What Is Zero Trust Architecture?

At a time when remote work is becoming more prevalent, a growing number of bad actors are stealing data, implanting malware, and launching ransomware attacks. Establishing zero trust architecture in cyber networks is crucial to preserving data integrity and protecting data access.

What is zero trust architecture, and how is it better? Traditional network cybersecurity architecture can allow unwelcome incursions by assuming the trust of inquirers before verifying the right to access applications and data. Conversely, zero trust security solutions deny user access to any inquirer—whether people or software systems—up front. Trust must be gained and is achieved internally via systems that rely on trust algorithms.

 

How Architecture for Zero Trust Works

The zero trust security model shifts the focus of cybersecurity from defending unchanging, network-based perimeters to protecting the users, assets, and data that seek secure access to enterprise resources. A zero trust framework offers no implicit trust to assets or user accounts based only on physical location or asset ownership.

Where Did the Zero Trust Architecture Model for Cybersecurity Originate?

The recognized need for strong authentication on cybersecurity frameworks predates the term “zero trust.” The Defense Information Systems Agency and the Department of Defense published a report on cybersecurity strategy dubbed “black core.” BCORE called for focusing on the security of each transaction instead of adhering to a perimeter-based security model for systems at enterprise locations.

As cloud computing evolved, the Jericho Forum in 2004 publicized limiting implicit trust based on network location. Later, John Kindervag, then at Forrester Research, coined the phrase “zero trust” to describe cybersecurity solutions that moved away from implied trust based on network locations to evaluating trust for each transaction. The National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence published SP 800-207, Zero Trust Architecture, to define zero trust principles. In 2021, President Joe Biden issued Executive Order 14028, requiring federal agencies to deploy it.

Why Adopt a Zero Trust Security Model?

More computers, tablets, and phones seek access to resources housed at enterprise locations. Consequently, organizations should consider adopting a zero trust security model to prevent unauthorized access. The zero trust framework makes it difficult for cybercriminals to succeed in their attempts to deploy ransomware attacks or otherwise compromise systems and steal data. Zero trust architecture is crucial to protecting 5G telecommunications networks and cloud infrastructure.

Hackers are increasingly adept at stealing usernames, passwords, and PINs. Also, automated software can be mimicked easily. Anonymity in software allows exact duplicates to be mapped and modeled with no indication that duplicates are imitations. The sheer computing power needed to monitor traditional systems further complicates protection for the cybersecurity team.

Servers at large companies may process one hundred thousand communications a minute or more, and traffic growth makes trust establishment more difficult. Thus, more processing power and computational analysis are needed to block unauthorized inquiries. The greater the processing need, the less time systems serve legitimate clients.

The Impact of Zero Trust Security for Organizations

For comprehensive protection, you can install a zero trust strategy for internal systems, vendor networks, cyber-physical systems, and the cloud. In fact, zero trust architecture protects the cloud through stringent monitoring of cloud infrastructure instead of only guarding the business perimeter. Thus, you can weave the principle of “trust no one” throughout your organization’s entire zero trust security system.

Systems optimization and the idea of self-organizing systems heighten the need to transition to zero trust solutions on a number of levels. The zero trust journey can begin simply by switching to cloud-based single sign-on (SSO), in which vendors also provide multi-factor authentication (MFA). In addition to MFA, SSO enhances password security.

 

Learn more in our course program: Protecting Privacy in the Digital Age


Developing a Zero Trust Architecture

The logical components of zero trust architecture, whether operated on-site or through a cloud-based service, include a policy engine (PE), policy administrator (PA), and policy enforcement point (PEP). Guided by policy and external input (e.g., threat intelligence services) to a trust algorithm, the PE grants, denies, or revokes access. The PA executes the decision, and the PEP enables, monitors, and terminates connections between a user and an enterprise resource. The PE is essentially the brain, and its trust algorithm is the thought process used to grant or deny access.

Basic Zero Trust Principles

A zero trust model that guards remote access, shields client confidentiality, and protects communications between servers requires a new thought process. You should adhere to zero trust tenets that govern design and deployment. For starters, consider all data sources and computing services resources. Secure all communication, regardless of network location.

Zero trust principles, determined by dynamic policy, grant access on a per-session basis. The enterprise monitors and measures the integrity and security of all owned and associated assets. Consider all resource authentications and authorizations to be dynamic and strictly enforce them before allowing access. Collect as much information as possible about the state of assets, network infrastructure, and communications, and use it to improve security posture.

Different Approaches to Zero Trust Architecture

A complete zero trust solution contains elements of three approaches. The enhanced identity governance-driven approach includes a user’s identity as the key element of policy creation. In micro-segmentation, resources can be placed on a unique network segment protected by a gateway security component, including intelligent switches or routers, next generation firewalls, or special purpose gateway devices.

In network-based segmentation, or a software-defined perimeter approach, you can achieve zero trust by using an overlay network. The PA acts as the controller that sets up and reconfigures the network based on the decisions made by the PE.

Technologies and Infrastructure Needed to Develop Zero Trust Systems

Zero trust systems encompass identity, credentials, access management, operations, endpoints, hosting environments, and interconnecting infrastructure. Network and environment components must have adequate technical and processing capabilities. Enterprise assets should have basic network connectivity.

Enterprises need to distinguish between owned and managed assets and device security arrangements. Observe all network traffic. Resources should not be available without accessing a PEP, which alone accesses the PA. Remote assets should be able to access resources without first going through enterprise network infrastructure. Infrastructure that supports the zero trust decision process should be scalable to account for changes in process load.

 

How to Achieve Zero Trust

Implementing zero trust architecture often occurs incrementally. Because of budget constraints, organizations rarely build systems consisting only of zero trust from the ground up, and they choose instead to modify systems over time. Consider a hybrid approach alongside perimeter-based architecture while investing in ongoing IT modernization. A plan can guide the process of moving to zero trust architecture by identifying and scheduling incremental workflow shifts.

Achieving Zero Trust

Before installing zero trust architecture, establish a knowledge baseline. Identify and catalog assets, subjects, business processes, traffic flows, and mappings that show how systems, processes, and teams are interdependent. Verify all users, devices, and access privileges. When evaluating access requests, the PE requires information on physical and virtual assets, human or software systems subjects, user privileges, and allowed processes. Incomplete knowledge leads to access denial. Developers and system administrators require additional scrutiny that involves logs and audits.

Machine identities need to be established, identified, and cataloged. Identify employee laptops and mobile devices, as well as internal, remote, and vendor software. Log multifactor authentication (MFA) activity, including the use of passwords and PINs coupled with authentication via an identified mobile phone or other device.

Enterprise Policy to Implement Zero Trust Architecture

To implement zero trust, organizations should adhere to established policies. For example, maintain and continually revise a log on asset connections, updates, and any changes. Identify and rank business processes, data flows, and the role of each in the organization’s mission. Business processes should detail circumstances for granting or denying access.

Policies must establish qualifications for privileged access and specific, accessible resources in any privileged access management program. Access depends on user identification, the authentication process, and host information profiles that block unauthorized users. A firewall blocks any network traffic that fails to comply with policy.

Once the security team develops a list of business processes for conversion to zero trust, enterprise architects can make plans to install needed solutions. Plans should include logging interactions for analysis, providing broad support for different applications, services, and protocols, and requiring necessary changes to subject behavior. The nature of cyberattacks drives policy-supported modernization. Most cyberattacks and systems breaches, including virus implants for ransomware attacks, occur in off hours.

Consequently, consider granting access within certain timeframes, such as during a typical workday. Consider restricting access by physical location as well. Adopt a principle of least privilege, with access authorized and granted only to complete specific tasks. Once the conversion process starts, teams can operate new zero trust business workflow in reporting-only mode to ensure effective, workable policies.
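The per-session decision described above (a policy engine that denies on incomplete knowledge, restricts by time and location, applies least privilege, and can run in reporting-only mode) can be sketched as follows. This is an added example, not code from NIST SP 800-207 or from any product; the resource names, roles, field names, and policy values are constructed assumptions, and the policy administrator step is folded into the enforcement function for brevity.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# Constructed policy for illustration; resources, roles and values are assumptions.
POLICY = {
    "payroll-db": {"roles": {"payroll-clerk"}, "hours": (time(8), time(18)),
                   "locations": {"US"}, "report_only": False},
    # Newly converted workflow: violations are logged, not blocked.
    "wiki": {"roles": {"employee"}, "hours": (time(8), time(18)),
             "locations": {"US", "CA"}, "report_only": True},
}
AUDIT_LOG = []  # every decision is recorded for later analysis

@dataclass
class Request:
    resource: str
    when: datetime
    subject: Optional[str] = None
    role: Optional[str] = None
    device_managed: Optional[bool] = None
    mfa_passed: Optional[bool] = None
    location: Optional[str] = None

def evaluate(req):
    """Policy engine (PE): return the list of policy violations for one session."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return ["no policy for resource"]  # nothing is trusted implicitly
    known = ("subject", "role", "device_managed", "mfa_passed", "location")
    missing = [f for f in known if getattr(req, f) is None]
    if missing:  # incomplete knowledge leads to access denial
        return ["incomplete knowledge: " + ", ".join(missing)]
    start, end = rule["hours"]
    checks = [
        (req.mfa_passed, "MFA not satisfied"),
        (req.device_managed, "unmanaged device"),
        (req.role in rule["roles"], "role lacks privilege for resource"),
        (req.location in rule["locations"], "location not permitted"),
        (start <= req.when.time() < end, "outside permitted hours"),
    ]
    return [reason for ok, reason in checks if not ok]

def pep_connect(req):
    """Policy enforcement point (PEP): enable the connection only if the PE allows it."""
    violations = evaluate(req)
    report_only = POLICY.get(req.resource, {}).get("report_only", False)
    decision = "allow" if not violations else ("would-deny" if report_only else "deny")
    AUDIT_LOG.append((req.when.isoformat(), req.subject, req.resource, decision, violations))
    return decision != "deny"
```

Reviewing the "would-deny" entries in the audit log while a workflow is in reporting-only mode shows which legitimate sessions the policy would have blocked before enforcement is switched on.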

 

Implementing and Managing Zero Trust

Every zero trust journey should include continual oversight of policies, strategies, and systems deployments. The security team should consistently assess the zero trust framework. Appraise on an ongoing basis the suitability of hardware and software systems and the security of any connected network perimeter and cloud infrastructure.

Zero Trust Management

After policy is set and the operational phase begins, monitor networks and assets and log traffic for overall zero trust management and management of segments during transitions. After establishing zero trust in one segment, start planning the next phase of zero trust deployment.

Discuss ongoing needs to modernize and upgrade cybersecurity, hardware and software systems, and network resources. New devices, major updates to software, and shifts in organizational structure can require changes to workflow or policies. Constant and consistent assessment of overall attack surface—meaning the total number of all possible entry points for unauthorized access—should be a staple of any cybersecurity program.

Avoiding Duplication

Prudent approaches to implementing, assessing, and updating zero trust solutions need not be duplicative. A single asset may perform the duties of multiple logical components such as enhanced identity governance, micro-segmentation, and network infrastructure and software defined perimeters. Similarly, a logical component may consist of multiple hardware or software elements.

A public key infrastructure (PKI) system that protects sensitive data via encryption and signs data may consist of one component for issuing certificates for devices. Another component may issue certificates to end users. Both use intermediate certificates issued from the same certificate authority.

Some available products combine the PE and PA components in a single service. Deployment of selected components may vary. Depending on enterprise network setup, numerous zero trust architecture deployment models can be used for different business processes in one enterprise. The device agent/gateway deployment model divides the PEP into two components.

Zero Trust Journey

Zero trust architecture can be implemented within existing systems capabilities. In fact, organizations may have solutions in place that support zero trust. For example, existing multifactor authentication (MFA) and cloud-based single sign-on (SSO) are not zero trust but can be a part of establishing an overall zero trust solution.

Zero trust includes a variety of security technologies besides MFA. Others include identity and access management (IAM), role-based access control (RBAC), network access control (NAC), encryption, policy enforcement engines, policy orchestration, logging, analytics, and scoring, and file system permissions. The Cloud Security Alliance (CSA) has developed a security framework called a software-defined perimeter (SDP). The Internet Engineering Task Force (IETF) sanctioned the Host Identity Protocol (HIP).

Conclusion

Zero trust includes the overarching belief that organizations should not automatically trust but verify every user, every device, and every access request every time. Although data and service protection are key, a zero trust approach can protect all enterprise assets. Zero trust security models assume that an attacker is present and allow an enterprise to assume no implicit trust.

Interested in joining IEEE Digital Privacy? IEEE Digital Privacy is an IEEE-wide effort dedicated to championing the digital privacy needs of individuals. This initiative strives to bring the voice of technologists to the digital privacy discussion and solutions, incorporating a holistic approach to address privacy that also includes economic, legal, and social perspectives. Join the IEEE Digital Privacy Community to stay involved with the initiative program activities and connect with others in the field.

 
