Zero Trust Architecture

Zero Trust, without the marketing.

Zero Trust is a set of design principles, not a product you buy. This is the implementation pattern we use on real engagements, aligned to NIST SP 800-207 and the CISA Zero Trust Maturity Model, delivered in phases your operations team can actually absorb.

By Daniel Agrici, Chief Security Officer, EFROS. Reviewed by Stefan Efros, CEO & Founder, EFROS.

What Zero Trust actually is

Zero Trust replaces perimeter-based trust with continuous verification. In a traditional network, getting past the firewall is most of the battle. Once inside, lateral movement is cheap and detection is weak. Zero Trust assumes breach. Every access request is evaluated against current identity, device health, and risk signals, independent of where the request originates. The reference document is NIST SP 800-207 Zero Trust Architecture, which defines the seven tenets every serious implementation maps back to.

The practical shorthand: never trust, always verify. The user who authenticated 20 minutes ago on a compliant device from a known location still has to prove the request made now matches their baseline pattern. The service identity reading data from the database still has to present a valid, recently-rotated credential and a workload identity token. The laptop that passed posture check at 9 AM still has to re-check before it touches the crown-jewel file server at 2 PM.
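A minimal policy decision function that applies the re-check rule above (the 9 AM posture check is still fine for an internal app at 2 PM but not for the crown-jewel server). This is an added illustration, not code from the page or from any vendor named on it; the thresholds, field names and sensitivity labels are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

PHISHING_RESISTANT = {"fido2", "webauthn", "hardware_token"}

@dataclass
class Subject:
    user: str
    mfa_method: str            # "fido2", "totp", "sms", ...
    authenticated_at: datetime

@dataclass
class Device:
    managed: bool
    edr_healthy: bool
    posture_checked_at: datetime

# Hypothetical per-sensitivity policy: how fresh the session and posture
# check must be, and whether phishing-resistant MFA is mandatory.
POLICY = {
    "internal":    dict(session=timedelta(hours=12), posture=timedelta(hours=8), pr_mfa=False),
    "crown_jewel": dict(session=timedelta(hours=1),  posture=timedelta(hours=1), pr_mfa=True),
}

def decide(subject, device, sensitivity, risk_score, now):
    """Evaluate one request -> (decision, reasons); decision is 'allow', 'step_up' or 'deny'."""
    rules = POLICY[sensitivity]
    # Hard denies: unmanaged or unhealthy device, or risk over the deny line.
    if not device.managed or not device.edr_healthy:
        return "deny", ["device unmanaged or EDR unhealthy"]
    if risk_score >= 80:
        return "deny", [f"risk score {risk_score} at or above deny threshold"]
    reasons = []
    # Freshness is judged per resource: a check that was good enough for an
    # internal app this morning is not good enough for a crown-jewel share now.
    if now - device.posture_checked_at > rules["posture"]:
        reasons.append("device posture stale: re-check required")
    if now - subject.authenticated_at > rules["session"]:
        reasons.append("session too old: re-authentication required")
    if rules["pr_mfa"] and subject.mfa_method not in PHISHING_RESISTANT:
        reasons.append("phishing-resistant MFA required for this resource")
    if risk_score >= 50:
        reasons.append(f"elevated risk score {risk_score}: step-up required")
    return ("step_up", reasons) if reasons else ("allow", [])

# Constructed scenario from the text: posture passed at 9 AM, request at 2 PM,
# user authenticated 20 minutes before the request.
NINE_AM, TWO_PM = datetime(2024, 1, 8, 9, 0), datetime(2024, 1, 8, 14, 0)
alice = Subject("alice", "fido2", authenticated_at=datetime(2024, 1, 8, 13, 40))
laptop = Device(managed=True, edr_healthy=True, posture_checked_at=NINE_AM)
```

Calling `decide(alice, laptop, "internal", 10, TWO_PM)` allows the request, while the same inputs against `"crown_jewel"` return a step-up because the morning posture check has aged past the one-hour limit.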

The five Zero Trust pillars we implement

Most authoritative Zero Trust guidance organizes controls into pillars. The CISA Zero Trust Maturity Model uses five pillars (Identity, Devices, Networks, Applications & Workloads, and Data), with three cross-cutting capabilities (Visibility & Analytics, Automation & Orchestration, Governance). That's the structure we work from on mid-market engagements because it's the same structure federal civilian agencies implement under OMB M-22-09. The pillars below are what we implement and operate end-to-end.

Identity

Strong authentication, continuous validation, and risk-based access decisions for every user and service identity.

  • Phishing-resistant MFA (FIDO2, WebAuthn, hardware tokens) for all privileged and remote access
  • Identity provider consolidation (Entra ID, Okta, Ping) with federation to SaaS
  • Privileged Access Management (PAM) with session recording and just-in-time elevation
  • Continuous risk scoring via Identity Threat Detection and Response (ITDR)
  • Service account inventory, secret rotation, and workload identity federation

Devices

Every endpoint is known, healthy, and policy-compliant before it touches a protected resource.

  • Unified endpoint management (Intune, Jamf, Workspace ONE) across managed and BYOD
  • EDR/XDR deployed on every endpoint with health posture enforcement
  • Device-based conditional access policies tied to compliance state
  • Mobile threat defense on corporate devices
  • Certificate-based device identity for workload-to-workload authentication

Networks

Microsegmentation replaces the flat internal network. Every connection is authenticated, authorized, and encrypted.

  • ZTNA replacing traditional VPN for user-to-resource connections
  • Microsegmentation inside data centers and cloud VPCs
  • Encrypted east-west traffic (service mesh with mTLS where applicable)
  • DNS security, secure web gateway, and egress filtering
  • SASE architecture consolidating network and security at the edge

Applications & Workloads

Applications are accessed through policy-enforced brokers and continuously monitored for anomalous behavior.

  • Application-aware proxies enforcing per-request access decisions
  • SaaS Security Posture Management (SSPM) for cloud-app configuration drift
  • Cloud Security Posture Management (CSPM) across AWS, Azure, GCP
  • Runtime application self-protection (RASP) for mission-critical apps
  • API gateways with strong authentication, rate limiting, and request validation

Data

Data is classified, encrypted in transit and at rest, and protected by policies that follow the data wherever it moves.

  • Data classification tied to sensitivity labels (public, internal, confidential, regulated)
  • Data Loss Prevention (DLP) across endpoint, network, and cloud storage
  • Encryption with key management under your control (BYOK or HYOK patterns)
  • Information Rights Management for sensitive document flows
  • Database activity monitoring for regulated data stores

Maturity: where you are vs. where you need to be

CISA publishes a four-stage maturity model (Traditional, Initial, Advanced, Optimal) that gives organizations a common vocabulary for Zero Trust progress. Most mid-market clients we assess land at Traditional or Initial when we start the engagement. Getting to Advanced across all five pillars is a realistic 12-18 month program. Optimal is a multi-year pursuit and many organizations intentionally stop at Advanced because the marginal cost of the last few percentage points doesn't match the risk reduction.

Traditional

Perimeter-based trust. Network location is the primary access decision. MFA only on selected apps. VPN for remote access. Limited device posture. Minimal segmentation.

Initial

SSO across core SaaS. MFA universally for remote access. EDR deployed. Basic conditional access policies. VLAN segmentation.

Advanced

Phishing-resistant MFA on privileged access. PAM in place. ZTNA deployed for at least one critical user group. Microsegmentation on highest-risk workloads. DLP operating.

Optimal

Identity-first architecture across the enterprise. Continuous risk scoring drives access decisions. ZTNA as default remote-access pattern. Application-level microsegmentation. Automated response to policy violations.

The 12-month rollout plan we use

Zero Trust is a transformation program, not a project. We run it as a phased 12-month rollout with quarterly milestones that each deliver independent risk reduction, so budget approval doesn't depend on the entire program succeeding before value shows up.

Quarter one focuses on identity. Universal SSO with phishing-resistant MFA, a consolidated identity provider, privileged access management for the top 50 privileged accounts, and conditional access baselines for major SaaS. This typically eliminates 60-70% of the phishing-driven risk on its own.

Quarter two focuses on devices and endpoint. EDR universal deployment with health posture enforcement, unified endpoint management for managed fleet, mobile device policy for corporate devices, and device-based conditional access wired into the identity layer. Combined with quarter-one work, this closes most of the credential-theft-plus-lateral-movement attack path.

Quarter three tackles network and application access. ZTNA deployed for at least one critical user group (replacing VPN), microsegmentation on the highest-value workloads, DNS security and secure web gateway, and application-aware proxies for the top 10 SaaS and internal apps.

Quarter four focuses on data and continuous validation. Data classification and DLP across endpoint, network, and cloud. Key management under client control. Continuous risk scoring wired into access decisions. Automated response playbooks for the top 15 policy violations. Full visibility dashboards for the security leadership team.

Common mistakes we see in Zero Trust projects

The most common failure pattern is treating Zero Trust as a network project. Microsegmentation is high-effort and carries long-tail risk if you get it wrong. Starting there before the identity and device layers are strong leads to expensive projects that don't reduce risk proportionally. Always start with identity. Always.

The second failure pattern is buying a product labeled "Zero Trust" and treating the purchase as the solution. Vendors all claim Zero Trust credentials. Most products are a useful piece of a Zero Trust architecture. None is the whole thing. Buy discrete capabilities that fit your architecture, not "Zero Trust in a box."

The third failure pattern is not sequencing the rollout against business priorities. Zero Trust affects every user and every application. A rollout that disrupts revenue-generating teams without clear communication and rollback plans creates organizational resistance that can stall the program for months. Plan the change-management component as seriously as the technical one.

How Zero Trust maps to compliance frameworks

Zero Trust controls satisfy a large share of access-control, monitoring, and segmentation requirements across multiple compliance frameworks at once. For SOC 2 Type II, the CC6 (Logical and Physical Access), CC7 (System Operations), and CC8 (Change Management) common criteria map directly to Zero Trust pillars. For ISO 27001, Annex A controls A.5 (Information Security Policies), A.8 (Asset Management), A.9 (Access Control), and A.12 (Operations Security) similarly map across.

For regulated industries, the mapping gets even denser. HIPAA Security Rule 164.308(a)(4) access management, 164.312(a) access control, and 164.312(c) integrity requirements all benefit directly from Zero Trust implementation. PCI-DSS 4.0 requirements 7 (access control), 8 (identify and authenticate), and network segmentation expectations align naturally. CMMC Level 2 maps to NIST SP 800-171 controls that a properly implemented Zero Trust architecture substantially satisfies. See our healthcare, financial services, and manufacturing pages for industry-specific Zero Trust control mappings.

Platforms we work with

On identity, we implement across Microsoft Entra ID, Okta Identity Cloud, and Ping Identity depending on existing investment. For PAM, CyberArk, BeyondTrust, Delinea, and HashiCorp Vault. For EDR/XDR, CrowdStrike Falcon, SentinelOne Singularity, Microsoft Defender XDR, and Palo Alto Cortex XDR. For ZTNA, Zscaler Private Access, Palo Alto Prisma Access, Cloudflare Access, and Microsoft Entra Private Access. For microsegmentation, Illumio, Akamai Guardicore, and the native capabilities in AWS, Azure, and GCP.

We're platform-agnostic by design. The architecture decisions drive platform selection, not vendor relationships. If you already have significant sunk cost in one stack, we'll typically operate that stack rather than recommend migration unless the gap is structural. For new deployments, we recommend based on fit with your identity provider, existing cloud footprint, compliance constraints, and operational team capacity. Our managed detection and response and managed SIEM services operate across all of these platforms in production client environments.

Measurement and reporting

Every Zero Trust program we operate reports against three categories of metrics. Implementation metrics track pillar-by-pillar maturity progression against the CISA model: percent of users on phishing-resistant MFA, percent of endpoints with current EDR health, percent of critical workloads microsegmented, and so on. Operational metrics track day-to-day health: policy violation rates, authentication anomaly detection, failed access attempts, and MFA fatigue signals. Risk metrics tie Zero Trust posture to financial-risk estimates that the board actually wants to see.

Reporting cadence is monthly to the security leadership team, quarterly to the executive committee, and annually to the board. The annual board report maps Zero Trust maturity to business risk reduction, usually expressed as expected annual loss reduction under a structured FAIR (Factor Analysis of Information Risk) model. That framing converts technical control progress into the financial language board committees need to justify continued investment.

Frequently asked questions

What does Zero Trust actually mean at a technical level?

Zero Trust is a set of design principles rather than a single product. The core rule: never trust, always verify. Every access decision (user to resource, service to service, device to app) is made based on current identity, device health, data sensitivity, and risk signals, independent of network location. NIST SP 800-207 is the authoritative definition.

How long does Zero Trust implementation typically take?

For a mid-market organization moving from Traditional to Advanced maturity, the realistic timeline is 12-18 months. The first quick wins (phishing-resistant MFA, EDR universal deployment, conditional access baseline) can land in 60-90 days. The harder layers (microsegmentation, application-level policy enforcement, full ZTNA rollout) take most of the remaining time.

Which Zero Trust framework should we follow?

For US federal alignment, CISA Zero Trust Maturity Model and OMB M-22-09 set the reference. For technical architecture, NIST SP 800-207 is the primary document. For cloud-native patterns, the CSA Zero Trust Architecture guidance maps well to AWS, Azure, and GCP. Vendor frameworks (Microsoft, Google BeyondCorp, Cisco, Palo Alto) are useful operationally but should map back to the NIST pillars.

Does Zero Trust require replacing our existing stack?

Usually no. Most mature Zero Trust deployments layer ZT policies on top of existing identity providers, EDR platforms, and network controls. The work is in consolidation, policy design, and connecting signals that were previously siloed. Full rip-and-replace is rarely the right answer for mid-market budgets.

What's the biggest mistake we see in Zero Trust projects?

Treating Zero Trust as a network project instead of an identity project. Network controls matter, but the identity layer carries more weight in actual Zero Trust architecture. Organizations that start with phishing-resistant MFA, universal SSO, and PAM consistently see better outcomes than those that start with microsegmentation.

How does Zero Trust interact with compliance frameworks?

Zero Trust controls map cleanly to SOC 2, ISO 27001, PCI-DSS 4.0, HIPAA Security Rule, NIST CSF, and CMMC Level 2 requirements. In most cases, implementing Zero Trust properly closes the majority of access-control, monitoring, and segmentation requirements across multiple frameworks at once. See our industry pages for specific mappings.