Zero Trust Network Architecture¶

Zero Trust Network Architecture (ZTNA) eliminates implicit trust from every network interaction. Unlike traditional perimeter-based security — where anything inside the firewall is trusted — ZTNA treats every access request as if it originates from an untrusted network. This document provides a vendor-neutral reference architecture aligned with NIST SP 800-207 and the BeyondCorp model.

Core Principles¶

Zero Trust is built on three non-negotiable principles:

Principle	Definition	Network Implication
Never trust, always verify	Every access request is fully authenticated, authorized, and encrypted regardless of origin	No network location grants implicit trust; internal traffic is treated identically to external
Least privilege	Grant minimum access required for the specific task at the specific time	Microsegmented access policies replace broad network ACLs; no flat network access
Assume breach	Design controls assuming the adversary is already inside the perimeter	Lateral movement is blocked by default; east-west traffic is inspected and logged

Traditional perimeter security assumes that once a user or device passes the firewall, it can be trusted. This assumption fails catastrophically when attackers gain initial access through phishing, supply chain compromise, or credential theft — they inherit the implicit trust of the internal network.

Zero Trust Network Reference Architecture¶

flowchart TB
    subgraph Users["Users & Devices"]
        EU[Enterprise User]
        RU[Remote User]
        SVC[Service Account]
        IOT[IoT / OT Device]
    end

    subgraph DeviceTrust["Device Trust Layer"]
        DA[Device Agent]
        DC[Device Compliance Check]
        CERT[Certificate Validation]
    end

    subgraph ControlPlane["Control Plane"]
        PAP[Policy Administration Point<br/>Policy authoring & lifecycle]
        PDP[Policy Decision Point<br/>Real-time access decisions]
        PIP[Policy Information Point<br/>Context aggregation]
    end

    subgraph DataSources["Context Sources → PIP"]
        IDM[Identity Provider / IdP]
        TI[Threat Intelligence Feed]
        SIEM_CTX[SIEM Risk Scores]
        CMDB[Asset Inventory / CMDB]
        UEBA[UEBA Behavioral Baseline]
    end

    subgraph DataPlane["Data Plane"]
        PEP[Policy Enforcement Point<br/>Inline gateway / proxy]
        MICRO[Microsegmentation Engine]
        ENCRYPT[mTLS / Encrypted Tunnels]
    end

    subgraph Resources["Protected Resources"]
        APP[Applications]
        DATA[Data Stores]
        INFRA[Infrastructure Services]
        CLOUD[Cloud Workloads]
    end

    EU --> DA
    RU --> DA
    SVC --> DA
    IOT --> DA
    DA --> DC
    DC --> CERT
    CERT --> PEP

    PEP -- "access request" --> PDP
    PDP -- "query context" --> PIP
    PIP --> IDM
    PIP --> TI
    PIP --> SIEM_CTX
    PIP --> CMDB
    PIP --> UEBA
    PAP -- "publish policy" --> PDP
    PDP -- "allow/deny" --> PEP

    PEP --> MICRO
    MICRO --> ENCRYPT
    ENCRYPT --> APP
    ENCRYPT --> DATA
    ENCRYPT --> INFRA
    ENCRYPT --> CLOUD

Core Components¶

The four pillars of a Zero Trust architecture, derived from NIST SP 800-207:

Policy Decision Point (PDP)¶

The PDP is the brain of the architecture. It receives access requests from enforcement points, evaluates them against policy, and returns an allow/deny decision.

Attribute	Detail
Function	Evaluate access request against policy using contextual signals
Inputs	User identity, device posture, resource sensitivity, behavioral risk, threat intelligence
Output	Allow, deny, or step-up authentication decision
Latency target	< 50ms per decision (P99)
Availability	99.99% — failure mode must default to deny

The PDP should never be a single point of failure. Deploy in an active-active configuration across availability zones. A PDP outage that defaults to 'allow' defeats the purpose of Zero Trust.

Policy Enforcement Point (PEP)¶

The PEP sits inline with every access request and enforces the PDP's decision. It is the only path to protected resources.

