← Home

Field Guide · Security Operations

Zero
Trust

"Never trust, always verify." Zero trust removes the one assumption the old perimeter model was built on — that being inside the network means you can be trusted — and replaces it with an explicit, per-request decision made on identity, device, and context. This guide is the mental model and the architecture behind the slogan: what it actually claims, how NIST SP 800-207 realizes it, how CISA's maturity model stages the rollout, and — just as important — what it does not do.

NIST SP 800-207 5 CISA pillars assume breach

Zero trust is a strategy, not a product — an architecture you design and a program you run, not a box you buy. The core move is simple to state and hard to implement: stop using network location as a proxy for trust, and make every access to every resource prove itself, every time. Everything below follows from that.

01

Trust as a Vulnerability

The perimeter model is a hard shell around a soft interior: authenticate once at the edge — the VPN, the firewall — and then move freely, because "inside" is trusted. It fails wherever the shell is bypassed rather than broken: a stolen credential walks straight through the front door, an insider was never outside, and lateral movement lets one compromised host reach the rest. Remote work and cloud dissolved the shell entirely — the resources and the users are no longer inside anything.

Zero trust starts from the opposite assumption. Assume the attacker is already on the network, and treat the enterprise network as no more trustworthy than the open internet. Trust is not granted by where a request comes from; it is earned, per request, by what can be proven about the identity, the device, and the context — and it is never permanent. The term is John Kindervag's (Forrester, around 2010); the idea that "trust is a vulnerability" is the whole thesis.

What it does and doesn't claim

Zero trust does not make a system "secure." It removes network location as a basis for trust and forces an explicit, signal-based decision at each resource. That directly addresses stolen-credential reuse, flat-network lateral movement, and the dissolved perimeter. The residual risk it leaves: the decision is only as good as the signals feeding it and the policy behind it — a valid credential on a device that looks healthy still passes.

02

The Three Principles

The slogan "never trust, always verify" is usually operationalized as three principles. They are worth stating separately because most failed "zero trust" programs are strong on one and silent on the others.

  1. Verify explicitly. Authenticate and authorize every request on all the signals available — identity strength, device posture, location, behaviour — not once at a boundary and never again.
  2. Least privilege, per session. Grant the minimum access the task needs, scoped and time-bound to this session, rather than standing broad rights. (The discipline of sizing and expiring access is the subject of the Access Decision Handbook.)
  3. Assume breach. Design as though the adversary is already inside: segment to limit blast radius, encrypt end to end, and log everything — because the value of assuming breach is realized only if you can detect the intruder you assumed was there.
03

The Seven Tenets (NIST SP 800-207)

NIST Special Publication 800-207, Zero Trust Architecture (Final, August 2020), is the reference definition. It frames zero trust as seven tenets — the abstract requirements a real architecture then has to satisfy. Paraphrased:

#Tenet — what it requires
1All data sources and computing services are treated as resources to be protected — no exceptions for location or perceived importance.
2All communication is secured regardless of network location — being on the internal network earns no exemption from authentication or encryption.
3Access to individual resources is granted on a per-session basis, with least privilege for that session.
4Access is determined by dynamic policy — client identity, application/service, the requesting asset's state, and behavioural and environmental attributes.
5The enterprise monitors and measures the integrity and security posture of all owned and associated assets — no asset is inherently trusted.
6All resource authentication and authorization are dynamic and strictly enforced before access is allowed — and re-evaluated continuously.
7The enterprise collects all it can about the current state of assets, infrastructure, and communications, and uses it to improve its posture.

Underlying these are 800-207's working assumptions about the modern estate: the private network is not an implicit trust zone; devices on it may not be enterprise-owned or configurable; no resource is inherently trusted; and remote subjects cannot trust their local network. The tenets are what you must achieve; the next section is the machinery that achieves them.

04

The Logical Architecture: PDP & PEP

SP 800-207 splits the system into two planes. The control plane decides; the data plane carries traffic and does what it is told. Three logical components do the work:

The Policy Engine (PE) makes the access decision, running a trust algorithm over the available signals. The Policy Administrator (PA) executes that decision — it establishes or tears down the session, issuing or revoking the credential the enforcement point needs. Together, PE and PA form the Policy Decision Point (PDP). The Policy Enforcement Point (PEP) sits in the data path between the subject and the resource and enables, monitors, and terminates the connection on the PA's instruction.

