NIST
SP 800-207
Basic reference on Zero Trust Architecture from NIST.
Zero Trust is not a “new firewall” or a single product, but a way to design security around identity, context and continuous access verification. The main idea: the network itself is not a trust factor, so every request must be checked against the policy.
Zero Trust Principles
Never Trust, Always Verify
No request is considered secure by default: check identity, context and policy every time.
Least Privilege
Access rights should be minimal and short-lived, tied to a specific task.
Assume Breach
Design the system as if the attacker is already inside the perimeter: segmentation, observability and fast revocation.
Base
Identification -> AuthN -> AuthZ
The identity and authorization model is the foundation of a Zero Trust rollout.
Reference architecture
Identity Plane
- Workforce and workload identity (users, services, devices).
- IdP + lifecycle management + MFA/passkeys.
- Short-lived credentials instead of long-lived secrets.
Policy Plane
- Policy decision point: RBAC/ABAC/ReBAC or policy-as-code.
- Decision based on subject + action + resource + context.
- Explicit deny-by-default as the baseline mode.
Enforcement Plane
- Policy enforcement points in gateways, meshes and applications.
- mTLS and service identity for east-west traffic.
- Full audit trail for access decisions.
Telemetry Plane
- Continuous verification through logs, metrics and security signals.
- Risk-based access and dynamic restrictions.
- Fast incident response and automated revocation.
How to implement it step by step
1. Inventory
Collect a map of identities, services, secrets, critical paths and current trust assumptions.
2. Strong AuthN Baseline
Enable MFA/passkeys for users and workload identity for services; remove shared credentials.
3. Policy Centralization
Move access rules into a single policy layer and apply deny-by-default to new resources.
4. Segmentation + Enforcement
Separate the paths (prod/non-prod, data tiers, admin paths) and add PEPs at key traffic points.
5. Continuous Validation
Set up monitoring of access anomalies, periodic access reviews and automatic rotation of credentials.
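The Policy Plane above and steps 3 and 5 of the rollout come together in the policy decision point. The following is an added example, not NIST's text or any product's code: a minimal PDP that evaluates subject + action + resource + context, denies by default, treats a missing signal (risk score, credential expiry) as untrusted, requires an active JIT grant for operator actions in prod, requires a verified mTLS peer for workload-to-workload calls, and emits one audit line per decision. All attribute names (env, risk_score, jit_grant_active, mtls_peer_verified, credential_expires_at, allowed_targets) and the sample identities and resources are assumptions constructed for this example.

```python
"""Minimal policy decision point (PDP) in the style of SP 800-207.

Added example, not code from NIST or any product. Attribute names such as
"env", "risk_score", "jit_grant_active" and "mtls_peer_verified" are
assumptions chosen for the example; a real deployment maps them from its
IdP, device-posture service and telemetry pipeline.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Request:
    subject: dict    # who: identity attributes (id, kind, roles, mfa, ...)
    action: str      # what: the operation requested
    resource: dict   # on what: resource attributes (name, env, ...)
    context: dict    # under which conditions: runtime signals


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


def _credential_valid(req, now):
    """Short-lived credentials: no expiry, or a past one, means the credential is not trusted."""
    exp = req.context.get("credential_expires_at")
    return exp is not None and exp > now


# Rule table: (name, effect, predicate). Deny rules are evaluated first and
# override any allow; if no allow rule matches, the answer is an implicit deny.
RULES = [
    ("expired-or-missing-credential", "deny",
     lambda r, now: not _credential_valid(r, now)),
    ("mfa-required-for-prod", "deny",                      # applies to human subjects only
     lambda r, now: r.subject.get("kind", "user") == "user"
     and r.resource.get("env") == "prod" and not r.subject.get("mfa", False)),
    ("high-risk-session", "deny",                          # missing risk signal = untrusted
     lambda r, now: r.context.get("risk_score", 100) >= 70),
    ("developer-read-nonprod", "allow",
     lambda r, now: "developer" in r.subject.get("roles", ()) and r.action == "read"
     and r.resource.get("env") != "prod"),
    ("sre-operate-prod-with-jit", "allow",                 # no standing prod access
     lambda r, now: "sre" in r.subject.get("roles", ()) and r.action in ("read", "restart")
     and r.resource.get("env") == "prod" and r.context.get("jit_grant_active", False)),
    ("workload-mtls-to-allowed-target", "allow",           # east-west: identity + mTLS
     lambda r, now: r.subject.get("kind") == "workload" and r.context.get("mtls_peer_verified", False)
     and r.resource.get("name") in r.subject.get("allowed_targets", ())),
]


def decide(req, now):
    denies = [name for name, effect, pred in RULES if effect == "deny" and pred(req, now)]
    if denies:
        return Decision(False, denies)
    allows = [name for name, effect, pred in RULES if effect == "allow" and pred(req, now)]
    if allows:
        return Decision(True, allows)
    return Decision(False, ["implicit-deny"])              # deny-by-default


def audit_record(req, decision, now):
    """One JSON line per decision: the audit trail the enforcement plane keeps."""
    return json.dumps({"ts": now.isoformat(), "subject": req.subject.get("id"),
                       "action": req.action, "resource": req.resource.get("name"),
                       "allow": decision.allow, "reasons": decision.reasons}, sort_keys=True)


# Constructed sample identities, resources and requests (nothing real).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
FRESH = {"credential_expires_at": NOW + timedelta(minutes=15), "risk_score": 10}
EXPIRED = {"credential_expires_at": NOW - timedelta(minutes=1), "risk_score": 10}
ALICE = {"id": "alice", "roles": ["developer"], "mfa": True}
BOB = {"id": "bob", "roles": ["sre"], "mfa": True}
CHECKOUT = {"id": "spiffe://example.org/checkout", "kind": "workload", "allowed_targets": ["orders-api"]}
STAGING_DB = {"name": "orders-db", "env": "staging"}
PROD_DB = {"name": "orders-db", "env": "prod"}
PROD_API = {"name": "orders-api", "env": "prod"}

SAMPLES = {
    "dev-read-staging": Request(ALICE, "read", STAGING_DB, FRESH),
    "dev-read-prod": Request(ALICE, "read", PROD_DB, FRESH),
    "sre-restart-prod-no-jit": Request(BOB, "restart", PROD_API, FRESH),
    "sre-restart-prod-jit": Request(BOB, "restart", PROD_API, {**FRESH, "jit_grant_active": True}),
    "sre-expired-credential": Request(BOB, "read", PROD_API, {**EXPIRED, "jit_grant_active": True}),
    "workload-mtls": Request(CHECKOUT, "call", PROD_API, {**FRESH, "mtls_peer_verified": True}),
    "workload-plaintext": Request(CHECKOUT, "call", PROD_API, FRESH),
    "high-risk-dev": Request(ALICE, "read", STAGING_DB, {**FRESH, "risk_score": 85}),
}


def run_samples():
    """Evaluate every constructed request; returns {name: allow} and prints the audit lines."""
    results = {}
    for name, req in SAMPLES.items():
        d = decide(req, NOW)
        results[name] = d.allow
        print(audit_record(req, d, NOW))
    return results


if __name__ == "__main__":
    run_samples()
```

Two design choices carry the Zero Trust stance: deny rules are checked before allow rules so that an expired credential or a high risk score blocks even a perfectly matching role grant, and absent context is read as the worst case (no expiry means invalid, no risk score means maximum risk), so a PEP that forgets to forward a signal fails closed rather than open.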
Antipatterns
- Treating Zero Trust as a product rather than an architectural approach and operating model.
- Limiting Zero Trust to VPN replacement without revising the identity and authorization model.
- Allowing everything within the cluster and calling it Zero Trust.
- Having no revoke/deprovision processes, even with good authentication.
- Leaving admin access permanent, without JIT/JEA and an explicit approval flow.
A quick practical criterion: if, after compromising one service, the attacker gets “almost everything”, then Zero Trust has been implemented only nominally.
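That criterion can be checked mechanically against the access policy rather than by intuition. The following is an added example, not part of SP 800-207: given the allow-list each identity holds, it computes which resources become reachable if that single identity is compromised (following transitive service-to-service grants) and flags identities whose compromise exposes more than half the estate. The two policies, the "allow all within the cluster" one and the segmented one, and every service name are constructed for the example.

```python
"""Blast-radius check for the "one compromised service" criterion.

Added example, not from SP 800-207. Both policies and all names are constructed.
A policy maps an identity to the resources and services it is allowed to call;
compromise of an identity is modelled as gaining everything reachable from it.
"""
from collections import deque

# Constructed "allow all within the cluster" policy: every service may call every other.
FLAT_CLUSTER = {
    "web": {"api", "billing", "admin-api", "orders-db", "payments-db"},
    "api": {"billing", "admin-api", "orders-db", "payments-db"},
    "billing": {"admin-api", "orders-db", "payments-db"},
    "admin-api": {"orders-db", "payments-db"},
}

# Constructed segmented policy: each identity holds only the grants its task needs.
SEGMENTED = {
    "web": {"api"},
    "api": {"orders-db"},
    "billing": {"payments-db"},
    "admin-api": {"orders-db", "payments-db"},
}


def reachable(policy, start):
    """Everything an attacker holding `start`'s identity can reach, transitively (BFS)."""
    seen, queue = set(), deque([start])
    while queue:
        for target in policy.get(queue.popleft(), ()):
            if target not in seen:
                seen.add(target)
                queue.append(target)
    return seen


def all_nodes(policy):
    """All identities and resources named anywhere in the policy."""
    return set(policy) | {t for targets in policy.values() for t in targets}


def blast_radius(policy):
    """Fraction of the estate reachable from each identity."""
    total = len(all_nodes(policy))
    return {ident: len(reachable(policy, ident)) / total for ident in policy}


def over_threshold(policy, threshold=0.5):
    """Identities whose single compromise exposes more than `threshold` of the estate.
    A non-empty result is the 'almost everything' signal from the text."""
    return sorted(i for i, share in blast_radius(policy).items() if share > threshold)


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_CLUSTER), ("segmented", SEGMENTED)):
        print(name, {k: round(v, 2) for k, v in blast_radius(policy).items()},
              "flagged:", over_threshold(policy))
```

Run periodically against the real policy export (mesh authorization policies, IAM bindings, network policies), this turns the criterion into a regression check: a new grant that pushes an identity over the threshold shows up before it reaches production.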
