Cybersecurity, identity, least privilege, policy engines, policy enforcement points, device posture, continuous verification, microsegmentation, cloud security, and access control

Zero trust architecture

Zero trust architecture is a cybersecurity approach that treats every access request as something to evaluate, authorize, and monitor instead of assuming a trusted internal network.

Core idea
Access decisions focus on users, devices, resources, context, and policy rather than simple network location.
Common phrase
Zero trust is often summarized as "never trust, always verify."
Not a product
Zero trust is an architecture and operating model, not one tool that can be installed overnight.
Figure: Zero trust architecture uses policy decision and enforcement components to evaluate access to resources.

What zero trust architecture is

Zero trust architecture is a way to design cybersecurity around explicit access decisions. Instead of assuming that users or devices are safe because they are inside a network perimeter, a zero trust system evaluates each request to a protected resource using identity, device state, policy, behavior, and other context.

Why the old perimeter is not enough

Organizations now use cloud services, remote work, mobile devices, contractors, software-as-a-service tools, and distributed applications. A hard boundary between inside and outside is harder to define. Zero trust responds by protecting resources directly and reducing broad implicit trust after someone gets network access.

Policy decision and enforcement

NIST describes core zero trust functions such as a policy engine, policy administrator, and policy enforcement point. In simple terms, one part decides whether access should be allowed, another helps set up or end the session, and an enforcement point controls the actual connection to the resource.

Signals used for access

A zero trust decision may use many signals: user identity, multi-factor authentication, device health, endpoint protection status, resource sensitivity, location, time, session behavior, threat intelligence, data labels, and current risk. The goal is to make access specific, conditional, and revocable.
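The policy engine and enforcement point described above, together with a few of these signals, as an added illustration that is not part of the original page: a constructed, minimal policy engine that default-denies, requires MFA, ties confidential resources to healthy managed devices, and re-evaluates an existing session when the risk score changes (the resource catalogue, thresholds and risk-score scale are assumptions).

```python
from dataclasses import dataclass, replace

# Constructed example: a policy engine in the NIST ZTA sense. It only
# decides; an enforcement point (not modelled here) would open the
# connection on allow or tear the session down on a later deny.

@dataclass
class Request:
    user: str
    mfa: bool            # MFA completed for this session
    device_managed: bool # device enrolled in management
    device_healthy: bool # endpoint protection reports healthy
    resource: str
    risk_score: int      # assumed 0 (low) .. 100 (high) from a risk service

# Hypothetical resource catalogue with sensitivity labels.
RESOURCES = {
    "wiki": "internal",
    "payroll": "confidential",
}

def policy_engine(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason) from identity, device and risk signals."""
    sensitivity = RESOURCES.get(req.resource)
    if sensitivity is None:
        return False, "unknown resource"          # default deny
    if not req.mfa:
        return False, "MFA required"
    if sensitivity == "confidential":
        if not (req.device_managed and req.device_healthy):
            return False, "confidential data needs healthy managed device"
        if req.risk_score >= 50:                  # assumed threshold
            return False, "risk score too high"
    elif req.risk_score >= 80:                    # assumed threshold
        return False, "risk score too high"
    return True, "allowed"

def reevaluate_session(session_req: Request, new_risk: int) -> tuple[bool, str]:
    """Continuous verification: re-run the engine with the updated risk
    score; a deny means the enforcement point should end the session."""
    return policy_engine(replace(session_req, risk_score=new_risk))
```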

Least privilege and segmentation

Zero trust favors least privilege: users, devices, and services should get only the access they need for the task. Microsegmentation, application proxies, identity-aware access, and software-defined perimeters can limit lateral movement if an account, device, or workload is compromised.

CISA maturity pillars

CISA's maturity model organizes zero trust work around identity, devices, networks, applications and workloads, and data, with visibility, automation, orchestration, governance, and analytics spanning across them. This framing helps teams avoid treating zero trust as only a network project.

Migration and limits

A zero trust transition usually starts with inventory, identity cleanup, stronger authentication, device visibility, logging, and clearer resource access policies. It can be difficult because old applications, shadow IT, incomplete asset data, vendor lock-in, and business workflows may not fit neat policy boundaries.

Why it matters

Zero trust matters because breaches often involve stolen credentials, unmanaged devices, exposed services, or movement from one system to another after the first compromise. A well-implemented architecture can reduce blast radius, improve visibility, and make access decisions more accountable.