The point of the shape: the subject and its device never reach the resource directly. They reach a PEP, which only opens the specific path the PDP has authorized for that one session — and can close it again the moment the decision changes.

identity / IdP device / CDM threat intel activity logs data policy POLICY DECISION POINT Policy Engine decides · Administrator executes grant / revoke session SUBJECT + DEVICEuser or workload POLICY ENFORCEMENTenables · monitors · terminates RESOURCEapp, data, service
Signals feed the decision; the enforcement point, not the subject, holds the only path to the resource.

Two consequences follow immediately, and the second is the subject of §09: the decision is only as current as the signals, and the PDP and the identity provider become the highest-value targets in the estate — compromise there subverts every decision made downstream.

05

The Access Decision

Inside the Policy Engine is a trust algorithm that weighs, per request, how strongly the identity is proven (a password is not a passkey), whether the device is managed and healthy, whether the behaviour or environment is anomalous, how sensitive the resource is, and what current threat intelligence says. The output is richer than allow/deny: the engine can step up — demand re-authentication or stronger MFA — or grant reduced access, and because the decision is per-session and re-evaluated, a session already open can be revoked when the signals change.

identity assurance device posture behaviour / anomaly resource sensitivity threat intelligence TRUST ALGORITHM Policy Engine weigh · decide ALLOW — this session STEP-UP — re-verify DENY + log
A per-session decision, not a one-time gate — and "deny" is a logged detection signal, not just a block.

Two guides carry the detail: how identities are proven and how strong each factor is lives in Identity & Authentication; the discipline of sizing, granting, and expiring the access itself is the Access Decision Handbook. The threat this addresses is stolen-credential reuse and lateral movement — re-checking context at every request, not once. The residual risk: a decision built on stale or fooled signals — a compromised device that still reports healthy — is granted anyway. It narrows the window; it does not read intent.

06

ZTNA vs the VPN Model

The clearest place zero trust changes day-to-day practice is remote access. The traditional answer is a VPN: authenticate once, receive a network-level tunnel, and land on a segment — often a broad one — where you are then implicitly trusted. A compromised client reaches everything the tunnel exposes. Zero Trust Network Access (ZTNA) inverts this: a broker, acting as a PEP, authenticates identity and context and connects the user to a specific application, per session, without ever placing the client on the network.

PERIMETER / VPN user VPN gw app A app B data once inside — broad reach, flat trust ZERO TRUST / ZTNA user brokerPEP app B app A data each request brokered to one resource
"Network location grants no trust": the VPN puts you on the network; ZTNA connects you to a resource.

The VPN/IPsec & Tunneling guide covers the tunnel mechanics — and why a tunnel encrypts the path but never makes the endpoints, or the concentrator, trustworthy. ZTNA is the access-model answer to exactly that gap. What it addresses: lateral movement and over-broad network exposure. What it leaves: a legitimately authorized but compromised identity still reaches its one permitted app, and the broker is now a critical dependency and a chokepoint of its own.

07

The CISA Maturity Model

If SP 800-207 is the architecture, CISA's Zero Trust Maturity Model (v2.0, April 2023) is the roadmap for reaching it. It organizes the work into five pillars — Identity, Devices, Networks, Applications & Workloads, and Data — each assessed and advanced independently across four maturity stages: Traditional, Initial, Advanced, Optimal (v2.0 added "Initial" to mark the first move off the manual baseline). Three cross-cutting capabilities run through all five.

MATURITY IdentityDevicesNetworksApps & WorkloadsData TraditionalInitialAdvancedOptimal cross-cutting: Visibility & Analytics · Automation & Orchestration · Governance
Five pillars, four stages, three cross-cutting capabilities — each pillar climbs the stages on its own schedule.

The model aligns to OMB M-22-09 (January 2022), the US federal zero-trust strategy. Keep the register straight: for federal civilian agencies that memo is a mandate with deadlines; for everyone else CISA's model is recommended practice, not a requirement. Identity is the near-universal starting pillar — it is where attackers concentrate, and one improvement there (phishing-resistant MFA, centralized identity) strengthens every other pillar. These documents revise; align to a named version rather than "zero trust" in the abstract.

08

Microsegmentation & Cloud-Native

"Assume breach" has a structural consequence: shrink the blast radius so one foothold doesn't become the whole estate. Microsegmentation replaces one flat network with many small zones and enforces policy on the traffic between them (east-west), not just at the perimeter. A compromise in one zone then reaches only what that zone's identity is authorized to reach.