PEP deployment patterns:

Identity-aware proxy — Reverse proxy authenticating every HTTP/S request (BeyondCorp model)
Software-defined perimeter (SDP) — Single-packet authorization before connection establishment
Microsegmentation agent — Host-based firewall enforcing workload-to-workload policy
API gateway — Token validation and scope enforcement for service-to-service calls

Policy Information Point (PIP)¶

The PIP aggregates contextual signals that feed PDP decisions:

Signal Source	Data Provided	Update Frequency
Identity Provider (IdP)	User identity, group membership, authentication strength	Real-time
Device Management (MDM/EDR)	OS version, patch status, encryption state, malware status	Every 5 minutes
Threat Intelligence	Known malicious IPs, IOCs, campaign context	Every 15 minutes
SIEM / UEBA	User risk score, anomaly detection results	Near real-time
CMDB / Asset Inventory	Resource classification, owner, data sensitivity	Daily sync
Geolocation / Network	Source IP, location, impossible travel detection	Per request

Policy Administration Point (PAP)¶

The PAP is where policies are authored, tested, versioned, and published to PDPs.

Policy lifecycle:

Author policy → Peer review → Test in simulation mode → Staged rollout (5% → 25% → 100%) → Monitor → Iterate

Treat Zero Trust policies as code. Store them in version control, require peer review for changes, test in simulation mode before enforcement, and maintain rollback capability for every policy change.

Zero Trust Maturity Model¶

Organizations progress through maturity levels as they adopt Zero Trust. This model provides a self-assessment framework:

Level	Name	Identity	Network	Devices	Applications	Data	Automation
L0	Traditional Perimeter	Passwords only; VPN = trusted	Flat internal network; perimeter firewall only	No device compliance checks	No app-level auth beyond network access	No data classification	Manual firewall rules
L1	Basic Segmentation	MFA for external access	VLANs for major zones (DMZ, internal, servers)	Corporate-managed devices required	Basic SSO for major apps	Sensitivity labels on some data	Scripted ACL management
L2	Identity-Aware	MFA everywhere; SSO for all apps	Identity-aware proxy for web apps	Device compliance checked at login	Per-app authorization policies	Data classification for regulated data	Policy-as-code for identity
L3	Microsegmented	Risk-based adaptive authentication	Microsegmentation for workloads; east-west filtering	Continuous device posture assessment	Per-request authorization; no VPN	DLP policies enforced at access point	Automated policy deployment
L4	Continuous Verification	Continuous authentication; session risk scoring	Encrypted east-west; no implicit trust zones	Real-time device risk scoring; auto-quarantine	Just-in-time app access; session recording	Real-time data access auditing	Automated incident response for policy violations
L5	Full Zero Trust	Passwordless; behavioral biometrics	Full SDP; network location irrelevant	Zero-touch provisioning; hardware attestation	Every request verified; all sessions ephemeral	Automated data governance; field-level encryption	Self-healing policy; autonomous threat response

Maturity Assessment

Most organizations begin at L0–L1. A realistic 24-month goal is reaching L3 across identity and network pillars, with L2 in devices and data. Full L5 maturity typically requires 3–5 years of sustained investment.

Implementation Roadmap¶

A six-phase adoption plan aligned with the Forrester ZTX and NIST frameworks:

Phase 1: Identify Protect Surfaces (Months 1–2)¶

Define what you are protecting. The protect surface is the inverse of the attack surface — it is small, well-defined, and defensible.

Protect Surface Category	Examples	Discovery Method
Critical data (DAAS)	Customer PII, financial records, IP, credentials	Data classification scan; DLP inventory
Critical applications	ERP, CRM, SIEM, CI/CD pipeline	Application portfolio review
Critical assets	Domain controllers, certificate authorities, key management	CMDB and infrastructure audit
Critical services	DNS, DHCP, Active Directory, authentication services	Service dependency mapping

Deliverable: Prioritized register of protect surfaces ranked by business impact.

