What is zero-trust architecture?

The short answer

Zero-trust architecture (ZTA) is a cybersecurity model defined in NIST Special Publication 800-207 that eliminates implicit trust based on network location and instead requires continuous, per-request authentication and authorization for every user, device, and workload. It replaces the legacy “castle-and-moat” perimeter with the principle “never trust, always verify,” enforced through a Policy Decision Point (PDP) and Policy Enforcement Point (PEP) that evaluate identity, device posture, and context on each access request.

The longer answer

Zero-trust architecture is formally codified in NIST SP 800-207 (Rose, Borchert, Mitchell, Connelly, August 2020), which defines it as “an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.” The document explicitly states that zero trust assumes there is no implicit trust granted to assets based on their physical or network location (i.e., LANs versus the internet) or based on asset ownership.

The architecture rests on three logical components from SP 800-207 Section 3: a Policy Engine (PE) that makes the access decision, a Policy Administrator (PA) that executes it, and a Policy Enforcement Point (PEP) that sits on the data plane between the subject and the resource. Each access request triggers a fresh evaluation against signals including identity (typically from an identity provider like Okta or Microsoft Entra ID), device posture (managed, patched, encrypted), network telemetry, and behavioral analytics.
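The PE/PA/PEP loop described above, as an added example that is not code from NIST SP 800-207 or from this page: a toy Policy Engine that evaluates identity, device posture and a risk signal on every request, a Policy Administrator that turns an allow decision into a short-lived grant, and a Policy Enforcement Point that only honours unexpired grants for the exact resource they were issued for. All signals, the resource-to-group policy table, the 30-day patch threshold, the risk cutoff and the grant lifetimes are constructed assumptions, not values from the standard.

```python
# Added example (not NIST's or the page's code): the PE / PA / PEP loop of
# SP 800-207 in miniature. Every policy value below is a constructed assumption.
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset
    mfa_verified: bool


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool
    disk_encrypted: bool
    patch_age_days: int


@dataclass(frozen=True)
class AccessRequest:
    subject: Subject
    device: Device
    resource: str
    source_network: str  # recorded as telemetry only; never consulted as a trust input
    risk_score: int      # 0-100, assumed to come from behavioral analytics


@dataclass
class Decision:
    allow: bool
    reasons: list
    ttl_seconds: int = 0


RESOURCE_POLICY = {"payroll-app": "finance", "wiki": "employees"}  # constructed
MAX_PATCH_AGE_DAYS = 30
RISK_DENY_THRESHOLD = 70


class PolicyEngine:
    """PE: decides allow/deny from identity, device posture and context, per request."""

    def evaluate(self, req: AccessRequest) -> Decision:
        reasons = []
        required_group = RESOURCE_POLICY.get(req.resource)
        if required_group is None:
            reasons.append("unknown resource")
        elif required_group not in req.subject.groups:
            reasons.append(f"user not in group {required_group}")
        if not req.subject.mfa_verified:
            reasons.append("MFA not verified")
        if not req.device.managed:
            reasons.append("device not managed")
        if not req.device.disk_encrypted:
            reasons.append("disk not encrypted")
        if req.device.patch_age_days > MAX_PATCH_AGE_DAYS:
            reasons.append("device patch level stale")
        if req.risk_score >= RISK_DENY_THRESHOLD:
            reasons.append("risk score too high")
        if reasons:
            return Decision(False, reasons)
        # Short grants force re-evaluation; elevated risk shortens them further.
        return Decision(True, ["all checks passed"], 300 if req.risk_score < 30 else 60)


class PolicyEnforcementPoint:
    """PEP: the only path to the resource; admits traffic only on a live grant."""

    def __init__(self):
        self._grants = {}  # token -> (user, resource, expires_at)

    def install_grant(self, token, user, resource, expires_at):
        self._grants[token] = (user, resource, expires_at)

    def forward(self, token: str, resource: str, now: float) -> bool:
        grant = self._grants.get(token)
        if grant is None or grant[1] != resource:
            return False  # no grant, or a grant for a different resource
        if now >= grant[2]:
            del self._grants[token]  # expired: the subject must be re-evaluated
            return False
        return True


class PolicyAdministrator:
    """PA: converts the PE's decision into a concrete, expiring grant at the PEP."""

    def __init__(self, engine: PolicyEngine, pep: PolicyEnforcementPoint):
        self.engine, self.pep = engine, pep

    def request_access(self, req: AccessRequest, now: float):
        decision = self.engine.evaluate(req)
        if not decision.allow:
            return decision, None
        token = secrets.token_urlsafe(16)
        self.pep.install_grant(token, req.subject.user, req.resource, now + decision.ttl_seconds)
        return decision, token


def demo():
    """Two constructed requests by the same user: location is never what decides."""
    pep = PolicyEnforcementPoint()
    pa = PolicyAdministrator(PolicyEngine(), pep)
    alice = Subject("alice", frozenset({"employees", "finance"}), mfa_verified=True)
    managed_laptop = Device("lt-001", managed=True, disk_encrypted=True, patch_age_days=3)
    byod_phone = Device("ph-777", managed=False, disk_encrypted=False, patch_age_days=120)
    # On the corporate LAN with an unmanaged device: denied on posture, not helped by location.
    lan_denied, _ = pa.request_access(AccessRequest(alice, byod_phone, "payroll-app", "corp-lan", 10), now=0)
    # From the internet with a healthy managed device and MFA: allowed, but only briefly.
    net_allowed, token = pa.request_access(AccessRequest(alice, managed_laptop, "payroll-app", "internet", 10), now=0)
    return lan_denied, net_allowed, token, pep


if __name__ == "__main__":
    denied, allowed, tok, pep = demo()
    print("LAN + unmanaged device:", denied)
    print("internet + managed device:", allowed)
    print("forward at t=10:", pep.forward(tok, "payroll-app", now=10))
    print("forward at t=300 (expired):", pep.forward(tok, "payroll-app", now=300))
```

Note that `source_network` is carried on the request but never read inside `evaluate`: that absence is the SP 800-207 tenet in code form. The grant's lifetime is what makes verification "continuous" here; a production PEP would also revoke grants when the identity provider or endpoint platform reports a posture change, which this toy omits.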

The term “zero trust” itself was popularized by John Kindervag at Forrester Research in 2010, though earlier conceptual work appears in the Jericho Forum's “de-perimeterization” papers from 2004–2007. Google's BeyondCorp, documented in a six-part series in ;login: magazine starting in 2014, was the first large-scale production implementation, eliminating Google's VPN for employee access to internal applications.

The U.S. federal government mandated zero-trust adoption through Executive Order 14028 (May 12, 2021) and OMB Memorandum M-22-09 (January 26, 2022), which required federal agencies to meet specific zero-trust goals by the end of FY 2024 across five CISA pillars: Identity, Devices, Networks, Applications & Workloads, and Data. CISA's Zero Trust Maturity Model v2.0 (April 2023) defines four stages of maturity: Traditional, Initial, Advanced, and Optimal.

In practice, ZTA is implemented through several converging technology categories. Zero Trust Network Access (ZTNA), a term coined by Gartner in 2019, replaces traditional VPN with brokered, identity-aware access to specific applications rather than entire network segments. Microsegmentation (Illumio, Akamai Guardicore, VMware NSX) enforces east-west traffic policies at the workload level. Identity-aware proxies (Google IAP, Cloudflare Access) enforce per-request authentication at HTTP layer 7. Continuous device posture is evaluated by endpoint platforms (CrowdStrike, SentinelOne, Microsoft Defender).

The threat model zero-trust addresses is empirically grounded. The 2024 Verizon Data Breach Investigations Report found that the use of stolen credentials remains a top initial-access vector, appearing in 24% of breaches. Lateral movement after initial compromise — the exact failure mode flat perimeter networks enable — was central to high-impact incidents including SolarWinds (Mandiant report, December 2020) and the 2017 Equifax breach (GAO-18-559). NIST SP 800-207 Section 2.1 explicitly cites preventing lateral movement as a primary design goal.

Common misconceptions worth dispelling: zero-trust is not a single product, not synonymous with ZTNA, and not achieved by deploying MFA alone. NIST SP 800-207 is explicit that ZTA is an architectural philosophy implemented through multiple controls operating together over years of migration, not a procurement event. The Department of Defense Zero Trust Reference Architecture v2.0 (July 2022) similarly frames it as a multi-year capability roadmap across 45 distinct capabilities.

Key facts

  • Zero-trust architecture is formally defined in NIST Special Publication 800-207, published August 2020.
  • The three logical components are the Policy Engine, Policy Administrator, and Policy Enforcement Point (NIST SP 800-207, Section 3).
  • The term “zero trust” was popularized by John Kindervag at Forrester Research in 2010 (“No More Chewy Centers”).
  • Google BeyondCorp was the first large-scale production zero-trust deployment, documented starting in 2014 in ;login: magazine.
  • Executive Order 14028 (May 12, 2021) mandated zero-trust adoption across the U.S. federal government.
  • OMB Memorandum M-22-09 (January 26, 2022) set the federal zero-trust strategy with FY 2024 deadlines.
  • CISA's Zero Trust Maturity Model v2.0 (April 2023) defines five pillars: Identity, Devices, Networks, Applications & Workloads, Data.
  • The 2024 Verizon DBIR found stolen credentials were involved in 24% of breaches, the threat class that zero-trust is designed to limit.
  • The DoD Zero Trust Reference Architecture v2.0 defines 45 distinct zero-trust capabilities (DoD CIO, July 2022).
  • Gartner coined “Zero Trust Network Access” (ZTNA) as a market category in 2019.

Published by AtomEons — one organism, many lenses. Truth over theater.