NIST SP 800-207A (2023) carries the model into cloud-native and multi-cloud environments, where the "network" is a mesh of microservices that cannot be separated by IP address and subnet. It pushes the decision to the application layer: service-to-service calls authenticate and authorize using workload identities (for example, SPIFFE), enforced by API gateways and service-mesh sidecar proxies — the same per-request logic as user access, applied to machines.

Threat & residual

Microsegmentation addresses lateral movement — it is the control that most directly limits how far a breach spreads. What it does not do: segmentation is not isolation. A compromised identity or workload still moves freely within its authorized grants, and over-segmentation adds operational complexity that, under pressure, tends to be relaxed or to fail open. The gain is real; the perimeter it draws is only as tight as the policy behind it.

09

What Zero Trust Does Not Do

Because "zero trust" is sold as much as it is engineered, the honest limits matter as much as the model:

  1. It relocates trust; it does not remove it. The PDP, the identity provider, and the PEP now concentrate the trust the perimeter used to spread around. Their compromise subverts every decision downstream — so they become the crown jewels, protected accordingly.
  2. It does not read intent. A valid, authorized identity on a device that looks healthy still gets in. Insider abuse and stolen sessions or tokens pass straight through a correct zero-trust decision.
  3. It is not a product. "We bought a ZTNA licence" is not zero trust. The tool enforces a policy you still have to design, on signals you still have to supply.
  4. Uneven maturity fails open. Advancing Identity to Advanced while Devices sits at Traditional means a valid credential on an unmanaged, compromised endpoint still passes. Pillars have to advance together.
  5. Enforcement without telemetry wastes the best signal. Denied requests and anomalous sessions are early warning; if they never reach the SOC you have thrown away your strongest detection source. (See Detection Engineering and Logging & Evidence.)
The assurance caveat

No architecture is "secure" in the abstract, and zero trust is no exception. It is evaluable only against a stated adversary — the assume-breach threat model of credential theft, lateral movement, and a dissolved perimeter. Against that adversary it is strong. It does comparatively little against a supply-chain compromise of a component you already trust, a policy that is simply wrong, or a compromised PDP or IdP. State the threat model, or the phrase "zero trust" is decoration.

10

Adopting It, in Stages

It is a multi-year program, not a deployment, and a half-built one can fail open — so the order is deliberate.

  1. Inventory and baseline. Map identities, devices, data flows, and resources — you cannot protect or segment what you have not mapped — and assess current maturity per pillar.
  2. Lead with identity and device. Phishing-resistant MFA, centralized identity, and device health as an access signal are the highest-leverage pillars; advance them together.
  3. Move to per-application access. Replace network-level VPN with brokered, per-resource access, and write policy per resource rather than per network.
  4. Segment and encrypt. Shrink the blast radius and secure communication regardless of location.
  5. Wire in the telemetry. Feed decisions — and especially denials — to the SIEM. The control plane is also a detection source.
  6. Prove each rung in production before the next. Advance pillars in priority order, and don't mistake a purchase order for progress.

Zero trust on one card

Principles

Verify explicitly · least privilege, per session · assume breach. ("Never trust, always verify.")

Components — NIST SP 800-207 (Aug 2020)

Policy Engine + Policy Administrator = the PDP (decides, then executes); the PEP enforces in the data path. The subject never reaches the resource directly — only the path the PDP authorizes, for that one session, revocable at any time.

Roadmap — CISA ZTMM v2.0 (Apr 2023)

5 pillars (Identity · Devices · Networks · Apps & Workloads · Data) across 4 stages (Traditional → Initial → Advanced → Optimal), with 3 cross-cutting capabilities (Visibility & Analytics · Automation & Orchestration · Governance). Aligns to OMB M-22-09 — a federal mandate, recommended practice for everyone else.

It is not

Frameworks are cited by version — NIST SP 800-207 (Final, August 2020) and SP 800-207A (2023); CISA Zero Trust Maturity Model v2.0 (April 2023); OMB M-22-09 (January 2022) — and all of them revise, so confirm the current revision before aligning control-by-control. Zero trust is a strategy against a stated adversary (assume-breach: credential theft, lateral movement, a dissolved perimeter), not a condition a system can "be in"; it narrows and relocates trust rather than removing it, and every control named here leaves a named residual risk. Pairs with Identity & Authentication, the Access Decision Handbook, VPN/IPsec & Tunneling, Detection Engineering, and Logging & Evidence. Terms are in the Glossary; 00 · Start Here indexes the set.