied to externally exposed services, eliminating implicit trust granted solely because a request originates from inside a corporate network perimeter.
Comprehensive Logging and Telemetry
Collection and analysis of access logs, behavioral signals, and audit trails across all resources and sessions to support anomaly detection, incident investigation, and continuous improvement of policy decisions.

Common questions

Answers to the questions practitioners most commonly ask about ZTA.

Does adopting Zero Trust Architecture mean we no longer need a perimeter firewall or network segmentation?
No. Zero Trust Architecture does not eliminate the value of network controls. It reframes them as one layer among many rather than the primary or sole trust boundary. Perimeter firewalls and network segmentation typically remain in place but are no longer treated as sufficient on their own. Zero Trust extends controls to cover identity, device health, application-layer policy, and data access, regardless of whether traffic originates inside or outside the traditional network perimeter.
Is Zero Trust Architecture a product you can purchase and deploy?
No. Zero Trust Architecture is a security model and design philosophy, not a product or a single technology. Vendors may offer products that support Zero Trust principles, such as identity providers, policy enforcement points, or microsegmentation tools, but no single product implements Zero Trust Architecture in full. Achieving Zero Trust requires integrating multiple controls, updating policies and processes, and making ongoing architectural decisions across an organization's environment.
How should an organization prioritize where to start implementing Zero Trust?
Most organizations begin by identifying their most sensitive data, systems, and workflows, then applying Zero Trust controls to those areas first. Common starting points include enforcing strong identity verification and multi-factor authentication, inventorying devices to assess health and compliance, and mapping access paths to critical applications. Incremental adoption is typical, with controls expanded over time rather than deployed all at once.
How does Zero Trust Architecture apply to third-party and supply chain access?
Zero Trust principles apply to third-party access in the same way they apply to internal users: access is never granted based on network location or assumed trust. Third-party identities should be authenticated through the same policy enforcement mechanisms, granted only the minimum privileges necessary for their specific tasks, and subject to continuous verification. Device health checks may be scoped or adjusted depending on whether the organization manages the third party's endpoints.
What role does continuous monitoring play in a Zero Trust Architecture?
Continuous monitoring is a foundational component rather than an optional addition. Because Zero Trust Architecture does not grant persistent implicit trust, it depends on ongoing verification of identity, device posture, and behavior to make dynamic access decisions. Monitoring typically feeds into policy engines that can revoke or restrict access when anomalies are detected. Without continuous monitoring, a Zero Trust model may enforce controls at initial authentication but fail to respond to changes in risk during an active session.
How does microsegmentation relate to Zero Trust Architecture, and is it required?
Microsegmentation is a commonly used technique within Zero Trust Architecture that limits lateral movement by dividing networks or workloads into smaller segments with explicit access controls between them. It supports the Zero Trust principle of least-privilege access at the network layer. Whether it is strictly required depends on the organization's environment and threat model. In some implementations, application-layer controls and identity-based policies may partially substitute for network microsegmentation, though the two approaches are often used together for defense in depth.

Common misconceptions

Zero Trust means eliminating the network perimeter entirely and removing all existing network controls.
Zero Trust reframes where trust is rooted, shifting it from network location to verified identity and device posture. Existing network controls may remain as one layer of defense, but they are no longer treated as sufficient on their own. The network perimeter is supplemented and in some cases replaced, but the transition is typically incremental rather than an immediate removal of all boundary controls.
Deploying a single Zero Trust product or platform achieves Zero Trust Architecture.
Zero Trust is an architectural strategy and a set of principles rather than a product category. Implementing it typically requires coordinated changes across identity management, device management, network segmentation, application access controls, and monitoring. No single vendor tool delivers Zero Trust in full; most tools address specific components of the model.
Zero Trust assumes all users and devices inside the organization are malicious and treats them as adversaries.
Zero Trust does not assume malice. It assumes that trust should not be granted implicitly based on network location alone, because credentials may be compromised, devices may be misconfigured, and insider threats are a realistic risk category. Access decisions are based on verified signals rather than assumed safety, which differs from treating all internal actors as hostile.

Best practices

Inventory and classify all applications, services, and data stores before defining access policies, so that policy enforcement is grounded in an accurate understanding of what resources exist and who legitimately needs access to them.
Enforce multi-factor authentication for all user access to sensitive resources and integrate device posture signals into access decisions, so that a stolen credential alone is insufficient to grant access.
Implement micro-segmentation progressively, starting with the highest-risk or most sensitive application tiers, and validate that lateral movement between segments is blocked before expanding segmentation to broader environment zones.
Apply least privilege access controls to service-to-service communication within application architectures, including internal APIs and service mesh configurations, not only to human user access paths.
Establish continuous monitoring and alerting on access telemetry so that anomalous patterns, such as access from unexpected locations or unusual resource request volumes, trigger re-evaluation of active sessions rather than waiting until the next authentication event.
Treat Zero Trust adoption as an iterative program with defined maturity milestones rather than a binary state, and regularly audit policy enforcement points to confirm that defined policies are being applied consistently across all access paths.