Phase 2: Map Transaction Flows (Months 2–3)¶

Understand how traffic flows to and from each protect surface. You cannot protect what you do not understand.

flowchart LR
    subgraph Sources["Traffic Sources"]
        ANALYST[Analysts]
        APPS[Applications]
        SVCS[Services]
        PARTNERS[Partners]
    end

    subgraph Flows["Transaction Flows"]
        AUTH[Authentication Flow]
        API_FLOW[API Call Flow]
        DATA_FLOW[Data Access Flow]
        ADMIN_FLOW[Admin Flow]
    end

    subgraph Surfaces["Protect Surfaces"]
        CRM_PS[CRM — Customer Data]
        SIEM_PS[SIEM — Security Logs]
        CICD_PS[CI/CD — Source Code]
        AD_PS[AD — Identity Infrastructure]
    end

    ANALYST --> AUTH --> CRM_PS
    APPS --> API_FLOW --> SIEM_PS
    SVCS --> DATA_FLOW --> CICD_PS
    PARTNERS --> ADMIN_FLOW --> AD_PS

Deliverable: Transaction flow map showing all access paths to each protect surface, including ports, protocols, and identity context.

Phase 3: Build Zero Trust Architecture (Months 3–6)¶

Deploy the core components (PDP, PEP, PIP, PAP) starting with the highest-priority protect surfaces.

Priority order:

Identity infrastructure (IdP, AD, certificate services)
Security tooling (SIEM, SOAR, EDR consoles)
Developer infrastructure (CI/CD, source control, artifact repositories)
Business-critical applications (ERP, CRM)
General enterprise applications
IoT and OT environments

Do not attempt to deploy Zero Trust everywhere simultaneously. Start with one protect surface, validate the architecture, then expand. A failed big-bang rollout creates security gaps worse than the legacy perimeter.

Phase 4: Create Zero Trust Policy (Months 5–8)¶

Define granular access policies using the Kipling Method — who, what, when, where, why, and how:

Policy Element	Question	Example Policy Statement
Who	Which identity?	Only members of `sg-soc-analysts` with active MFA session
What	Which resource?	SIEM query API — read-only scope
When	What time window?	Business hours (06:00–22:00 local) for standard access
Where	From which location/device?	Corporate-managed device with compliant posture score ≥ 80
Why	What is the business justification?	Active incident investigation (ticket reference required for sensitive data)
How	Through which access path?	Via identity-aware proxy; direct network access denied

Phase 5: Monitor and Maintain (Months 8–12)¶

Deploy continuous monitoring to validate Zero Trust controls:

Policy violation monitoring — Alert on every denied access attempt; investigate repeated denials
Configuration drift detection — Automated checks that PEP configurations match PAP-published policy
Access pattern analytics — Baseline normal access patterns; alert on deviations (UEBA)
Control effectiveness metrics — Track the metrics defined in the Metrics section below

Phase 6: Automate and Orchestrate (Months 10–18)¶

Mature from manual policy management to automated orchestration:

Automation Target	Manual State	Automated State
Policy updates	Admin manually edits firewall rules	Policy-as-code deployed via CI/CD pipeline
Incident response	Analyst manually blocks compromised account	SOAR playbook auto-disables account and triggers step-up auth
Device quarantine	Help desk manually removes device from network	EDR auto-quarantine triggers PDP policy update within 30s
Access reviews	Quarterly spreadsheet review	Continuous access certification with auto-revocation of unused permissions
Threat response	Manual IOC blocking across multiple tools	Threat intelligence auto-propagates to PDP deny lists within 5 minutes

Technology Components¶

Software-Defined Perimeter (SDP)¶

SDP implements a "dark cloud" — protected resources are invisible to unauthorized users. Connection is established only after authentication and authorization.

1. SDP Controller authenticates user + device
2. Controller validates against PDP
3. Controller provisions encrypted tunnel to specific resource
4. Resource is never exposed to unauthenticated scanning

SDP follows a 'authenticate first, connect second' model — the opposite of traditional networking where connection is established first and authentication happens at the application layer.

