Key Takeaways: Zero Trust Architecture

A one-page reference. Reread before an exam or before moving on. Dense by design.

The one idea

Never trust, always verify. Trust is never granted because of where a request comes from (network location) and never granted permanently. Every request to a resource is evaluated, every time, against identity + device posture + context, and granted as a least-privilege session. Trust based on network location is the vulnerability.

Perimeter model vs. zero trust

                        | Perimeter (castle)                   | Zero trust
Trust basis             | Network location (inside = trusted)  | Per-request verification of identity/device/context
Interior                | Flat implicit trust zone             | No implicit trust zone; every access decided
One stolen credential   | Reaches the whole interior           | One app, on a healthy device, in-context, briefly
Lateral movement        | Free and invisible                   | Blocked and logged (denials = signal)
Boundary                | One wall, few gates                  | Software-defined, drawn per authorized connection

NIST SP 800-207 — the seven tenets (memorize)

  1. All data sources and computing services are resources.
  2. All communication is secured regardless of network location. ← kills the implicit trust zone.
  3. Access is per-session and least-privilege. ← kills "one credential reaches everything."
  4. Access is determined by dynamic policy (identity + device + context + behavior).
  5. The enterprise measures asset integrity/posture continuously.
  6. Authentication & authorization are dynamic and strictly enforced before access = continuous verification.
  7. The enterprise collects all the data it can and uses it to improve posture.

The three signals

Signal    | Question                       | Built on                                    | Key term
Identity  | Who is asking?                 | Ch.16 (authN), 17 (authZ), 18 (governance)  | identity is the new perimeter
Device    | From what, and is it healthy?  | Ch.11, 14 (MDM/EDR/posture)                 | device posture
Context   | Under what circumstances?      | time, location, risk score, behavior        | context-aware access

Rule: valid credentials are necessary but not sufficient. A verified identity is still checked against device and context, every time. Grant = a least-privilege session (minimal, time-bound, scoped to one resource, non-propagating).

The machinery (SP 800-207 components)

Component                        | Role                                                                         | Chapter 17 analogue
Policy Engine (PE)               | Decides grant/deny/conditional using the signals                             | the "brain" of the PDP
Policy Administrator (PA)        | Executes the decision; sets up/tears down the session; configures the PEP    | (new in ZT)
Policy Enforcement Point (PEP)   | Enforces in the data path; allows only the granted session                   | the PEP

PE + PA = the policy decision point (PDP). The subject never reaches the resource directly — every request flows through a PEP that opens only PA-authorized sessions. That is what removes the implicit trust zone.
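The rule above (valid credentials are necessary but not sufficient; every grant is a time-bound, single-resource session) and the PE/PA/PEP split, as a runnable miniature. This is an added example written for this summary, not code from the bluekit toolkit or from SP 800-207: the resources, groups, MFA vocabulary, posture-freshness window, country lists and scenarios are all constructed, and the risk score is assumed to arrive from some upstream risk engine that is not modelled here.

```python
"""Miniature zero-trust policy engine (added example; all policy data constructed).

Blends identity, device posture and context into one per-request decision and,
on GRANT, issues a least-privilege session: time-bound, scoped to one resource,
non-propagating.  Stale posture is treated as unknown posture (tenet 5), so the
same user on the same device is denied later until the device re-attests.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Identity:
    user: str
    groups: frozenset
    mfa: str  # "none" | "otp" | "fido2"  (constructed vocabulary)


@dataclass
class Device:
    managed: bool            # enrolled in MDM
    edr_healthy: bool        # EDR agent running and clean
    disk_encrypted: bool
    posture_checked_at: datetime  # last attestation time


@dataclass
class Context:
    now: datetime
    risk_score: int  # 0..100, assumed to come from an upstream risk engine
    country: str


@dataclass
class Session:
    user: str
    resource: str       # scoped to exactly one resource
    expires_at: datetime


@dataclass
class Decision:
    verdict: str        # "GRANT" | "STEP_UP" | "DENY"
    reason: str
    session: Optional[Session] = None


MFA_STRENGTH = {"none": 0, "otp": 1, "fido2": 2}
POSTURE_MAX_AGE = timedelta(minutes=5)   # posture older than this counts as not measured

# Per-resource policy (constructed).  Anything not listed is default-deny.
POLICY = {
    "payroll": {"groups": {"finance"}, "min_mfa": "fido2", "max_risk": 30,
                "countries": {"US", "CA"}, "ttl": timedelta(minutes=15)},
    "wiki":    {"groups": {"staff"}, "min_mfa": "otp", "max_risk": 70,
                "countries": {"US", "CA", "GB"}, "ttl": timedelta(hours=1)},
}


def policy_decision(identity: Identity, device: Device, resource: str, ctx: Context) -> Decision:
    """Policy Engine: evaluate every signal on every request; deny by default."""
    rule = POLICY.get(resource)
    if rule is None:
        return Decision("DENY", f"no policy for {resource!r} (default deny)")
    # Identity: entitlement is checked, but a valid identity alone never grants.
    if not (identity.groups & rule["groups"]):
        return Decision("DENY", "identity not entitled to resource")
    # Device: freshness first, then health.
    if ctx.now - device.posture_checked_at > POSTURE_MAX_AGE:
        return Decision("DENY", "device posture stale; re-attestation required")
    if not (device.managed and device.edr_healthy and device.disk_encrypted):
        return Decision("DENY", "device posture unhealthy")
    # Context: location and risk are part of the decision, not an afterthought.
    if ctx.country not in rule["countries"]:
        return Decision("DENY", f"access from {ctx.country} not permitted for {resource}")
    if ctx.risk_score > rule["max_risk"]:
        return Decision("DENY", f"risk score {ctx.risk_score} exceeds {rule['max_risk']}")
    # Conditional outcome: everything else is fine but authentication is too weak.
    if MFA_STRENGTH[identity.mfa] < MFA_STRENGTH[rule["min_mfa"]]:
        return Decision("STEP_UP", f"{resource} requires {rule['min_mfa']}")
    return Decision("GRANT", "all signals satisfied",
                    Session(identity.user, resource, ctx.now + rule["ttl"]))


def pep_allows(session: Session, resource: str, now: datetime) -> bool:
    """Policy Enforcement Point: a session opens exactly one resource, then expires."""
    return session.resource == resource and now < session.expires_at


def demo() -> dict:
    """Constructed scenarios; returns the verdict per scenario."""
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    alice = Identity("alice", frozenset({"staff", "finance"}), "fido2")
    alice_otp = Identity("alice", frozenset({"staff", "finance"}), "otp")
    healthy = Device(True, True, True, posture_checked_at=t0 - timedelta(minutes=1))
    infected = Device(True, False, True, posture_checked_at=t0 - timedelta(minutes=1))
    office = Context(t0, risk_score=10, country="US")
    travel = Context(t0, risk_score=10, country="DE")
    out = {}
    out["payroll/healthy/office"] = policy_decision(alice, healthy, "payroll", office).verdict
    out["payroll/otp_only"] = policy_decision(alice_otp, healthy, "payroll", office).verdict
    out["wiki/otp_only"] = policy_decision(alice_otp, healthy, "wiki", office).verdict
    out["payroll/edr_unhealthy"] = policy_decision(alice, infected, "payroll", office).verdict
    out["payroll/from_DE"] = policy_decision(alice, healthy, "payroll", travel).verdict
    out["unknown_resource"] = policy_decision(alice, healthy, "hr-db", office).verdict
    # Ten minutes later with no fresh posture report: the device must re-attest first.
    later = Context(t0 + timedelta(minutes=10), risk_score=10, country="US")
    out["payroll/stale_posture"] = policy_decision(alice, healthy, "payroll", later).verdict
    # The granted session neither propagates to another resource nor outlives its TTL.
    grant = policy_decision(alice, healthy, "payroll", office).session
    out["session_reused_for_wiki"] = pep_allows(grant, "wiki", t0)
    out["session_after_ttl"] = pep_allows(grant, "payroll", t0 + timedelta(minutes=16))
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26} -> {verdict}")
```

Note the order of checks: a stale posture report is rejected before the report's contents are even read, which is what prevents the "posture checked only at login" pitfall; and a GRANT carries a session object the PEP can validate without asking the PE again, but only for the one resource and only until its TTL.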

ZTNA vs. legacy VPN (high-yield exam contrast)

Dimension                  | VPN                                  | ZTNA
On connection              | A network address on the LAN         | A connection to one authorized app
Trust model                | Authenticate once → broad access     | Per-request decision per resource
Lateral movement           | Easy (you're on the network)         | Blocked (one app only)
Resource visibility        | Reachable/scannable                  | Hidden (software-defined perimeter)
Device posture             | Often none/login-only                | Required + continuously re-checked
Blast radius of stolen cred| Whole LAN                            | One app, healthy device, in-context, brief

Adding MFA to a VPN ≠ zero trust — it strengthens the front door but still dumps you on a flat network.

Microsegmentation (east-west containment)

  • Draws default-deny policy boundaries around individual workloads (vs. Ch.7 perimeter segmentation, which guards only the edge of a large zone and leaves the interior flat).
  • A compromised workload reaches only explicitly-allowed flows → blast radius collapses.
  • Prefer identity-based policy (workload identity, Ch.20) over IP rules — survives dynamic cloud IPs; resists IP spoofing.
  • Every denied flow is a high-signal detection event → feeds SIEM (Ch.21) and detection (Ch.22). A flat network produced no such signal.
  • Roll out carefully: map real flows first → segment crown jewels first → tighten iteratively.
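The two bullets that matter most in practice (identity-based rules rather than IP rules, and every denial emitted as a detection event), as an added example written for this summary rather than taken from any product or from the bluekit toolkit: the workload names, labels, ports, addresses and flows are constructed, and the rule format is a simple label-subset match invented for illustration.

```python
"""Identity-based microsegmentation evaluator (added example; all data constructed).

Rules name workloads by identity labels, never by IP.  Any flow with no matching
allow rule is denied (default deny), and each denial is emitted as an event for
the SIEM, since a denied east-west flow on a segmented network is rare.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str             # carried only to show that policy does NOT key on it
    labels: frozenset   # e.g. {"app=shop", "tier=api", "env=prod"}


@dataclass(frozen=True)
class Rule:
    src_labels: frozenset   # source must carry all of these labels
    dst_labels: frozenset   # destination must carry all of these labels
    port: int


@dataclass(frozen=True)
class Flow:
    src: Workload
    dst: Workload
    port: int


# Allow-list for a three-tier app (constructed).  No rule => denied.
RULES = [
    Rule(frozenset({"tier=frontend", "env=prod"}), frozenset({"tier=api", "env=prod"}), 8443),
    Rule(frozenset({"tier=api", "env=prod"}), frozenset({"tier=db", "env=prod"}), 5432),
]


def evaluate(flow: Flow, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return ("ALLOW", matched rule) or ("DENY", reason).  Default deny."""
    for r in rules:
        if (r.port == flow.port
                and r.src_labels <= flow.src.labels
                and r.dst_labels <= flow.dst.labels):
            return "ALLOW", f"{sorted(r.src_labels)} -> {sorted(r.dst_labels)}:{r.port}"
    return "DENY", "no matching allow rule"


def enforce(flows: List[Flow]) -> Tuple[List[str], List[dict]]:
    """East-west PEP: returns the allowed flow ids and one detection event per denial."""
    allowed, events = [], []
    for f in flows:
        verdict, why = evaluate(f)
        fid = f"{f.src.name}->{f.dst.name}:{f.port}"
        if verdict == "ALLOW":
            allowed.append(fid)
        else:
            events.append({"event": "microseg_deny", "src": f.src.name, "src_ip": f.src.ip,
                           "dst": f.dst.name, "dst_ip": f.dst.ip, "port": f.port, "reason": why})
    return allowed, events


def demo() -> Tuple[List[str], List[dict]]:
    """Constructed workloads and flows covering the cases the bullets describe."""
    web = Workload("web-1", "10.0.1.10", frozenset({"app=shop", "tier=frontend", "env=prod"}))
    api = Workload("api-1", "10.0.2.20", frozenset({"app=shop", "tier=api", "env=prod"}))
    db = Workload("db-1", "10.0.3.30", frozenset({"app=shop", "tier=db", "env=prod"}))
    # The API workload rescheduled to a new address: identity-based rules still match.
    api_moved = Workload("api-1", "10.0.2.99", api.labels)
    # A staging box using the prod API's old address: the labels, not the IP, decide.
    impostor = Workload("staging-api", "10.0.2.20",
                        frozenset({"app=shop", "tier=api", "env=staging"}))
    flows = [
        Flow(web, api, 8443),        # allowed
        Flow(api_moved, db, 5432),   # allowed: IP changed, identity did not
        Flow(web, db, 5432),         # denied: frontend may not reach the db directly
        Flow(impostor, db, 5432),    # denied: right address, wrong identity
        Flow(api, db, 22),           # denied: wrong port (lateral-movement attempt)
    ]
    return enforce(flows)


if __name__ == "__main__":
    allowed, events = demo()
    print("allowed:", allowed)
    for e in events:
        print("DENY ->", e)
```

The "map real flows first" bullet is what populates RULES: in a real rollout the allow-list is derived from observed legitimate flows, and only then is the default flipped to deny, which is why the denial events start out as tuning signal and become detection signal once the list is stable.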

The migration roadmap (sequence by dependency)

IDENTITY  →  DEVICE  →  ZTNA (apps)  →  MICROSEGMENTATION (crown jewels)
(Ph.1)       (Ph.2)      (Ph.3)          (Ph.4 — hardest, riskiest, last)
  • Identity first (phishing-resistant MFA, entitlement cleanup): every later decision needs a trustworthy identity signal.
  • Device next: now two of three signals are real.
  • ZTNA: replace the VPN by parallel running + phased migration, riskiest apps first (never big-bang).
  • Microsegment crown jewels last: CDE/AD/core first; map flows before default-deny.
  • Legacy that can't participate? Wrap behind a PEP/broker, segment tightly, monitor heavily, compensate around it. (This is also the OT playbook, Ch.33.)
  • CISA Zero Trust Maturity Model = the yardstick. Pillars: Identity, Devices, Networks, Applications & Workloads, Data (+ Visibility/Analytics, Automation, Governance). Stages: Traditional → Initial → Advanced → Optimal.
  • Frame to the board as a maturity direction, not a finish line. Each phase = independently-valuable risk reduction with a metric.

"When to use what" decision aid

Goal                                               | Reach for
Stop credential phishing → broad access            | Phishing-resistant MFA + ZTNA (kill the VPN)
Hide internal apps from attackers                  | ZTNA + software-defined perimeter
Make access contingent on endpoint health          | Device posture gate + continuous verification
Vary access by risk/time/location                  | Context-aware (ABAC) policy in the PE
Contain workload-to-workload lateral movement      | Microsegmentation (default-deny)
Decide what to do first                            | Maturity assessment → identity → device → ZTNA → microsegmentation

Common pitfalls

  • Buying a "zero-trust product" and declaring victory (no SKU delivers all seven tenets).
  • Calling an MFA-protected VPN "zero trust" (still a flat network after login).
  • Checking device posture only at login (rebuilds a mini implicit trust zone per session).
  • Microsegmenting a flat network by hand on day one (breaks production; the rushed fix recreates broad "allow" rules).
  • Promising the board a zero-trust "finish line" (rushed cutover; premature victory; defunding).
  • Treating orphaned/over-privileged accounts (Ch.18) as hygiene — in ZT they are open doors with badges.

Certification crosswalk

Concept                                                 | CompTIA Security+ (SY0-701)                        | (ISC)² CISSP domain
Zero-trust principle; never trust, always verify        | 1.0 General Security Concepts                      | Security Architecture & Engineering
NIST SP 800-207 tenets; PE/PA/PEP; implicit trust zone  | 1.0; 3.0 Security Architecture                     | Security Architecture & Engineering
Identity/device/context; least-privilege session        | 1.0; 4.0 Security Operations                       | Identity & Access Management; Sec. Architecture
ZTNA vs VPN; software-defined perimeter                 | 3.0 Security Architecture                          | Communication & Network Security
Microsegmentation                                       | 3.0 Security Architecture                          | Communication & Network Security
Continuous verification; device posture                 | 1.0; 4.0 Security Operations                       | Identity & Access Management
Maturity model / roadmap sequencing                     | 5.0 Security Program Management & Oversight        | Security & Risk Management

Project additions this chapter

  • Meridian program: zero-trust target architecture + 3-year phased roadmap (CISA pillars), framed for the board as a maturity direction.
  • bluekit toolkit: zerotrust.py, policy_decision(subject, resource, context) (a miniature policy engine blending identity, device, and context → GRANT / STEP_UP / DENY with a reason).

Cross-references

  • Builds on: Ch.3 (zero-trust principle, least privilege, defense in depth), Ch.6 (segmentation/DMZ), Ch.7 (microsegmentation, the vanishing perimeter), Ch.16 (phishing-resistant authN), Ch.17 (RBAC/ABAC, PDP/PEP), Ch.18 (identity governance).
  • Sets up: Ch.33 (OT — the legacy-accommodation playbook applied to ICS/SCADA).