Further Reading: Zero Trust Architecture

Annotated resources, grouped by purpose. Tier 1 sources are canonical standards and primary documents you can rely on; Tier 2 are reputable, attributed sources whose exact figures may vary by edition. Each item is tagged with the learning path it best serves: 🏗️ Engineer, 🛡️ SOC, 📋 GRC, 📜 Cert.

A suggested reading order is at the end.


Standards & primary documents (Tier 1)

NIST Special Publication 800-207, Zero Trust Architecture (National Institute of Standards and Technology, 2020). 🏗️📋📜 The single canonical, vendor-neutral definition of zero trust. Read the seven tenets and the logical architecture (policy engine / policy administrator / policy enforcement point) in the source — they are the foundation of this entire chapter and appear verbatim on certification exams. The deployment-model section (device-agent/gateway, enclave, resource-portal, sandboxing) is excellent for engineers choosing an implementation pattern. The first thing to read after this chapter.

CISA, Zero Trust Maturity Model (Cybersecurity and Infrastructure Security Agency, current version). 📋🏗️📜 The practical companion to 800-207. Where NIST defines the architecture, CISA gives the yardstick: five pillars (Identity, Devices, Networks, Applications & Workloads, Data) plus cross-cutting capabilities (Visibility & Analytics, Automation & Orchestration, Governance), each rated across maturity stages (Traditional → Initial → Advanced → Optimal). This is the framework Meridian's roadmap (Case Study 1) is built on; use it to run your own maturity assessment and sequence a migration.

U.S. Office of Management and Budget, Federal Zero Trust Strategy (OMB M-22-09) (2022). 📋📜 The U.S. federal mandate that pushed zero trust from concept to requirement across government agencies, with concrete goals for identity (phishing-resistant MFA), devices, networks, applications, and data. Valuable for GRC readers because it shows how zero trust becomes a compliance expectation, and because its specific, dated goals make the abstract tenets concrete.

NIST SP 1800-35, Implementing a Zero Trust Architecture (NIST National Cybersecurity Center of Excellence). 🏗️ A practical, build-oriented companion to 800-207, documenting reference implementations assembled from real commercial products mapped back to the tenets. The best bridge from "what zero trust is" to "what a working deployment actually looks like," and a useful antidote to vendor over-claiming.


Foundational industry sources (Tier 1 / Tier 2)

Google, BeyondCorp papers (Google, multiple papers beginning 2014). 🏗️📜 The original, influential real-world zero-trust implementation — Google's decision to "remove trust from the network" and shift it to authenticated users and managed devices, so employees could work from any network without a VPN. BeyondCorp: A New Approach to Enterprise Security is the seminal first paper. Required reading to understand where the modern model came from and why "identity + device, not network" is the core move. (Tier 1 as primary-source papers.)

Evan Gilman & Doug Barth, Zero Trust Networks: Building Secure Systems in Untrusted Networks (O'Reilly). 🏗️🛡️ The standard book-length treatment for engineers. Goes deep on trust establishment, device and user trust, policy, and the data/control-plane split, with implementation detail beyond what any standard provides. The best single book if you are actually building a zero-trust system. (Tier 2 — a respected practitioner text.)

John Kindervag, No More Chewy Centers: Introducing the Zero Trust Model of Information Security (originating analyst research, 2010 onward). 📋📜 Kindervag coined "zero trust" and the memorable "chewy center" critique of the hard-shell/soft-interior perimeter model. Worth reading for the origin of the concept and the original framing of why network location must stop conferring trust. (Tier 2 — foundational analyst work; exact publication details vary.)


Supporting standards you already use (Tier 1)

NIST SP 800-63 series, Digital Identity Guidelines. 🏗️📜 The identity foundation that zero trust consumes (you met it in Chapter 16). Since zero trust is only as strong as the proof of identity behind each request, the authentication-assurance-level guidance here is effectively a prerequisite standard for the identity signal.

NIST SP 800-53, Security and Privacy Controls (the AC access-control and IA identification-and-authentication families especially). 🏗️📋📜 The control catalog that maps to zero-trust capabilities. Useful for GRC readers crosswalking a zero-trust program to a formal control framework, and for engineers grounding each tenet in named controls.


Talks, labs, and vendor architecture docs (Tier 1 / Tier 2)

Cloud-provider zero-trust architecture guidance (AWS, Microsoft, Google Cloud security documentation). 🏗️🛡️ Each major cloud publishes zero-trust reference architectures mapping their identity, device, and network services to the 800-207 model (e.g., conditional-access policy engines, identity-aware proxies, workload-identity-based microsegmentation). Read your own provider's guidance when implementing — but keep the seven tenets as your independent yardstick so you can tell a component from a complete architecture. (Tier 1 as vendor security docs; treat capability claims critically.)

MITRE ATT&CK — Lateral Movement tactic (TA0008). 🛡️📜 Not a zero-trust document, but the indispensable companion: the catalog of the lateral-movement techniques zero trust exists to stop. Read the tactic alongside this chapter and map each technique to the zero-trust control (microsegmentation, per-resource verification, least-privilege session) that denies it — exactly the analytical exercise in Case Study 2.


Suggested reading order

  1. NIST SP 800-207 — get the canonical tenets and the PE/PA/PEP model straight from the source.
  2. CISA Zero Trust Maturity Model — get the yardstick you will use to assess and sequence.
  3. Google BeyondCorp (first paper) — see the original real-world implementation and the "identity + device, not network" thesis in practice.
  4. OMB M-22-09 (GRC/cert) or NIST SP 1800-35 (engineers) — turn the abstract into concrete mandates or a concrete build.
  5. Gilman & Barth, Zero Trust Networks (engineers) — go deep when you are ready to build.
  6. MITRE ATT&CK Lateral Movement — keep open as the catalog of what you are defending against.

For the 🏗️ Engineer path, weight 1 → 5 (SP 1800-35 and Gilman/Barth are your build references). For the 📋 GRC path, weight 1 → 2 → OMB M-22-09 → 800-53 (the maturity model and mandates are how you plan and report). For 📜 Cert prep, master the SP 800-207 vocabulary (tenets, PE/PA/PEP, implicit trust zone) and the ZTNA-vs-VPN contrast — those are the high-yield exam items.