Zero Trust Network Access (ZTNA)¶

ZTNA replaces VPN by providing per-application access rather than full network access:

Capability	Legacy VPN	ZTNA
Access granularity	Full network layer access	Per-application, per-session access
Device trust	Optional or basic check	Continuous posture validation
Lateral movement risk	High — user has network access	Minimal — no network layer access granted
User experience	Client software + split-tunnel complexity	Seamless browser or lightweight agent
Scalability	VPN concentrator bottleneck	Cloud-delivered, horizontally scalable
Visibility	Limited to connection logs	Full request-level logging with identity context

Microsegmentation¶

Microsegmentation enforces security policy at the individual workload level rather than the network perimeter:

Implementation approaches:

Agent-based — Host-level firewall managed by central policy (most granular)
Network-based — SDN controller programs switches/routers (infrastructure-dependent)
Hypervisor-based — Virtual firewall between VMs (virtualized environments only)
Cloud-native — Security groups, network policies (Kubernetes NetworkPolicy, AWS SGs)

Identity-Aware Proxy (IAP)¶

IAP authenticates and authorizes every request at the proxy layer before forwarding to the backend application:

sequenceDiagram
    participant U as User
    participant IAP as Identity-Aware Proxy
    participant IDP as Identity Provider
    participant PDP as Policy Decision Point
    participant APP as Application

    U->>IAP: HTTPS request to app.example.com
    IAP->>IDP: Validate session / redirect to auth
    IDP-->>IAP: Identity token (user, groups, MFA status)
    IAP->>PDP: Authorize (identity + device + context)
    PDP-->>IAP: Allow (scoped permissions)
    IAP->>APP: Forward request with identity headers
    APP-->>IAP: Response
    IAP-->>U: Response (logged with full context)

Secure Access Service Edge (SASE)¶

SASE converges networking and security into a cloud-delivered service:

SASE Component	Function	Zero Trust Role
ZTNA	Per-app access	Replaces VPN; enforces least privilege
SWG (Secure Web Gateway)	Web traffic inspection	Inline threat detection for outbound traffic
CASB	Cloud app control	Visibility and policy enforcement for SaaS
FWaaS	Cloud firewall	Network-layer policy for branch and remote
SD-WAN	WAN optimization	Secure transport; traffic steering to SASE PoPs

Vendor-Neutral Reference Architecture¶

This architecture is aligned with NIST SP 800-207 and the BeyondCorp model. It does not depend on any single vendor.

NIST SP 800-207 Deployment Models¶

Model	Description	Best For
Enhanced Identity Governance	Access decisions based primarily on identity and attributes	Organizations with mature IAM; SaaS-heavy environments
Micro-segmentation	Network-level enforcement at the workload level	Data center and cloud IaaS workloads
Network Infrastructure + SDP	Network overlays and SDP controllers mediate all access	Organizations with complex hybrid infrastructure

Most real-world deployments combine all three models. Use identity governance for user-to-application access, microsegmentation for workload-to-workload, and SDP for infrastructure access.

BeyondCorp Reference¶

Google's BeyondCorp model demonstrates that enterprise applications can be accessed securely without a VPN:

Access depends on device and user credentials — not network location
All access to enterprise resources is authenticated, authorized, and encrypted
Access is granted on a per-request basis — no persistent trust
Policy is dynamic and sourced from multiple contextual signals

Integration Points¶

Zero Trust architecture does not exist in isolation. It integrates with the broader security operations stack:

Integration	Direction	Data Exchanged	Purpose
SIEM	PDP → SIEM	Access decisions, policy violations, denied requests	Centralized logging and correlation of all access events
SIEM	SIEM → PIP	User and entity risk scores	Dynamic policy adjustment based on SIEM analytics
SOAR	PDP → SOAR	High-severity policy violations	Automated incident response for Zero Trust violations
SOAR	SOAR → PDP	Block/allow directives	Automated policy updates during incident response
EDR	EDR → PIP	Device health, malware detection, IOCs	Real-time device posture feeding access decisions
NDR	NDR → PIP	Anomalous network behavior, lateral movement detection	Network-level context for access decisions
CASB	PEP ↔ CASB	SaaS access policy and enforcement	Unified policy for on-prem and cloud applications
IAM	IAM ↔ PDP	Identity attributes, group membership, auth strength	Core identity context for every access decision

flowchart LR
    PDP[Policy Decision Point]

