What is Zero Trust Architecture? 9 Steps to Implementation
As more companies migrate to the cloud, the way that they protect data changes as well. In a traditional on-premises network architecture, companies could follow the “trust but verify” philosophy. However, protecting cloud data needs to take the “never trust, always verify” approach. Understanding what a zero trust architecture is and how to implement one can help enhance security.
What is the zero trust cybersecurity model?
The zero trust cybersecurity model requires that all users, devices, and applications connected to an organization’s network are continuously authenticated, authorized, and monitored to ensure appropriate configurations and posture before granting them access to networks and data, regardless of whether they are on-site or remote.
The origins of zero trust security
The concept of zero trust was first introduced by John Kindervag, former Principal Analyst at Forrester Research, who recognized that traditional perimeter security models were no longer sufficient in protecting modern organizations. His revolutionary security model challenged the conventional wisdom of trusting entities inside the network perimeter while treating everything outside as potentially malicious.
Why traditional security models are failing
In traditional on-premises network architectures, users and devices connecting to networks were considered “trusted” because their activity could be limited using hardwired connections and firewalls. However, with the rise of wireless networks, cloud environments, and remote workers, the concept of trust eroded.
Companies now face an expanded attack surface due to the proliferation of cloud workloads, mobile devices, and distributed work environments. This expanded threat landscape requires a comprehensive cybersecurity strategy that goes beyond traditional network security approaches to include robust identity security posture management and continuous monitoring.
Zero trust is a way that companies can reduce risk by continuously requiring authentication and authorization.
What are the basic principles of Zero Trust?
Zero trust means what it says and says what it means. Trust no one. According to the National Institute of Standards and Technology Special Publication (NIST SP 800-207), the basic principles of a Zero Trust enterprise cybersecurity architecture include:
- Assuming there’s been a breach
- Assuming an enterprise-owned environment is no different or more trustworthy than a non-enterprise-owned environment
- Continuously analyzing and evaluating risk
- Continuously enacting risk mitigation protections
- Minimizing user and asset access to resources
- Continually authenticating and authorizing identity and security for each access request
These security principles form the foundation of any effective cybersecurity plan and represent a fundamental shift from traditional security framework models.
What are the different approaches to Zero Trust Architecture?
As with everything in cybersecurity, there is no “one size fits all” approach to zero trust. Although three variations on the theme exist, many companies take a “mix and match” approach to all three.
Enhanced identity governance
Identity governance is the management of the identity lifecycle, from the moment you first grant a user identity access to systems, networks, and software until you terminate that access.
As a best practice, you should limit access according to the principle of least privilege access, providing the least amount of access necessary for a person, device, or software to complete its job function. Additionally, you should consider incorporating the following as additional attributes when considering permissions:
- Network location
- Device used
- Resource risk
Enhanced identity governance includes restricting network access according to the principle of least privilege and requiring multi-factor authentication (MFA).
Effective identity authentication processes must include end-to-end encryption and robust access control policies that adapt to changing threat landscapes. Enterprises using least privilege access as part of their security strategy often see significant reductions in data breaches and unauthorized access incidents. This identity security posture management approach ensures that remote access requests are thoroughly validated before granting system permissions.
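The decision logic described in this section, as an added example that is not code from the original article or from SecurityScorecard: every request is evaluated on its own against least-privilege role grants plus the extra attributes named above (network location, device used, resource risk) and an MFA requirement. The role names, resource names, device identifiers and the 15-minute re-authentication window are constructed assumptions for the example.

```python
from dataclasses import dataclass

# Constructed sample policy data; role names, resources and device ids are hypothetical.
ROLE_PERMISSIONS = {
    "finance-analyst": {"ledger-db": {"read"}, "wiki": {"read", "write"}},
    "ledger-admin": {"ledger-db": {"read", "write"}},
}
RESOURCE_RISK = {"ledger-db": "high", "wiki": "low"}  # unknown resources are treated as high risk
MANAGED_DEVICES = {"lt-0042", "lt-0107"}             # device inventory (assumed)
MAX_MFA_AGE_S = 900  # off-network access to high-risk data needs MFA within the last 15 minutes


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: tuple
    resource: str
    action: str
    device_id: str
    network_location: str  # "corp" or "external"
    mfa_verified: bool
    mfa_age_s: int         # seconds since the last successful MFA challenge


def permitted_actions(roles, resource):
    """Union of the actions the user's roles grant on this resource (least privilege)."""
    actions = set()
    for role in roles:
        actions |= ROLE_PERMISSIONS.get(role, {}).get(resource, set())
    return actions


def decide(req):
    """Evaluate one request; this runs on every request, not once per session.

    Returns (allowed, reason) so that the reason can be logged with the decision.
    """
    # Least privilege: deny unless some role explicitly grants the action.
    if req.action not in permitted_actions(req.roles, req.resource):
        return False, "action not granted by any role"
    # MFA is required for every access regardless of resource risk.
    if not req.mfa_verified:
        return False, "mfa required"
    risk = RESOURCE_RISK.get(req.resource, "high")
    if risk == "high":
        # Device attribute: high-risk data only from a managed device.
        if req.device_id not in MANAGED_DEVICES:
            return False, "high-risk resource requires a managed device"
        # Network-location attribute: off-network access needs a fresh MFA.
        if req.network_location != "corp" and req.mfa_age_s > MAX_MFA_AGE_S:
            return False, "re-authentication required off-network"
    return True, "granted"


if __name__ == "__main__":
    sample = AccessRequest("alice", ("finance-analyst",), "ledger-db", "read",
                           "lt-0042", "external", True, 7200)
    print(decide(sample))  # the same identity and device are denied once the MFA is stale
```

The point of the example is that identity alone never decides: the same user is granted read access to the ledger from a managed device on the corporate network, but is refused when the device is unmanaged or the MFA is older than the window while off-network, and is never granted a write that no role confers.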
How micro-segmentation protects network resources
Micro-segmentation protects resources, either in groups or individually, by placing them on a unique network segment using a switch, firewall, or another gateway device.
Although this approach incorporates identity governance, it also relies on network devices to prevent unauthorized access. When using micro-segmentation to protect data, organizations need to ensure that the devices can respond to threats or changes in workflow.
Micro-segmentation represents a critical security model for protecting cloud workloads and sensitive data repositories. By implementing granular security controls at the network level, organizations can create isolated environments that limit threat actors’ lateral movement. This approach is particularly effective in cloud environments where traditional network perimeter controls may not be sufficient.
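A small model of the gateway rules this section describes, added here as an example that is not part of the original article or of any SecurityScorecard product: segments are CIDR ranges, cross-segment flows are default-deny with an explicit allow-list, and two helper functions answer the question a reviewer of a segmentation design actually asks, namely what a host in one segment can reach directly and what it could reach by pivoting hop by hop. The segment names, CIDRs and ports are constructed assumptions.

```python
import ipaddress
from collections import deque

# Constructed example: four segments with hypothetical CIDRs, separated by a gateway.
SEGMENTS = {
    "web":  ipaddress.ip_network("10.10.1.0/24"),
    "app":  ipaddress.ip_network("10.10.2.0/24"),
    "db":   ipaddress.ip_network("10.10.3.0/24"),
    "mgmt": ipaddress.ip_network("10.10.9.0/24"),
}

# Explicit allow-list of (source segment, destination segment, destination port).
# Anything not listed is denied by the gateway (default deny).
ALLOWED_FLOWS = {
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("mgmt", "web", 22),
    ("mgmt", "app", 22),
    ("mgmt", "db", 22),
}


def segment_of(ip):
    """Map an address to its segment, or None if it belongs to no known segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def flow_allowed(src_ip, dst_ip, dst_port):
    """Gateway decision for one flow. Unknown addresses are always denied."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        # Traffic inside one segment never crosses the gateway, so these rules
        # cannot restrict it; that is the reason to keep segments small.
        return True
    return (src, dst, dst_port) in ALLOWED_FLOWS


def direct_reach(segment):
    """(segment, port) pairs a host in `segment` may open through the gateway."""
    return {(dst, port) for (src, dst, port) in ALLOWED_FLOWS if src == segment}


def transitive_reach(segment):
    """Segments reachable by pivoting hop by hop from a host in `segment`.

    This is the blast radius a reviewer compares against the data each segment holds.
    """
    seen, queue = set(), deque([segment])
    while queue:
        current = queue.popleft()
        for dst, _port in direct_reach(current):
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    seen.discard(segment)
    return seen


if __name__ == "__main__":
    for name in SEGMENTS:
        print(f"{name}: direct={sorted(direct_reach(name))} transitive={sorted(transitive_reach(name))}")
```

Run against the constructed rules, a compromised web host can open only port 8443 to the app tier, cannot reach the database directly, and reaches it only through a second compromise in the app tier; the management segment, by contrast, reaches everything, which is why it deserves the strictest identity controls of the three approaches above.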
Network infrastructure and software-defined perimeters
This approach, often referred to as a software-defined perimeter, typically uses technologies like Software-Defined Networks (SDN) and intent-based networking (IBN). Under this approach, the organization deploys a gateway at the application layer that establishes a secure channel between the user and the resource.
Software-defined perimeters represent an evolution in network security architecture, particularly effective for organizations with legacy systems that require modernization.
What is the difference between Zero Trust Access (ZTA) and Zero Trust Network Architecture (ZTNA)?
When discussing zero trust, people often use the terms ZTA and ZTNA. Both enable zero trust, but they do it differently.
Zero Trust Access (ZTA)
ZTA relies on the organization’s Identity and Access Management (IAM) policies, often requiring MFA to verify that users are who they say they are. Additionally, ZTA usually includes maintaining a continuous inventory of devices and users connecting to the network while continuously scanning for new access.
Zero trust network access solutions provide granular control over remote access requests and integrate threat intelligence feeds to make real-time access decisions.
Zero Trust Network Architecture (ZTNA)
While ZTA focuses on who and what connects to a zero trust network, ZTNA focuses on who and what can connect to applications located on the network. ZTNA places the applications behind a “proxy point” gate, creating a secure, encrypted tunnel that data travels across. This makes it easier to secure remote users and entities without using a VPN.
ZTNA solutions are particularly valuable for organizations implementing comprehensive data loss prevention strategies, as they provide granular visibility and control over data access patterns.
Five use cases for zero trust
If you’re considering whether zero trust is appropriate for your company, the following zero trust architecture example use cases might help you understand how it would fit into your current IT landscape.
1. Enterprise satellites
Often, organizations have a headquarters with remote offices or employees. Since the remote locations don’t connect to the enterprise local network, a company may create a portal for users who need access to resources.
This use case demonstrates the zero trust architecture benefits for distributed organizations, where traditional perimeter security models fail to provide adequate protection for remote workers. Organizations can maintain consistent security controls regardless of user location by implementing zero trust principles.
2. Multi-cloud architecture
Increasingly, organizations use more than one cloud services provider, hosting multiple applications across different clouds. A zero-trust approach enables better security for both Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) by requiring users and entities to access the resources through a portal or an installed agent. This gives the company more control over how users gain access to the cloud resource and ensures better visibility into cloud security.
Multi-cloud environments present unique challenges for maintaining a consistent security framework across different platforms. The zero trust framework addresses these challenges by providing unified access control policies and threat intelligence integration that works consistently across all cloud environments.
3. Managing third-party, non-employee access
Zero trust can be used to create a portal for those who need network connectivity to perform their tasks. This enables you to offer access while obscuring enterprise resources, mitigating the risks associated with outsiders accessing enterprise resources.
4. Across enterprise boundaries
Many enterprise organizations have different databases used by various subsidiaries. Creating multiple accounts for users needing access to multiple databases across subsidiary lines becomes overwhelming.
For example, an enterprise might have Sub 1 and Sub 2 with Database A and Database B. Both Sub 1 and Sub 2 use Database A, but only Sub 2 needs access to Database B. Creating unique logins for each database increases credential theft risk. In this case, zero trust provides the same benefit as it does for remote employees and offices.
5. Customer-facing services
In some cases, companies offer customer services that require user registration. In this case, the organization must protect internal assets and customer information. Zero trust enables enhanced security when organizations can segregate these customer services from enterprise services and use portals that drive customers to the resources they need.
Understanding the risk considerations for Zero Trust
While zero trust enables organizations to better secure data, it also comes with its own set of risks.
Secure configuration and maintenance of components
Any software or hardware component used must be securely configured and maintained. This can include monitoring for new risks arising from:
- Hardware vulnerabilities
- Software vulnerabilities
- Malware/ransomware
- Credential theft
Proper component configuration is essential for maintaining an effective security model and requires ongoing attention to threat intelligence feeds and vulnerability assessments. Organizations must regularly update all security controls to address emerging threats and maintain optimal endpoint security.
Denial-of-Service (DoS) attack or network outage
All technologies enabling a zero trust architecture rely on network connectivity. A network outage due to a DoS attack or cloud service provider downtime can undermine the core technologies protecting the digital assets.
Additionally, unexpected heavy usage can lead to slower service, which can lead to business disruption. Any of these scenarios can lead to users being unable to access resources. This means that employees or customers may be unable to connect to resources, decreasing productivity or interrupting customer services.
Stolen credentials/insider threat
No matter your chosen deployment method, zero trust relies entirely on authenticating users and entities to networks or applications. Stolen credentials or a malicious insider can undermine your zero trust goals.
To mitigate this risk, you should consider:
- Assigning additional attributes to access control policies, including geolocation and IP address
- MFA to mitigate the use of stolen credentials
- User and entity behavior analytics (UEBA) to determine abnormal behaviors indicating malicious resource use
- Network segmentation to prevent lateral movement
Cyber attackers increasingly target user identity credentials as a primary attack vector, making robust identity authentication processes critical for any security strategy.
9 Steps to a Zero Trust Architecture
While establishing a Zero Trust Architecture can enhance security, many organizations find the implementation challenging. Understanding the steps involved can help move toward a zero trust security approach.
Taking a rip-and-replace approach is not the most likely path, but some organizations can do it. This approach requires:
- Knowing all applications/services
- Understanding all workflows
- Deciding on the technologies to use
- Mapping how the technologies interact
- Building the infrastructure
- Configuring all technologies
It’s more likely that you already have a network infrastructure in place. Ultimately, this means taking a perimeter-based approach, which requires engaging in the following nine steps.
1. Identify users who need network access
The first step is understanding who needs access to your digital resources. However, you also need to do more than just get a list of employees. When identifying users, you need to consider:
- Employees
- Third-party contractors
- Service accounts
- Robotic process automations (RPAs/bots)
- Serverless functions
Additionally, you need to consider users with privileged access, including:
- System administrators
- Developers
Companies must maintain comprehensive inventories of all entities requiring access, including remote workers who may access systems from various locations and devices. This inventory should include detailed information about each user’s role, required access levels, and associated risk factors.
2. Identify the devices that need network access
Zero trust also tracks all devices that connect to your network. The increased use of Internet of Things (IoT) devices has made identifying and cataloging devices more challenging.
When creating the asset catalog, you should include:
- Workstations (laptops/desktops)
- Smartphones
- Tablets
- IoT devices (printers, smart security cameras)
- Switches
- Routers
- Modems
As part of a zero trust architecture, you must maintain secure configurations for all these devices.
3. Identify the digital artifacts that need network access
Increasingly, applications and other non-tangible, digital artifacts require network access. As you build out your list, you should consider:
- User accounts
- Applications
- Digital certificates
Another challenge here is shadow IT, technologies connecting to the network that your IT team may not know about. As part of your zero trust migration, you want to engage in a network scan to ensure you identify all access points.
4. Identify key processes
Once you know all the applications your company uses, you need to define the ones most critical to your operations. These key business processes help you set resource access control policies.
Low-risk processes are often good candidates for the first round of migration because moving them won’t cause critical business downtime.
Meanwhile, cloud-based critical resources are good candidates because placing controls around them protects sensitive data and services. When putting the controls around these processes, however, you should engage in a cost-benefit analysis that includes:
- Performance
- User experience
- Impact on workflows
- Upstream resources (things that flow into the current asset, like ID management, systems, and databases)
- Downstream resources (things that flow out of the current asset, like event logs)
- Entities (connections to the asset, like users and services accounts)
Process prioritization should consider the potential impact of data breaches and the criticality of each system to overall business operations.
5. Establish policies
With all users, technologies, and key business processes identified, you now start establishing policies.
You must identify the items listed above in step 4 for each asset or workflow.
Policy development must reflect zero trust principles while accommodating the unique requirements of different user groups, including remote workers and third-party contractors.
6. Identify solutions
Your solution should be based on the previous steps because different tools enable different business goals. According to NIST SP 800-207, the primary questions you should ask yourself when making the decision are:
- Does the solution require that components be installed on the client asset?
- Does the solution work where the business process resources exist entirely on enterprise premises?
- Does the solution provide a means to log interactions for analysis?
- Does the solution provide broad support for different applications, services, and protocols?
- Does the solution require changes to subject behavior?
Solution selection should prioritize compatibility with existing legacy systems while providing the flexibility to scale with future cloud environments.
7. Deploy solution
Deploying your solution should be done in stages to mitigate business interruption risk. This first stage should consider:
- Initially operating in observation and monitoring mode
- Ensuring that all privileged user accounts have access
- Ensuring that all privileged user account access is appropriately limited
- Reviewing access to make sure no one has more access than they need
Deployment should include comprehensive testing of remote access capabilities and validation that data loss prevention measures are functioning correctly.
8. Monitor controls
Once you know that everything works as intended for the first round of migrated processes, you should engage in a period of monitoring. During this time, you want to make sure you set baselines for activities like:
- Asset and resource access requests
- Behaviors
- Communication patterns
Moreover, you want to monitor basic policy functionality like:
- Denying requests that fail MFA
- Denying requests from known attacker-controlled or subverted IP addresses
- Granting access for most other requests
- Ensuring that all necessary logs are generated
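The monitoring described in step 8, as an added example that is not code from the original article or from SecurityScorecard: it builds per-user baselines (countries and resources seen) from a window of decision logs, checks the basic policy functions listed above (requests that failed MFA or came from known-bad IPs must have been denied, most other requests granted) and flags requests that leave a user's baseline, which is the UEBA-style check suggested earlier under stolen credentials. The JSON-lines log format, field names, users, addresses and the blocklist are all constructed for the example.

```python
import json
from collections import defaultdict

# Constructed baseline window of decision-log lines (hypothetical field names).
SAMPLE_LOG = """\
{"ts":"2024-11-01T09:00:00Z","user":"alice","src_ip":"198.51.100.10","country":"US","resource":"ledger-db","mfa":"pass","decision":"allow"}
{"ts":"2024-11-01T09:05:00Z","user":"alice","src_ip":"198.51.100.10","country":"US","resource":"wiki","mfa":"pass","decision":"allow"}
{"ts":"2024-11-01T09:10:00Z","user":"bob","src_ip":"198.51.100.22","country":"US","resource":"wiki","mfa":"pass","decision":"allow"}
{"ts":"2024-11-01T09:12:00Z","user":"bob","src_ip":"198.51.100.22","country":"US","resource":"ledger-db","mfa":"fail","decision":"deny"}
{"ts":"2024-11-01T09:20:00Z","user":"carol","src_ip":"203.0.113.5","country":"US","resource":"hr-portal","mfa":"pass","decision":"allow"}
"""

# A later, constructed window of events to review against that baseline.
NEW_EVENTS = """\
{"ts":"2024-11-08T02:00:00Z","user":"alice","src_ip":"192.0.2.77","country":"RO","resource":"ledger-db","mfa":"pass","decision":"allow"}
{"ts":"2024-11-08T09:00:00Z","user":"bob","src_ip":"198.51.100.22","country":"US","resource":"ledger-db","mfa":"fail","decision":"allow"}
{"ts":"2024-11-08T09:30:00Z","user":"carol","src_ip":"203.0.113.5","country":"US","resource":"hr-portal","mfa":"pass","decision":"allow"}
{"ts":"2024-11-08T10:00:00Z","user":"carol","src_ip":"192.0.2.99","country":"US","resource":"hr-portal","mfa":"pass","decision":"allow"}
"""

BLOCKLISTED_IPS = {"192.0.2.99"}  # constructed stand-in for a threat-intelligence feed


def parse_log(text):
    """Parse JSON-lines decision records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(events):
    """Per user: the countries and resources seen in granted requests during the window."""
    baseline = defaultdict(lambda: {"countries": set(), "resources": set()})
    for e in events:
        if e["decision"] == "allow":
            baseline[e["user"]]["countries"].add(e["country"])
            baseline[e["user"]]["resources"].add(e["resource"])
    return dict(baseline)


def check_policy_function(events, blocklist):
    """Step 8 checks: failed MFA and blocklisted sources must never be granted."""
    findings = []
    for e in events:
        if e["mfa"] == "fail" and e["decision"] == "allow":
            findings.append((e["ts"], e["user"], "allowed despite failed MFA"))
        if e["src_ip"] in blocklist and e["decision"] == "allow":
            findings.append((e["ts"], e["user"], "allowed from blocklisted IP"))
    return findings


def detect_deviations(events, baseline):
    """UEBA-style check: flag granted requests that fall outside the user's baseline."""
    deviations = []
    for e in events:
        if e["decision"] != "allow":
            continue
        b = baseline.get(e["user"])
        if b is None:
            deviations.append((e["ts"], e["user"], "user has no baseline"))
            continue
        if e["country"] not in b["countries"]:
            deviations.append((e["ts"], e["user"], f"new country {e['country']}"))
        if e["resource"] not in b["resources"]:
            deviations.append((e["ts"], e["user"], f"new resource {e['resource']}"))
    return deviations


def grant_rate(events):
    """Share of requests granted; legitimate traffic should mostly be allowed."""
    if not events:
        return 0.0
    return sum(e["decision"] == "allow" for e in events) / len(events)


def review(new_text, baseline_text, blocklist=BLOCKLISTED_IPS):
    """Run all three checks for a new window against a baseline window."""
    base = build_baseline(parse_log(baseline_text))
    new = parse_log(new_text)
    return {
        "policy_findings": check_policy_function(new, blocklist),
        "deviations": detect_deviations(new, base),
        "grant_rate": grant_rate(new),
    }


if __name__ == "__main__":
    for key, value in review(NEW_EVENTS, SAMPLE_LOG).items():
        print(key, value)
```

On the constructed data the review surfaces two policy-function failures (a grant after a failed MFA and a grant from a blocklisted address, both of which mean the control itself is misbehaving) and two baseline deviations (a first-ever login country for one user and a first-ever resource for another), which is the kind of signal this monitoring period exists to produce before the next rollout phase.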
Continuous monitoring should leverage threat intelligence feeds to identify emerging attack patterns and adjust security controls accordingly.
9. Expand Zero Trust Architecture
With the first migration phase complete, you have baselines and logging that should give you confidence over workflows and monitoring. However, each rollout phase should follow a similar process: implementing, reviewing, monitoring, setting baselines, and ensuring documentation.
SecurityScorecard: Continuous environment scanning and monitoring
SecurityScorecard’s platform enables organizations to detect, prioritize, and remediate vendor risk across their entire supplier ecosystem at scale. Our platform scans all IP addresses, giving you visibility into all access points, including IoT devices. With continuous monitoring and prioritized alerts, you can quickly identify security gaps and take immediate remediation steps to enhance your security posture.
The Supply Chain Detection and Response (SCDR) platform connects TPRM and SOC teams with real-time insights, facilitates vendor collaboration, and enables workflows that turn signals into action. This bridges the gap between risk ratings and resolution, helping organizations transition from passive monitoring to active remediation when threats emerge across vendor ecosystems.
Our platform provides comprehensive attack surface visibility, complementing zero-trust network access implementations by identifying potential security gaps before threat actors can exploit them. This ongoing visibility ensures that as you implement zero trust principles across your organization, you maintain a clear understanding of your evolving threat landscape.