    SIEM[SIEM] <-->|risk scores ↔ access logs| PDP
    SOAR[SOAR] <-->|incidents ↔ policy updates| PDP
    EDR[EDR] -->|device posture| PDP
    NDR[NDR] -->|network anomalies| PDP
    CASB[CASB] <-->|SaaS policy| PDP
    IAM[IAM] <-->|identity context| PDP

Metrics and KPIs¶

Track these metrics to measure Zero Trust effectiveness and maturity:

Coverage Metrics¶

Metric	Definition	Target (L3 Maturity)	Target (L5 Maturity)
% of resources behind ZT controls	Protect surfaces with PDP/PEP enforcement	≥ 80%	100%
% of access requests evaluated by PDP	Requests going through policy evaluation vs. bypassing	≥ 90%	100%
% of users on passwordless / phishing-resistant MFA	Users with hardware key or biometric auth	≥ 60%	≥ 95%
% of workloads microsegmented	Workloads with granular east-west policy	≥ 50%	≥ 95%

Effectiveness Metrics¶

Metric	Definition	Target
Policy violation rate	Denied access requests / total requests (high rate may indicate misconfiguration)	< 5% sustained (after tuning)
Lateral movement detection rate	% of simulated lateral movement attempts detected and blocked	≥ 95%
Mean time to policy update	Time from threat detection to PDP policy enforcement	< 15 minutes (automated)
False positive rate (policy denials)	Legitimate access incorrectly blocked	< 1% of total access requests
PDP decision latency (P99)	99th percentile latency for access decisions	< 100ms

Operational Metrics¶

Metric	Definition	Target
PDP availability	Uptime of policy decision infrastructure	≥ 99.99%
Policy drift incidents	Instances where PEP config diverges from PAP-published policy	0 per month
Credential exposure events	Service account credentials found outside vault	0 per quarter
Access review completion rate	% of access reviews completed on schedule	100%

A Zero Trust architecture is only as strong as its monitoring. If policy violations are not tracked, if PDP decisions are not logged, or if metrics are not reviewed — the architecture provides a false sense of security.

Common Zero Trust Network Mistakes¶

Avoid These

Treating Zero Trust as a product purchase. Zero Trust is an architecture and strategy, not a single vendor solution. No product delivers "Zero Trust in a box."
Deploying ZTNA but keeping VPN as a fallback. If VPN remains available, users and attackers will use it. The legacy path must be decommissioned.
Flat microsegmentation policies. Microsegmentation with overly permissive policies (allow-any within segment) provides no value. Policy must be granular.
Ignoring east-west traffic. Most Zero Trust projects focus on north-south (user to app). Lateral movement between workloads is the actual kill chain vector.
PDP single point of failure. If the PDP fails and defaults to "allow," the entire architecture collapses. Failure mode MUST be deny.
No continuous monitoring. Zero Trust without continuous verification is just a one-time gate check — not Zero Trust.

Nexus SecOps Control Mapping¶

Zero Trust Network Control	Nexus SecOps Controls
Microsegmentation enforcement	Nexus SecOps-121, Nexus SecOps-122
Identity-aware proxy deployment	Nexus SecOps-111, Nexus SecOps-113
PDP policy management	Nexus SecOps-114, Nexus SecOps-205
Device trust validation	Nexus SecOps-130, Nexus SecOps-131
Continuous access monitoring	Nexus SecOps-049, Nexus SecOps-119
Credential vault integration	Nexus SecOps-104, Nexus SecOps-112
Lateral movement detection	Nexus SecOps-062, Nexus SecOps-065
Network traffic encryption	Nexus SecOps-123, Nexus SecOps-125
Access decision logging	Nexus SecOps-005, Nexus SecOps-007

See Zero Trust SOC | Reference Architecture | Integration Patterns Related chapters: Chapter 13: Governance | Chapter 33: Identity & Access Security | Chapter 22: Network Security